Versa Networks

Consolidated Release Notes for Release 21.2

Versa Analytics Release Notes for Release 21.2

This document describes features, enhancements, fixes, and known issues in the Release 21.2 Versa Analytics software, for Releases 21.2.0 (simply called 21.2) through 21.2.3. Releases 21.2.1 and later are generally available (GA) releases and are supported for use in production networks.

August 2, 2022
Revision 3

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install the Versa Analytics Software

To install the Versa Analytics software, see the Deployment and Initial Configuration articles.

Before You Upgrade

Before you upgrade the Analytics software to Release 21.2, upgrade the OS SPack on all Analytics nodes following the steps in Use OS Security Packages.

Release 21.2 requires that Analytics nodes run the Fusion database platform; the DSE database platform is not supported.

Before you upgrade, check the Analytics database platform:

  1. Upgrading to Release 21.2.2 or later requires the underlying database to be Fusion. If the database is not Fusion, upgrade to Release 21.2.1 and then migrate the database to Fusion. After the Fusion migration, upgrade to Release 21.2.2 or later.
  2. Check whether the database is using the DSE or Fusion package. In Director view, select Analytics > Administration > Version in the left menu bar. If the string in the Database Version field ends with F, the database is Fusion. If it ends with E or does not display any character, the database is DSE.

    DB_Version.PNG
  3. If the database is DSE, SSH to any of the Analytics or search nodes and issue the following command:
    versa@versa-analytics:~$ dse -v
    4.5.2
  4. If the database is DSE 4.5.x, upgrade to DSE 4.8 using the DSE migration scripts in the Customer Support article at https://support.versa-networks.com/support/solutions/articles/23000019690
  5. After you upgrade to DSE 4.8, upgrade the Analytics application to Release 21.2, as described in Upgrade to Release 21.2, below.

Upgrade to Release 21.2

You can upgrade Versa Analytics nodes to Release 21.2 from any service release of Release 16.1R2, that is, from Releases 16.1R2(Sx), and from Releases 20.2.x. Upgrading to Release 21.2.2 or later requires the underlying database to be Fusion. If the database is not Fusion, upgrade to Release 21.2.1 and then migrate the database to Fusion. After the Fusion migration, upgrade to Release 21.2.2 or later.

To upgrade to Release 21.2:

  1. Copy the appropriate binary package file to the /home/versa/packages/ directory on the Analytics node. Ensure that the file has +x execute permission. Alternatively, issue the following command, which copies the file to the /home/versa/packages directory:
    versa@versa-Analytics> request system package fetch uri uri
    
  2. Install the new software package:
    versa@Versa-Analytics> request system package upgrade filename.bin
    
  3. Check the status of the Versa services to determine whether they have started:
    admin@versa-analytics:~$ vsh status
    
  4. If the services have not started, start them:
    admin@versa-analytics:~$ vsh start
    
  5. Ensure that the Analytics IP addresses are present:
     • Search node IP addresses are listed under Search Hosts
     • Analytics node IP addresses are listed under Analytics Hosts
     • All log collector or forwarder IP addresses are listed under Driver Hosts
  6. After the upgrade completes, a message may display indicating that you should reboot the system. Even if a message does not display, it is recommended that you reboot the system to account for any GRUB or kernel parameter changes. To reboot the system:
    admin@versa-analytics:~$ sudo reboot

    After the reboot completes, the Versa services automatically restart.

Checks To Perform After the Upgrade

In Release 21.2, you cannot access the Versa Analytics application using port 8080, to avoid any security vulnerabilities. By default, only secure ports 443 and 8443 are enabled in Analytics, and port 8443 is used for communication between the Director and Analytics nodes. When you upgrade to Release 21.2 on Director nodes, the upgrade process automatically changes the northbound interface port number 8080 to 8443, and it automatically synchronizes the certificates required for SSL communication between the Analytics and Director nodes.

If there is no communication between the Versa Director and Versa Analytics nodes, perform the following steps:

  1. Check whether any firewall rule is blocking Versa Director to Versa Analytics communication on port 8443.
  2. Connect to Versa Analytics directly using https://analytics-ip-address to determine whether the portal is accessible. This ensures that the application is reachable using a secure port and that the SSL certificate is valid.
  3. Log in to the Versa Analytics node using the same username and password as the Versa Director node. If the login is successful, this means that RBAC between the Analytics and Director nodes is working using a secure connection. If the login is not successful, install Versa Director certificates on Versa Analytics nodes as described in https://support.versa-networks.com/a/solutions/articles/23000010418.
  4. Log in to the Versa Director shell and issue the following CLI command to check whether the Versa Analytics truststore has been created on Versa Director:
    admin@versa-director:/var/versa/vnms/data/certs$ ls -tlr versa_analytics_truststore.ts
    -rw-rw---- 1 versa versa 1274 Jul 30 05:42 versa_analytics_truststore.ts
    
  5. If the truststore file does not exist or if the Versa Analytics certificates were regenerated, resynchronize and import the Versa Analytics certificates by running the vd-van-cert-upgrade.sh script in the active Director shell. This script transfers the Versa Analytics certificates from each of the Analytics nodes configured under the connectors and then imports them. You must restart Versa Director for the certificate to take effect.
    admin@versa-director:~$ sudo su - versa
    versa@versa-director:~$ /opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull
    

For example:

versa@versa-director:.../vnms/scripts$ ./vd-van-cert-upgrade.sh --pull
Pulling Analytics certificates to Director key store
Checking previous version config path
Changing port for [Analytics]
No modifications to commit.
Port Migration completed
VAN Clusters IPs: [ 10.48.189.23 ]
Removing previous analystics cert store
Getting Certificate for : 10.48.189.23
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.189.23
Certificate was added to keystore
Certificates Imported... Requires restart.. Do you want to postpone restart (y/N): N
[sudo] password for versa:
Stopping VNMS service
------------------------------------
Stopping TOMCAT................[Stopped]
Stopping REDIS.................[Stopped]
Stopping NETBOX-IPAM...........[Stopped]
Stopping POSTGRE...............[Stopped]
Stopping SPRING-BOOT...........[Stopped]
Stopping SPACKMGR..............[Stopped]
Stopping NCS...................[Stopped]
* Stopping daemon monitor monit
Starting VNMS service
------------------------------------
Starting NCS...................[Started]
Starting POSTGRE...............[Started]
Starting NETBOX-IPAM...........[Started]
Starting SPRING-BOOT.......... [Started]
Starting REDIS.................[Started]
Starting TOMCAT................[Started]
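Added example (not part of the release notes or of Versa's own tooling): a Python check that automates steps 1, 2, and 4 above from the Director side. It classifies port 8080 (expected closed) and 8443 (expected open) on an Analytics node, and compares the SHA-256 fingerprint of the certificate served on 8443 with the fingerprints that keytool lists for versa_analytics_truststore.ts. It assumes the truststore is a Java keystore readable by keytool and that the listing is piped in on stdin; the host name and the script file name are placeholders.

```python
import hashlib
import re
import socket
import ssl
import sys

# Ports as described above: 8080 is disabled in Release 21.2, and 8443 carries
# Director <-> Analytics traffic over TLS.
LEGACY_PORT = 8080
SECURE_PORT = 8443

# Line printed per entry by 'keytool -list' (SHA-256: 32 bytes -> 95 characters).
FINGERPRINT_RE = re.compile(r"Certificate fingerprint \(SHA-256\):\s*([0-9A-F:]{95})")


def tcp_connect_state(host, port, timeout=3.0):
    """Classify a TCP connect: 'open', 'refused', or 'filtered' (timeout or
    unreachable, which is how a blocking firewall rule presents itself)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "filtered"


def fetch_peer_cert_der(host, port, timeout=3.0):
    """Complete a TLS handshake and return the server certificate (DER bytes).
    Chain verification is switched off only to retrieve the certificate: the
    Analytics certificate is self-signed (the script output above shows
    'verify error:num=18'), so trust is decided by fingerprint comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint, the form keytool prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def truststore_fingerprints(keytool_output):
    """Fingerprints of every entry in the Director truststore listing.
    Assumption: versa_analytics_truststore.ts is a Java keystore, which the
    'Certificate was added to keystore' message from the script suggests."""
    return set(FINGERPRINT_RE.findall(keytool_output))


def evaluate(legacy_state, secure_state, live_fingerprint, trusted):
    """Turn raw observations into the pass/fail findings an operator acts on."""
    findings = {
        "legacy_port_closed": legacy_state != "open",        # 8080 must not answer
        "secure_port_reachable": secure_state == "open",     # step 2 above
        "secure_port_filtered": secure_state == "filtered",  # points at step 1 (firewall)
        # Director only trusts Analytics if its truststore holds the live cert (steps 4 and 5).
        "cert_in_truststore": live_fingerprint is not None and live_fingerprint in trusted,
    }
    findings["ok"] = (findings["legacy_port_closed"] and findings["secure_port_reachable"]
                      and findings["cert_in_truststore"])
    return findings


def post_upgrade_check(analytics_host, keytool_output):
    """Probe one Analytics node and compare its live certificate with the
    captured truststore listing from the Director."""
    legacy_state = tcp_connect_state(analytics_host, LEGACY_PORT)
    secure_state = tcp_connect_state(analytics_host, SECURE_PORT)
    fingerprint = None
    if secure_state == "open":
        try:
            fingerprint = sha256_fingerprint(fetch_peer_cert_der(analytics_host, SECURE_PORT))
        except (OSError, ssl.SSLError):
            pass  # handshake failed: reported as cert_in_truststore False
    return evaluate(legacy_state, secure_state, fingerprint,
                    truststore_fingerprints(keytool_output))


if __name__ == "__main__":
    # Usage on the Director (truststore path from the notes above; keytool prompts
    # for the store password on the terminal):
    #   keytool -list -keystore /var/versa/vnms/data/certs/versa_analytics_truststore.ts \
    #       | python3 check_analytics.py <analytics-ip>
    print(post_upgrade_check(sys.argv[1], sys.stdin.read()))
```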

Fusion Database Information

Starting with Release 20.2, Versa Analytics supports a new database platform called Fusion, which is based on open source technology. When you install a new Analytics cluster using a Release 20.x or Release 21.x ISO/QCOW2/OVA image, the Fusion database is automatically enabled. If you are upgrading from Release 16.1R2 to Release 20.x or Release 21.x, you must run additional scripts after you upgrade the software to install the Fusion database and migrate the data.

The following are some of the frequently asked questions related to this database upgrade:

  • Why should we upgrade the database to Fusion?
    • The Fusion database uses the latest version of database software that provides better scaling and performance, and fixes many security vulnerabilities. The DSE database used in Release 16.1R2 has reached its end of life.
    • Although the DSE and Fusion Analytics databases currently offer the same features, the two will soon need to diverge so that newer capabilities of the Fusion database can be used, and so newer features may be available only on the Fusion database.
  • Is there any impact on reports and features after the upgrade?
    • All reports and features available in Release 16.1R2 are also available in Releases 20.2 and later. Additionally, the new releases provide many new reports and features and vulnerability fixes.
    • Some reports in Releases 21.2.1 and later use features specific to the Fusion database. These reports are not available without the Fusion database.
  • I am using Versa Analytics Release 16.1R2. I want to upgrade to Release 20.2, Release 21.1, or Release 21.2. Which image do I download and how do I upgrade?
    • First, upgrade the software to the desired version. To upgrade to Release 21.2.1, see Upgrade to Release 21.2, above. The software update does not automatically upgrade the database to Fusion. The underlying DSE database remains.
    • Then, upgrade the database to Fusion. To do this, you can use a cluster upgrade script to uninstall the DSE packages and install Fusion packages. This script upgrades one node at a time. Historical data is preserved and real-time search data is truncated. The upgrade scripts and related documentation are available here:
      https://versanetworks.box.com/s/8pdi9ppyjzfq8cx53s10l3zbwt6k2kbw
    • If you are upgrading a large database or have issues while running the upgrade scripts, contact the Versa Support team.
  • Is it possible to upgrade only Versa Analytics to Release 20.2, Release 21.1, or Release 21.2 to use the Fusion database?
    • Release 20.2.2 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11 of Versa Director and Versa Operating System™ (VOS™) (previously called FlexVNF).
    • Release 21.1.1 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11, and with Release 20.2.2 of VOS. However, Versa Director and Versa Analytics must be running Release 21.1.1.
    • Release 21.2.1 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11, and with Release 20.2.2 or 21.1.x of VOS. Release 21.2.1 of Versa Analytics is compatible with Versa Director 21.1.2 for all features except single sign-on (SSO) authentication.
    • Release 21.2.2 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11, and with Release 20.2.x or 21.1.x of VOS. Release 21.2.2 of Versa Analytics is compatible with Versa Director 21.1.x for all features except single sign-on (SSO) authentication.
    • Release 21.2.3 of Versa Analytics is backward compatible with Releases 16.1R2S10 and 16.1R2S11, and with Releases 20.2.x, 21.1.x, and 21.2.x of VOS software. Release 21.2.3 of Versa Analytics is compatible with Versa Director 21.1.x for all features except single sign-on (SSO) authentication.
  • Will there be downtime during the upgrade to Release 20.2, Release 21.1, or Release 21.2?
    • The upgrade from Release 16.1R2 to Release 20.2, Release 21.1, or Release 21.2 is like any other upgrade in that only the Versa application software is upgraded. During the upgrade process, data is not lost. When you upgrade the database from DSE to Fusion using the upgrade script, there is some downtime for database operations (approximately 1 to 2 hours), depending on the size of the cluster. You will not lose any logs, and streaming to third-party collectors is not interrupted. To reduce the downtime, you can bring up a new cluster running Release 20.2, Release 21.1, or Release 21.2 and then configure the Controller to use the server IP addresses of the new cluster so that logs start flowing to the new cluster. If data stored in the older cluster must be migrated to the new cluster, use one of these options:
      • Export the archived data from the old cluster to the new cluster, and then restore it. Depending on the number of days and size of the data, this can take some time because archive logs do not differentiate between the type of data. All the data for the specified interval is transferred and restored. The scripts to trigger log transfer and restore are available here:
        https://support.versa-networks.com/a/solutions/articles/23000008970
      • Export the processed data from the old cluster to the new cluster, and then restore it. Here, you can specify the type of data you want to export and restore. The script is available here:
        https://versanetworks.box.com/s/vryjpluuv18dfat03hxb5a49pgws0cx5

For more information, see Migrate the Versa Analytics Database from DSE to Fusion.

New Features

This section describes the new Versa Analytics features in Release 21.2. Releases 21.2.1 and later of Versa Analytics are backward compatible with any service release of Release 16.1R2, that is, with Releases 16.1R2(Sx), of VOS software. Releases 21.2.1 and later of Versa Analytics are also backward compatible with Release 20.2 and Release 21.1 of VOS software.

  • Advanced logging service—(For Releases 21.2.3 and later.) You can configure the advanced logging service (ALS) connector, and then on-premises Analytics clusters can reference the connector for various log types. See Configure the Versa Advanced Logging Service.
  • Analytics alarm settings enhancements—(For Releases 21.2.2 and later.) Versa Analytics includes new alarm types and overrides for default severity settings per alarm type. These settings allow you to:
    • Enable parameters for new alarms for CPU utilization, memory utilization, disk utilization and Versa Analytics driver stuck.
    • Configure the severity for set and clear alarms.
    • Configure overrides for threshold alarms for low-threshold and high-threshold severity alarms.

      2021-09-11_14-27-02.png
  • Analytics cluster redundancy—You can configure Analytics cluster redundancy. There are two redundancy options: active-backup mode and active-active mode.

    In active-backup mode, the secondary (backup) cluster is used only when the primary cluster goes down. The application delivery controller (ADC) load balancer on the Controllers steers the log connections to the secondary cluster during a data center failure. When the primary data center comes back up, the ADC switches the connections back to the primary cluster. The secondary cluster may have collected data for the duration of the failure. The secondary cluster may run the database or just perform the log collection function. You can use cron scripts on the secondary cluster to ship logs back to the primary cluster when it comes back up.

    The following components are involved in managing active-backup Analytics clusters:

    • Director—Director has two connectors: one pointing to the primary cluster and another pointing to the secondary cluster. Director can access Analytics data by switching to the primary or secondary cluster IP address.

    • Controllers—The application delivery controllers (ADC) running on the primary and backup Controllers have one virtual IP address (VIP) pointing to two pools: a primary and a backup. The primary pool contains servers of the primary data center and the backup pool contains servers of the secondary data center. See Configure an Application Delivery Controller.

    • Branches—Branches are configured with LEF collector groups containing LEF collectors using the VIPs of the primary and backup Controllers as their destination IP address and port.

    Analytics_cluster1_900px.png

    A configuration example for Controller1 is shown below.
admin@SDWAN-Controller1-cli(config-adc)% show
lb {
    servers {
        LEF-Collector-Analytics-1 {
            type             any;
            ip-address       192.168.95.2;
            port             1234;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
        LEF-Collector-Analytics-2 {
            type             any;
            ip-address       192.168.95.3;
            port             1234;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
        LEF-Collector-Analytics-3 {
            type             any;
            ip-address       192.168.96.2;
            port             1234;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
        LEF-Collector-Analytics-4 {
            type             any;
            ip-address       192.168.96.3;
            port             1234;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
    }
    server-pools {
        VAN-Primary-Pool {
            type any;
            member LEF-Collector-Analytics-1;
            member LEF-Collector-Analytics-2;
        }
        VAN-Secondary-Pool {
            type any;
            member LEF-Collector-Analytics-3;
            member LEF-Collector-Analytics-4;
        }
    }
    virtual-services {
        VAN-VIP {
            type             any;
            address          10.0.0.0;
            port             1234;
            default-pool     VAN-Primary-Pool;
            default-backup-pool VAN-Secondary-Pool;
            fallback-to-active enabled;
            routing-instance provider-org-Control-VR;
        }
    }
}

A similar configuration is done on Controller2.

A configuration example for Tenant1 on a branch VOS device is shown below.

[edit orgs org-service Tenant1 lef]
collectors {
    collector LEF-Collector-log_collector1 {
        destination-address 10.0.0.0; -> Controller1 VIP
        destination-port    1234;
        routing-instance    provider-org-Control-VR;
        transport           tcp;
        template            Default-LEF-Template;
    }
    collector LEF-Collector-log_collector2 {
        destination-address 10.0.0.4; -> Controller2 VIP
        destination-port    1234;
        routing-instance    provider-org-Control-VR;
        transport           tcp;
        template            Default-LEF-Template;
    }
}
collector-groups {
    collector-group Default-Collector-Group {
        collectors [ LEF-Collector-log_collector1 LEF-Collector-log_collector2 ];
    }
}
profiles {
    profile Default-Logging-Profile {
        collector-group-list [ Default-Collector-Group ];
    }
}
default-profile Default-Logging-Profile;

In active-active mode, both the primary and secondary clusters receive log data from VOS devices. The ADCs on the Controllers have separate VIPs for the primary and secondary clusters, and no backup pool is configured on the VIPs. Under normal conditions, both clusters hold the same data. During a failure, the cluster that is down may not have the data for the period of the failure, and data is not synced between the clusters, so you may need to connect to both clusters to compare the data for failure scenarios.

The following components are involved in managing active-active clusters:

  • Director—Director has two connectors: one pointing to the primary cluster and another pointing to the secondary cluster. Director can access Analytics data by switching to the primary or secondary cluster IP address.
  • Controllers—The ADC running on each Controller has two VIPs using only primary pools. The first VIP on each Controller points to servers in the primary cluster and the second VIP on each Controller points to servers in the secondary cluster.
  • Branches—Branches are configured with two LEF collector-groups. One collector-group contains log collectors with the VIPs of primary and backup Controller pointing to the primary cluster as destination IP and port. The other collector-group contains collectors with the VIPs of primary and backup Controller pointing to the secondary cluster as destination IP and port. A collector group list containing both collector groups is configured under the LEF profile.

Analytics_cluster2_900px.png

A configuration example for Controller1 is shown below.

admin@SDWAN-Controller1-cli(config-adc)% show
lb {
    servers {
        LEF-Collector-Analytics-1 {
            type             any;
            ip-address       192.168.95.2;
            port             1235;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
        LEF-Collector-Analytics-2 {
            type             any;
            ip-address       192.168.95.3;
            port             1235;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
        LEF-Collector-Analytics-3 {
            type             any;
            ip-address       192.168.96.2;
            port             1236;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
        LEF-Collector-Analytics-4 {
            type             any;
            ip-address       192.168.96.3;
            port             1236;
            state            enabled;
            routing-instance provider-org-Control-VR;
        }
    }
    server-pools {
        VAN-Primary-Pool {
            type any;
            member LEF-Collector-Analytics-1;
            member LEF-Collector-Analytics-2;
        }
        VAN-Secondary-Pool {
            type any;
            member LEF-Collector-Analytics-3;
            member LEF-Collector-Analytics-4;
        }
    }
    virtual-services {
        VAN-Primary-VIP {
            type             any;
            address          10.0.0.0;
            port             1235;
            default-pool     VAN-Primary-Pool;
            routing-instance provider-org-Control-VR;
        }
        VAN-Secondary-VIP {
            type             any;
            address          10.0.0.0;
            port             1236;
            default-pool     VAN-Secondary-Pool;
            routing-instance provider-org-Control-VR;
        }
    }
}

A similar configuration is done on Controller2.

A configuration example for Tenant1 on a branch VOS device is shown below.

[edit orgs org-service Tenant1 lef]
collectors {
    collector LEF-Collector-log_collector1 {
        destination-address 10.0.0.0; -> Controller1 VIP
        destination-port    1235;
        routing-instance    provider-org-Control-VR;
        transport           tcp;
        template            Default-LEF-Template;
    }
    collector LEF-Collector-log_collector2 {
        destination-address 10.0.0.4; -> Controller2 VIP
        destination-port    1235;
        routing-instance    provider-org-Control-VR;
        transport           tcp;
        template            Default-LEF-Template;
    }
    collector LEF-Collector-log_collector3 {
        destination-address 10.0.0.0; -> Controller1 VIP
        destination-port    1236;
        routing-instance    provider-org-Control-VR;
        transport           tcp;
        template            Default-LEF-Template;
    }
    collector LEF-Collector-log_collector4 {
        destination-address 10.0.0.4; -> Controller2 VIP
        destination-port    1236;
        routing-instance    provider-org-Control-VR;
        transport           tcp;
        template            Default-LEF-Template;
    }
}
collector-groups {
    collector-group Primary-Collector-Group {
        collectors [ LEF-Collector-log_collector1 LEF-Collector-log_collector2 ];
    }
    collector-group Secondary-Collector-Group {
        collectors [ LEF-Collector-log_collector3 LEF-Collector-log_collector4 ];
    }
}
profiles {
    profile Default-Logging-Profile {
        collector-group-list [ Primary-Collector-Group Secondary-Collector-Group ];
    }
}
default-profile Default-Logging-Profile;
  • Analytics log collector nodes accept newer IPFIX template version—In releases prior to Release 21.2.1, Analytics log collector nodes process IPFIX logs only if they are received with a template version less than or equal to its known value. In Releases 21.2.1 and later, Analytics log collector nodes can accept logs from VOS devices running newer versions of the IPFIX template.

    By default, new log types sent by branches are dropped and log types recognized by Analytics nodes are accepted and parsed. You can change the default behavior from the CLI. If you disable the default values, all logs with a higher IPFIX template version are dropped. To disable the default values:
versa@versa-analytics% show log-collector-exporter settings template
backward-compatible-only false;

You can check the value using vty commands:

LCED-DBG> show lced globals
LEF Template Version: 97
Kafka Version : 0.11.4-2-g13befa-dirty
LEF template version check relaxed - false
  • Analytics platform alarms—Analytics platform alarms provide real-time status about services and activities that require attention. These alarms are logged locally on the hosts, and they can also be streamed to third-party remote collectors, including Director nodes. See Configure Analytics Device Alarms.
  • Analytics Secure Access > Users dashboard displays top user count by appliance, continent, city, and country—(For Releases 21.2.2 and later.) You can display the top VOS devices, continents, cities, and countries by user count.

    In Director view, select Analytics > Dashboards > Secure Access > Users > Summary to display the following:

    2021-09-11_14-30-30.png

    Drill down to display the users for each category:

    2021-09-11_14-28-44.png
     
  • Analytics System dashboard displays search log activity—(For Releases 21.2.2 and later.) You can display the number of search logs per type, tenant, and appliance.

    Select Analytics > Dashboards > System > Search to display the following.

    2021-09-11_14-32-36.png

  • Application reports for SD-WAN and DIA traffic—(For Releases 21.2.2 and later.) You can generate application usage reports for traffic sent on an SD-WAN or DIA interface as follows:

    2021-09-11_14-33-58.png
     
  • Custom date and time selection widget—(For Releases 21.2.2 and later.) A new widget for custom date and time selection has been added for dashboard and reporting screens. This widget allows you to specify a custom relative date and time range in addition to an absolute date and time range.

    For example, in Director view, select Analytics > Dashboards > SD-WAN. The following screen displays:

    2021-09-11_15-34-24.png

    In the main pane, select Custom Range from the second drop-down menu. The Select Custom Data/Time Range window displays:

    2021-09-11_14-36-05.png
  • Data plane availability report—The data plane availability report shows whether a branch has connectivity to any other remote branches other than Controller nodes. To display the data plane availability charts, select the Availability tab of a site, as shown below. A new service uptime report shows how long the device. You can use the information in this report to determine whether there were any local issues, such as service restarts and device reboots.

    Dataplane1.png
    Dataplane2.png

    To display information about SD-WAN health metrics over time, drill down from the data plane statistics grid:

    Dataplane3.png

    Information about the number of seconds for which all remote sites are down, together with other SD-WAN path and site statistics, is sent in an sdwanHealthLog. This log is sent to the Analytics node every 5 minutes. An example of an sdwanHealthLog is shown below.
2021-01-18T23:05:14+0000 sdwanHealthLog, applianceName=SDWAN-Controller2, tenantName=CVS, 
generateTime=1611011100, tenantId=7, applianceId=0, vsnId=0, duration=300000, pathsUp=0, 
pathsDown=0, pathsNoConf=0, rmtSitesUp=0, rmtSitesDown=0, allRmtSitesDown=0, allRmtSitesDownTime=0, 
svcUptime=329778, allLclCktDown=0 
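    As an added example (not from the release notes or Versa's software), the following Python parser reads sdwanHealthLog records, computes per-interval data plane availability from allRmtSitesDownTime, and flags service restarts or reboots by watching svcUptime decrease between consecutive records of the same appliance. It assumes duration is in milliseconds and allRmtSitesDownTime and svcUptime are in seconds; the sample records are constructed and written one per line.

```python
import re

# Constructed sample (not from the release notes): three consecutive 5-minute
# sdwanHealthLog records for one branch, plus one unrelated log line. The
# second record shows all remote sites down for 120 s; the third shows
# svcUptime dropping to 45 s, the signature of a service restart or reboot.
SAMPLE_LOGS = """\
2021-01-18T23:05:14+0000 sdwanHealthLog, applianceName=Branch1, tenantName=CVS, generateTime=1611011100, tenantId=7, applianceId=3, vsnId=0, duration=300000, pathsUp=4, pathsDown=0, pathsNoConf=0, rmtSitesUp=2, rmtSitesDown=0, allRmtSitesDown=0, allRmtSitesDownTime=0, svcUptime=329778, allLclCktDown=0
2021-01-18T23:10:14+0000 sdwanHealthLog, applianceName=Branch1, tenantName=CVS, generateTime=1611011400, tenantId=7, applianceId=3, vsnId=0, duration=300000, pathsUp=0, pathsDown=4, pathsNoConf=0, rmtSitesUp=0, rmtSitesDown=2, allRmtSitesDown=1, allRmtSitesDownTime=120, svcUptime=330078, allLclCktDown=1
2021-01-18T23:15:14+0000 sdwanHealthLog, applianceName=Branch1, tenantName=CVS, generateTime=1611011700, tenantId=7, applianceId=3, vsnId=0, duration=300000, pathsUp=4, pathsDown=0, pathsNoConf=0, rmtSitesUp=2, rmtSitesDown=0, allRmtSitesDown=0, allRmtSitesDownTime=0, svcUptime=45, allLclCktDown=0
2021-01-18T23:15:20+0000 accessLog, applianceName=Branch1, tenantName=CVS, generateTime=1611011720
"""

# Record layout: "<timestamp> <logType>, key=value, key=value, ..."
RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<type>\w+),\s*(?P<fields>.*)$")


def parse_record(line):
    """Parse one log line into a dict; lines that are not sdwanHealthLog
    records return None. Integer-looking values are converted to int."""
    m = RECORD_RE.match(line.strip())
    if not m or m.group("type") != "sdwanHealthLog":
        return None
    rec = {"timestamp": m.group("ts")}
    for pair in m.group("fields").split(","):
        key, sep, value = pair.strip().partition("=")
        if not sep:
            continue
        rec[key] = int(value) if value.lstrip("-").isdigit() else value
    return rec


def load_records(text):
    """Parse every sdwanHealthLog line in a blob of collector output."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def interval_availability(rec):
    """Fraction of the reporting interval during which at least one remote
    site was reachable. Assumption: duration is in milliseconds (300000
    matches the 5-minute cadence) and allRmtSitesDownTime is in seconds, as
    the notes describe it. Returns None for an empty interval."""
    interval_s = rec["duration"] / 1000
    if interval_s <= 0:
        return None
    down_s = min(rec["allRmtSitesDownTime"], interval_s)
    return 1.0 - down_s / interval_s


def find_service_restarts(records):
    """Return (applianceName, generateTime) for each record whose svcUptime is
    lower than the previous record's for the same appliance: uptime can only
    shrink if the service restarted or the device rebooted."""
    last_uptime = {}
    restarts = []
    for rec in sorted(records, key=lambda r: (r["applianceName"], r["generateTime"])):
        name = rec["applianceName"]
        if name in last_uptime and rec["svcUptime"] < last_uptime[name]:
            restarts.append((name, rec["generateTime"]))
        last_uptime[name] = rec["svcUptime"]
    return restarts


def summarize(text):
    """Per-appliance data plane availability summary plus restart events."""
    records = load_records(text)
    summary = {}
    for rec in records:
        s = summary.setdefault(rec["applianceName"],
                               {"intervals": 0, "down_s": 0, "min_availability": 1.0})
        s["intervals"] += 1
        s["down_s"] += rec["allRmtSitesDownTime"]
        avail = interval_availability(rec)
        if avail is not None:
            s["min_availability"] = min(s["min_availability"], avail)
    return {"appliances": summary, "restarts": find_service_restarts(records)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOGS))
```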
  • Last month time selector—In the day/time selector, you can choose the last month. The last month is the previous calendar month. For example, if today is February 15, the last month report provides data for January, from January 1 through 31.

    Last-month-time-selector225pix.png
  • Local collectors for allowed tenants—(For Releases 21.2.3 and later.) You can configure local collectors on Analytics nodes to accept logs only from specified tenants to ensure that only logs from these tenants are parsed and processed by the collector.

    Release_notes_21.2.3_Local_Collector_Tenant_List.png
     
  • Local collectors for syslog over TLS—(For Releases 21.2.3 and later.) You can configure local collectors on Analytics nodes to receive logs that are in syslog format over TLS transport with the following configuration. When you select TLS transport, you must specify the path to certificates in the TLS Attributes group of fields.

    Release_notes_21.2.3_Local_Collector_Syslog_over_TLS.png
     
  • LEF collector group list—Log export functionality (LEF) on VOS devices is used to send service-specific logs, such as SD-WAN, CGNAT, security, and system logs, to a destination collector. These services refer to a LEF profile, which points to a destination collector or a collector group. A LEF collector group is a container for one or more collectors that are in active-backup mode. Logs are sent to one of the active collectors in the collector group. In Release 21.2.1, you can send logs to multiple destination collectors for high availability or for serving different applications by configuring a collector group list. A LEF profile can refer to a collector, collector group, or collector group list. A collector group list is a list of collector groups. Logs are sent to the active collector of each of the collector groups in the list.

    For example, the following configuration creates a collector group list containing Collector-Group1 and Collector-Group2:
[edit orgs org-services Tenant1 lef]
profiles {
    profile Default-Logging-Profile {
        collector-group-list [ Collector-Group1 Collector-Group2 ];
    }
}
  • Log archive management—After logs are processed on Analytics log collector nodes, the logs are compressed and stored in gzip files in the Analytics archive directory on the node on which they were received. You can restore or delete archived logs from the Director node. You can view the dates of the oldest and newest log archive file and the number of log archive files.

    To view, restore, and delete log files, go to the Analytics > Administration > Maintenance > Log Archives screen.

    Archived_log_management.png

    Select Delete Archive Logs to free disk space on log collector nodes by deleting archived files for a specific tenant or VOS device and time range.

    Select Restore Archive Logs to extract the archived files for a specific tenant or VOS device and time range into a destination directory. If the destination directory is /var/tmp/log, the data is returned to the database.

    Select View Archive Log Details to determine the number of archived files and the filenames of the oldest and newest files for a tenant or VOS device and for a log collector.

  • Log export from Analytics reporting tool—In the Analytics reporting tool, after you generate a report containing logs, you can export the logs to a compressed file from the GUI.

    For any report type containing logs, choose the number of rows and then click Add. An Export icon displays. Click it to trigger the backend to export the data to a file, compress it, and then make it available for download. The process may take a few minutes, depending on the amount of data downloaded.

    For example, to generate a report containing traffic logs in Versa Director:

    Export_logs1.png

    A progress bar displays in place of the Export icon while the logs are exported. This changes to a Download icon once the export is complete. For example:

    Export_logs2.png

    Click the download button to download a tar.gz file to your local system. You can uncompress and extract the file using any file extraction tool.

    After you generate a report, you can access the exported files under Analytics > Reporting > Manage > Exported Reports. For example:

    Export_logs3.png
  • Log collector connection eviction optimizations—The Analytics local log collector processes the logs received from client connections. By default, each local collector has a maximum connection limit set to 512. When this limit is reached, the log collector stops accepting new connections. You can increase the maximum number of connections. However, doing so can overload the log collector node, especially if all the connections are carrying active data.

    To handle more connections, you add more log collectors. For example, 1024 tenants/appliances may need 2048 connections (for active-backup mode) or four log collectors to handle the processing. You can reduce the number of connections by enabling the suspend backup collector option in the collector groups on customer premises equipment (CPE). If you enable this option, only one connection is enabled during steady-state conditions. However, during some failure conditions, there may be multiple connections from the same CPE.

    Release 21.2.1 introduces connection eviction on Analytics log collector nodes. Connection eviction closes unused connections so that the Analytics log collector node can make space for active connections from CPEs. Normally, there can be multiple connections from the same CPE; however, logs are sent on only one of them. When connection eviction is enabled and the maximum connection limit is reached, connections may be closed. Connection eviction is done as follows:

    • If the number of connections from a tenant/appliance is greater than 1, evict the least used connection.
    • If there is only one connection from a tenant/appliance and the connection has been idle for more than 10 minutes, evict the connection.

You can configure connection eviction as follows:

versa@SDWAN-Versa-Analytics% show
collector1 {
    address             192.168.95.2;
    port                1234;
    max-connections     56;
    # By default eviction is turned on
+    connection-eviction true;
    storage {
        directory                /var/tmp/log;
        format                   syslog;
    }
}

You can use VTY commands to check eviction. A new table maps each tenant/appliance to its connection list.

LCED-DBG> show lced connections local
  Local Collector   : collector1(0)
Tenant:              Tenant1  Appliance:        SDWAN-Branch3  Count:  1 FD List: 34
Tenant:         provider-org  Appliance:        SDWAN-Branch1  Count:  1 FD List: 38
Tenant:         provider-org  Appliance:        SDWAN-Branch4  Count:  1 FD List: 60
Tenant:              Tenant6  Appliance:        SDWAN-Branch4  Count:  1 FD List: 53
Tenant:              Tenant7  Appliance:        SDWAN-Branch1  Count:  1 FD List: 36
Tenant:             Tenant10  Appliance:        SDWAN-Branch2  Count:  1 FD List: 43
Tenant:              Tenant1  Appliance:        SDWAN-Branch2  Count:  2 FD List: 46 146
Tenant:              Tenant6  Appliance:        SDWAN-Branch1  Count:  1 FD List: 37
Tenant:              Tenant7  Appliance:        SDWAN-Branch4  Count:  1 FD List: 61
:
:
CPEs : 33  Conns: 34  CPEsWithRedConn: 1 

To check connection evictions:

LCED-DBG> show lced stats | grep -i evict
    Evict Unused Connection Events : 26
    Evict Unused Connection Count : 24
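
The two eviction rules above, as an added model that is not Versa's own code: a collector with max-connections and connection-eviction enabled applies rule 1 (least used of several connections from one CPE) and rule 2 (a lone connection idle for more than 10 minutes) only once the limit is reached, and keeps counters like the ones in the show lced stats output. Using the number of logs received as the "least used" measure, and the scenario in demo(), are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

IDLE_LIMIT_SECONDS = 10 * 60  # rule 2: a lone connection idle for more than 10 minutes is evicted


@dataclass
class Connection:
    fd: int                 # socket descriptor, as listed under "FD List"
    tenant: str
    appliance: str
    last_activity: float    # epoch seconds of the last log received on this connection
    logs_received: int = 0  # usage measure for picking the least used connection (assumed)


class LocalCollector:
    def __init__(self, name: str, max_connections: int, connection_eviction: bool = True):
        self.name = name
        self.max_connections = max_connections
        self.connection_eviction = connection_eviction
        self.connections: dict[int, Connection] = {}
        # Counters in the spirit of "Evict Unused Connection Events/Count"
        self.evict_events = 0
        self.evict_count = 0

    def by_cpe(self) -> dict[tuple[str, str], list[Connection]]:
        """The tenant/appliance -> connection list table used for eviction."""
        groups: dict[tuple[str, str], list[Connection]] = defaultdict(list)
        for conn in self.connections.values():
            groups[(conn.tenant, conn.appliance)].append(conn)
        return groups

    def evict(self, now: float) -> list[int]:
        """Apply both rules once and return the fds that were closed."""
        victims: list[int] = []
        for conns in self.by_cpe().values():
            if len(conns) > 1:
                # Rule 1: redundant connections from one CPE; drop the least used one.
                least_used = min(conns, key=lambda c: (c.logs_received, c.last_activity))
                victims.append(least_used.fd)
            elif now - conns[0].last_activity > IDLE_LIMIT_SECONDS:
                # Rule 2: the CPE's only connection has gone idle.
                victims.append(conns[0].fd)
        for fd in victims:
            del self.connections[fd]
        if victims:
            self.evict_events += 1
            self.evict_count += len(victims)
        return victims

    def accept(self, conn: Connection, now: float) -> bool:
        """Accept a client connection, evicting only when the limit has been reached."""
        if len(self.connections) >= self.max_connections:
            if not self.connection_eviction or not self.evict(now):
                return False  # limit reached and nothing reclaimable: connection refused
        self.connections[conn.fd] = conn
        return True

    def summary(self) -> tuple[int, int, int]:
        """(CPEs, Conns, CPEsWithRedConn), like the last line of show lced connections local."""
        groups = self.by_cpe()
        redundant = sum(1 for conns in groups.values() if len(conns) > 1)
        return len(groups), len(self.connections), redundant


def demo() -> tuple[tuple[int, int, int], bool, list[int], int, int]:
    """Constructed scenario: four connections fill a collector with max-connections 4,
    then a fifth CPE connects."""
    now = 1_000_000.0
    col = LocalCollector("collector1", max_connections=4)
    col.accept(Connection(34, "Tenant1", "SDWAN-Branch3", now - 10, logs_received=5), now)
    col.accept(Connection(46, "Tenant1", "SDWAN-Branch2", now - 5, logs_received=40), now)
    # Second, unused connection from the same CPE (the "Count: 2" case in the VTY output)
    col.accept(Connection(146, "Tenant1", "SDWAN-Branch2", now - 100, logs_received=0), now)
    # Lone connection that has been idle for more than 10 minutes
    col.accept(Connection(38, "provider-org", "SDWAN-Branch1", now - 700, logs_received=3), now)
    before = col.summary()  # 3 CPEs, 4 connections, 1 CPE with a redundant connection
    accepted = col.accept(Connection(70, "Tenant7", "SDWAN-Branch1", now), now)
    return before, accepted, sorted(col.connections), col.evict_events, col.evict_count
```
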
  • Rule statistics support for DIA traffic—(For Releases 21.2.2 and later, and for Releases 21.1.3 and later.) You can display DIA rule statistics as shown in the following screenshots. In earlier releases, the rule statistics on the SD-WAN site dashboard showed utilization only for traffic sent on the SD-WAN overlay.

    2021-09-11_14-22-10.png

    2021-09-11_14-23-28.png
  • SD-WAN application report enhancements—The traffic type and forwarding class are new fields in logs sent from VOS devices running Releases 21.2.1 and later. The SD-WAN application drilldown displays usage per traffic type and forwarding class as shown below. Traffic type can be SD-WAN or DIA. Forwarding class can be one of the 16 forwarding classes, for example: fc_ef, fc_be, fc_nc, or fc_af.

    For example, from the Analytics > Dashboard > SD-WAN > Sites screen, select SDWAN-Branch4 from the drop-down. Click the Applications tab and then click the linkedin application on the Top Applications by Bandwidth graph.

    sdwan_app_report2.png

    The logs corresponding to these reports are as follows:

2021-03-05T00:57:12+0000 monStatsLog, applianceName=SDWAN-Branch4, tenantName=Tenant1, 
mstatsTimeBlock=1614906000, tenantId=2, vsnId=0, mstatsTotSentOctets=535, 
mstatsTotRecvdOctets=1074, mstatsTotSessDuration=300000, mstatsTotSessCount=1, 
mstatsType=sdwan-acc-ckt-app-stats, appId=github, site=SDWAN-Branch4, accCkt=WAN3, 
siteId=106, accCktId=3, user=172.16.11.110, networkPrefix= , traffType=SDWAN, fc=fc_be, 
risk=2, productivity=3, family=general-internet, subFamily=web, bzTag=Business
  • SD-WAN site tag enhancements—SD-WAN reports allow you to filter based on site tags to get reports for a subset of sites for a tenant. The same concept extends to generating reports for sites with matching tags.

    Site_tag3.png
  • Secure access report enhancements—The secure access report under Analytics > Dashboard > Secure Access > Users > Registry provides details of the number of registered users per gateway, client OS, client OS version, client version, and location, as shown below.

    Secure_access1.png

    The logs corresponding to these reports are as follows:
2021-02-23T20:01:46+0000 secAccUserRegEventLog, applianceName=HE-DC-Branch-1, 
tenantName=Corp-Inline-Customer-1, vsnId=0, applianceId=1, tenantId=1, userName=abc@versa-networks.com, 
latitude=9.5869, longitude=76.5213, os=macos, osVersion=11.2.1, secAccClientVersion=7.2.1
  • Statistics rollup—The Analytics platform receives large volumes of data every 5 minutes from VOS devices. Reports with source IP and destination IP addresses typically take up large amounts of storage and computing resources. You can configure VOS devices to send only the top-N of these types of reports to reduce the number of records sent and processed. However, there can still be a large number of unique records over an hour or a day.

    Statistics rollup provides a mechanism to reduce the volume of stored data by performing aggregation and computing the top-N for the hour and day. Releases 21.2.1 and later support rollup for firewall source and destination statistics reports. Migration cron jobs run automatically on the Analytics nodes to migrate existing data to the new rollup tables.

    Note that after you upgrade to Release 21.2.1 or later, you may not be able to display historical firewall source and destination statistics reports until the migration task is complete. This may take a few hours to a few days, depending on the size of the existing tables.
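
The hourly and daily top-N aggregation described above, as an added example that is not Versa's rollup implementation: 5-minute records are bucketed by their mstatsTimeBlock epoch value, octets are summed per tenant, bucket and key, and only the top-N keys per bucket are kept. The record layout and the sample rows are constructed for the illustration.

```python
from collections import defaultdict

HOUR = 3600
DAY = 24 * HOUR

# Constructed 5-minute firewall source records: (tenant, mstatsTimeBlock, srcIp, octets)
SAMPLE_RECORDS = [
    ("Tenant1", 1614906000, "10.0.0.1", 500),
    ("Tenant1", 1614906300, "10.0.0.1", 700),
    ("Tenant1", 1614906300, "10.0.0.2", 900),
    ("Tenant1", 1614906600, "10.0.0.3", 100),
    ("Tenant1", 1614909600, "10.0.0.3", 5000),  # falls in the next hour
    ("Tenant2", 1614906000, "10.0.0.1", 50),
]


def rollup(records, bucket_seconds, top_n):
    """Sum octets per (tenant, bucket, key) and keep the top_n keys per (tenant, bucket).

    Returns {(tenant, bucket_start_epoch): [(key, octets), ...]}, octets descending,
    with ties broken by key so the output is deterministic.
    """
    totals = defaultdict(int)
    for tenant, time_block, key, octets in records:
        bucket = time_block - time_block % bucket_seconds  # align to hour or day start
        totals[(tenant, bucket, key)] += octets
    per_bucket = defaultdict(list)
    for (tenant, bucket, key), octets in totals.items():
        per_bucket[(tenant, bucket)].append((key, octets))
    return {
        group: sorted(entries, key=lambda e: (-e[1], e[0]))[:top_n]
        for group, entries in per_bucket.items()
    }


def row_count(rolled):
    """Number of stored rows after rollup, to compare with len(records) before it."""
    return sum(len(entries) for entries in rolled.values())
```
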

  • Synchronized charts for path status—A new synchronized chart option displays multiple time-series charts for SD-WAN path status for charts containing the same zoom level and time range. This helps in visualizing various metrics of the paths at the same time.

    To view a synchronized chart, choose a From site and a To site under the Analytics > Dashboards > SD-WAN > Paths > Usage tab, as shown below. Metrics for all paths between the branches are displayed.

    Sync_chart.png

  • Syslog priority values in remote templates—(For Releases 21.2.3 and later.) For remote templates, you can configure a syslog priority value. For a remote template that logs to third-party collectors, set the priority type value as follows:

    Release_notes_21.2.3_Remote_Template_syslog_priority.png

  • System anomalies report—You can display VOS device anomalies under Analytics > Dashboard > System > Appliance Anomalies. The appliance anomalies are:
    • CPU load exceeded
    • Memory load exceeded
    • Packet buffer depletion (running out of mbufs)
    • Session load exceeded
    • Service load exceeded
    • Worker thread busy (LCORE detection)

    Anomalies1.png

    Drill down to display charts showing each of the anomalies over time.

    Anomalies2.png

    The log corresponding to these reports is as follows:

2021-03-03T17:55:03+0000 systemHealthLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Provider, 
generateTime=1614794100, duration=300000, applianceId=0, vsnId=0, tenantId=2, numLcoreInactivity=0, 
numMbufDepletions=0, numSvcLoadExceeded=16, numSessLoadExceeded=0, numCpuLoadExceeded=0, 
numMemLoadExceeded=0

    A system health log is exported from each appliance every 5 minutes to Analytics. These logs are exported in the provider organization (appliance owner) context on multitenant branches.
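
A parser for the log line format shown in these release notes (timestamp, log type, then comma-separated key=value fields), as an added example that is not Versa's own code. It is run over the page's own monStatsLog and systemHealthLog samples, re-joined onto one line each, and maps the systemHealthLog counters to the anomaly names listed above; that counter-to-name mapping is an assumption based on the field names.

```python
MON_STATS_SAMPLE = (
    "2021-03-05T00:57:12+0000 monStatsLog, applianceName=SDWAN-Branch4, tenantName=Tenant1, "
    "mstatsTimeBlock=1614906000, tenantId=2, vsnId=0, mstatsTotSentOctets=535, "
    "mstatsTotRecvdOctets=1074, mstatsTotSessDuration=300000, mstatsTotSessCount=1, "
    "mstatsType=sdwan-acc-ckt-app-stats, appId=github, site=SDWAN-Branch4, accCkt=WAN3, "
    "siteId=106, accCktId=3, user=172.16.11.110, networkPrefix= , traffType=SDWAN, fc=fc_be, "
    "risk=2, productivity=3, family=general-internet, subFamily=web, bzTag=Business"
)

SYSTEM_HEALTH_SAMPLE = (
    "2021-03-03T17:55:03+0000 systemHealthLog, applianceName=HE-DC-Branch-1, "
    "tenantName=Corp-Inline-Provider, generateTime=1614794100, duration=300000, applianceId=0, "
    "vsnId=0, tenantId=2, numLcoreInactivity=0, numMbufDepletions=0, numSvcLoadExceeded=16, "
    "numSessLoadExceeded=0, numCpuLoadExceeded=0, numMemLoadExceeded=0"
)

# systemHealthLog counter -> anomaly name on the Appliance Anomalies dashboard (assumed mapping)
ANOMALY_COUNTERS = {
    "numCpuLoadExceeded": "CPU load exceeded",
    "numMemLoadExceeded": "Memory load exceeded",
    "numMbufDepletions": "Packet buffer depletion",
    "numSessLoadExceeded": "Session load exceeded",
    "numSvcLoadExceeded": "Service load exceeded",
    "numLcoreInactivity": "Worker thread busy",
}


def parse_versa_log(line: str) -> dict[str, str]:
    """Return the key=value fields of one log line plus _timestamp and _log_type.

    An empty value such as "networkPrefix= " becomes "" instead of breaking the parse.
    """
    timestamp, _, rest = line.strip().partition(" ")
    fields = rest.split(", ")
    if not fields or "=" in fields[0]:
        raise ValueError("missing log type after timestamp: %r" % line[:40])
    record = {"_timestamp": timestamp, "_log_type": fields[0].strip()}
    for field in fields[1:]:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % field)
        record[key.strip()] = value.strip()
    return record


def health_anomalies(record: dict[str, str]) -> dict[str, int]:
    """Non-zero anomaly counters of a systemHealthLog record, keyed by anomaly name."""
    if record.get("_log_type") != "systemHealthLog":
        raise ValueError("not a systemHealthLog record")
    found: dict[str, int] = {}
    for counter, name in ANOMALY_COUNTERS.items():
        count = int(record.get(counter, "0"))
        if count > 0:
            found[name] = count
    return found
```
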

  • Tenant usage reports—(For Releases 21.2.3 and later.) At the tenant level, you can aggregate the statistics of individual appliances for a number of reports. Analytics provides report templates for the Tenant Usage for SD-WAN and Tenant Usage for DIA report types.

    Release_notes_21.2.3_Tenant_Usage_Reports.png

  • Threshold-based reporting—In releases prior to Release 21.2, the Analytics reporting tool provides metrics as summaries, time series, and tables. In Releases 21.2.1 and later, you can filter based on conditions that you set per report type. Examples include usage reports for bandwidth that exceeds a threshold, sites or links with low availability, and sites whose violations exceed a limit. The following screen displays an example of SD-WAN access circuit usage across all sites of a tenant with session count exceeding a certain value:

    Threshold_based_reporting1.png

    The following screen displays an example of a conditional report for sites with low availability:

    Threshold_based_reporting2.png

  • TWAMP reports—The Two-Way Active Measurement Protocol, defined in RFC 5357, is used to measure metrics such as delay, delay variation, and loss between two IP endpoints that support the TWAMP sender and receiver functionality. The metrics are exported to Analytics nodes. The Analytics > Dashboard > System > Measurements screen displays the TWAMP metrics per IP session for a tenant or VOS device.

    System_Measurements.png

    The following metrics are collected:

    • Received and transmitted packets
    • Received and transmitted packet errors
    • Two-way delay, forward delay, and reverse delay
    • Two-way delay variation, forward delay variation, and reverse delay variation

    Drill down to display metrics over time:

    Measurements_drilldown1.png

    Measurements_drilldown2.png
    Measurements_drilldown3.png

    The logs corresponding to these reports are as follows:

2021-03-03T16:22:53+0000 twampSenderSessLog, applianceName=Branch1, tenantName=ServiceProvider, 
twampSrc=70.0.1.2:50000, twampDst=70.0.2.2:50000, twampVRF=ISP-A-Transport-VR, twampDSCP=32, tenantId=6, 
vsnId=0, applianceId=1, twampPktSz=false|27, twampNumPkts=100000, twampNumPktLoss=0, twampNumTx=6488, 
twampNumRx=6488, twampNumTxErr=0, twampNumRxErr=1, twampFwdDelay=2307|17|80952, twampRevDelay=2390|376|31616, 
twamp2WayDelay=4699|417|92210, twampFwdDelayVar=2270|0|80914, twampRevDelayVar=2009|0|31240, 
twamp2WayDelayVar=4269|0|91793, twampStartTime=1614735029, twampEndTime=1614788573
  • WiFi statistics—You can find WiFi reports under Analytics > Dashboard > System > Interfaces. For a multitenant device, these reports are part of the provider organization (appliance owner organization). The main dashboard of the WiFi Interfaces tab displays the devices and the connected clients for the specified time range.

    WiFi1.png

    To display information about all the clients connected to the VOS device, drill down on the VOS device:

    WiFi2.png

    To display information about client traffic usage and signal strength, drill down on a client in the grid:

    WiFi3.png
    WiFi4.png

    The logs corresponding to these reports are as follows:

2021-03-04T00:05:11+0000 wifiClientStatsLog, applianceName=CSG355-Qual, tenantName=Provider-Org, 
generateTime=1614816300, tenantId=2, vsnId=0, applianceId=0, interfaceName=vni-0/201, 
macAddr=9e:23:65:d5:0b:69, ipAddr=192.168.101.4, hostname=iPhone, ssid=Adv-5G2, band=2.437 GHz, 
recvdOctets=268001, sentOctets=20430475, duration=300000, uptime=299, rssi=-34, snr=6

Fixed Bugs

The following are the critical and major defects fixed in Release 21.2.

Fixed Bugs in Release 21.2.1

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, in Release 20.2.3, and in Release 21.1.2 are available in Release 21.2.1.

Bug ID Summary

55976 Application crash caused by expensive queries and heap exhaustion. This issue has been fixed. Now, the maximum limit for a query is set to 200,000 records.
57948 Fix to secure access map icon when clustering is required.
58311 The versa-lced process may not start on Bionic systems when versa-confd does not fully start. This issue has been fixed.
58314 PDF file generated from data tables may not display all columns because of a space issue. This issue has been fixed. Now, the appropriate zoom level is used to fit all table columns.
58743 Add support for forwarding class and traffic type during application drilldown, for VOS devices running Release 21.2.
58931 If you select the site tag filter, the SD-WAN Map view shows sites with matching site tags instead of all sites. This issue has been fixed. Also added support for site tag filters in the reporting tool.
59084 Add support for special characters in Analytics local user passwords.
59150 Add Africa to the timezone selection list.
59887 Add support for join queries to join data from two different reports.
60255 Remove the duration column from the data tables, because it is used only for internal calculations.
60275 Fix for VLR score computation issue in SD-WAN TCP APM report.
61002 If you have not configured email settings, display a warning message when you generate a report and send report notifications using email.
61048 Add date time selector filter to filter by the last calendar month.
61251 Python2 to Python3 migration for vulnerability fixes requires migration of all Python scripts. Support for the Analytics database manager script was missing, which caused problems in a fresh installation of Release 21.1.1. This issue has been fixed.
61878 Time series charts in dashboards now aggregate per hour for the last 7 days instead of using 5-minute or 15-minute data.
61915 Add support for streaming Analytics platform-generated alarms to remote collectors, including Versa Director.
62001 Fix start/stop option in Agents & ETL Status under Administration > System > General in the Analytics GUI.
62051 Enable confd audit log and web GUI access log on Analytics and log forwarder nodes by default.
62058 Remote collector connection status show command and GUI are enhanced to display transport type, number of flaps, and last flapped count.
62197 Add support for setting banner text from the Analytics GUI Administration tab.
62280 In the log hierarchy, rename SD-WAN SLA Violation to Traffic Steering.
62308 Log collector exporter process is in busy state when there are a large number of TACACS+ CLI accounting logs. This issue has been fixed. Now, the logs are processed in a staggered manner to avoid process overload.
62427 Fix to show MOS value in time series charts in the correct range. In Release 21.1.1, the value shown is divided by 100.
62569 Fix ETL monitoring page loading time, broken tabs, and page layout under Administration > System Status in the Analytics GUI.
62610 Fix SD-WAN QoE chart for post SD-WAN optimization to show correct information when the site is down.
63044 SD-WAN QoE chart displays 50% score when path is completely down. This issue has been fixed.
63172 Add GUI support for setting TACACS+ configuration for Analytics and log forwarder nodes.
63251 Add GUI support for setting the syslog priority field in the remote collector template for syslog export.
63264 Fix breadcrumb implementation in Analytics dashboard navigation to show content again when you click the breadcrumb a second time.
63516 Site/link availability fixes:
  • Show accurate state when the Analytics node is running Release 21.x and VOS devices are running Release 16.1R2 and there is loss of SLA monitoring data.
  • Show availability percentage as a non-negative value.
  • Show availability percentage with 1 decimal place.
  • Show link availability even if Controller connectivity is not available for the link.
  • Availability computation handles logs received a few seconds outside of the sampling interval, to avoid incorrect computation.
63892 Allow one metric selection for summary data using pie chart in reporting and dashboard. For metrics such as Volume Tx Rx, two pie charts would display side by side, causing the labels to overlap because of lack of space. In such cases, a column chart or bar chart can be chosen. If a pie chart is chosen, the user can select only one metric.
64047 Add help option in the Log Collector Configuration page.
64384 When a tenant operator logs into Analytics, the Administration page now hides all the tabs except Version.
64398 Add vsh monit start/stop command to start or stop the versa monit service. The sudo service monit start/stop command is deprecated for Bionic.
64512 Enhancements to show query-related errors for each chart within the chart itself instead of at the top of the page.
64567 Fix for setting the same tab position when the user drills down with a WAN link in the SD-WAN site view.
64985 After an administrator unlocks a locked user configured through TACACS+, the unlocked user should not be shown in the show system locked-users command output. This issue has been fixed.
65715 When you drill down from the Dashboard > System page, you are already in appliance view. This issue has been fixed. The fix disables the appliance filter in the drill-down page to avoid losing context.
66028 Fix to not show labels as "Slice" in summary data with empty metric values.
66297 SD-WAN site, link availability, and QoE metrics can take up to 15 minutes for the latest time block to display accurate information, because they rely on the arrival of SLA and other logs to determine the state. There could be latency during log arrival, or logs could be lost. For accurate state determination, more log data over time needs to be analyzed.

Fixed Bugs in Release 21.2.2

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, in Release 20.2.4, and in Release 21.1.3 are available in Release 21.2.2.

Bug ID Summary

37832 Ability to search on the SSL log clientAddr field.
56153 Availability report in PDF form is not rendered correctly.
56635 ETL monitor under Administration > System Status to show one chart per row.
63787 Add severity and disable options to alarm settings in log collector exporter configuration.
65819 LCED UI not showing the status if the name has a space in it.
66305 Cannot select pie chart if two or more metrics are selected on dashboard charts.
66497 Fix issue for secure access scheduled report when multiple VOS devices are selected.
66501 After upgrade, firewall source and destination statistics were not showing for the last hour because of a VOS device issue.
66622 Access circuit available bandwidth not showing a user-friendly number on the Y axis.
66775 Remote export of logs not working if storage is disabled for flow in the local collector configuration.
66787 Show system package info command to display the operating system version.
66837 When upgrading to Release 21.2.1, NTP server configuration was overwritten.
66914 SLA metrics data for Release 21.1.1 and earlier VOS devices not displaying in the UI.
67123 Display user-readable metric names in reports.
67279 Datatables not populated for tenantSuperAdmin users because of some API restrictions.
67323 Datatables search issue when there is more than one table with the search option.
67454 Application startup issue after upgrading because of multiple Tomcat versions.
67903 Use common widget for tenant/appliance/site drop-down in dashboard and reporting.
68026 In the Ubuntu Bionic Analytics image, CPU/memory/disk resource utilization for Analytics nodes was not working.
68061 Display appropriate error message if connectivity to the search engine fails.
68642 Support for Layer 2 SD-WAN rule statistics report per tenant/site.
68687 Fix for preventing flooding of alarms from LCED alarm infrastructure on the console with the Ubuntu Bionic image.
68921 Under Administration > System Status, last Analytics data cleanup was not shown correctly.
69280 ETL stats not seen in the UI although received in the API response.
69434 For the tenantOperator role, add SD-WAN feature by default under Administration > Configuration > Settings > Authentication > Roles Configuration.
69601 Analytics appliance context in Director shows "Disk Space is Critically Low" when disk space is healthy.
69796 Support for timezone in scheduled report display under reporting.
69985 Fix to allow a user with the tenant operator role to edit a scheduled report.
70026 Analytics report graph selection is not clear for different chart types, such as pie chart and bar chart.
70043 In the system interface utilization time series chart, Y axis labels were incorrect when TX and RX utilization was selected.
70229 Breadcrumb support for showing the filter path when a different site is selected under the site dashboard.
70280 If the application restarts while a user is accessing the UI, redirection should take place immediately instead of showing an error message.
70288 Fix to report QoS interface statistics per device instead of for all devices.
70321 Extra widget shown in the content removal page if you delete any data in content removal.
70355 SLA logs from Release 16.1R2 devices do not have the new fields. Treat them as 0.
70360 SLA metrics in hourly time series go over 100%.
70396 Modify alarm severity text font colors for easy reading.
70487 Read-only users should not have access to edit data in the Administration tab.
70580 In some browsers, when certain invalid characters are entered in the URL for accessing the Analytics standalone GUI, the version of the web server used by the Analytics node is visible.
70706 JavaScript file hosted in the Analytics portal exposes an internal IP address.
70736 If Controller access for a user role is disabled, hide the data in search queries.
70916 Fix for site list drop-down not showing all sites in a scaled environment.
70919 Fix for UI display issues in the reporting schedule option.
70972 Support in reporting tool to add multiple filters of the same type for a query.
71188 Settings screen showing [object Object] message instead of showing a proper error message.
71310 Fix for LCED VMEM_ID_LCED_STOR_BUF showing a negative value for used bytes.
71373 Fix for SLA metrics time series charts showing invalid values and labels for certain time ranges.
71399 QoE chart to use 5% as the threshold instead of 4% to determine if status is poor or fair.
71726 When multiple metrics are selected for summary data and pie chart is the chart type, data can overlap. Prevent such selection and display an error message.
71781 After upgrade, search data configuration in the UI is shown as disabled even though it is not saved. Fix to show the correct state of the configuration in the UI.
72061 Fix for data plane and QoE report saving error.
72074 Removed unsupported metrics in URL filtering report generation.
72296 Fix for trend line showing negative values in some scenarios.
72298 Trend line settings should be reset when navigating to other charts. Also, the chart type should not change when trend line settings are changed.
72426 Secure access users map not showing all sites/traffic activity when a user is associated with more than one gateway.

Fixed Bugs in Release 21.2.3

Note that fixes for all bugs found in Release 16.1R2 through Release 16.1R2S11, in Release 20.2.4, and in Release 21.1.3 are available in Release 21.2.3.

Bug ID Summary

72274 Fix for page refreshing continuously when the Enter key is pressed while saving a report.
73423 Fix for Versa Director not initiating a connection to Analytics because of too many connections in CLOSE_WAIT state to the Analytics IP:Port.
74324 Fix to prevent tenant operators from being able to change or save settings on the Administration page.
75558 Availability reports to include up to 2 decimal digits. For example, 99.99%, 99.9% if it is 99.90%, and 99% if it is 99.00%.
76488 Fix to SD-WAN for QoE score degradation after enabling FEC. QoE computation has been enhanced to include the reverse loss obtained from SLA metrics.
76726 SSL log enhancements to include additional match filters and operations, such as not equal to.
77477 Fix to show Analytics cluster CPU/memory for all instances.
77869 Under Administration > Data Configuration > Search data retention settings, resetting the log daily limit gives an error.
78900 Fix for autorefresh not working on the Analytics dashboard.
78960 Fix for APM metrics for tcpReXmitFwd and tcpReXmitRev shown as 0% because of incorrect conversion.
79487 Fix for TWAMP delay/delay variation metrics represented in msec.
80492 Fix for Analytics report after page reload getting stuck and adding & at the end of the URL.
80691 "Total Sites" in the SD-WAN dashboard is not drillable. Avoid showing a hyperlink.
80782 Fix for QoE report in last 30 days not showing any data.
81109 Scalability and performance improvements by implementing new tables with partition keys.
81700 Fix to show alarms received in the same second in the order of generation by sorting on both the sequence number and the receive time.
81707 Remove deleted tags from Analytics within a short interval so that the user cannot log in again.
82211 Remove display of the internal field 'at' in raw logs because it is not significant to the user.
82296 Fix to log archive script, which was not archiving all the files under heavy load.
82752 Fix to prevent time selector drop-down going behind the map widget.
83144 Remove CGNAT VSN usage report because it is deprecated.

Behavior Changes

The following are the behavior changes in Release 21.2:

  • Starting with Release 21.2.x, the Analytics software checks the number of Apache ZooKeeper servers in the vansetup.conf script before running the script. (ZooKeeper performs internode communication among the nodes in an Analytics cluster.) If the number is even, the Analytics software changes it to an odd number. Using an odd number of ZooKeeper servers instead of an even number optimizes the internode communication. For example, if the vansetup.conf script has four ZooKeeper servers, the Analytics software changes the number to three. For the changed configuration to take effect, you must execute the vansetup.py script on each Analytics node.

Known Issues

The following are the known issues in Release 21.2.

Known Issues in Release 21.2.1

Bug ID Summary

41534 Custom role creation view box and log filter drop box close automatically if you click outside the box.
42468 Search collection creation fails during installation if the hostname is not bound to the IP address on which the search node is listening, which is the interconnect IP address. As a workaround, make the search node's interconnect IP address the first IP address in the /etc/hosts file.
42469 If an appliance is selected in the map filter, to change the appliance name you must first delete the existing name and then choose another appliance name.
42555 The standby Director may not respond to REST API calls, so the standby Director cannot be registered until a failover is performed.
46001 Maintaining accounting records might stop working and then start working again after you reset auditd.
54713 The Users map on the secure access dashboard works only if you select Google Maps as the map provider under Administrator > Settings > Display Settings.
58931 User map site tag feature is supported only for Google Maps.
59517 As part of the statistics rollup infrastructure changes for Release 21.2, after you upgrade to Release 21.2.1, there is a delay in populating historical firewall source and destination statistics reports in the UI. A daily cron job migrates the historical firewall source and destination data to the new rollup infrastructure. There is no impact on new data after the upgrade.
60658 Use sudo to run the cluster installation script from a Versa Director running a Bionic image.
66214 When you access the Analytics GUI through a Director node, the landing dashboard charts might shift from right to left.

Known Issues in Release 21.2.2

Bug ID Summary

41534 Custom role creation view box and log filter drop box close automatically if you click outside the box.
42468 Search collection creation fails during installation if the hostname is not bound to the IP address on which the Search node is listening (interconnect IP). As a workaround, use the Search node's interconnect IP address as the first IP address in /etc/hosts.
42469 If an appliance is selected in the map filter, to change the appliance name it must be erased before you can choose another appliance name.
42555 Standby Director is not responding to REST API calls. The standby Director cannot be registered until a failover is performed.
46001 Maintaining accounting records stopped working, and it started working again after an auditd restart.
54713 The secure access dashboard has a Users Map, which works only if Google Maps is selected as the map provider under Administrator > Settings > Display Settings. Support for OpenStreetMap will be available in future releases.
58931 Site tag feature in maps is supported only for Google Maps.
59517 As part of the statistics rollup infrastructure changes for Release 21.2, after the upgrade there is a delay in populating historical firewall source and destination statistics reports in the UI. A daily cron job migrates historical firewall source and destination data to the new rollup infrastructure. There is no impact on new data after the upgrade. The historical data is migrated over time.
66214 Analytics GUI landing dashboard charts shift from right to left in a few scenarios when accessed through Director.

Known Issues in Release 21.2.3 

Bug ID Summary

41534

Custom role creation view box and log filter drop box closes automatically if clicked outside of the box.

42468

Search collection creation fails during installation if the hostname is not bound to the IP address on which Search node is listening (interconnect IP). As a workaround, list the Search node’s interconnect IP address as the first IP address in the /etc/hosts.

42469

When you select an appliance in map filter, to rename the appliance name, you must first erase the existing appliance and then create an appliance that has a different name.

42555

Standby Director not responding to REST API calls. The standby Director cannot register until a failover is performed.

46001

Maintaining accounting records stops working, and it starts working again only after you restart auditd.

54713

Secure access dashboard has Users Map, which works only if Google map is selected as the map provider under Administrator > Settings > Display Settings.

58931

Site tag feature in maps is supported only for Google maps.

59517

As part of the statistics rollup Infrastructure changes for Releases 21.2, after the upgrade there is delay in populating historical firewall source and destination statistics reports on UI. A daily cron job takes care of migrating historical firewall source and destination data to the new rollup infrastructure. After the upgrade, there is no impact to new data. Historical data is migrated over time.

66214

Analytics GUI landing dashboard charts shift from right to left in a few scenarios when accessed through Director.

72972

Under Reporting, when Analytics loads a report for a tenant and you click Save, a dialog with a Copy Settings option displays a drop-down list of the appliances for the selected tenant. However, the list does not show the correct appliances for the selected tenant. This behavior is not seen during the initial creation of the report.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 21.2.1, March 19, 2021
Revision 2—Release 21.2.2, September 12, 2021
Revision 3—Release 21.2.3, August 2, 2022

Versa Director Release Notes for Release 21.2

These release notes describe features, enhancements, fixes, and known issues in the Release 21.2 Versa Director software, for Releases 21.2.0 (simply called 21.2) through 21.2.3. Releases 21.2.1 and later are generally available (GA) releases and are supported for use in production networks.

August 2, 2022
Revision 3

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install the Versa Director Software

To install the Versa Director software, see the Deployment and Initial Configuration articles.

Upgrade to Release 21.2

To upgrade to Release 21.2, see the Upgrade Software on Headend and Branch article.

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:

Administrator@versa-director> request system rollback to snapshot-timestamp

The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation.

Install the Software License for Versa Director

Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.

Note the following:

  • Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
  • On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).

VOS Version Compatibility

Release 21.2 of Versa Director is compatible with the following Versa Operating System™ (VOS™) software versions:

  • Release 20.2.x
  • Release 21.1.x
  • Release 21.2.x

Release 21.2 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in Appliance view to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.

New Features

This section describes the new Versa Director features in Release 21.2. All features are introduced in Release 21.2.1 unless otherwise noted.

  • Cloud API enhancements—API-based integration in Azure virtual WAN and AWS transit gateway supports scenarios in which the branch is behind a NAT. See Configure Site-to-Site Tunnels.
  • Filter BGP path attributes—(For Releases 21.2.3 and later.) On the Monitoring > Service BGP screen, you can filter BGP on additional path attributes, including community, extended community, and AS path.

    filter-bgp-path-attributes.png
  • NAT in site-to-site tunnels—When you create a site-to-site tunnel between a branch and an Azure Virtual WAN or AWS Transit Gateway, the WAN interface can use the NATed IP address. You can also configure the NATed IP address when deploying Workflows. See Configure Site-to-Site Tunnels.
  • Option to set RequestedAuthnContext value in SSO—(For Releases 21.2.2 and later.) You can set the Requested Auth Context Comparison value in an SSO SAML connector. Set the value to "minimum" or "exact", depending on your authentication type.
  • Total Site Up/Down in Tenant Summary window—(For Releases 21.2.2 and later.) The Tenant Summary window now shows the number of sites that are up and down, and includes a card that summarizes the status of all assets.

  • Versa Director central authentication—(For Releases 21.2.2 and later.) In a topology with more than one Director node, you can designate one of the Director nodes as the central authentication Director node. The central authentication Director node verifies all authentication requests, and it issues a token that can be used for making API calls to any Director node. Director central authentication is useful for Concerto use cases.

    central-auth.png

    You enable central authentication from the CLI:

    Administrator@versa-director% show nms provider central-auth-connector
    enable-central-auth enabled;
    director-ips        [ 10.192.63.14 ];   Provide IP addresses of primary and secondary Director nodes
    
  • Versa Director–managed site-to-site tunnels—You can create a Versa Director–managed IPsec site-to-site tunnel between a provider Versa Director node and a customer Versa Director node to allow the customer Versa Director node to use available services from the provider Director node as if the services were directly available from the customer Director node. These services include:
    • On-ramp to SaaS providers, such as Box, Google, Microsoft Office, and Salesforce
    • Cloud Service Gateways (CSGs)
    • Application reverse proxies
    • Titan hubs

    Director–managed site-to-site tunnels support EBGP, IKE, and IPsec. See Configure Site-to-Site Tunnels.

  • VMS passive authentication enhancements—Versa messaging server (VMS) supports the following:
    • Administrative container for VMS to manage services and the VMS deployment, including REST API capabilities to manage the VMS features and infrastructure.
    • High availability for VMS infrastructure and containers.
    • Passive authentication. See Configure Passive Authentication for VMS.
  • VSA subscription—You can configure the number of Versa secure access (VSA) licenses for both basic and advanced users per organization using Versa Director. After you configure the VSA subscription information, it is tracked in the subscription monthly and the entitlement reports, and on the Entitlement Manager query page. See Configure Versa Secure Access Subscriptions.
  • Workflow support for T1/E1 and ADSL2+/VDSL2+ interfaces—You can use Workflows to configure T1/E1 and ADSL2+/VDSL2+ interfaces, making configuration of these interfaces easier and an integral part of SD-WAN workflows. See Configure Interfaces.
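The SSO item above sets the SAML RequestedAuthnContext Comparison value to "minimum" or "exact". The following added example, which is not code from the release notes or from Versa Director, shows where that value sits in a SAML 2.0 AuthnRequest, how a service provider reads it back, and why the service provider should check the AuthnContextClassRef the identity provider actually asserts rather than assume the request was honoured. The namespace URIs, context class URIs and Comparison values come from the SAML 2.0 core specification; the strength ordering in STRENGTH_ORDER and the issuer and ID values are constructed for illustration and are not Versa settings.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Standard SAML 2.0 authentication context classes used below.
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
TLS_CLIENT = "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"

# Every Comparison value the SAML 2.0 core spec defines. The release note
# covers the two that are normally used: "minimum" and "exact".
ALLOWED_COMPARISONS = {"exact", "minimum", "maximum", "better"}

# Constructed strength ordering, weakest first. The spec leaves the ordering
# of context classes to the identity provider, so a real deployment must use
# the ordering its IdP documents.
STRENGTH_ORDER = [PASSWORD, PPT, TLS_CLIENT]


def is_valid_comparison(value: str) -> bool:
    """True if value is a Comparison the SAML 2.0 spec allows."""
    return value in ALLOWED_COMPARISONS


def build_authn_request(issuer: str, comparison: str, class_refs: list) -> str:
    """Return a minimal <samlp:AuthnRequest> carrying a RequestedAuthnContext.

    "exact" asks the IdP for one of the listed classes exactly; "minimum"
    accepts any class at least as strong as one of them.
    """
    if not is_valid_comparison(comparison):
        raise ValueError(f"invalid Comparison value: {comparison!r}")
    if not class_refs:
        raise ValueError("at least one AuthnContextClassRef is required")
    req = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest",
                     {"ID": "_constructed-request-id", "Version": "2.0",
                      "IssueInstant": "2022-08-02T00:00:00Z"})
    ET.SubElement(req, f"{{{SAML_NS}}}Issuer").text = issuer
    rac = ET.SubElement(req, f"{{{SAMLP_NS}}}RequestedAuthnContext",
                        {"Comparison": comparison})
    for ref in class_refs:
        ET.SubElement(rac, f"{{{SAML_NS}}}AuthnContextClassRef").text = ref
    return ET.tostring(req, encoding="unicode")


def parse_requested_authn_context(xml_text: str):
    """Return (Comparison, [class refs]) from an AuthnRequest, or None if absent.

    The spec default for a missing Comparison attribute is "exact".
    """
    root = ET.fromstring(xml_text)
    rac = root.find(f".//{{{SAMLP_NS}}}RequestedAuthnContext")
    if rac is None:
        return None
    comparison = rac.get("Comparison", "exact")
    if not is_valid_comparison(comparison):
        raise ValueError(f"invalid Comparison value: {comparison!r}")
    refs = [e.text for e in rac.findall(f"{{{SAML_NS}}}AuthnContextClassRef")]
    return comparison, refs


def context_satisfies(comparison: str, requested: list, asserted: str) -> bool:
    """Decide whether the class the IdP asserted meets what the SP requested.

    Run this on the AuthnContextClassRef of a response whose signature has
    already been verified: an IdP may assert a weaker context than requested.
    """
    if comparison == "exact":
        return asserted in requested
    if asserted not in STRENGTH_ORDER:
        return False  # unknown class cannot be ranked, so it meets nothing
    rank = STRENGTH_ORDER.index(asserted)
    ranks = [STRENGTH_ORDER.index(r) for r in requested if r in STRENGTH_ORDER]
    if not ranks:
        return False
    if comparison == "minimum":
        return rank >= min(ranks)
    if comparison == "maximum":
        return rank <= max(ranks)
    if comparison == "better":
        return rank > max(ranks)
    raise ValueError(f"invalid Comparison value: {comparison!r}")
```

With "exact", an assertion for a class the SP did not list fails the check even if that class is stronger; with "minimum", a stronger class passes, which is why "minimum" is the usual choice when the IdP may step users up to a second factor.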

Fixed Bugs

The following are the critical and major defects fixed in Release 21.2.

Fixed Bugs in Release 21.2.1

The following table lists the critical and major defects that were fixed in Release 21.2.1.

Tracking Bug Description

34494

The Subscription Query page shows the state as automatically renewed after a device is automatically renewed, instead of showing automatically activated. This issue has been fixed.

40095

Add enable and disable policy rules.

40157

Add support for TCP-based syslog remote connector.

42494

Snapshot creation is now audited and present in the audit log.

43124

Custom role editing is now audited.

45549

Add alarm for when AMQP/Kafka connector is not reachable from Director node.

46789

Add Total column, which was missing in Entitlement summary report.

47781

Spoke group search is now done by making query to the backend instead of performing a UI-level search.

47998

For a device managed with LTE as WAN, the Director node now decreases polling cycles and netconf notifications to reduce management traffic.

48207

Asset Inventory does not show the count of hub-controllers under the Summary and Details tabs under Versa Director > Monitor > Provider > Summary. This issue has been fixed.

48431

Virtual router UI screen access was slow. This issue has been fixed.

49326

Add cloud-connector support, with type as Versa. This enables a client Versa Director to create site-to-site tunnels between VOS devices managed by different Director nodes.

50511

Add option to enable and disable the sending of device-level alarms to an AMQP server configured as an AMQP connector.

50562

Bulk delete of VRRP configuration fails in UI under template. This issue has been fixed.

50578

Entitlement management/subscription actions are not RBAC-protected from Rest APIs. This issue has been fixed.

52001

NCS crashed with the error "Internal error: Supervision terminated". This issue has been fixed by upgrading NCS to a newer version, version 4.7.8.

52518

Add new alerts such as DESIGNATED-MASTER-NOT-ACTIVE, LICENSE-EXPIRY-ALERT, DISK-USAGE-ALERT. Update the alerts naming conventions, changing Master to Active and Slave to Standby.

52665

NCS Java logging does not work. This issue has been fixed.

54006

You can now customize common VOS HTTP/HTTPS credentials. The Director node uses these in the /var/versa/vnms/data/conf/default.conf script.

55106

Validation is missing for cluster list in bind data screen. This issue has been fixed.

55471

Upgrade with customer configuration from Release 16.1R2S10.1 to Release 20.3.1 fails during migrate scripts because of QoS configuration. This issue has been fixed.

55504

Create/delete device group is not notified over AMQP. This issue has been fixed.

55520

If a device in the unknown device list tries to reconnect, a new task is created. This issue has been fixed.

55655

Add support for circuit tag in Workflows > Template > interfaces > WAN Interfaces.

55676

Under Entitlement Management, the end date calculation for a subscription is wrong. This issue has been fixed.

56584

Director upgrade from Release 16.1R2S10.1 running customer snapshot fails in Workflows module related to split tunnel. This issue has been fixed.

56777

In a multitenant deployment, monitor UI now displays location information with access to the child organization.

57028

Free memory calculation is incorrect. This issue has been fixed.

57369

PPPoE WAN interface network is not added to traffic identification list during template Workflow deployment. This issue has been fixed.

58484

When a user attempts to change their password multiple times, the user account is not locked even after the number of incorrect password attempts defined in max_login_fail_count in UserGlobalSettings is reached. This issue has been fixed.

58749

In uCPE, add support to increase the secondary hard disk size to a maximum of 512 GB.

58828

In some GUIs, time is not displayed in the local time zone. This issue has been fixed.

59034

Local backups cannot be deleted using the Purge command. This issue has been fixed.

59131

Add support to encrypt all passwords in device configuration.

59334

In Entitlement Management Query page, TotalActiveDays is not updated properly. This issue has been fixed.

59426

Appliance location data type changed from varchar to text to accommodate larger location values.

60505

validate.py script does not display the errors from the ha-pair-config-validation.py script. This issue has been fixed.

60653

In the virtual router UI, changing the OSPF network returns the error “invalid byte sequence for encoding UTF8: 0x00..”. This issue has been fixed.

60857

Stale entries in bind data cause Director upgrade from Release 20.2.2 to Release 20.2.3 to fail. This issue has been fixed.

60954

Director upgrade from Releases 16.1R2S10.1/S11 to Release 21.2.1 fails during migrate script because of an incorrect user role, with the error: "Upgrade failed: Upgrade transaction failed to validate: /ncs:devices/device{DCA-Controller-01}/config/system/users{ab16399}/role (value "oper"): oper user cannot land on shell (use 'cli' or 'none')". This issue has been fixed.

60991

When you modify the bandwidth in a Workflow template and apply the changes, they do not take effect on existing SD-WAN branches. This issue has been fixed.

61281

Add support for bandwidth limit configuration when uploading a package to a branch or device.

61475

Add support in monitor screens for application identification.

62155

In an AWS SD-WAN gateway deployment, the DescribeInstances API call may fail, with the error "instance ID does not exist". This issue has been fixed.

62286

Redundant template deployment fails when you configure an AWS transit gateway site-to-site or Azure Virtual WAN tunnel in a Workflow template. This issue has been fixed.

62334

When you select multiple devices from a Director node to upgrade, if one device is not reachable, the task is shown as successful in the progress column. This issue has been fixed.

62346

Move Kerberos virtual URL configuration from captive portal to Kerberos profile.

62352

If you add or remove a service template in a device Workflow or device group, or make a configuration change in a service template, the template state does not go out of sync in the commit window. This issue has been fixed.

62375

Entitlement Management > License period is not updated after performing a Workflow organization deploy. This issue has been fixed.

62390

When you change the SSH host keys on a VOS device, subsequent requests to the VOS device fail, with the error “SSH host key error”. This issue has been fixed.

62412

Update software to reduce the number of system/details calls made to each VOS device in each polling cycle.

62433

It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters.

62557

NGFW service is not picked up from default-sng if the services field is empty. This issue has been fixed.

62574

The transition from reachable to unreachable state is not shown at least every 3 minutes. This issue has been fixed.

62608

GUI cursor keeps spinning when a TenantSuperAdmin user who is logged in with email format as the username tries to change session timeout. This issue has been fixed.

62618

Template recreation fails when radius-shared-secret contains special characters, such as ";", which is a valid character. This issue has been fixed.

62709

Cannot save/deploy a Controller node after the Controller node is deleted from the appliance listing screen. This issue has been fixed.

62790

EXTERNAL_USER.log shows bearer token instead of username. This issue has been fixed.

62900

Remove per-organization subscription details from the Entitlement Manager summary page.

62923

In the Director GUI, you cannot add a VLAN to a LAN interface on a CPE, and a DF error is displayed. This issue has been fixed.

62952

Template regeneration fails when TACACS+ key is parameterized. This issue has been fixed.

63011

Add template sync status to tool tip for an appliance on Appliance Listing screen.

63142

Commit template should not send an email when the commit template is scheduled to run now. This issue has been fixed.

63145

Proxy authentication is not working for SPack download. This issue has been fixed.

63185

When a user creates a new device Workflow and clicks Cancel at bind data, the user cannot create a new device Workflow with the same name. This issue has been fixed.

63206

Local CMS organization update might fail for tenant superadmin user. This issue has been fixed.

63241

After you upgrade to Release 20.2.3, the bind variables of a service template that were attached to all the devices using it are no longer present in the device bind-data tables. This issue has been fixed.

63249

When you run the vnms-startup.sh script non-interactively, the system addresses take the Docker IP address when no southbound interface is provided. This issue has been fixed.

63298

LAN routing instance is provisioned incorrectly for TVI interface for GRE-based tunnels when the tunnel start endpoint is LAN network instead of WAN network. This issue has been fixed.

63316

Bind data variable for BGP local AS in Workflow template for IBGP is not populating in the device. This issue has been fixed.

63328

Enabling IPsec for HA secure communication generates unwanted configuration, leading to an IPsec failure. This issue has been fixed.

63382

In Releases 20.2 and 21.1, files are not correctly copied in /var/versa/packages/spack/current/config/. This issue has been fixed.

63397

Redistribution policy Default-Policy-To-BGP on DMZ-VR (not VRF) is not created when you select ST with either DIA or gateway option. This issue has been fixed.

63430

After you delete a device from a Workflow, the device global site ID is not freed. This issue has been fixed.

63455

During URL ZTP, the email notification may not be sent. This issue has been fixed.

63477

New solution tiers added to support Titan.

63500

Tenants deleted from a branch are still listed in the appliance listing screen. This issue has been fixed.

63525

WPA password or RADIUS shared secret key in Workflow device bind data is not encrypted. This issue has been fixed.

63589

Director failover operation results in application timeout. This issue has been fixed.

63607

Editing WAN circuit tag does not work. This issue has been fixed.

63610

Do not add the default configuration of Layer 2 learning in Workflow templates. This configuration is not needed.

63649

When creating a WiFi template, you can configure a different country for both radios in the wireless configuration. This issue has been fixed.

63714

You cannot delete multiple static routes from the GUI. This issue has been fixed.

63725

Add support for OOKLA speed test from the GUI.

63761

Add support to configure software package upload time under device group.

63769

NullPointerException is seen when you commit a shared service template associated with device group and device level. This issue has been fixed.

63897

Kafka/AMQP message publishing should happen using a separate event bus to handle unreachable or slow brokers. This was impacting ZTP task creation. This issue has been fixed.

63941

Changing the Director timezone causes incorrect timestamp to display in many listing screens. This issue has been fixed.

63977

Creating an AWS Transit Gateway or Azure Virtual WAN tunnel with redundant template creates duplicate tunnels for the primary and redundant templates. This issue has been fixed.

64035

In the entitlement manager, a solution tier modification is not updated using the Workflow template. This issue has been fixed.

64040

Invalid CSRF token message is displayed during sync-from, sync-to, and bulk sync-from. This issue has been fixed.

64111

Deleting the SSO configuration might not work properly. This issue has been fixed.

64118

In the entitlement manager, rename solution tier VSA Basic to VSA Standard.

64169

Director backend has WPA password in encrypted text, but returns it in cleartext to Workflow template API call. This issue has been fixed.

64170

The AWS DeleteOnTermination flag for EBS volume should be set as True during VOS deployment using CMS connector to make sure that stale volumes are not present in the cloud. This issue has been fixed.

64248

SMS messages sent using the Versa account are rate-limited. This issue has been fixed.

64291

OS SPack download task is generated with no description. This issue has been fixed.

64330

TenantSuperAdmin user cannot download OS SPack on appliance page. This issue has been fixed.

64342

PSQL database password change command does not work. This issue has been fixed.

64362

Unable to log in as tenant user when single-idp-connector type selected. This issue has been fixed.

64363

For an incremental SPack upgrade, director.json and other xml files are not copied when incremental SPack is installed via rest API call with update-type "incremental" (in lowercase letters). This issue has been fixed.

64365

ZTP might fail, with a socket close error. This issue has been fixed.

64366

PPPoE password on appliance is now encrypted during communication between the Director node and the appliance.

64373

Upgrading a Director node to Release 21.2.1 fails, with the error "failed to execute migrate script sysusers.lua". This issue has been fixed.

64376

RMA skips upgrade/downgrade and continues with RMA process when software version is blank for existing device, but it prints proper messages in the task. This issue has been fixed.

64426

Include c5a instance type during device deployment on AWS using CMS connector.

64427

Static route screen shows invalid IPv4 or IPv6 address/prefix error for a valid destination. This issue has been fixed.

64467

Template automerge operation may remove configuration added at the template configuration level when recreating the template after adding DNS policy rule. This issue has been fixed.

64479

Unable to ZTP to a device running Release 20.2.2 when Controller and Director nodes are running Release 21.2. This issue has been fixed.

64497

When you delete a Controller device in the GUI, peer controller information is not removed from the database. This issue has been fixed.

64603

Resource groups are not listed during the creation of Azure Virtual WAN tunnels. This issue has been fixed.

64614

The standby Director now allows only GET requests and POST requests to /api/*/actions/*. It rejects other POST, PUT, and DELETE requests with an appropriate error message.

64664

Workflow templates deployed with duplicate name as redundant pair are corrected or flagged by validate.py script. This issue has been fixed.

64675

Local user information is pushed only to devices that are in the device group associated with the first template. This issue has been fixed.

64713

Login, logout, and change password time are not captured in the audit log. This issue has been fixed.

64807

TenantSecurityAdmin users cannot download OS security package. This issue has been fixed.

64816

Cannot remove Analytics cluster or all user-supported roles from Workflow organization after redeploying the organization. This issue has been fixed.

64828

In Entitlement Query, rename column State to Event.

64862

Search does not work for Configuration > Objects > VPN Profiles GUI. This issue has been fixed.

64872

After you modify the organization from a template, virtual switches are not populated because the backend sends the previous organization. This issue has been fixed.

64882

Device upgrade might get stuck at 70% even if upgrade is successful. This issue has been fixed.

65064

Cannot see bind data for more than 100 devices in a single device group. This issue has been fixed.

65069

Autogenerated bind data IKE identifier is not updated. This issue has been fixed.

65257

No data displays on Services > Monitor screen. This issue has been fixed.

65260

Audit logs are not reported for any of the operations performed by the local provider-level users. This issue has been fixed.

65335

Import workflow device is deploying devices without bind data variables. This issue has been fixed.

65365

Cannot delete service chain template in Workflows. This issue has been fixed.

65386

Variable bind data loads slowly after being deployed from a device Workflow. This issue has been fixed.

65517

Current user cannot make changes to the branch when the branch is locked for other users. This issue has been fixed.

65646

Cannot commit to multiple devices because of the task description length. This issue has been fixed.

65650

Incorrect configuration under device context when bootstrap fails. This issue has been fixed.

65683

Replacing an appliance with new serial number incorrectly updates lastModifiedBy field with null value in Workflow device. This issue has been fixed.

65696

Deploying application template by TenantSuperAdmin on Workflows > Template > Application Steering may fail. This issue has been fixed.

65718

After HA failover, cannot receive alarm emails. This issue has been fixed.

65735

User authentication now fetches HA status from cache instead of from NCS to improve performance and avoid resource-denied NCS issue.

65753

Enable suspend-backup-collectors as default in Workflow templates.

65774

Update CPE ports object on firewall rule in controller. Remove port 4000.

65775

Error occurs when pushing post-staging template for hub and spoke. This issue has been fixed.

65793

Workflow device deploy using CMS connector does not work in Azure China region. This issue has been fixed.

65818

SD-WAN policies created by a Workflow are missing an action. This issue has been fixed.

65831

Changing SiteId from Workflow devices is shown in the inventory but not on the GUI appliances screen. This issue has been fixed.

65850

After ZTP, appliance shows incorrect subscription state as created in entitlement screen under appliance context. This issue has been fixed.

65960

Upgrade to Tomcat 9.0.43.

65992

Default spring-boot tomcat thread-pool size for ports 9182, 9183, and 8090 is configured incorrectly in application properties. This issue has been fixed.

35962

Update third-party libraries to address vulnerabilities reported by OWASP dependency check tool.

38387

During HA enable operation, task popup disappears from the window before displaying the success prompt. This issue has been fixed.

39367

Add GUI support for displaying PoE statistics.

40103

Remove keepalive timeout for IPsec from CLI and GUI.

42113

Under Device Templates in the Peer IP field, the + icon and parameterize icons are not aligned. This issue has been fixed.

45613

Add support to set and match BGP community in the old format, that is, as a 4-byte number.

45739

Fix OSPF clear neighbor operation in the GUI.

45901

Add GUI support for Director SPack upload and installation.

47699

Add pagination support for IGMP Group Monitor screen.

47781

Add GUI support for search for Spoke Group screen.

47929

Add support for health check for a standby interface.

48207

Asset Inventory does not display a count of Hub-Controllers (under both Summary and Details). This issue has been fixed.

48421

Add support for bulk delete operation for syslog servers in templates configuration.

48481

Fix GUI to gray out code field under DHCP custom options if vendor ID is selected.

48490

Fix Add Appliance screen in Administration tab.

48606

Fix GUI tool tip to show "Undefined" for Director and Analytics Cluster in Monitor > Provider-org > Summary > Asset Inventory.

49322

Add GUI support for Platform > Management Port > Usage Model.

49632

Add parameterization for routing instance in security package update configuration.

50611

Add parameterization for prefix under BGP route aggregation.

52518

Fix to display Director HA critical alarms in notification popup.

54327

Disable No Summaries option for OSPF3 Area 0.

56092

Rename whitelist/blacklist to allowlist/denylist in URL Filtering screen.

56175

In Filtering Profile screen, change incorrectly named Authentication profile to Cloud profile.

58351

Enhance traceroute to support ICMP and TCP probes.

59621

Add GUI support for Layer 2 services.

61617

Add support for IPv6 options on the LTE interfaces vni-0/100 to vni-0/103.

62418

Add new option in uCPE screen to enable and disable multiqueue settings for the VM.

62801

Networks and subinterfaces values are shown incorrectly under Administration > Organizations > Associations. This issue has been fixed.

62933

Remote server exception issue seen when editing global router. This issue has been fixed.

63380

Fix to allow only FIPS-compliant ciphers when FIPS mode is enabled.

63596

Fix issue seen while modifying the configuration of routing instance for speed-test server.

63671

Add support for 10 domains in RAS VPN profile.

63776

Add Director support for secure access server group configuration.

63804

packet-padding-size IMIX is not reflected in show commands. This issue has been fixed.

63895

Enhance Appliance System configuration GUI screen to allow configuration of health object parameters.

63915

Implement LEF-logging configuration under WLAN so that WiFi LEF logs are sent based on user configuration.

64012

Add BGP prefixes for Layer 2 VPN EVPN screens under monitor screen.

64040

Fix invalid CSRF token message seen during sync-from device.

64111

After you delete all SSO configurations, SSO link is now disabled from the login page.

64211

GUI shows error incorrectly as [Object,Object] in task window during replace appliance operation. This issue has been fixed.

64249

Cannot edit or delete SNMP communities, USM, and trap profiles configured with special characters. This issue has been fixed.

64316

When you open and click the authentication control dot1x option, dynamic VLAN is disabled. This issue has been fixed.

64318

Fix search operation for Application Steering screen.

64323

Fix search operation for Disabled Access Policy rules.

64337

Organization selection is not maintained when moving from objects to services. This issue has been fixed.

64343

Search in DoS policy rules screen does not work for values other than rule name. This issue has been fixed.

64355

For IP SLA monitor of subtype ha-probe, change interval default to 1 second. You cannot change the default.

64361

Neighbor peering is not starting when RIP instance or group password is enabled. This issue has been fixed.

64371

Fix failure in security package screens for TenantSuperAdmin and TenantSecurityAdmin.

64410

Add search bar for DoS profiles screen.

64411

GUI gets stuck when navigating from NTP screen to Objects/Services page. This issue has been fixed.

64437

In BGP, share-aro is enabled if you open the Advanced tab under peer-group twice, and vice versa.

64446

Add select index for routing instance field under Configuration > System > Security Update > Automatic.

64460

Fix search operation on domain name server screen.

64462

When you select the radio button from the popup to search on the VRRP Group screen or interfaces screen, the popup does not close with a single click or by pressing Enter. This issue has been fixed.

64468

Creating a new DDoS profile from DoS Policies > Edit DoS Rule > Enforce > Aggregate Profile > +Add New, selects aggregate profile by default, and vice versa, for classified. This issue has been fixed.

64492

Fix sorting on DDoS profiles screen.

64532

Fix missing instance ID in spanning-tree details screen from the second row onwards.

64535

Fix issue seen when updating the transparent proxy match rule configuration.

64550

Form landing is incorrect for the decryption profile. This issue has been fixed.

64559

Rule enable/disable option is not available for traffic monitoring in device configuration page. This issue has been fixed.

64566

Add GUI support to add destination zone as match condition under SD-WAN policy screen.

64580

Some information is not the same in the Administration page card view and list view. This issue has been fixed.

64581

In the CGNAT rule screen, the source and destination ranges are not mandatory, but an empty list is sent in the payload, causing an issue in the template commit. This issue has been fixed.

64584

LLDP is always shown as true in the GUI even after you disable LLDP globally. This issue has been fixed.

64589

Correct the name of the global routing instance to Global when adding DNS.

64596

Fix console error when you try to click on site configuration under Services.

64618

Enable caching mode for all profiles types, including local database, LDAP, Kerberos, SAML, and certificate authentication profile.

64639

When you add a static route with same gateway/next-hop IP address, GUI rejects configuration as a duplicate record. This issue has been fixed.

64640

Fix issue seen when rearranging templates in the device service templates screen.

64651

VRRP Group ID and Interface are swapped in the VRRP Table. This issue has been fixed.

64652

Template workflow is not working properly for redundant pair cross-connect interface for vni0/2 or greater. This issue has been fixed.

64659

Add parameterization for Certificate Authentication Profile in template.

64669

Fix error in console while clicking redeploy button in organization Workflow.

64671

After committing the BGP general password, you cannot use the BGP GUI without modifying the BGP general password. This issue has been fixed.

64694

Fix issue in HA template screen in which recreate button was not working after re-opening.

64697

NTP configuration screen is not showing interfaces with units. This issue has been fixed.

64724

GUI is showing incorrect SA details on the Monitor > Services > IPsec > SA screen. This issue has been fixed.

64728

If the appliance count has more than two digits, the number alignment is incorrect under System Summary. This issue has been fixed.

64740

When you try to add or edit decryption server profiles, error 500 is seen. This issue has been fixed.

64744

Under Configuration > Networking > PBF > Policies screen, the column header Status has been changed to Rule Status.

64757

In the GUI, creating a new vendor catalog did not indicate the progress of adding the new catalog. This issue has been fixed.

64766

Implement rule insertion for QoS policy, App QoS policy, PBF policy, and DNS proxy screens.

64797

Add Director GUI support for per-interface (SD-WAN) PMTUD interval.

64810

File type qcow2 is not passed in the payload when creating a new vendor catalog. This issue has been fixed.

64849

Fix clear command for the SSL History Monitor screen.

64859

Default zone protection scan interval in GUI changed from 300 seconds to 30 seconds.

64875

Rename SLA Dampen labels to SLA Damp.

64880

Fix issue seen in parameterization for vni under bridge domains.

64923

Fix incorrect message for predefined application groups.

64942

Add parameterization for weight under BGP peer group and under routing peer policy.

64943

Add parameterization for community in peer/group policy under match/action and under redistribution policy.

64945

Caching mode is always set as IP-based when you select local database or LDAP profile in authentication profile. This issue has been fixed.

64958

Change column name from Status to Rule Disabled in secure access portal and gateway rules screen.

65065

Add support to display audit logs under Administration > Troubleshooting screen.

65070

Captive portal is not displayed as a part of secure access. This issue has been fixed.

65071

LDAP user/group is not fetched in Secure Access portal and gateway policy in template. This issue has been fixed.

65175

After changing device ID for an existing device from workflows, user-defined bind data disappears when user attempts to redeploy a device. This issue has been fixed.

65198

Disable virtual service option was checked when controller is deployed but service is not actually disabled. This issue has been fixed.

65222

Tunnel interfaces that you add manually as type IPsec display as Down in monitor GUI when the interface is actually Up in appliance CLI and Director live status CLI. This issue has been fixed.

65229

Jitter value in SLA profile is shown in percentage. This issue has been fixed.

65230

Users cannot create a MAC address object with only a wildcard mask. This issue has been fixed.

65235

OK button is not working while creating a device after filling bind data information. This issue has been fixed.

65247

Add parameterization for keytab field in Kerberos profile in template.

65249

Add parameterization for virtual URL field in Kerberos profile in template.

65267

Fix GUI alignment issue when trying to create address group from IP filtering profile.

65299

In Secure Access Configuration screen, add the option to display how many characters can be typed for a string variable and the current length of the string typed.

65317

Fix cosmetic issues on File Filtering Profile screen.

65364

Vertical line is seen over the [+] icon in Add Rule window for Source/Destination and Application/URL tabs. This issue has been fixed.

65406

Regex pattern validation is missing in post-staging template under custom URL category. This issue has been fixed.

65431

Add support for Layer 2 services in Monitor Screen.

65458

When device is already deployed, GUI grays out changing tenant name in workflow device deploy. This issue has been fixed. You can now change the tenant name in device deploy Workflow.

65495

Remove OK button in Decryption Settings screen for TenantOperator user.

65549

Add support for secure access gateway and portal policy in Monitor Screen.

65576

Fix GUI issue in requests screen in Certificate Manager under Objects and Connectors.

65578

Tenant selector does not display when the user switches from one tab to another on the configuration page. This issue has been fixed.

65598

Add pagination on Security Profiles > DNS Filtering page for Device Templates/Service Templates.

65610

Add Director GUI support for new security algorithms.

65628

Remove Dual Tunnel from Gateway General page.

65631

Remove mandatory restriction for IP address in LDAP profile.

65645

Fix to allow maximizing Director task window.

65649

Templates attached to device groups are incorrectly added to Device Service Template. This issue has been fixed.

65658

Cannot select firewall service for fifth tenant when workflow template resolution is set to 1366 x 768. This issue has been fixed.

65661

Server configuration cannot be updated when IP address is not configured in LDAP profile. This issue has been fixed.

65666

Fix SD-WAN rules output in application monitor.

65679

Fix for password field that was displayed in clear text when logging into Versa Director.

65682

Fix for GUI issue that caused multihoming under Aggregated Ethernet interface not to work.

65738

Cannot update client CA Chain in Certificate Auth Profile. This issue has been fixed.

65779

Cannot configure loss as dotted decimal in SLA profile. GUI was pushing only integer values. This issue has been fixed.

65807

Add support for LLDP statistics in Monitor screen.

65817

Fix incorrect staging pool restriction for Hub-Controller nodes.

65857

Remove availability requirement field from Server pool tab.

65881

VLAN ID is enabled when trunk is configured as interface mode. This issue has been fixed.

65884

Shared control plane field overlaps with organization field. This issue has been fixed.

65894

Fix parameterized values update and validation issue in ILC.

65916

Fix issue in BGP advertised routes that was showing incorrect subnet mask for the advertised prefix.

65948

Cloud profile type is now a mandatory field on the cloud profile page.

65966

Network addresses are accepted in the dstAddrIpv4 and srcAddrIpv4 fields in the bind data in IPsec section.

65980

Fix Eye icon in login screen so that it does not display password in clear text.

66017

Fix typo in CPE Public Cloud workflow.

66134

Add validation for encrypted keys in template configuration before committing via apply Template to device.

64773

Device deploy with a redundant template that has a site-to-site tunnel for tunnel gateway or Virtual WAN does not create tunnel objects. This issue has been fixed.

64609

URLs sent in VSA notification mails are updated with appropriate links.

64598

Release 21.1 Director pushes incorrect PSK key to Release 20.2.x devices when applying a template to a mix of Release 20.2.x and Release 21.1 devices. This issue has been fixed.

62422

Add user account type SERVICE/GENERAL to allow customer to use user accounts only for Rest APIs and disallow GUI login.

60805

Fix RBAC cache issues in failover.

59969

Add sort-by name functionality in the Controller listing screen.

63464

Add support for Concerto client SSO screen.

61492

Fix issue in which device software version in postgres was set to blank for devices that were down. This was affecting RMAs.

66040

Fix issue to support IDP and local SSO logout for Versa Director, Analytics, and Concerto.

63987

Remove the wait time when stopping the appliance monitoring thread, and configure the scheduler to run the threads efficiently. This important fix allows a scale setup to run appliance monitoring efficiently.

59207

Fix issue with sync status when parallel requests are made to push configuration in Appliance view.

62205

Fix issue with uCPE VNF creation task when the template is committed to the device from the Diff View screen.

58477

Add support for federated SSO logout and to show custom login page after SSO logout.

60160

Fix issue with publishing appliance generated alarms to Kafka topic and AMQP server.

59464

Devices under Monitoring and Configuration tabs are not shown after HA failover. This issue has been fixed.

58921

Cannot export Versa SSO SP metadata from SSO screen to upload to external IDP. This issue has been fixed.

64445

Fix XPath injection vulnerability that was found in appliance APIs.

64443

Fix information disclosure vulnerability that was found in appliance APIs.

60156

Change SSO SAML samlp:RequestedAuthnContext method from Exact to Minimum to allow multifactor IDP login authentication.

64442

User Enumeration vulnerability seen with user read/creation/update/deletion and change/reset password and unlock user account APIs. This issue has been fixed.

65860

LDAP bind password decryption error seen in template/appliance context. This issue has been fixed.

Many

As part of many bug fixes, many of the fields that define appliances are now encrypted when they are sent to appliances, including BGP and OSPF passwords, SNMP user passwords, and the MDM profile client secret.

Fixed Bugs in Release 21.2.2

The following table lists the critical and major defects that were fixed in Release 21.2.2.

Tracking Bug

Description

43606

Fix drop-down compatibility issues in Firefox browser.

48020

Director uptime screen now reflects timezone data properly.

48033

Fix values shown for source network field on NTP page.

48973

Fix vulnerability regarding HTTP host header injection.

51468

Fix navigation glitches from the authentication policy rule screen to the address group screen.

52518

Director notification popup now shows different HA alarms, including HA-SLAVE-DIED, SLAVE-DIRECTOR-OFFLINE, and SLAVE-INCORRECT-MODE.

54132

Fix incorrect template status on Apply Template screen.

57028

Fix incorrect values for free memory in System Details card on Monitor screen.

57693

Fix apply template failure when description field contains the quotation (").

58050

Add parameterization validation when a field has values such as {$v

62949

Add support for configuring the RADIUS and TACACS+ timeout.

62998

Fix IPv6 VRRP screen for parameterizing variable limitations.

63854

Add support for reordering rules in secure access portal and security gateway policies.

64330

TenantSuperAdmin can now download OS SPacks.

64337

Organization context is now maintained when the user switches to a different tab under the Configuration tab.

65069

Fix refreshing of autogenerated bind data values when device workflow name changes.

65658

Fix template workflow resolution issue that was preventing the user from seeing drop-down values.

65818

Default action is now set for policies added by template workflow.

65964

Director UI does not validate and provide feedback to user if there are errors in adding a user on the User Management screen.

66020

Fix element order issue during apply template.

66061

Fix issue in which the TenantOperator user cannot view device workflow object content.

66257, 66263, 66442

Fix search functionality in Profiles > DHCP and Services > SD-WAN > Controller, Authentication policy rules pages.

66416

Add support for external auth user to take Director snapshot.

66417, 66418

Fix corner cases while taking Director snapshot.

66582

Add encryption-proto support in workflow template.

66668

Add support to show statistics per traffic class or per forwarding class on the Monitor > Networking > CoS > Interfaces > Detail/Extensive screen.

66965

Destination IP address and port fields can now be parameterized on log collector screen.

66983

Fix issue of tenant users removing subscription from their own organization when saving it.

67008

Fix to set the correct username for a task.

67305

Fix intermittent LDAP user and group fetch issue.

67327

Fix CGNAT configuration issues when LAN Interface is part of the provider organization.

67582

Fix issue in which an organization cannot be deselected if service templates are associated with that organization on the Device Group screen.

67603

TenantSuperAdmin is now allowed to perform sync-from operation.

67628

Fix task messages for bulk VOS device upgrade.

67677

NPE now does not generate an error if an HA pair site location in the asset table is empty.

67758

DSL interface and PPPoE username and password fields can now be parameterized.

67783

Service template bind data is now cleaned up when user deletes a service template from a device group.

67905

Increase FD limit for Director process.

67949

Fix disabling of OK button until the data is loaded on the VR page.

67965

Device name field now has uniform name for Director-generated alarms.

68006

Honor release date in the package to select the latest image during bootstrap of VOS device.

68041

Add support for editing OS SPack settings.

68064

Fix cross-connect select and deselect issues in template workflow for redundant templates.

68104

Fix HTML tags in message body of notification rule.

68231

Add GUI option to restrict routing and connectivity across regions.

68271

Fix CA chain certificate expiration issue in the UI.

68363

User can now make NMS action API calls with external OAuth token.

68372

Monitor screen now supports Layer 2 SD-WAN VOS device traffic.

68718

Custom user role can now create NTP server instance.

68847

Fix to pick correct Trusty/Bionic VOS image while pushing image to VOS device.

68914

Add support for deleting VRFs from the spoke group screen.

68923

NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window.

68978

Fix HA template and Layer 2 interface configuration issue in template workflow.

68996

Fix monitor dashboard LTE display screen.

69246

For the Ubuntu 18.04 OS, if isolate-cpu is enabled on Rangeley CPU–based system, the services sometimes fail to start.

69314

SNMP trap profile does not allow the '.' (dot) character. Only these special characters are allowed: _ # = + ^ $ @ : . { }

69491

Add support for DNS filters under configuration.

69555

TenantSuperAdmin can now see organization workflows that are in the saved state.

69590

Add pagination for Locked User screen.

69641

Fix duplicate key sdwan-post-staging issues on Device Group screen.

69808

Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log.

69859

Fix issue of IKE changing on Controller node while redeploying a device workflow.

69860

Path policy configuration now accepts free-form text.

69877

Fix hub template workflow.

69916

PPPoE service name now accepts special characters.

69949

After adding service chain under organization limits, service menu now shows correct options for service chain template.

69987

Entitlement report does not take into account the license year when reporting peak usage metric.

70002

Fix NGFW security policy rules filter issue.

70138

Changing IP address pool using docker-overlay-config.sh now prompts for confirmation to restart service.

70234

Add support for URL ZTP over xDSL interfaces.

70284

Per-user policies now are enabled when rate is parameterized.

70313

Fix sorting functionality for System Summary tables on Monitor screens.

70318

Fix download merge configuration issue on commit template screen.

70336

BGP, IKE, and paths on the monitor page now show correct data after deleting a VOS device.

70338

Add support for user type data for IP-SLAM Monitor next-hop fields.

70342

Fix for notification rule payload not having phone number.

70368

Fix issues with importing service template configuration.

70394

Asset summary now shows count for service VNFs.

70441

Suppress unwanted logs while fetching get-vnms-ha details from standby Director node.

70459

Fix incorrect security package information on monitor screen.

70526

Fix RMA issue when encryption is enabled on Director node.

70560

Fix for calling uCPE VNF operation each time a service chain template is committed.

70585

Fix display of common template address group objects in device template.

70613

TLS v1.3 configuration in Proxy Profile window is not activated.

70647

Fix display of overlay address schema popup if controller already exists in the system.

70649

Fix units in Live monitor graph on monitor screen.

70656

Fix for template failing to add WiFi interfaces when the security mode is none.

70659

Service template references are now removed from device workflow when service template is deleted.

70661

Fix corner cases when user opens existing device workflow objects.

70789

Add ability to configure port number on secure-access server screen.

70790

Add ability to configure the port number in the server group URL on the secure access server screen.

70814

Fix DHCP mapping file upload issue.

70845

Option to configure custom block action under captive portal in a template is missing.

70857

Add per-user policers under class of service on monitor dashboard.

70932

Restrict TSA users so they cannot view other tenant appliances in IP SLA next hop UI page.

70955

Fix IPv6 identification in Tools > Ping page.

70956

Allow parameterizing fields in prefix list on device template screen.

70957

Fix autogenerated values that were missing in a secondary Hub Controller.

71004

Allow more than eight interfaces in a Workflows template.

71006

RBAC-protect the nms/cloud/systems/getAllApplianceNames API call.

71083

Fix pushing default values along with user changes in the form.

71106

Make APN parameters for WWAN interface optional.

71210

Custom role user now can perform speed test.

71327

Fix bind data page to accept network address for IP address object.

71330

Fix issues with TenantSuperAdmin accessing appliance shell through GUI.

71386

Fix IP address and mask parameterized validation in service templates.

71471

Fix for duplicate key value violating unique constraint appliance_hardware_pkey error while onboarding a VOS device.

71477

TSA users can now take configuration snapshots of the common template.

71515

Fix the display of LEF profiles in secure access service templates that are configured in common templates.

71522

Fix for TenantSuperAdmin failing to delete VOS device.

71530

Fix special cases in Versa Analytics cluster installation script.

71622

Fix issues on DHCP relay profile edit screen.

71623

POE warning prevents configuration of a VNI interface even when the POE attribute is not enabled.

71638

Fix spoke group bulk deletion issue.

71665

Add support for Available Provider Organizations configuration on Org Limits page.

71685

Fix for scheduling image upload task messages that are not progressing.

71686

Fix for scheduling template issues when the VOS device is not reachable and the job is triggered.

71749

Fix issues on Hardware UI page.

71757

Add support for the special characters "{", "}", and "#" in the SNMP manager in Workflow template.

71785

Fix for backup Director node not being able to take over as primary when port 5432 is not available.

71812

Remove autoconfiguration and URI fields from WiFi screen.

71831

Fix for Workflow template going blank while removing suborganization.

71863

Handle automerge gracefully when preserve appliance changes is disabled.

71903

Fix for Director node loading page even after logging out of Director node.

71917

Fix Director login issue for Bionic images.

71944

Fix for reset button not working on monitor screens.

71977

Fix for showing empty content for File Filter field on monitor page.

71983

Fix filter on monitor screen when switching from Appliance > Configuration > Objects > Addresses to the Monitoring tab.

72046

Fix for custom role tenant user not being able to log in to Analytics node from Director node.

72070

Fix incorrect order of BGP policy terms after workflow template is redeployed.

72084

Add missing dot1p-rw-enable field under QoS profile.

72094

For virtual switches, MAC learning is now enabled by default.

72110

MTU for IRB can now be configured in the UI.

72183

Fix creation of shared service and service template configuration objects.

72186

Fix template workflow blank screen issue.

72215

Fix Director rollback issue.

72305

Fix to reset local preferences for remote region hub.

Fixed Bugs in Release 21.2.3

The following table lists the critical and major defects that were fixed in Release 21.2.3.

Tracking Bug Description
13550 Update NSO to Version 4.7.10.
38973 Rewrite all NCS bound live-status APIs as dashboard live APIs.
48198 Monitor screen should show appliance system and service uptime.
48560 Remove the failover button from template under high availability.
49052 Sort and search operation issues on Director Monitor > Recent Events details screen.
54430 General service templates to modify BGP configuration without requiring router ID configuration via GUI.
58799 Fix for incorrect appliance type for appliances created on AWS or Azure.
58921 Ability for users to export SSO metadata to upload to external IDP.
59385 OS SPack URL parameter changes to pass Ubuntu Bionic/Trusty OS platform information.
59896 Unable to export keys to appliances.
60588 Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed.
62390 Automate appliance host key refresh.
62519 Add support to create region in the Workflows template tab.
63168 Password string should be encrypted from UI browser.
63376 Cookie Without Same Site flag detected.
63733 LTE interfaces do not display in GUI for a deployed template if PPPoE is configured.
64059 Cannot redeploy the device because the WiFi password is encrypted on the backend, and when the UI applies plain-text validation to the encrypted text, the validation fails.
66012 Add a CLI command to set auto-merge as a default option.
66259 Display timezone details in director-HA failover alarms.
66260 HA UI form displays same alarm results multiple times.
66372 Fix for issue sending SMTP email notifications for alarms.
66436 Extend local group name field length from 32 to 64 characters.
67118 Non-associated organization is shown under Appliance.
67373 Add ability to export the device list on Director GUI pages.
67963 Fix for failure to enable HA when Director node has more than 500 appliances.
68231 Add a GUI option to restrict routing and connectivity across regions in an organization workflow.
68466 Add a script or command to reinitiate Kafka connections.
68637 Pagination is not working in task window.
68665 The " and & characters in a description are translated to " and &, respectively.
68690 Tomcat HTTP requests to Analytics now clean up or time out properly.
69340 Add an alarm on Concerto and Director if Kafka channel between them is broken.
69404 Performance improvements for appliance monitoring.
69405 Workflow template commit failed when LDAP password is configured with double quote ' " ' in parameterized bind data.
69642 Add support for "DHCP" as a bind variable value for IP addresses.
69920 Fix to ensure that WAN networks updated at the organization level propagate correctly to available networks in a tenant common template (DataStore template).
69996 Add GUI option "Mirror Interface" for uCPE interfaces.
70202 Add kernel version check during preupgrade.
70566 Display serial number on rollover popup window under Administration Appliance list table.
70799 Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed.
71015 Add ability to change staging pool on Hub-Controller device.
71052 Enable TACACS+ server reachability over multiple transports.
71204 SPack downloads and installation alarms are missing on the Director node.
71336 Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized.
71337 Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized.
71529 Add ability to push certificates during ZTP and apply template.
71566 Add VOS configuration options for dynamic-scaling parameters in the GUI.
71789 Allow hardware inventory search based on hardware serial number and site ID.
71896 GUI and CLI do not match for name character limits for BGP instance under virtual routers.
72102 Filter is not working on Audit Logs page.
72232 Fix file size issue for captive portal pages.
72321 Cannot set the captive portal parameters such as FQDN and IP address.
72335 Fix for display devices issue on the Template Commit screen.
72388 A huge number of NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed.
72396 Add ability to abort an ongoing debugging operation and redirect the context to the Welcome-follow-up on chatbot.
72413 Add validation in the organization workflow to check that suborganizations do not have the same name as the parent organization.
72417 Pagination is not working properly for Bridge Domain screen.
72425 Values are not saved in DHCP Server on the DHCP > Server > Servers screen.
72473 Local database user password that contains an ampersand (&) is pushed incorrectly from the Director node to the appliance.
72480 You can add a ZScaler GRE tunnel without a VPN Profile in the Template workflow.
72485 Allow copying of chatbot text.
72525 Workflow Template creates duplicate neighbor entries in BGP.
72619 LEF profile referred to in the DHCP configuration is not present. This issue has been fixed.
72637 Update APIs to upload and delete tenant-specific CA and CA chain certificates.
72798 WAN interface details are not displayed when template with WAN/LAN on the same port is reopened.
72829 Appliance system informational Kafka message now includes appliance ping and sync state.
72909 Appliance upgrade fails from Director node because of an OS check. This issue has been fixed.
72916 Enabling high availability on the Director does not work consistently. This issue has been fixed.
72963 Performance improvement for appliance dashboard APIs.
73026 TDF screen is spinning when trying to access the GUI.
73059 Enable EIM/EIF for dynamic-nat-44.
73063 Director upgrade fails because of database backup and restore issues. This issue has been fixed.
73076 Performance improvements for AMQP and KAFKA object change notifications.
73077 Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path.
73104 Avoid running validation scripts on standby Director nodes.
73108 Cannot add community options for a spoke group.
73122 Fix for Analytics cluster installer issues.
73183 Incorrect date and time in Live data graph for All Traffic.
73186 OAuth refresh token API now returns the proper roles in the response.
73195 Authenticate user or delete Controller call.
73305 Cloud-init module changed to prevent deletion of Director keys.
73316 Rename branch to release number in Director Appliance Monitor tab under Software Information section.
73423 Director not initiating connection to Analytics because of too many connections in CLOSE_WAIT state to the Analytics IP:Port.
73472 UI always sets the file-filtering reach limit action to allow.
73501 Invalid characters in cookie.
73537 After clicking refresh button on Services > Sessions screen, the message "No data to display" displays.
73546 Adding a new tenant in an existing post-staging template using the workflows API returns an error.
73610 Keep chatbot from corrupting the dialog flow data for a number of interactions.
73760 Log external authentication time.
73813 Appliance upgrade from Director node fails during ZTP. This issue has been fixed.
73832 Add support for downloading OS security pack for both Trusty and Bionic Ubuntu versions.
73847 European special characters are not accepted by Director in the address field under system configuration.
73854 Save device workflow keeps spinning during a save operation when some variables have no values.
73856 Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed.
73876 Captive portal configuration is deleted during commit.
73899 After you run the appliance status brief API call, appliances disappear from the appliances listing page. This issue has been fixed.
73974 Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page.
74092 Rules columns are blank in the session table.
74213 SSO login fails after running import-key-cert.sh script, because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed.
74276 Show RBAC Permission does not display actions correctly.
74399 Notification rules condition sets do not show all devices.
74578 Service template bind data variables are missing if redeployed from the Basic tab.
74609 Responder only option is missing in GUI for tunnel initiator in IPsec VPN profile.
74614 Fix for Get Director services status API issue.
74629 Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed.
74683 SD-WAN circuit priority variable created in workflow is overwritten in the device template.
74838 Fix issue with checking Service Template bind data.
74926 Vulnerability fix: Options response method enabled.
74941 On NGFW Shared Service Template > Captive Portal, not all parameterized fields are displayed in the Workflows > Devices >Bind Data tab.
74946 Updating a scheduled report returns an error.
75027 Under Monitor Service tab, routes filter action applies only on the current page.
75031 Tooltip shows an error message for invalid characters for SSID input field.
75052 Update ha_pair_validation script to check whether an appliance is present in the inventory table.
75069 Template commit error message on Director node is now sent to Concerto over Kafka.
75100 UI does load and displays the error "Failed to load data from server".
75111 Do not send empty Controllers when creating templates for spoke groups when the Controller is optional.
75112 Validate Controller names when creating and deploying templates.
75117 Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed.
75133 Cannot upload the certificate for secure LDAP from the GUI.
75186 Director node cannot load Add Controller details under SD-WAN Service.
75236 WAL files do not clean up automatically, causing high disk usage. This issue has been fixed.
75273 Device bind data in the workflows throws a remote server exception when saving or deploying the device.
75389 Issue with setting isStatingController flag has been fixed.
75429 Prevent Postgres logs from getting too large.
75471 Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed.
75512 Remove the reset option in the monitor GUI for guest VNFs.
75527 Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed.
75544 Director upgrade fails when executing the WorkflowsUpgrade script. This issue has been fixed.
75547 Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors.
75880 Deploying a template is failing, with a nested SQL exception.
75925 HTTP Strict Transport Security (HSTS) Policy Not Enabled (Port 443).
75951 Migration scripts now start after spring boot is fully up.
75963 SQL error occurs when creating a spoke template. This issue has been fixed.
75975 External AAA server authentication key displayed in clear text.
75992 On any templates > Objects > Custom Objects > Captive Portal Custom pages, no actions display in the UI.
76052 Authentication profile Caching Mode Setting not available in TenantSuperAdmin access.
76122 Fix for failures when simultaneously deploying multiple organizations.
76316 Director upgrade fails because spring boot does not go to the running state. This issue has been fixed.
76426 PFS set by workflows on peer Controller nodes does not match that of the first Controller node, causing issues during rekeying.
76427 Versa Director vulnerable to CVE-2021-44228: Apache Log4j2.
76487 Site-to-site local interface for HA cannot have quotes when using the active-active workflow template. This issue has been fixed.
76544 Display "B" flag on Director UI when user clicks on "i" in case the build is a Bionic build.
76613 Add available routing instances under the organization in the service chain template generated through Workflows.
76659 Add new vendor Netscout to the predefined vendor catalog list.
76667 Fix template commit issue by incorporating bind data validation for route prefixes.
76680 IPsec Site-To-Site screen should throw an error if no tunnel interface is specified for route-based tunnels.
76710 Template commit window fetches only the first 1000 templates.
76774 Southbound locking an appliance and then committing an unreachable appliance shows successful.
76902 Fix automerge when a list item to be deleted contains a space.
76903 Disable the "Data Interface Enabled" flag in the Service chain workflows VNF attributes for the Netscout vendor.
76946 Provide proper error message while deleting an active user.
77061 Task to show reboot message when Commit Template with Reboot is triggered from diff-view screen.
77103 Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed.
77119 fetch=count in the NCS APIs returns the count.
77120 UI does not accept patterns containing any characters after $.
77173 Add a prevalidation check to verify that the staging prefix length is from 8 through 26.
77233 Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed.
77246 Fix commit template task failure issue that occurs because of a concurrent lock.
77249 Make spoke group check and validation optional for a provider organization in a workflow template for multitenant scenarios.
77285 An issue with the output of the vsh status command (Director services status) has been fixed.
77324 View Profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS Profile.
77337 Add the ability to configure a customized IKE key on a VOS device using templates.
77353 System organization should not display on Add Notification Rules page when logged in as TSUPA user.
77379 Search does not work in Card view of Appliances page.
77488 Fix to address redistribution server heap overflow vulnerability.
77602 LEF configuration during spoke template creation on spokes with Hub-Controller Nodes (HCN) using template workflow should not include custom LEF connectors configurations from HCN nodes.
77639 Provide validation for inverse-mask-probability option in CoS drop profile.
77647 Do not allow duplicate Controller nodes to be added under Controllers in the workflow template.
77777 Support for multiple roles (array) in SSO user authentication.
77788 Appliance snapshot creation now happens when configuration is committed through the diff view window.
77896 Fix for customer snapshot upgrade failure.
77897 Issue with the Director patch script and validation script has been fixed.
77992 "Force logout" option should log out other active sessions, not the current session from which the force logout option was executed.
78108 Global ID for devices and organization have a range conflict in the UI.
78172 When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node.
78218 Fix Out Of Memory Error issue that occurs because of metaspace.
78240 The site-to-site tunnel in the workflow throws an error when you parameterize a WAN or LAN interface.
78296 Fix Appliance Brief API (/vnms/dashboardvnms/applianceStatus/{applianceUUID}/brief), which did not return Onboard status.
78340 Commit template fails because of an issue with setting skip-apply. This issue has been fixed.
78391 Cipher suite selection against the selection criteria is not correct.
78434 WAN link monitor configuration for redundant WAN links over a cross-connect link is not updated as expected for HA devices. This issue has been fixed.
78470 Fix to limit the size of VOS data for API calls.
78527 Workflow device bind data shows blank values for variables ending with "-internal".
78648 UI response is slow when displaying IPsec VPN profile data for 300+ remote clients.
78681 Fix for the slowness issue in the diff view page when it is opened from the Template commit page.
78788 Unknown devices pages not updating after upgrade to Release 20.2.4.
78801 Associating organizations throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed.
79135 Fix logical volume extension (lvmextend) script by adding the "-y" option for Ubuntu Bionic platforms. Previously this script was not working on Bionic platforms.
79143 Cannot apply HA configuration when the Director node is running Release 21.2.2 and a VOS device is running Release 20.2.4.
79192 Changing VNI port causes removal of the BGP configuration in template workflows.
79218 Ensure that the template workflow-generated DIA configuration for an IPv6 WAN uses matching BGP next-hop and TVI interface IPv6 addresses in the format ::ffff:169.254.x.y/127.
79331 Provide proper error message when deleting an active user.
79372 Allow the BGP router ID to be changed from the GUI.
79625 Add a check to verify the OS SPack package before installing it on a VOS device.
79626 From the Director UI, uploading the key on an appliance in a tenant organization fails.
79859 Fix to improve the response time of the get NB IP address API when the hostname/IP address mapping is not present in the /etc/hosts file.
80030 Push-Keys-To-Device shell script now escapes special characters in the password.
80085 Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed.
80172 NCS transaction leak issue has been fixed.
80177 Traffic-steering API sends split-tunnel disabled.
80279 Fix an issue with the appliances list page in the Administration tab.
80324 Add refresh option to Monitor > Services/Networking popup windows.
80340 Commit Template option displays a maximum of 1000 entries.
80412 Unable to download reports from Analytics Dashboard on Director UI.
80423 Vulnerability fix for CVE-2022-22965.
80448 Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities.
80492 Analytics Report after Page Reload gets stuck at /reporting/reportingView/ because an extra ampersand (&) is added at the end of a page reload.
80661 Monitor tenant recent events for specific severity instead of sort showing all severity events.
80687 Fix so that global site ID allocation throws the proper exception if allocation fails.
80815 IPv6 mode as router is added by default when creating an interface in the service template.
80862 Fix to reinitialize HTTP-client connection pool used by the APIs.
80874 When the Kafka server is down, the task-based async procedure takes a long time.
80918 Fix for URL ZTP over Hub-Controller when encryption is enabled.
81062 Fix to make sure alarms listed under Appliance > Configuration are correct.
81094 Appliances not displaying in UI.
81103 Confirm password validation fails when the field contains the characters &, <, or >.
81201 Fix to ensure Ctrl+C on Shell In A Box remains in the same shell.
81280 Fix to address Director split-brain by ensuring Director uses read-only transaction in standby mode.
81309 Duplicate entries for LAN interface present in the workflow template.
81327 Tenant user cannot create appliance tag when tenant is appliance owner.
81337 Handling CMS connector failures to include new regions.
81379 Add upgrade support for older devices.
81389 Fix issue where organization name does not display in the left tree under Monitor | Cache update.
81435 Fix for commit template sometimes failing with "No such transaction" by opening a new session each time.
81516 Do not advertise any routes from the LAN side to the transport VR to block clients behind those VRFs from communicating.
81698 Search tab under routes under Monitor Dashboard does not work.
81712 Appliance snapshot creation now occurs when configuration is committed through diff view window.
81716 Fix the upgrade script that deletes incorrect shaping-rate configuration on tunnel and tvi interfaces.
81846 Cookie No HttpOnly Flag + Cookie without SameSite attribute.
81849 Fix to address out-of-memory issue with a large number of concurrent requests.
82048 WiFi connected client stats Tx,RX are showing as "Nan undefined" on the Monitor screen.
82166 Webhook rejects anything after the port number.
82182 Interval value under IP SLA monitor is not rendered properly in the UI.
82474 Source map file leak vulnerability.
82525 Devices tab on the Monitor tab sometimes shows an empty screen.
82638 TLS v1.3 does not support all the necessary or matching ciphers.
82674 Handle empty service template bind data values during an upgrade from Release 20.2 to Release 21.2.2.
82750 Update the organization tree on the left side to always point to BeMaster. Issue observed when a Director failover was performed, and the organization tree under Configuration showed stale entries.
82287 Next-hop priorities under SD-WAN forwarding profiles should support values from 1 through 8.
82974 Update SSLv23 to communicate with Cassandra using SSL.
83003 Support in Bionic Director to ssh using DSA keys into Trusty VOS devices.
83153 Support SSL certificate generation on FIPS-enabled Director node.
83310 Add Director site-to-site tunnel validation for LAN VRs.
83319 Destination is shown as undefined/undefined when moving back from a higher page to a lower page.
83465 Download OS security package should support download of both OS SPack versions (Trusty and Bionic).
83556 Remove the 200-character length restriction for the Alarm Specific Problem field.
83626 Upgrade Java SSH library to allow parsing of Open SSH private keys and set FIPS-compliant key exchange algorithms.

Behavioral Changes

The following are behavioral changes in Releases 21.2.1, 21.2.2, and 21.2.3:

  • The CGNAT and DNS configurations are automatically added through template Workflows to support OOKLA-based speed tests.
  • The algorithm used to generate ptvi interface numbers in spoke template to hub controllers has been changed to accommodate hub controllers with large device IDs.
  • When you deploy a template Workflow, the implicit zones "remote-client" and "versa-speedtest" are created in the templates.
  • When you create or redeploy a template, the speed-test configuration is pushed to devices running previous software versions.
  • In Device workflows, when you create a new device, if you have navigated to the bind data tab and you want to change the device name, cancel the popup and repeat the workflow again. This procedure ensures that the correct automatic variable value is generated.
  • The GET /nextgen/applicationserviceTemplate/sample/allSamples API call replaces the GET /nextgen/applicationserviceTemplate/allSamples API call.
  • Under Monitor > Tools > Ping, the default packet size value of 5 has been removed, and the input is now restricted to positive, nonzero numbers. If you choose not to specify a packet size, a default value is provided.
  • Under Monitor > Services > Services, the VPN Clients field has been renamed to Secure Access. The options that were available under the VPN Clients field are now available under Secure Access > IPsec Profiles.
  • Under Monitor > Tools > Speed Test, the Versa and Internet tabs are added. The options that were available in the Speed Test field are now available under the Versa tab, and the new OOKLA-based speed test is available under the Internet tab.
  • The Routing Instance and Interface drop-down fields are no longer available under Versa speed test configuration. Instead, you must select from a list of WAN networks, and the corresponding routing instance and interface are automatically pushed along with the selected network name.
  • HA-related critical alarms and disk usage-related alarms are shown as notification popups at the top of the GUI when you log in.
  • When a Netconf notification for an SD-WAN branch LTE-only transport is received from a Controller node, the alarm is presented in the alarms GUI, and the branch is marked as being in the LTE-only state. When the device is reachable and in LTE-only state, monitoring is suspended for a period of 2 hours, by default. (This time period is configurable.) The LTE-only state is not obvious when navigating the GUI (it is seen only in alarms), but the appliance status API can show the state.

Limitations and Known Issues

The following are the limitations in Releases 21.2.1, 21.2.2, and 21.2.3:

  • If device deployment fails for an active-active scenario, the paired site ID is never generated correctly.
  • If you remove a link monitor from a WAN interface in the Workflow template and then commit the template, the existing configured monitor is removed. (Bug 65897).
  • The Director GUI may not open on Safari and MacOS 10.15, because the self-signed certificates that were used previously are not compatible with the new security requirements of the Apple Safari browser.

To install self-signed certificates, run the following commands:

sudo su - versa
cd  /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"

To install CA-signed certificates, regenerate the CA-signed certificates so that they honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/ 
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password

Then, synchronize the new certificate to all the Analytics nodes using the following script, which is located in the /opt/versa/vnms/scripts directory:

./vnms-cert-sync.sh --sync
  • If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers automatically fall back to HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with large payloads might fail, because not all of the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflow and template commit to appliances.
  • When you commit a template, the Director node may display an error when one of the interface description text field contains multiple quotation marks (Bug 57693, Bug 58568).
  • When you create device workflows, if you want to change the name of the device after navigating to the bind data tab, cancel the popup and then recreate the device. This procedure ensures that the variables are autogenerated properly.
  • When you deploy paired devices, if deployment of the first device fails but deployment of the paired device succeeds, and you want to redeploy the failed device, manually copy the paired location ID from the paired device to the failed device and then redeploy the first device.
  • For Release 21.2.2, central authentication is not fully implemented and there are a few limitations with the feature, including:
    • You cannot use SSO as central authentication.
    • You must perform user operations such as updates and password resets on the central Director node.

Enable HTTP 2.0 on Proxies

In Release 21.1.1, the Director web server (Apache Tomcat) was upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.

If an HTTP proxy, such as a load balancer, HAProxy, or NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

When users access the Director node through a secure proxy, such as Zscaler, the proxy's inspection of sessions to the Director node must be bypassed, or the proxy must be enabled for HTTP/2 and TLS 1.2 with the above cipher set.

After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:

  1. On the Director login page, right click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:

    Director_Login_Inspect.PNG
  2. In the Inspect window, select the Network tab.

    Network_Tab.PNG
  3. Right-click the column selector and select Protocol to display the Protocol column.

    Column_Selector_Protocol.PNG
  4. Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).

    Protocol_H2.PNG
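The same proxy requirements can be checked from a client instead of from the browser's Protocol column. The following script is an added example, not part of these release notes or of Versa software: it opens a TLS session pinned to TLS 1.2, offers only the four cipher suites listed above, requests h2 through ALPN, and reports whether the negotiated session meets the requirements. The Director host name is an assumed placeholder.

```python
"""Check whether a Director node (or the proxy in front of it) negotiates HTTP/2
over TLS 1.2 with one of the four cipher suites required in these release notes.
Added example; not Versa software. The host name below is an assumed placeholder."""
import socket
import ssl
import sys

# Required suites in IANA form (as listed in the section above) mapped to the
# OpenSSL names that Python's ssl module accepts in set_ciphers().
REQUIRED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
OPENSSL_TO_IANA = {v: k for k, v in REQUIRED_SUITES.items()}


def build_context(verify=True):
    """TLS client context pinned to TLS 1.2, the four required suites, and ALPN h2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REQUIRED_SUITES.values()))
    # Offer h2 first; a proxy without HTTP/2 enabled answers http/1.1 or no ALPN at all.
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    if not verify:
        # Only for a lab Director that still presents a self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls12_cipher_names(ctx):
    """OpenSSL names of the TLS 1.2 suites the context offers (TLS 1.3 suites excluded)."""
    return [c["name"] for c in ctx.get_ciphers() if not c["protocol"].startswith("TLSv1.3")]


def evaluate_handshake(alpn, openssl_cipher, tls_version):
    """Judge a negotiated session against the proxy requirements in this section."""
    problems = []
    if alpn != "h2":
        problems.append(f"negotiated {alpn or 'no ALPN protocol'} instead of h2; "
                        "the browser would fall back to HTTP/1.1")
    iana = OPENSSL_TO_IANA.get(openssl_cipher)
    if iana is None:
        problems.append(f"cipher {openssl_cipher} is not one of the required suites")
    if tls_version != "TLSv1.2":
        problems.append(f"negotiated {tls_version} instead of TLSv1.2")
    return {"ok": not problems, "alpn": alpn, "cipher_suite": iana or openssl_cipher,
            "tls_version": tls_version, "problems": problems}


def check(host, port=443, verify=True, timeout=5.0):
    """Connect to host:port and report what was negotiated (needs network access)."""
    ctx = build_context(verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return evaluate_handshake(tls.selected_alpn_protocol(),
                                          tls.cipher()[0], tls.version())
    except ssl.SSLError as exc:
        # A proxy with no overlap with the required suites, or TLS 1.2 disabled, ends up here.
        return {"ok": False, "alpn": None, "cipher_suite": None, "tls_version": None,
                "problems": [f"TLS handshake failed: {exc}"]}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "director.example.com"  # placeholder
    result = check(target, verify="--insecure" not in sys.argv)
    print("PASS" if result["ok"] else "FAIL", result)
```

A FAIL with "negotiated http/1.1" is the condition described in the limitation above, where large REST payloads may be truncated; a handshake failure means the proxy offers none of the required suites over TLS 1.2.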

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 21.2.1, March 19, 2021
Revision 2—Release 21.2.2, September 12, 2021
Revision 3—Release 21.2.3, August 2, 2022

Versa Operating System (VOS) Release Notes for Release 21.2

These release notes describe features, enhancements, fixes, known issues, and limitations in the Release 21.2 Versa Operating System™ (VOS™) software, for Releases 21.2.0 (simply called 21.2) through 21.2.3. Releases 21.2.1 and later are generally available (GA) releases and are supported for use in production networks.

August 2, 2022
Revision 3

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install the VOS Software

You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.

Versa Networks provides the following versions of the VOS software:

  • For systems running Ubuntu 14.04:
    • *-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
    • *.bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.
  • For systems running Ubuntu 18.04:
    • *-B-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
    • *-B.bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.

Upgrade to Release 21.2

You can upgrade VOS devices to Release 21.2 from Releases 16.1R2 (16.1R2S8) and later. If you are using an earlier software release, upgrade first to the latest Release 16.1R2 service release, and then upgrade to Release 21.2.

If the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 1878 or later before you upgrade the VOS device. To display the version of the installed SPack, use the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.

If you are upgrading from Release 20.2 to Release 21.2 or later on HA nodes, and if you have enabled information validation (info-valid) in the configuration of one or both HA nodes, you must disable the info-valid configuration before you perform the software upgrade. After the upgrade completes, you can re-enable the info-valid configuration.

To upgrade to Release 21.2 from the CLI:

  1. Ensure the current running package is present in the /home/versa/packages/ directory.
  2. Save the existing version of the configuration:
    admin@vnf-cli(config)% save /var/tmp/backup.cfg
    
  3. Copy the .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
    admin@vnf-cli> request system package fetch uri uri
    
  4. Install the new software package:
    admin@vnf-cli> request system package upgrade filename.bin
    
    Follow the prompts, and wait until the upgrade status shows that the upgrade is complete.
  5. Confirm that the new software has been installed:
    admin@vnf-cli> show system package-info
    

Downgrade the Software

To downgrade to the software image that was installed immediately before you performed the upgrade, issue the following command. This command restores the VOS device's configuration to the same state it was in just before the upgrade. Any configuration changes that you made since the upgrade are lost.

admin@vnf-cli> request system rollback to PRE-UPGRADE-1

Install a Software License for VOS Devices

A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not connected to a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.

New Features

This section describes the new VOS device features in Release 21.2. All features are introduced in Release 21.2.1 unless otherwise noted.

Layer 2

  • EVPN multihoming—You use Ethernet VPN (EVPN) multihoming to connect a customer edge (CE) device with one or more provider edge (PE) devices using EVPNs. EVPN multihoming helps improve network performance and increase the reliability of traffic flows between multihomed devices. The Versa Networks EVPN multihoming eliminates the need for proprietary technologies such as MC-LAG, virtual chassis, and VPC. See Configure EVPN Multihoming.
  • EVPN VXLAN—Virtual extensible LAN (VXLAN) is a data-plane encapsulation technology that allows you to run EVPN over an IP network using standard VXLAN encapsulation over UDP. In multitenant and cloud environments, VXLAN allows a network to handle much larger traffic loads than traditional VLANs, while providing the same traffic isolation and segmentation as classic VLANs. On the LAN or underlay ports, VOS devices use data plane-based learning and forwarding, and across VXLAN peers they use standards-based EVPN-VXLAN reachability exchange and forwarding capabilities. See Configure EVPN VXLAN for SD-WAN.
  • LACP enhancements—You can configure a unique chassis ID on each VOS device. You can configure an admin key, which allows ports from two separate VOS devices to behave as if they are part of the same aggregate interface. See Configure EVPN Multihoming.
  • Layer 2 services—You can configure Layer 2 services, allowing you to apply many existing SD-WAN path selection policies to Layer 2 traffic, including Layer 2 SD-WAN policies, SLA profiles for Layer 2 SD-WAN traffic steering, and MOS score monitoring of Layer 2 traffic. See Configure Layer 2 Services.

Platform

  • APN name in URL ZTP procedure—(For Releases 21.2.2 and later.) As part of the URL ZTP procedure, you now have to provision the APN name, PIN, APN username, and APN password.
  • Duplicate IP addresses—(For Releases 21.2.2 and later.) If an IP address is detected that duplicates any IP address configured on a VOS device, an alarm is generated.
  • Embedded 5G module for CSG700 and CSG1000 series appliances—(For Releases 21.2.3 and later.) CSG700 and CSG1000 series appliances can be equipped with factory-installed enterprise-grade 5G modules. The 5G modules support the FR1 mode of operation (also called sub-6) and associated frequencies to provide a consistent, flexible, and optimized WAN connection. You can use the 5G module WAN links as a primary or backup link.
  • Health checks on interfaces—You can perform periodic health checks on interfaces. See Configure Interfaces.
  • Internet speed tests—You can run speed tests for VOS devices from a Director node using predeployed internet speed-test servers. To run an internet speed test, you need only an internet connection over a WAN link to reach the internet speed-test server, eliminating the need to deploy an independent speed-test server. See Run Internet Speed Tests.
  • IP addresses on logical interfaces—(For Releases 21.2.2 and later.) The maximum number of IP addresses that you can configure on a logical interface has increased from 8 to 128.
  • MLPPP on T1/E1 interfaces—T1/E1 NIC interfaces support multilink PPP (MLPPP) on T1/E1 CSG Series NIC interfaces. MLPPP allows you to bundle separate PPP links into one bundled PPP interface to provide one higher-speed connection across a WAN. See Configure Interfaces.
  • OS security packages for Ubuntu 18.04–based VOS images—Versa Networks provides two sets of VOS images, one based on Ubuntu 14.04 and the other on Ubuntu 18.04. Prior to Release 21.2.1, Versa Networks provided Ubuntu OS security packages (SPacks) for Ubuntu 14.04–based VOS images. See Use OS Security Packages.
  • Path MTU aging time—You can configure the path MTU aging time, in seconds, at the interface level; after this time a path MTU record expires. A new probe is initiated within this interval to keep the record fresh. See Configure SD-WAN Sites.
  • PPP PAP and CHAP on T1/E1 interfaces—You can configure the T1/E1 authentication protocol and associated password using the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) authentication methods for PPP. See Configure Interfaces.
  • PoE power management on CSG appliances—You can configure PoE parameters on PoE interfaces on Versa Networks CSG appliances. See Configure Interfaces.
  • Proxy ARP and proxy NDP—Ethernet interfaces on VOS devices support proxy ARP (for IPv4) and proxy NDP (for IPv6). You can now configure proxy ARP for a set of IPv4 subnet prefixes or ranges, and proxy NDP for a set of IPv6 address ranges. Proxy ARP and proxy NDP provide local responses, allowing VOS devices to reduce the amount of broadcast traffic over Layer 2 networks (such as EVPN) across SD-WAN and VXLAN. See Configure Interfaces.
  • QAT and SSL-TLS proxy—You can offload the SSL/TLS encryption and decryption functions to QAT for hardware-based acceleration for these cryptographic functions, for hardware platforms that use Intel QAT on Rangeley, Denverton embedded QAT blocks, and Coleto Creek cards with dedicated QAT processors. See Configure HTTP/HTTPS Proxy.
  • Secure boot—CSG700 series appliances running Ubuntu 18.04 support UEFI secure boot. UEFI secure boot is a verification mechanism for ensuring that a VOS device boots only software components that are trusted by the original equipment manufacturer (OEM), which, in this case, is Versa Networks. See Verify Support for UEFI Secure Boot.
  • Session limits—The default maximum number of sessions that a VOS device supports is now automatically adjusted down or up based on the total amount of system memory. (In releases prior to Release 21.2.1, the default maximum number of sessions was fixed at 1,000,000.) Note that you should change the maximum number of sessions only during a service maintenance window, because as soon as you click OK, all services on the VOS device restart automatically.
    Note that because the earlier default value for the session limit was 1,000,000, if you configure a value of 1,000,000, it becomes impossible to distinguish between an explicitly configured value and the earlier system default. It is recommended that you configure a value slightly more or less than 1,000,000 to override the older default value of 1,000,000.
    The following table shows the maximum number of sessions supported for different amounts of memory. It is recommended that you not increase the number of sessions beyond the maximum values shown in the table, because the VOS software is tuned to handle values up to the listed maximums.
     
    Total Memory (RAM) Maximum Number of Sessions
    4 GB 32,000
    8 GB 100,000
    16 GB 500,000
    32 GB 1,000,000
    64 GB 2,500,000
    96 GB 4,000,000
    > 96 GB 5,000,000

See Configure Service Options.

  • TPM1.2 password encryption—The TPM cryptographic module provides a hardware-based approach to manage user authentication, network access, and data protection.
  • TPM2.0 PSK—CSG series appliances and certified white-box platforms support TPM2.0 with an Ubuntu 18.04 image, and they support PSK storage in the TPM2.0 chipset. VOS devices use TPM to authenticate CSG appliances.
  • Traffic policing for source IP address or per originating device—You can police traffic generated by end stations. Each end station is organized by source IP address (that is, by a /32 address). Policing allows you to rate-limit traffic generated by end stations so that WAN bandwidth can be shared more fairly among the end stations on a LAN.
  • TWAMP-light—Two-Way Active Measurement Protocol light (TWAMP-light) allows you to measure network performance and send multivendor interoperable probes on LAN interfaces, WAN interfaces, and IKEv2-based IPsec tunnels. See Configure TWAMP-Light Test Sessions.
  • USGv6 compliance—Versa Networks complies with the USGv6 testing scope and criteria, and has also initiated testing and certification of the Versa solution for USGv6 compliance.

SASE

  • Application reverse proxy—(For Releases 21.2.1 and later.) Application reverse proxy protects software as a service (SaaS) applications from direct access by unmanaged devices that do not have the Versa client installed to connect to Versa Cloud Gateways. See Configure Application Reverse Proxy.
  • Cloud access security broker—(For Releases 21.2.1 and later.) CASB is on-premises or cloud-based policy enforcement software that secures the data flowing between users and cloud applications to comply with corporate and regulatory requirements. CASB applies enterprise security policies when users access cloud-based resources. See Configure CASB Profiles.
  • Data loss prevention—(For Releases 21.2.1 and later.) DLP is a set of tools and processes for detecting and preventing data breaches, cyber exfiltration, and unwanted destruction of sensitive data. The VOS DLP oversees, tracks, and reports all data transactions in the network, scanning all content that passes through an organization's ports and protocols to ensure data security in the organization. 
  • Endpoint information profiles—(For Releases 21.2.1 and later.) You can configure an endpoint information profile (EIP) to classify endpoints based on various endpoint posture information, including SASE policy, security, traffic steering, and public and private application access entitlements. 
  • Malware sandboxing—(For Releases 21.2.1 and later.) VOS devices identify zero-day malware risks by performing malware analysis in a sandbox environment. The VOS file reputation and sandboxing services allow VOS devices to check for the presence of malware in files being downloaded. 
  • MDM profile—You can create a mobile device management (MDM) profile to retrieve device information from a graph server and associate the MDM profiles with a Secure Access Portal or a Secure Access Gateway to verify device information during Versa secure access (VSA) client registration (portal) and after registration (gateway). See Configure MDM Profiles.
  • User and entity behavior analytics—(For Releases 21.2.1 and later.) UEBA provides a custom combination of predefined rules that can be associated with a tenant.
  • Versa Director–managed site-to-site tunnels—You can create a Versa Director–managed IPsec site-to-site tunnel between a provider Director node and a tenant Director node so that the tenant can use services available from the provider Director node as if the services were available directly from the tenant Director node. See Configure Site-to-Site Tunnels.
  • VSA application-based traffic steering—The Versa secure access (VSA) client supports traffic steering on Windows 10 and macOS clients. The application-based traffic steering features allow you to determine breakout traffic based on Layer 7 criteria, such as application name and FQDN. See Configure the Versa Secure Access Service.
  • VSA granular user profile administration—You can use profiles to control user behavior even before the connectivity is completed. Profiles determine behavior such as tunnel characteristics and gateways to which the users can connect. See Configure the Versa Secure Access Service.
  • VSA multiple policy support for portal and gateway—You can configure multiple policies for the portal and gateway. Contextual information, such as username, user group, location, and device compliance status, are used to download and apply the appropriate portal or gateway policy. See Configure the Versa Secure Access Service.
  • VSA OTP support over email—You can send an authentication one-time password (OTP) over email. Prior to Release 21.2.1, you could send the authentication code only using SMS. See Configure the Versa Secure Access Service.
  • VSA SAML—VSA supports SAML-based integration with identity providers. See Configure the Versa Secure Access Service.
  • VSA subscriptions—You can configure an on-premises VSA subscription license for each authorized user who is allowed to access the VSA client service. See Configure Versa Secure Access Subscriptions.
  • VSA time-based OTP (TOTP)—VSA supports TOTP, which generates a one-time password using the current time as a unique factor. See Configure the Versa Secure Access Service.

SD-WAN

  • Adaptive traffic bandwidth shaping—You can configure the bandwidth available on a link to upload and download data. This information is used in computing adaptive traffic shaping. See Configure Interfaces.
  • Codec and MOS score and policy-based traffic management—VOS devices support additional UCaaS applications, including Zoom, Cisco Webex, and RingCentral. You can apply MOS detection, reporting, and traffic engineering to these UCaaS applications. See Configure MOS Score Monitoring.
  • Destination zone matching in SD-WAN policies—SD-WAN policy rules can match based on the destination zone. See Configure SD-WAN Policy.
  • DIA traffic load-balancing methods—DIA traffic load-balancing methods, weighted round-robin and high available bandwidth, are supported. See Configure SD-WAN Traffic Steering.
  • Inherit uplink or downlink bandwidth of paired site—An active-active setup automatically inherits the configured physical interface uplink or downlink bandwidth of a paired site as the reference bandwidth for corresponding cross-connect links to use for load-balancing logic. See Configure SD-WAN Traffic Steering.
  • Per-user policers—(For Releases 21.2.2 and later.) You can configure and monitor per-user policers for QoS Profiles. See Configure CoS.
  • Riverbed compatibility mode—The VOS software Riverbed compatibility mode allows you to deploy WAN optimization and SD-WAN products together while retaining the full functionality of each product, so that you can use Versa Networks for SD-WAN and WAN Edge and Riverbed for WAN optimization.
  • Traffic steering based on monitored bandwidth—Policy-based forwarding (PBF) can use monitored bandwidth as the reference bandwidth used to calculate the remaining capacity of each access circuit. The bandwidth monitor module maintains a historical maximum of monitored bandwidth for each WAN link and uses the monitored bandwidth as reference bandwidth in PBF. Using the monitored bandwidth as the PBF reference bandwidth helps identify the long-term stable bandwidth at a specific time of the day that has been offered or guaranteed by a service-provider for that WAN circuit. See Configure Layer 3 SD-WAN Traffic Steering Based on Available Bandwidth.
  • Traffic steering enhancements—The following enhancements have been made to traffic steering:
    • SD-WAN policy and traffic management capabilities, including Layer 2 traffic pinning and Layer 2 flow management across SD-WAN tunnels, so that you can use existing SD-WAN policies for Layer 3 flows on Layer 2 flows.
    • MAC address, IP address, and URL filtering to drop, forward, and accept Layer 2 traffic.

See Configure SD-WAN Traffic Steering.

Security

  • Dynamic assignment of VLANs using the 802.1X device authentication—You can configure an authentication server to dynamically assign VLANs to bridge ports using the 802.1X device authentication flow. After a port is authenticated using 802.1X device authentication, the authentication server assigns a VLAN to the port. See Configure Dynamic VLANs Using 802.1X Authentication Flow.
  • Firewall rules management enhancements—When you create a security rule, you can select the priority, and you can add a rule above or below an existing rule. You can also disable a rule. See Configure NGFW.
  • Layer 7 device authentication and compliance—You can authenticate client devices based on client or user certificates. Client certificate-based authentication is a function of the VOS TLS proxy, and you configure it in a decryption profile. See Configure HTTP/HTTPS Proxy.
  • Network DLP—You can configure Data Loss Prevention (DLP) on VOS devices and Versa Cloud Gateways. In conjunction with Security Access Control policy, the DLP module ensures that the data that is exported does not contain any sensitive information. See Versa Data Loss Prevention.
  • Service endpoints—You can configure service endpoints with captive portal, which allow you to install service filters for each routing instance. See Configure URL Filtering.
  • Upgrade the application engine protocol bundle—You can upgrade the application engine protocol bundle, which is a database that contains 3600+ signatures that are used to detect and identify applications. It is included in the SPacks. See Use Security Packages.

Fixed Bugs

The following tables list the critical and major defects that were fixed in Release 21.2.

Fixed Bugs in Release 21.2.1

Bug ID

Summary

35738

Upgrade various third-party and open source packages that VOS devices use to address vulnerabilities.

38310

A defect in the IPsec module caused the versa-service process to crash and caused a service restart. This issue has been fixed.

45615

Unable to move an OSPF network between OSPF areas of the same routing instance within a single commit. This issue has been fixed.

48993

CPU load statistics sometimes display values greater than 100%. This issue has been fixed.

52361

BGP neighbor alarms do not display the complete site name, depending on the number of address families and capabilities that are exchanged. This issue has been fixed.

52874

IPsec alarm configuration is not honored, and destination and soak intervals are not activated. This issue has been fixed.

54127

When a VOS device receives more than four fragments that constitute an IP packet, sometimes the fragments are not reassembled correctly, causing the packets to be dropped. This issue has been fixed.

54479

The Python binary might have incorrect permissions or capabilities set, which prevents the SPACKMGR process from starting. This issue has been fixed. The permissions and capabilities are now forcibly set.

58693

The versa-certd process crashes when handling a USER certificate. This issue has been fixed. VOS devices now handle a USER certificate in addition to the SIGN (signing) and ENCR (encryption) certificates.

59618

The versa-infmgr process crashes because it incorrectly handles a stale link-update message, which causes services to restart. This issue has been fixed.

59972

The versa-services process might restart during a security pack (SPack) upgrade because of a race condition that occurs when accessing an internal data structure. This issue has been fixed.

60526

New branch staging might fail if IKE flaps or if the WAN IP address keeps changing. Because older IKE connections linger, the IP address pool runs out of addresses, causing the staging of a new device to fail. This issue has been fixed. Now, the DPD process is more aggressive.

60708

Because of timing conditions, older software-upgraded alarms and service-restarted alarms might be generated after a service restart. This issue has been fixed.

60879

When multiple CoS OIDs are passed in the same snmpget request, the versa-vmod process does not clear some internal tables, causing this process to restart. This issue has been fixed.

60968

When you upgrade the software, a redistribution policy term that has DHCP as the match protocol might lose the match protocol, and the term ends up matching all protocols. This issue has been fixed.

61174

If the export-vrf global-vrf-id pushed from a Director node to hub devices is greater than 16000, the resulting reserved label overlaps with the signaled label space, causing incorrect packet forwarding. This issue has been fixed. Now, the reserved label space does not overlap with signaled label space.

61177

During failover on an active-active node with replication enabled, some packet buffers are leaked. This issue may occur if FEC is enabled on remote sites and FEC is not enabled on the local site or hub, but Preserve Order is enabled. As a workaround, disable FEC Preserve Order at the local site and disable reorder in the forwarding profile. This issue has been fixed.

61705

VOS image upgrade might fail because the /opt/versa/upgrade/scripts/nacm-edit.lua script fails. The failure occurs because NACM rules are missing. This issue has been fixed.

61998

When a VOS device receives IPv6 Multicast Listener Discovery (MLD) packets, a crash may occur. This issue happens only if the multicast/broadcast domain has IPv6 MLD speakers and the IPv6 MLD packets, which are multicast packets embedded in ICMPv6, reach a VOS vni interface. (MLD is an IPv6 protocol that IPv6 routers use to discover multicast listeners on a directly attached link, just as IPv4 routers use IGMP. MLD is embedded in ICMPv6 and is not a separate protocol.) As a workaround, prevent or block IPv6 MLD packets from reaching VOS devices. If you have not configured an IPv6 WAN/LAN/control network, use external firewalls and iptables to block IPv6 packets from reaching VOS devices. This issue has been fixed.

62268

When services start, the branch-to-branch IPsec tunnel might not be set up because of a race condition between two threads completing initialization at startup. This issue has been fixed.

62429

The traceroute command had a command injection vulnerability. This issue has been fixed.

62758

The IPsec history CLI command output sometimes displays an incorrect error or reason. This issue has been fixed.

62793

Static ARP entries might not be activated in the data path. This issue has been fixed. The entries are now resilient to all timing conditions (for example, when an interface is not up).

62800

A Versa service crash might occur because of invalid memory access in the SD-WAN module. This issue has been fixed.

62805

During the upgrade process, MPLS tenant ID changes might be lost, leading to tenant ID mismatch for the VPN label and causing packets to blackhole. As a workaround, update the mplsvpnentry tenant ID and restart the services. This issue has been fixed.

62856

When you configure the out-of-band management interface, eth0, for speed and duplex, extra commands might be appended to the network configuration file. This issue has been fixed.

62883

Issuing the show orgs org-services organization lef collectors collector status CLI command might cause the versa-vmod process to restart. One cause was a resource leak under certain error conditions: a slow leak eventually causes the process to restart but does not cause a service restart. Another cause was the Versa Director dashboard triggering this command to fetch LEF statistics. This issue has been fixed.

62931

The sdwan-datapath-up alarm might not be generated. This issue has been fixed. Now, the alarm is triggered unconditionally when a path to a remote site is removed for any reason.

62955

When QoS policy rules were being evaluated, services might restart because the versa-service process crashes. The versa-service process crashes after repeated crashes of the versa-vmod process, and it is the result of a race condition in the security and policy rule compilation and data path. This issue has been fixed.

63104

Sporadic packet latency is observed in Microsoft Azure virtual instances of VOS devices. This issue has been fixed.

63151

When a standby router comes back up, VRRP hello packets are sent with virtual MAC addresses. As a result, switches see duplicate MAC addresses and MAC moves, resulting in packet loss for 1 to 3 seconds. This issue has been fixed.

63173

A site-to-site IPsec tunnel over IPv6 on a bare-metal system with Quick Assist Technology (QAT) might drop packets because of defective logic in computing the packet length after decryption. This issue has been fixed.

63354

The memory consumption of the zone protection logic has been optimized to consume less memory without affecting performance.

63356

The software-upgrade-success alarm is not raised after you upgrade a device. Sometimes the alarm is incorrectly deferred until the next service restart. This issue has been fixed.

63481, 63543

When a large volume of IKE SA init traffic arrives at a VOS device, a memory leak is observed in the versa-service process. This issue has been fixed.

63506

When a configuration is pushed to create system users, user creation is noticeably slow. This issue has been fixed. Now, user creation is faster.

63593

When a user's group membership changes in Active Directory, this information might not be updated on the VOS device, and so the VOS device applies group-based policies based on previous membership details. This issue has been fixed. Now, when membership details are refreshed at the configured refresh interval, the details are updated in the live-user table and the new group-based policy is applied.

63594

When you configure IPS detection and IPS-based application identification reporting, a recursion might cause Versa services to crash and restart. This issue has been fixed. Now, the IPS-based application ID reporting is separated from IPS detection.

63612

For traffic monitoring policies, you could not configure a match destination for zone information. This issue has been fixed in the Director GUI and VOS CLI.

63647

Option-82 is not stripped by a VOS device functioning as a DHCP relay agent, causing clients to drop the DHCP response packets from the server. This issue has been fixed.

63699

Jumbo frame packets larger than 1686 bytes are not forwarded over the SD-WAN. This issue has been fixed.

63755

A memory leak is observed in the IKE-ESP ALG. This issue has been fixed.

63777, 63902

In the GUI, when you delete all the terms of a redistribution policy, the VOS device deletes the policy itself, causing the configurations on the Director node and the VOS device to be out of sync. This issue has been fixed.

63949

Having a large number of FQDN address objects might lead to a memory leak in the versa-certd and versa-addrmgr processes. This leak causes these processes to bloat in size, and eventually they terminate and restart. However, there was no service disruption. This issue has been fixed.

64148

The sulogin binary process might be triggered and might then crash, causing the system to reboot. This issue has been fixed. The sulogin binary has been replaced with one that does not crash.

64311

When you change a BGP peering policy from denying all prefixes to allowing only some prefixes, for the first 30 to 60 seconds, the VOS device advertises all prefixes. This issue has been fixed.

64333

The show alarms CLI command displays a truncated timezone offset. This issue has been fixed. Now, the full timezone offset information is displayed.

64400

For V1000/V1800/V1500/V930, V810 (FWA-3260), and CSG1300 platforms, the packet TX counter does not increment to indicate an issue on the VOS CPE device, for issues specific to the driver (i40e) of this port. The TX operation gets stuck because of the multisegment packets that are pushed to the NIC. The maximum number of segments that the i40e driver supports is 8. Sending more places the NIC TX ring into this state. This issue has been fixed.

64444

When a destination is reachable through two or more remote SD-WAN sites and all the paths to at least one of the sites are in SLA-violated state, the Versa services daemon may experience a segmentation fault and restart. The workaround is to switch to active/standby routing instead of equal cost SD-WAN routes to the destination. This issue has been fixed.

64513

Fix a core in the routing CLI transformer process that occurs when an external peer group does not have peer AS configured and when the peer AS configuration is removed from a neighbor belonging to this group.

64514

If you set up a site-to-site IPsec tunnel with a non-Versa peer and an aggressive DPD timeout (1-2 seconds) is configured on the peer (which is not a typical use case), the tunnel on the Versa side might go down. This issue has been fixed.

64733, 64826

When LEF establishes a TCP connection to the destination collector, during overloaded conditions, if the server is slow, the connection moves to a write-blocked state. During this time, logs queued to the collector are dropped instead of being held until the connection is unblocked. This issue has been fixed.

64738

Improve SD-WAN site-to-site throughput performance, to regain the performance available in earlier releases.

64811

Having a large number of FQDN objects (more than 100) slows the versa-service process and causes high CPU usage and failure of some show commands. This issue has been fixed.

64844

The .ncconnect file has invalid permissions, which might prevent the recognition of a successful connection between a Director node and a VOS device. This issue causes the trial period countdown to begin and eventually degrades VOS services. This issue has been fixed.

65115

When an IPv6 destination is reachable through multiple remote SD-WAN sites (that is, there are equal-cost routes through multiple sites), the circuit priorities specified in an SD-WAN forwarding profile may not be honored. Also, an SD-WAN or PBF policy rule that is used to override routing and enforce a specific next hop does not work for IPv6. This issue has been fixed.

65292

When you upgrade from an older release such as Release 16.1R2Sx to a newer release, if the address object contains an invalid wildcard FQDN object, the versa-vmod process might crash. This issue has been fixed. Now, a misconfigured FQDN object is ignored.

65293

The IPv6 debug packet trace command is not activated. This issue has been fixed.

65294

When you perform an IPv6 traceroute between a source and a destination, a VOS device might drop IPv6 traceroute response packets, because it incorrectly parses the length of the ICMP time exceeded in transit message. This issue has been fixed.

65319

In service flow chaining (SFC), add support for Layer 3 rewrite for inner, Layer 3 rewrite for outer, copy from outer, and copy from inner.

65505

Intermittent packet loss might occur when you enable packet replication for large packets that require fragmentation. This issue has been fixed.

65809

The show route table ipv4.unicast CLI command does not display the desired output when you specify both the detail and prefix options. This issue has been fixed.

65843

The versa-vmod process may restart during a Qualys scan directed at a VOS device. This occurs because the Qualys client tries to connect to servers running inside the VOS device. This issue has been fixed. The software has been enhanced and is now resilient to any clients that connect to internal Versa services.

65953

In an active-active SD-WAN CPE deployment, when you change the paired-site location ID of any CPE, SLA contexts between the two CPEs are created. These SLA contexts are not deleted when the matching location ID is updated on another CPE to pair the two CPEs. This issue has been fixed.

66136

The versa-services process restarts once because of an invalid timer (uninitialized value) in the application monitor module. This issue has been fixed.

Fixed Bugs in Release 21.2.2

Bug ID

Summary

20557

When you commit a VOS device configuration now from the Director node, the VOS device waits up to 10 minutes to determine whether it has connectivity to at least one Controller node. If not, the VOS device performs a rollback operation. Previously, if there was no connectivity to any Controller node, the VOS device rolled back an operation immediately after the commit.

30728

When a VOS device is a DHCP client, the DHCP renew packet must be a unicast packet to the DHCP server and not a broadcast packet.

33184

Controller node has only internet connectivity and branches have internet and MPLS connectivity. Whenever the internet link goes down at the Branch1 VOS device, all the routes of the Branch1 device may be removed from other remote branches by the Controller node even though SLA is up between Branch1 and the remote branches.

37411

Versa services may restart because of an incorrect reference count in the IPsec IP address object. This issue has been fixed.

42640

Could not configure LTE parameters while doing URL ZTP. Add support for specifying APN, PIN, username and password.

43497, 66215

Commit fails when address group is referenced before it is defined. Support has been added to handle this gracefully.

45301

Running tcpdump on the vni-0/2 interface in system with WiFi interfaces (vni-0/20*) fails because of unsuccessful cleanup after previous invocations of the command.

46302

The performance of Config Sync-from-Appliance has been improved. This operation used to take many minutes on systems with a large routing configuration.

50689

The show orgs org-services organization dhcp statistics dhcp interface CLI command may cause a timing issue that causes the versa-infmgr process to restart, which restarts all services. This crash and restart have been fixed.

51784

URL ZTP was marked as failure if the ping to the controller WAN IP was not successful. Now, the URL ZTP process pings the next-hop gateway and 8.8.8.8 to check for reachability.

53547

The DHCP address pools, service, and lease option profiles limit has been increased to handle up to 256 profiles. The previous limit was 100.

57029

For destination NAT (DNAT), if the range of NAT IP addresses and the size of the IP address pool do not match, Versa services enforced a strict check that caused services to restart. The check has been relaxed to prevent restart of services.

58454

Enabling the device identification feature causes intermittent service disruption because of a process crash and restart. The workaround is not to enable this feature.

58509

URL ZTP with special characters in any of the encoded attribute values (such as the Controller PSK) results in improper configuration of the VOS CPE device.

60879

SNMP Get on QoS MIB values may cause the versa-vmod process to restart. This process restart does not impact the service.

61985

The IPsec alarm has been enhanced to include the name of the VPN profile associated with the IPsec tunnel, or the name of the tunnel interface if it is a route-based IPsec tunnel.

62187

DIA traffic controlled by SD-WAN policy is not reported on Analytics nodes.

62578

Platform watchdog service was not enabled on Caswell white boxes.

62978

SLA metrics are not displayed when the interval is more than 150 seconds.

63569

The IF-MIB field ifOperStatus shows as Up even if the tunnel interface is down.

63976

When two Controller nodes have at least two WAN interfaces each with disjoint transport domains (such as one for internet and a second for MPLS) and a branch device connects to the Controller node using one of the transport domains, one of the Controller WAN interfaces goes down and comes back up. When the Controller interface is down, if the branch's WAN interface for the other transport domain goes down and stays down even when the Controller node's WAN interface comes back up, the branch device may retain stale state for the Controller node's MP-BGP information until the configured graceful restart time expires. This does not allow the branch to establish MP-BGP peering with the Controller node until the graceful restart time expires. This issue has been fixed to ensure that when the underlay connectivity from a branch to the Controller node is restored, the branch reestablishes MP-BGP peering with the Controller node.

64067

After the routing process restarts because of a core, the SD-WAN Controller node may not install the host routes for the branches in a scaled environment. This issue has been fixed.

64685

When the first packet in a session is received and the group is already known, security policy rules that contain a group match condition are not evaluated and matched for the first packet of the session.

64790

The memory footprint of the security and policy contexts increases with each commit, causing memory load issues on firewalls with large configurations. The increase is now capped to an older context.

64811

The Versa service process slows down when there are more than 100 FQDN objects because of defective logic in maintaining the list of resolved IP addresses. This causes high CPU usage, and some show commands fail. This issue has been fixed.

65114

Certain threshold and utilization alarms are not cleared intermittently.

65373

Manually changing the /etc/ssh/sshd_config file (for example, adding match commands) on a VOS device and then updating the SSH keepalive and timeout using the CLI cripples SSH access to the VOS device.

65435

DIA traffic switches to SD-WAN when SD-WAN route flaps.

65501

TCP evasion check incorrectly drops the 1-byte payload TCP keepalive packets because it assumes that they are an overlapping segment.

65536

The vni interface displays the correct RX BPS value for PPPoE, but not for TVI interfaces.

65643

First-time configuration of twice-napt-44 requires a reconfiguration to activate it.

65904

Top-N application computation that happens every 5 minutes causes increased packet latency and loss for traffic processed by worker thread 0.

65926

Site name in SLA alarms is truncated to 32 characters. Add support for 128-character site names.

66097

Path MTU is incorrectly calculated when the same source IP and destination IP address pairs are present in two different VRFs.

66252

A VOS instance on OpenStack with an SR-IOV-enabled interface crashes continuously.

66395

The show ospf neighbor brief CLI command may restart the routing CLI process, causing the show command to fail.

66435

SNMP Get/Walk fails because the Redis database is cleared.

66583

The device model, SKU, and serial number are now available in an additional MIB container that does not require the serial number as a key.

66599

The TX BPS and RX BPS values in the show orgs org organization-name sd-wan statistics vni CLI command are now displayed in bits per second instead of bytes per second.

66617

The staging.py script saves the staging.cfg file to the current directory; however, some scripts search for it in /opt/versa/scripts. The new behavior saves the configuration in both locations.

66768

A memory leak in the QoS data structure may occur when preclassified packets arrive over a cross-connect link from the peer and if App-QoS policy is configured on the device. This issue has been fixed.

66789

A core occurs in the routing CLI transformer process when you move the terms of a redistribution policy after a previous commit to delete a routing instance that was using this redistribution policy for instance import. This issue has been fixed.

66817

With packet replication and per-packet load balancing, packets are cached and released from the buffer to reorder out-of-order packets. In some cases, the released packets use stale, which can cause Versa services process to crash. This issue has been fixed.

66856

Deleting a routing instance sometimes causes a service restart because of a crash.

67147

The origin of a BGP route in a VRF is now propagated to the Layer 3 VPN by default, and vice versa; this is overridden by the origin if one is configured in the redistribution policy.

67168

The SCP command has been enhanced to filter any extraneous arguments passed to the command.

67179

When the first packet of a captive portal session is a non-SYN packet, processing the request may result in a crash and service restart.

67253

The application route cache show command caused a crash when a user-defined application was deleted.

67266

Speed test to public Internet speed-test servers does not work.

67276

SD-WAN steering policy is now applied to traffic originating from another branch and steered to another branch. Earlier, SD-WAN steering was not allowed when the ingress and egress were SD-WAN branches.

67404

Versa service process may crash when VSA is enabled with TCP optimization auto-mode. This issue has been fixed.

67446

Fix an issue with Versa 810 devices sometimes reporting incorrect power supply status “Either PSU2 cable is unplugged or PSU2 is unplugged”.

67456

Externally authenticated users belonging to the admin group could not run show alarms or other privileged CLI commands. This issue has been fixed, and these users can now run these commands.

67491

Modified the default method of defining strings in the CLI to use quotes instead of backslash.

67583

WWAN username field length has been increased from 31 characters to 63 characters.

67598

Unable to onboard branches or Controller nodes with vni subunits in the 40x[6-9] range because of an invalid regex in the YANG definition.

67629

The routing process may crash when you issue a CLI command to display the BGP route table for a specific routing instance and an extended community. This issue has been fixed.

67659

Enhance show interface info CLI command to include DSL interface information.

67707

Fix an issue with timezone settings that occurs if /etc/localtime is not a symbolic link.

67751

If a redistribute policy contains a set-community attribute and is used for redistribution to OSPF, commit fails with a cryptic message. This issue has been fixed. Now, a more descriptive error message is shown.

67817

The show log CLI command has been modified to scan only the /var/log/ directory.

68087

When an ifTable MIB walk is followed by a show interface vni/x/x, the versa-infmgr process restarts, causing the service to restart.

68103, 68124

Management and configuration process may crash when a VOS device is upgraded from Release 16.1R2S10.4 to Release 20.2.2 because of an invalid tenant ID in the SNMP query. This issue has been fixed.

68157

Fix the timeout error displayed in the show orgs org-services organization dns-proxy profile-monitor CLI command.

68198

Fix an issue in handling modification of a LEF profile in the ADC module, which resulted in missing ADC logs on Versa Analytics.

68226

Versa services crash because of incorrect reference counting of IP routes. This issue has been fixed.

68266

If a PPPoE interface receives a PPP reset from a peer and not from the PPP server, the PPPoE interface stays down and does not transition to the Up state until a service is restarted.

68516

DSL interface uptime is included in the CLI output for troubleshooting assistance.

68677

Versa services process crashes because of a malformed packet recovered by FEC module. This issue has been fixed by dropping the malformed packet.

68911

After unsuccessful attempts to log in as root over SSH, the root account may be disabled. This prevents running sudo su to drop to the root shell. This issue has been fixed.

69080

On clicking Menu and navigating to any option on Advantech devices with LCD screens, the lcd4linux service continuously invokes the command to fetch system status at a high rate. On systems with TACACS+ accounting enabled, this leads to a large buildup of account records, causing a memory overload of the versa-vmod process.

69114

Allow special characters in the SCP password field.

69175

If the IP lookup database is corrupted, services do not start because Versa services restart continuously. The process has been made more resilient and continues to run if the database is corrupted.

69188

Installation of a security pack (SPack) was reporting a failure even when it was installed successfully because it took more than five minutes. The timeout has now been extended to 10 minutes to accommodate a slower installation.

69282

On Rangeley (C2xxx) CPU-based systems, if the QAT is stressed by traffic requiring crypto processing, the Versa service process may stop all further processing of crypto traffic, requiring a restart to recover the system.

69369

When you apply a configuration change that reconfigures the Layer 3 VPN module, you may see a core in the routing process.

69409

The show arp kernel CLI command incorrectly displays all entries as permanent (local).

69430

Address group objects that reference other address group objects defined later in the configuration cause the versa-vsmd process to crash, and services restart.

69452

The packets from the uCPE-Mgmt interface get routed to the global routing instance, which results in connectivity issues. This is now fixed by adding an iptables filter rule in the global routing instance to drop such packets from the uCPE-Mgmt interface.

69461

A rapid continuous link flap on a local site may result in a remote site still having a route even if all SLAs towards this site are marked down.

69517

The static source NAT and twice static NAT are bidirectional NAT policies for which sessions can also be initiated from the server-to-client (out to in) direction. For such sessions matching the NAT policy in the server-to-client direction, the reevaluation of the NAT policy was not correct and resulted in the NAT session being torn down.

69582

TCP optimization auto mode does not work for IPv6 traffic.

69815

Moving existing BGP neighbor addresses to a new BGP group causes a commit failure.

69921

When the same application is defined in two different organizations in a VOS instance, the application reporting is not consistent. It may report correctly in one organization but not the other.

69935

The ipsecIkeDown and ipsecIkeUp alarms do not have matching alarm key values and cause the SNMP application to not reconcile.

69956

LEF multithread statistics aggregation issue may lead to incorrect statistics reports.

69991

For the Ubuntu 18.04 OS, incorrect interface speeds are reported for some types of network interfaces.

70029

TCP MSS on an unencrypted SD-WAN tunnel does not adjust up, but rather it stays the same as the encrypted tunnel MSS.

70036

The show system status CLI command crashes the vmod process because of stale status files.

70106

The "TVI interface type change not allowed" message prevents a template deployment even if the reboot option is selected.

70185

SNMP trap is no longer generated for high disk usage.

70206

When a branch-to-branch SD-WAN tunnel goes down, the IpsecTunnelDown alarm is incorrectly generated.

70233

In an SD-WAN network with a hierarchical set of Controller nodes, if the spoke loses connectivity with T1 controller1 and then at T0 Controllers, the routes of T1 controller1 are selected because the T1 Controller node's IP address is smaller.

70289

If both HA quorum and interface/route tracker configurations are changed together and vsh is restarted for the configuration to take effect, the quorum configuration may arrive at RFD before the parent HA configuration because of a configuration order issue. This crashes RFD while it attempts to save the quorum configuration.

70314

In file-based actions, if the file size limit is specified, downloading any file exceeding that size is not blocked unless the blacklist option is also specified.

70315

Auto-SIM detection issue in CSG300 Series seen with Ubuntu 18.04.

70363

The Don’t-Fragment override configuration option does not work for PIM register packets.

70366

For Ethernet ports using i354 MAC controllers, when the remote end is running at 100M/FD with AutoNeg ON, disabling the port on the local side causes the interface to freeze. In this situation, the local side link LED is Down, while the remote side link LED is still On. To recover the interface from the stuck state, power-cycle the device.

  • Versa—CSG350/CSG355/CSG365
  • Advantech—FWA-1320/FWA-2320, FWA1010VC
  • Lanner—FW7525, FW7551
  • Silicom—80500
  • Nexcom—DTA1152AC4

70604

SSH public key for a system user does not work.

70662

When a traffic-identification configuration contains more than 200 interfaces, a commit change can take up to 3 minutes.

70823

Security package installation fails if an earlier commit contained more than four attributes configured under system parameters.

70832

Application monitor’s last status of Up remains the same if the WAN interface is disabled and the monitoring threshold is more than 20 seconds (default is 3 seconds).

70844

Trusted network does not map SAML token groups attribute to the live users table.

70893

Issues with OCSP monitoring when there is a failure in private-key decoding.

70906

The alarmDevice field in SNMP trap messages now includes the name of the device originating the trap. Earlier, it contained only the name of the module that originated the trap.

71182

When SIP ALG is enabled, SIP confirmed dialogs may not be cleaned up, which causes a memory leak over time in the Versa service process. This issue has been fixed.

71199

Organization names with more than 27 characters result in overly long term names in Versa Director workflow-generated templates and cause device onboarding failures. This issue has been fixed. Now, the routing peer policy name, term name, redistribution policy name, term name, and prefix list name can be up to 127 characters.

71212

When captive portal is enabled, a 404 response for an invalid request received on the captive portal port causes the Versa service process to crash. This issue has been fixed by closing the connection when an invalid request is received.

71256

Moving a BGP neighbor address from one BGP group to another is not reflected in the output of the show bgp neighbor brief CLI command and causes inconsistency between the Versa Director and device configurations. This issue has been fixed.

71310

Fix negative value displayed in Versa log collector’s process debug memory statistics.

71338

Fix an issue in loading IPS signatures when the actions specified in the action filter are reject and drop session.

71397

Destination site name in the match rule of SD-WAN policy does not work if the site ID is greater than 4096.

71424

SSL handshake fails for domains starting with the letter 'a' in Google Chrome because of a recent CECPQ2 update. This issue has been fixed.

71437

The Versa services process consistently uses high amounts of memory because unused memory is not released to the system. This issue has been fixed.

71528

SASE client may not connect to the gateway when TCP SYN is not retransmitted. This issue has been fixed.

71543

Fix a memory corruption issue in the Versa services process caused by premature freeing of out-of-order TCP segments used for reassembly. This can occur only if the session is partially offloaded.

71569

Add support for 1K or more static BGP peers by increasing the filter table space.

71590

Versa services crash if URL filtering or other services that require captive portal support are enabled and captive portal is not configured. This issue has been fixed.

71625

Collector group list does not work. This issue has been fixed.

71669

Memory leak in Layer 2 control process results in high memory utilization when Layer 2 services with STP are enabled. This issue has been fixed.

71901

BGP does not advertise the slave local preference value configured in redistribution policy for a static route when the static route is added after configuring the slave local preference. This issue has been fixed.

71911

Configuration commit fails when a user-defined URL category name contains ‘.’ (dot). This has been fixed by allowing only alphanumeric, '-', and '_' characters during commit check.

71992

Versa services daemon may get stuck in repeated attempts to select an SD-WAN path for a session. This issue has been fixed.

72189

Continuous IKE flaps towards SD-WAN branch appliance are seen on the SD-WAN controller because of mismatch of information between the two modules. This issue has been fixed.

72198

Fix checksum mismatch errors for multiple modules after OS SPack installation when secure mode is enabled.

72544

Versa services may restart because of a slow leak in a critical data structure that occurs when SD-WAN tunnels flap constantly.

Fixed Bugs in Release 21.2.3

Bug ID Summary

45840

SNMP walk fails to fetch SD-WAN policy if address monitors are attached to the policy.

63230

Disabled reloading of ixgbe/i40e drivers during a service restart, which may put an interface in the unknown-list.

63959

Missing error handling in automatic steering caused versa-vsmd service to restart. This is a rare condition.

63645

An optimization in the IPsec module caused regression where IKE sessions sometimes fail with an out-of-memory error.

64067

Missing route updates after controller node restart.

64533

The open source Python package audisp-aaa module, which is used for TACACS+ auditing, has a memory leak.

65953

Reduce the memory used to maintain paired-site map per tenant. Optimize by storing only the needed paired-site map.

67660

Add support for importing private keys using AES-256 encryption.

69064

Because of a timing issue, physical interfaces may not be recognized as vni-x/x and would sometimes appear as unknown-x/x.

69347

Add support for setting the maximum number of URLs per file for URL filtering.

69649

Add pre-upgrade check for package consistency for VOS upgrade.

70089

With isolate-cpu enabled, upgrade causes the Versa services process to keep restarting after the upgrade.

70601

Add support to run file system check automatically during boot for VOS devices running on Ubuntu Bionic to fix any file system errors.

70908

CPE power alarm does not include the appliance name, so the alarm source may be unknown.

71088

Upgrading from Release 16.1R2 to Release 20.2.4 or 21.2.2 GA image causes the SLA configuration under the WAN interfaces of the VOS nodes to not be saved, and so SLA for the WAN interfaces is not enabled.

71256

Moving a BGP neighbor address from one BGP group to another is not reflected in the show bgp neighbor brief CLI command output and causes an inconsistency between the Director and device configurations. This issue has been fixed.

71485

A port bind issue occurred when multiple certificates had to be validated by OCSP, caused by a connect_fail error because a single client port was used.

71717

When you configure the share-aro option for a BGP instance, the controller node may not synchronize some of the routes to a peer when a reconnection occurs.

72306

A core in interface manager process occurs when user issues the show interface info org-name CLI command for a specific interface.

72313

QoS interface part of SNMPwalk was stopping because of an interface that was not enabled.

72319

A core in the Versa management process occurs when a user enters the show org org-services adc persistence CLI command for an unconfigured persistence name.

72363

When an SD-WAN network has more than six SD-WAN Controller nodes, the routing process may go into a high CPU state when network failures occur.

72374

Bootup messages were missing on the VOS console running on Ubuntu Bionic. This issue has been fixed.

72410

A race condition caused CGNAT module to crash and restart the services.

72514

Logging related to an error condition in the routing process fills up the logs.

72610

Add support for an additional PLMN for Verizon 311270.

72792

Routing process stops and then restarts because of a buffer overflow caused by a show command printing too many communities in a routing loop situation.

72915

Management traffic from a Director node to SD-WAN branches sometimes blackholed.

72953

Routing process stops and then restarts when handling an aggregate route for which the discard option is set.

73079

A reachability issue may occur because of improper route installation when a PPPoE interface has different subnets at the two ends.

73118

If you issue a ping or traceroute command to a FQDN destination and also specify a source interface, the command may fail because of a defect in how the dig command output is parsed.

73234

Fix crash triggered by ADC server down.

73262

When an FQDN object is resolved via multiple routing instances and one routing instance stops resolving, the policy module cannot obtain the resolved address from the other routing instances.

73305

Fix an issue in the cloud-init module that deleted Director keys for VOS instances running on AWS.

73428

Multiple IPsec Up alarms occurred without any Down alarms.

73518

Routing peer policy terms that contain prefix lists leave the internal configuration database in an inconsistent state and on box reboot, the Versa routing process (rtd) keeps restarting.

73587

Add support for handling 16K jumbo frames in QAT to perform fast cryptographic operations in hardware.

73608

Issue in DNS zone transfer is fixed by allowing multiple DNS responses in a single query for AXFR/IXFR.

73702

Routing process crashes when running the clear bgp neighbor CLI command. This issue has been fixed.

73780

Crash occurs when selecting the best next hop when all access circuits are down.

73839

Control-VR VRF tunnel interface MTU is not updated with the lowest identified path MTU. This affects the BGP update exchange when using a path with an MTU lower than 1500.

73896

EVPN remote MAC entries are deleted when a Layer 3 interface is removed when the same core virtual router instance is used for the Layer 3 and Layer 2 VPNs. This issue has been fixed.

73957

Versa services process crashes when traffic goes through CGNAT service and an SD-WAN policy configured with a next-hop priority.

74182

DHCP static mapping from a file did not work correctly because of incorrect parsing of the subnet mask.

74235

The isolate-cpu CLI command does not show the current active state of the isolated CPUs if the intermediate reboot is not performed.

74239

Versa forward proxy does not work if more than 255 domain patterns are configured in the domain match rule.

74333

If icmp-check is enabled in the DHCP server profile on a VOS device, offering an address takes more time than anticipated, causing the DHCP client to repeatedly request an IP address and then causing the DHCP process to fail.

74378

Packets are dropped on a TCP SIP session after the session idle timeout is reached.

74429

When multiple rollbacks of the IPsec VPN rule configuration are performed, a services process crash may occur. This issue has been fixed.

74955

Fixed private key Export/Preview with TPM-enabled hardware.

74936

Automatically exclude statically mapped IP addresses from the DHCP server's dynamic IP address pool.

74976

Sessions of all GRE encapsulated packets are not load-balanced across all the worker CPU threads. After the fix, the inner tuple is also inspected to load-balance GRE traffic.

74988

IKE route installation in the routing table has an issue after a network disruption when the device has more than 1 million routes.

75050

Fix upgrade script timeout on appliances with large configurations.

75129

Issuing the show interfaces port statistics brief eth-0/0 CLI command on the eth0 management interface causes services to restart.

75267

In the DHCP configuration, if the lease time for an existing DHCP lease profile is changed and at the same time profiles are reordered in a single commit, the configuration change is not propagated correctly to the DHCP server.

75283

CMP server entry missing from the address manager database after services restart when OCSP is configured.

75402

SIP INVITE confirm dialog deletion timer has been increased to 6 hours.

75629

BGP does not advertise the configured VRRP slave priority when multiple interfaces are configured as VRRP slaves. This issue has been fixed.

75704

Some access policy rules may be incorrectly removed from the firewall engine during an SPack update after a failed commit, if the failed commit includes any access policy rule changes.

75967

Monitor down with maximum threshold of 60 seconds.

76115

Monitor group state remains in inactive after reboot. The issue is seen when more than two monitor groups are configured.

76290

An externally authenticated user sometimes cannot execute sudo commands without passwords.

76587

When a circuit for a remote site, say B2, is removed, the updates are propagated and consumed by all SD-WAN sites. For example, for a site called B1, when the associated transport paths are cleaned up, corresponding to the deleted B2 circuit, it is important to ensure that the transport path table is not cleaned up. This bug fix adds a defensive check for this purpose. This issue is seen only if all circuits for a remote site are progressively cleaned up.

76829

Incorrect domain name is appended in Option-12 to DHCP Offer and DHCP ACK packets.

76896

Memory leak may occur during SD-WAN policy evaluation.

76913

Do not send LEF logs for file-filtering "allow" action to prevent LEF logs overflow.

77039

Operator (oper)-level users cannot execute python-based commands, such as show alarms.

77096

Internet speed test does not work if you add a captive portal configuration.

77295

For SSL proxy and TLSv1.3, if the server sends server_hello_retry message, the VOS device sends the server certificate message to the client before the server side negotiation is complete, causing the SSL connection to fail.

77357

VOS device does not mark host-generated traffic with 802.1p. The P bit is always 0 for host-generated packets (such as SLA).

77401

ICMP packets destined to a TVI or tunnel interface and received on a VLAN-tagged WAN interface are dropped.

77431

Services process crashes on an unprogrammed interface and can occur if the same interface flaps multiple times.

77723

Packets are dropped on the receiver when a rule switches on the sender side after the session starts. This is a rare case where packet is processed through FEC and then APPID detection causes a rule that did not have FEC enabled to match. This happened before the packet egresses. As a result, the same packet is processed again and end notification is not sent, causing the receiver to assume that FEC is still active on sender.

77781

ARP entries are not cleared when a VOS device is the VRRP active node and the interface on which VRRP is configured is shut down.

77786

802.1p rewrite does not work as expected for outgoing fragmented IP packets.

78021

URL ZTP on a CPE with an LTE-only transport interface does not work if the SIM is locked.

78114

SNMPwalk of the VRRP group MIB returns just the first entry and not all the groups.

78266

Unable to configure an attribute policy while using the summary option for aggregate route.

78357

A memory leak occurs in the Versa services process if a packet loops between a VOS device and a peer node when service chaining is enabled.

78483

Display only the active DHCP lease entry for a DHCP client.

78484

Add support for enabling fiber interfaces for V1800 platforms in the default configuration during ZTP.

78584

Monitor does not come up during bootup, resulting in an inactive IP SLA.

78778

Routing process crashes when deleting a routing instance.

78786

Issue in accessing the debug CLI when TACACS+ is used as the authentication mechanism.

78816

Services process crashes when a mobile device management query is enabled for secure access service.

78817

For data traffic, the VOS device that is used as a VRRP active node uses the interface MAC address as the source address in the ARP request or reply for the virtual IP address. This issue has been fixed. Now, the virtual MAC address is used.

78876

Long-lived RTP sessions accumulate memory and cause the Versa service process memory usage to increase.

79163

URL cloud lookup may fail after many days because of a memory leak.

79449

Fix an issue in which the device GUI is not disabled for VOS systems running Ubuntu Bionic.

79488

The VSMD control thread goes into a stuck state when you delete an organization and its dependencies, and services must be restarted.

79662

SRIOV support for i40e interface was not working for VLAN sub interface and host-bound traffic.

79713

Fix a core in the routing CLI transformer process that happens when a user tries to remove the ICMP configuration from the DHCP client options for an interface.

79998

In an SSL proxy deployment, the VOS device must respond to a client certificate request from a server with certificate unavailability and not with the configured decryption certificate.

80011

If you rearrange the terms in a redistribution policy while the policy is being used for redistribution to BGP for IPv6, the Versa routing transformer process may restart.

80074

A memory leak in the Infmgr process may occur under some conditions.

80241

Add a sanity check that prevents a VOS device from crashing when there is an unknown interface or a failsafe interface and you generate a tech-support-dump or issue the show vsm interface detail command.

80397

An IPsec VPN profile with an invalid private key for the certificate causes a memory leak in the Versa service manager process.

80497

When handling handshake failure event and/or when incoming TLS record decryption fails (post handshake), a packet buffer leak in the SSL decryption may occur.

80537

Tenant QoS policer may sometimes skip policing the reverse traffic and only police the forward traffic.

80541

TACACS+ accounting logs may not be sent to the TACACS+ server.

80590, 81254, 81260

Slow memory leak in the Versa vsmd process seen on Controllers and Hub-Controllers. This is observed when branches are unable to establish connections with the Controller, because the objects are created and destroyed in a short time interval.

80598

RFD process may restart during service startup because of a race condition during initialization.

80707

DHCP server on a VOS device stops giving IPv4 address if the interface has both IPv4 and IPv6 addresses configured and the IPv4 address is changed.

80808

Service node group with a zero weight should not be considered for weighted round-robin load balancing.

80822, 82038

In SSL proxy mode, a TLS v1.3 packet containing multiple TLS records is not handled correctly.

80953

In a site-to-site IPsec profile configuration, if the peer address is configured as an FQDN and the FQDN resolves to both IPv4 and IPv6 addresses, the tunnel is not established when the first address returned does not match the local IP family. The fix chooses the address of the correct family.

80971

An RPC error occurs when the next-hop address is deleted in the redistribution policy and then the default address is set. During the deletion, the "type" was set to unknown, causing this exception on the VOS device.

80988

Memory corruption is seen while handling SIP control message with replaces call-id of another data session that is totally independent. This is observed in networks using Cisco UCM (CUCM) and certain call flows.

80989

ip2usr process memory leak causes slow depletion of system memory.

81055

Packet buffer leak in SSL decryption module occurs when a TLS record spans multiple packet buffers.
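The SSL proxy fixes 80822/82038 and 81055 both come down to TLS record framing: one TCP segment may carry several records, and one record may span several segments. The following Python is an added illustration, not VOS or Versa code, of a framer that handles both cases and bounds the record length per RFC 8446 section 5.2, shown beside the one-record-per-segment assumption that drops or truncates data; the records it parses are constructed sample data.

```python
import struct

TLS_HEADER_LEN = 5                 # content type (1) + version (2) + length (2)
TLS_MAX_RECORD_BODY = 2**14 + 256  # TLSCiphertext.length bound, RFC 8446 section 5.2

# Content types used in the constructed sample below.
HANDSHAKE = 22
APPLICATION_DATA = 23


def naive_parse_one(segment):
    """Defective pattern: assume exactly one whole record per TCP segment.

    Anything after the first record is silently ignored, and a record that
    does not end inside this segment is returned truncated.
    """
    ctype, version, length = struct.unpack("!BHH", segment[:TLS_HEADER_LEN])
    return [(ctype, version, bytes(segment[TLS_HEADER_LEN:TLS_HEADER_LEN + length]))]


class TlsRecordFramer:
    """Reassemble TLS records from an arbitrary sequence of TCP segments."""

    def __init__(self):
        self._pending = bytearray()  # bytes not yet forming a complete record

    def feed(self, segment):
        """Append one segment and return every record completed by it."""
        self._pending += segment
        records = []
        while len(self._pending) >= TLS_HEADER_LEN:
            ctype, version, length = struct.unpack(
                "!BHH", self._pending[:TLS_HEADER_LEN])
            if length > TLS_MAX_RECORD_BODY:
                # Oversized length field: a protocol violation, not a reason
                # to keep buffering unbounded data on the peer's say-so.
                raise ValueError("TLS record length %d exceeds bound" % length)
            end = TLS_HEADER_LEN + length
            if len(self._pending) < end:
                break  # record continues in a segment not seen yet
            records.append((ctype, version, bytes(self._pending[TLS_HEADER_LEN:end])))
            del self._pending[:end]  # release consumed bytes; nothing is leaked
        return records

    def pending_bytes(self):
        """Bytes held back because they do not yet form a whole record."""
        return len(self._pending)


def build_record(ctype, body, version=0x0303):
    """Build one wire-format record (constructed sample data)."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def demo():
    """Constructed scenario: two records in one segment, then one record
    split across three segments (the header itself is split). Returns what
    each parser recovered."""
    rec_a = build_record(HANDSHAKE, b"\x01\x02\x03")
    rec_b = build_record(APPLICATION_DATA, bytes(range(10)))
    rec_c = build_record(APPLICATION_DATA, bytes(20))

    framer = TlsRecordFramer()
    coalesced = framer.feed(rec_a + rec_b)               # two records, one segment
    split = []
    for seg in (rec_c[:3], rec_c[3:12], rec_c[12:]):     # one record, three segments
        split += framer.feed(seg)
    return {
        "naive_coalesced": naive_parse_one(rec_a + rec_b),
        "framer_coalesced": coalesced,
        "framer_split": split,
        "leftover": framer.pending_bytes(),
    }
```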

81255

Invalidate stale NAT EIF entry when the interface IP address changes.

81303

A port that frequently changes link state during the start of services could potentially leave the port in a partially configured state and lead to a service restart later when the port is actually configured.

81457

Deleting the SD-WAN datapath down and SLA violation alarm configuration also stops the events from getting generated in VersaAnalytics.

81469

Memory leak in the versa-vmod process because of SNMPv3 user-accounting records.

81536

In the show bgp neighbor (brief | detail) command, the number of BGP prefix lists displayed is double the actual value.

81662

Improve the traffic shaper performance to decrease anomalies.

81699

When DNS proxy is enabled, address-managed DNS traffic may incorrectly recognize the SNATed proxied transit DNS traffic because of a port clash, causing FQDN resolution to fail.

81716

Upgrade to Releases 21.2.x does not work if shaping is already configured on tvi and tunnel interfaces.

81784

Removed an old upgrade script that was used for an upgrade to an earlier release and that was causing the BFD configuration to be updated incorrectly.

81818

Memory leak in IPS Applayer parser causes a slow memory buildup.

81860

A static route is missing from vunet. Each update to a static route is treated as a delete followed by an add. When the interface goes down, vunet cleans up the routes, and when the interface comes up, RTD sends a route update while OSPF also points to the same next hop for the route.

81888

When the same FQDN address is configured under two different tenants and one of them is deleted from the configuration, the Versa services restart.

81924

Fixed issue of OCSP signature verification failure. This fix is to delay signature verification till TLS handshake is completed to avoid signature verification failure.

81940

VOS device in SSL Forward Proxy Decrypt mode may restart services.

81991

During an interface up notification, the port's link speed is fetched from two different places. If there is inconsistency in the speed when bringing the interface up, vsmd may crash.

81992

When the underlay transport devices between a branch and a Controller node fragment IKE packets, the Controller node slowly leaks security association contexts, leading to a state in which the Controller node no longer accepts new IKE SA connections.

81993

IKE fragmentation packets that are passed by the tunnel infrastructure to the IPsec module do not set the first segment length correctly, which may cause incorrect processing in downstream modules.

82015

A core occurs in the routing process due to unwanted handling of the VPN's IPv6 address family.

82143

The captive portal module drops transit packets if the traffic's HOST header has a port number that matches the configured captive portal port. Not all DIA traffic has port numbers in the HOST header. Port numbers are seen only in the case of an explicit proxy or if the end application explicitly adds port numbers in the HOST header.

82282

Add nomodeset to the default grub configuration to handle an OS upgrade corner case.

82358

In Google Cloud Platform (GCP), if we receive a /32 subnet for DHCP, it is changed to a /30 subnet.

82432

ICMP error packets with an inner header source IP address of 0.0.0.0 can cause service a restart if a CGNAT rule is applied.

82487

Decapsulation context leak from Eth/IP/IPv6-over-GRE packets.

82570

VOS interface ordering on VMware ESXi is now persistent across VM reboots even when new interfaces are added or existing ones are removed.

82978

Fix a commit error that happens when a user is adding new terms to a prefix list and also moving the terms of the routing peer policy that uses this prefix list as part of the same configuration commit.

83007

On a VOS device running Ubuntu 18.04 (Bionic), the disk size reported is more than the actual size because tmpfs file systems are incorrectly included in the calculations.

83142

When a large number of monitor sessions is configured, the Versa services may restart because of a crash in the TCP monitor module.

83173

Dynamic DNS update packets may contain records (such as A/AAAA/CNAME) with zero-length data. This is how a client notifies the server to delete a particular record on the server side. While parsing records with zero-length data, the VOS device's DNS parser fails and does not apply DNS proxy on the packet.
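The zero-length-record case in 83173 is easy to get wrong because an update parser that treats RDLENGTH 0 as malformed rejects legitimate delete requests. The following Python is an added illustration, not VOS or Versa code: a bounds-checked RR parser that accepts RDLENGTH 0, classifies the record by RFC 2136 section 2.5 semantics, and, for contrast, the rejecting pattern; the update section it parses is constructed sample data.

```python
import struct

CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255   # RFC 2136 uses NONE/ANY for deletes
TYPE_A, TYPE_ANY = 1, 255
RR_FIXED_LEN = 10                               # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)


def parse_name(msg, off, hops=0):
    """Decode a wire-format name at off; returns (dotted name, next offset)."""
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return (".".join(labels) + ".") if labels else ".", off + 1
        if length & 0xC0 == 0xC0:                   # compression pointer
            if hops > 8 or off + 1 >= len(msg):
                raise ValueError("bad or looping compression pointer")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr, hops + 1)
            head = ".".join(labels)
            if head:
                return head + ("." + tail if tail != "." else "."), off + 2
            return tail, off + 2
        off += 1
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_rr(msg, off):
    """Parse one RR. RDLENGTH == 0 is valid and yields empty RDATA."""
    name, off = parse_name(msg, off)
    if off + RR_FIXED_LEN > len(msg):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[off:off + RR_FIXED_LEN])
    off += RR_FIXED_LEN
    if off + rdlength > len(msg):
        raise ValueError("RDLENGTH exceeds message")
    rdata = bytes(msg[off:off + rdlength])          # b"" when rdlength == 0
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
            "rdata": rdata}, off + rdlength


def classify_update(rr):
    """Meaning of an Update-section RR per RFC 2136 section 2.5."""
    if rr["class"] == CLASS_ANY and rr["rdata"] == b"":
        return "delete-all-rrsets" if rr["type"] == TYPE_ANY else "delete-rrset"
    if rr["class"] == CLASS_NONE:
        return "delete-rr"
    return "add"


def naive_parse_rr(msg, off):
    """The defective pattern: a record with empty RDATA is treated as an error,
    so RRset-delete requests make the whole packet unparseable."""
    rr, off = parse_rr(msg, off)
    if not rr["rdata"]:
        raise ValueError("empty RDATA")
    return rr, off


def build_rr(name, rtype, rclass, ttl, rdata):
    """Encode one RR without compression (constructed sample data)."""
    wire = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                    for l in name.rstrip(".").split("."))
    return wire + b"\x00" + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def parse_update_section(msg, off, count):
    """Parse `count` RRs starting at off and classify each one."""
    rrs = []
    for _ in range(count):
        rr, off = parse_rr(msg, off)
        rrs.append((rr, classify_update(rr)))
    return rrs, off


def demo():
    """Constructed Update section: add an A record, delete an A RRset with a
    zero-length record, and delete one specific A record via class NONE."""
    section = (build_rr("host1.example.", TYPE_A, CLASS_IN, 300, bytes([192, 0, 2, 10]))
               + build_rr("host2.example.", TYPE_A, CLASS_ANY, 0, b"")
               + build_rr("host3.example.", TYPE_A, CLASS_NONE, 0, bytes([192, 0, 2, 20])))
    rrs, end = parse_update_section(section, 0, 3)
    return [(rr["name"], action) for rr, action in rrs], end == len(section)
```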

83193

During initialization of VOS services, a TPM 1.2-based CPE may fail because of incorrect logic in the initialization of the TPM chip.

83737, 83830

Versa service may restart when SSL proxy or decryption is enabled because of a memory corruption.

83858

The VOS show session extensive CLI command sometimes fails to display output when it is exiting over an IPsec tunnel.

Limitations and Behavior Changes

The following are the limitations and behavior changes in Release 21.2.

  • The global VRRP Unicast Peer IP Address option has been removed. For unicast configuration, use the Unicast Peer IP Address option for the VRRP Group. See Configure VRRP.
  • For each DHCP request from a client, the IP address is assigned only when you configure the request match criteria in the service profile and the DHCP request matches all the request match criteria in the service profile. Prior to Release 21.2.1, the client was assigned an IP address even if you configured no request match criteria. This wildcard match is now ignored, and you must ensure that there is a valid rule in the request match.
  • Release 21.2.1 includes software that can read optical information from the SFP on Dell VEP4600 vni-0/4 and 5. To take advantage of this, you must upgrade the i40e MAC device NVM firmware to a minimum of Dell version 4.11.
  • For the Advantech plugin NIC module NMC-4005, the minimum NVM package version must be version 6.01 to support 1-GB SFP on the ports. To upgrade the package, download the support package from the Advantech website.
  • On Dell VEP4600, redundant PSU monitoring and alarms are not supported. To view the current operational status of the device, issue the show device sensors CLI command.
  • Do not configure both SD-WAN and DIA bandwidth monitors on the same WAN link. Doing so can cause incorrect calculation of the background traffic, and, if PBF monitoring is enabled, it can also lead to incorrect traffic steering.
  • The bandwidth monitor maintains historical statistics to report maximum receive/transmit (Rx/Tx) statistics to PBF for traffic steering. Currently, you cannot reset the historical maximum values of the Tx/Rx statistics.
  • The rule-number security rule attribute is deprecated and is replaced with the rule-alias attribute. The upgrade scripts automatically upgrade the system to set the rule-alias attribute to the same value as the rule-number attribute.
  • You can enable or disable asynchronous compilation of the IPS rules using the system configuration parameter. The default value is False, which disables async compilation. When you newly configure a device or upgrade a device without an explicit configuration for this parameter, async compilation of IPS signatures is now enabled by default. When you upgrade a device and do not explicitly configure this value to False, async compilation is enabled as part of the upgrade, but the configuration shows the parameter value as False (that is, disabled). Note that this inconsistency is observed only when you upgrade a device on which you have not configured this parameter. After the upgrade, you can enable or disable this parameter, and the configuration displays correctly.
  • Asynchronous compilation of IPS signatures (system parameter ips-async-signature-compilation) is enabled by default, and the default ips-action-during-async-sig-compilation is to deny all the traffic with IPS enabled. As a result, traffic drops may occur when the IPS signature is being compiled. Signature compilation is performed at the start of services, during the SPack upgrade and or during any IPS configuration update.
  • It is recommended that you do not set ips-action-during-async-sig-compilation to allow, because this allows traffic that should be subjected to IPS to pass without inspection.
  • The rule-alias security rule attribute has been restricted to allow only a single keyword as an alias. Earlier, this attribute allowed text including multiple words.
  • Application route cache entries now age out after 1 hour. Previously, these entries were never cleared.
  • You cannot add an interface directly under a routing protocol if that interface is part of a network object. This change was made to provide consistent behavior across all routing protocols.
  • The number of configurable next-hop priorities has been changed from 4 to 8, and the number of next hops at a given priority is now limited to 8.
  • An active–active setup automatically inherits the configured uplink and downlink bandwidth of the paired site's physical interface as the reference bandwidth for corresponding cross-connect links for SD-WAN load-balancing. The values are propagated over MP-BGP, thus eliminating the need for additional configuration (shaping or port uplink/downlink) on the cross-connect link.
  • TWAMP-light supports only symmetric path for one-way metrics.
  • TWAMP-light supports performance evaluation only over vni and site-to-site IPsec tvi interfaces. TWAMP-light is not supported on Layer 2 vni interfaces, and it is not supported on IRB interfaces.
  • On Layer 2 logical interfaces, dual-tagged packets are processed based only on the outer VLAN tag. The inner VLAN tag is ignored.
  • Shaping on IRB and native fragmentation of large Layer 2 frames (those exceeding the MTU) over SD-WAN are not supported.
  • The sla-not-met alarm may not be generated for the path from a branch to a Controller node if there is no transit traffic between the two devices. In earlier releases, host-generated traffic was considered as activity, and because there is always control traffic between the branch and the Controller node, any SLA parameter violation triggered an alarm.
  • When you want to change the maximum number of tenants and make other configuration changes, you must first change the maximum number of tenants and then commit the change. After this commit, a service restart occurs. Then make the other configuration changes after the restart.
  • Whenever you use an SD-WAN or a PBF policy rule to enforce a next hop and thus override routing, you must configure a source zone in the rule in addition to other match criteria to prevent traffic that is not intended for the rule from inadvertently matching it. An example is when you use an SD-WAN or a PBF policy rule to perform application-based DIA. This scenario requires a rule to identify the traffic originating from the LAN (typically, some Intf-<>-LAN-zone). You use this rule to send the traffic to the required transport virtual router (VR), where a second session is created. CGNAT rules are used to source NAT this traffic. If the source zone is omitted from the SD-WAN or PBF rule match condition, the second session also matches the traffic, resulting in a packet loop. Adding the source zone Intf-<>-LAN-zone as a match condition prevents the second session from matching the PBF rule.
  • The DHCP client configuration is enabled for the out-of-band management interface, eth0, so that it can acquire a DHCP IP address in addition to a static IP address that is already configured.
  • SD-WAN sessions (UDP port 4790) on a cross-connect paired device are now shown as versa_sdwan_xconnect instead of unknown_udp. Note that this information is displayed only for traffic originating from a paired site.
  • Release 21.2.1 introduces a per-interface path MTU discovery interval. If you do not configure a per-interface interval, the global value is used. If a per-interface configuration is present only on one end of an SD-WAN path, the value is used by both ends.
  • When you configure the circuit media as LTE and the LTE interface is the only operational WAN interface, the IKE retry interval becomes 10 minutes.
  • The sdwan-branch-lte-only-transport Controller alarm has been added. The Controller node sends this alarm to the Director node via Netconf after a soak interval of 60 seconds. You can also configure this alarm to be forwarded to Versa Analytics. This alarm is triggered when the data path towards a branch is on an LTE-only transport, which is determined based on setting the circuit media to LTE.
  • You can modify the CGNAT pool without having to perform a service restart or reboot.
  • When an LEF connection disconnects, pending messages are held in queue until the connection reestablishes, which ensures that LEF logs are not lost or dropped. Starting in Release 21.2.1, the default time to hold high-priority messages in the queue is 900 seconds (15 minutes), and low-priority messages are held in the queue for 60 seconds.
  • The default number of WiFi interfaces has been reduced from 8 to 4. However, you can still configure up to 8 WiFi interfaces.
  • For EVPN multihoming, VOS devices support only manual configuration mode, which is used to derive the Ethernet segment identifier (ESI).
  • You can set the packet padding size of the TWAMP-light sender test-session to a value from 27 through 4000 bytes. (From the CLI use the orgs org-services organization-name twamp-light twamp-light-session-sender test-session test-session-name packet-padding-size command.) This value defines how much to pad each probe packet of the sender test session. The padding is done using pseudorandom data to avoid data compression by WAN optimizers in the packet path. The don't fragment (DF) bit in the IP header is enabled in all probe packets, as mandated by standard. If you configure the packet padding size to a value greater than the MTU of the interface that the test session is configured to use, IP fragmentation is performed on the packet at the source. If the value is higher than the path MTU of the probe packet but less than the MTU of the interface, the packet is dropped on the path because of the DF-bit in the IP header.
  • EVPN does not support a hub-and-spoke topology with a Hub Controller.
  • Traffic ingress to or egress from a VSA client application is implicitly marked as remote-client zone.
  • If you upgrade a Versa speed-test client or server to Release 21.2.1, you must also update the corresponding Versa speed-test client or server to Release 21.2.1. The Versa speed test does not work if one of the devices (Versa speed-test server or Versa speed-test client) is running Release 21.2.1 and the other device is not running Release 21.2.1.
  • In Releases 20.2 and later, the BGP AS path loop check behavior has been changed to prevent BGP routes that contain the local AS number of the BGP instance from being installed, even when they are received from IBGP peers. (In software releases prior to Release 20.2, the AS loop check was performed only for routes received from EBGP peers.) This change was made to comply with RFC 4271, to prevent loops in all cases. When you upgrade a VOS device from Release 16.1R2 to Release 21.2, if the VOS device includes the overlay AS number in the BGP AS path sent to the Controller node, the Controller node no longer installs these routes and therefore does not propagate the routes to other branches. As a result, you might encounter one of the following situations:
    • The local AS number configured in the branch VRF BGP group or neighbor may be the same as the overlay control VR. If so, do one of the following as part of the upgrade:
      • Ensure that the local AS number configured for the group or neighbor in the VRF is different from the overlay BGP AS number in the control VR. If the AS numbers are different, the controller node does not receive its own overlay AS number in the AS path, and the route is installed.
      • Check whether the default local AS mode is mode-2, which adds the configured local AS at the BGP group or neighbor level to the AS path when the route is imported. If so, change the mode to mode-4, which does not add the AS number to the AS path. As a result, the route passes the AS loop check on the Controller node and is installed.
      • Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
    • The AS path received from the BGP peers in the VRF may already contain the overlay AS number. If so, do one of the following as part of the upgrade:
      • Ensure that the customer network does not use the overlay BGP AS number in the control VR, with the result that the controller will not receive its own overlay AS number in the AS path and the route will be installed.
      • Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
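To make the upgrade pitfall concrete, the following Python model (added here; it is not Versa's implementation) simulates the Controller's AS path loop check for the situations above. The mode-2/mode-4 behavior and the loops option are modeled only as far as the note describes them; the AS numbers are constructed sample values, and the assumption that "loops N" permits up to N occurrences of the receiver's own AS is labeled in the code.

```python
from typing import List

MODE_2 = "mode-2"  # prepend the group/neighbor local AS when the route is imported
MODE_4 = "mode-4"  # leave the AS path unchanged


def export_from_vrf(as_path: List[int], vrf_local_as: int, mode: str) -> List[int]:
    """AS path as the branch VRF hands it to the overlay, per local-AS mode."""
    if mode == MODE_2:
        return [vrf_local_as] + list(as_path)
    if mode == MODE_4:
        return list(as_path)
    raise ValueError(f"unknown local-AS mode: {mode}")


def loop_check_passes(as_path: List[int], receiver_as: int, loops: int = 0,
                      peer_type: str = "ibgp", pre_20_2: bool = False) -> bool:
    """True if the receiving node installs the route.

    Release 20.2 and later: the check applies to EBGP and IBGP peers alike.
    pre_20_2=True reproduces the old behavior, where IBGP routes were not
    checked. Assumption: 'loops N' permits up to N occurrences of the
    receiver's own AS number in the path.
    """
    if pre_20_2 and peer_type == "ibgp":
        return True
    return as_path.count(receiver_as) <= loops


def controller_installs(overlay_as: int, vrf_local_as: int, mode: str,
                        customer_path: List[int], loops: int = 0) -> bool:
    """Walk the note's upgrade scenario: branch VRF -> control VR -> Controller
    (an IBGP peer in the overlay AS). Returns whether the route is installed."""
    exported = export_from_vrf(customer_path, vrf_local_as, mode)
    return loop_check_passes(exported, overlay_as, loops=loops, peer_type="ibgp")


if __name__ == "__main__":
    # Constructed sample values: overlay AS 64512, customer AS 65001.
    OVERLAY, CUSTOMER = 64512, [65001]
    print("local AS == overlay AS, mode-2:", controller_installs(OVERLAY, 64512, MODE_2, CUSTOMER))
    print("local AS == overlay AS, mode-4:", controller_installs(OVERLAY, 64512, MODE_4, CUSTOMER))
    print("local AS != overlay AS, mode-2:", controller_installs(OVERLAY, 64600, MODE_2, CUSTOMER))
    print("mode-2 with 'loops 1'         :", controller_installs(OVERLAY, 64512, MODE_2, CUSTOMER, loops=1))
    print("overlay AS already in path    :", controller_installs(OVERLAY, 64600, MODE_4, [65001, 64512]))
```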
  • When you upgrade a VOS device to Release 21.2 on a high-end hardware appliance, QAT is disabled, because a slight performance drop for smaller packets is observed in the pure SD-WAN use case. (High-end appliances include Advantech FWA-3260, Advantech FWA-5020, Advantech FWA-5070, Dell VEP-1485-V240, Dell VEP-4600-V910, Dell VEP-4600-V930, Lanner NCA4010, Lanner NCA5510, Lanner NCA5520, Riverbed EX-6080, Versa CSG1300, Versa CSG1500, and Versa CSG2500.) To re-enable QAT, issue the following commands:

admin@Branch-cli(config)% set system platform crypto-accelerator-support true
admin@Branch-cli(config)% commit
admin@Branch-cli(config)% exit
admin@Branch-cli> request system restart
  • When you use SD-WAN with UTM or an IPsec concentrator, it is recommended that you enable QAT so that the cryptographic functionality, including bulk cryptographic and asymmetric cryptographic operations, can be offloaded and CPU resources can be utilized by other workloads.

Known Issues

The following are the known issues in Releases 21.2.1, 21.2.2, and 21.2.3:

  • On VOS instances based on Ubuntu 18.04, the CLI command to download OS SPacks directly from the Versa cloud instance does not work. As a workaround, use the Versa Director to push OS SPacks to these VOS instances.
  • In multicast routing, when you enable the anycast-RP mechanism on a first-hop router, the source information is not shared between anycast-RP peers through PIM register packets. As a workaround, do not enable anycast-RP on a first-hop router.
  • When a MAC move occurs between a local and remote site learned over EVPN, the MAC move action configuration does not work.
  • If a VOS node is part of an inter-chassis HA pair (active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.2.1. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe type to none on both nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can return the HA probe-type value to the originally configured value.
    To upgrade an interchassis HA pair from Release 20.2.2 to 21.2.1, it is recommended that you upgrade the VOS device from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.2.1.
  • A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case and if you have multitenant CPE or hub VOS instances, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. Then, configure the shaper on the provider organization and configure the provider limit on the customer organization, and commit the configuration a second time.
  • For a VOS device on which uCPE is enabled (hypervisor installed), you cannot automatically upgrade it from Release 16.1R2 to Release 21.2.1. For assistance, contact Versa Networks Customer Support and see the following Knowledge Base article:
    https://support.versa-networks.com/a/solutions/articles/23000021050
  • When you enable the info-validation feature in a stateful HA branch deployment, there might be a long delay in bringing up the interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.
  • If you configure an SLA profile at the next-hop level in conjunction with configured application monitors, the SLA profile options to select a path based on the lowest latency and on the lowest packet loss are ignored. To use these best-path selection features, configure the SLA profile at the global level.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 21.2.1, March 20, 2021
Revision 2—Release 21.2.2, September 12, 2021
Revision 3—Release 21.2.3, August 2, 2022
