Versa Director Release Notes for Release 21.2
These release notes describe features, enhancements, fixes, and known issues in the Release 21.2 Versa Director software, for Releases 21.2.0 (simply called 21.2) through 21.2.3. Releases 21.2.1 and later are general availability (GA) releases and are supported for use in production networks.
August 2, 2022
Revision 3
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install the Versa Director Software
To install the Versa Director software, see the Deployment and Initial Configuration articles.
Upgrade to Release 21.2
To upgrade to Release 21.2, see the Upgrade Software on Headend and Branch article.
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:
```
Administrator@versa-director> request system rollback to snapshot-timestamp
```
The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation.
Install the Software License for Versa Director
Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.
Note the following:
- Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
- On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).
VOS Version Compatibility
Release 21.2 of Versa Director is compatible with the following Versa Operating System™ (VOS™) software versions:
- Release 20.2.x
- Release 21.1.x
- Release 21.2.x
Release 21.2 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in Appliance view to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.
New Features
This section describes the new Versa Director features in Release 21.2. All features are introduced in Release 21.2.1 unless otherwise noted.
- Cloud API enhancements—API-based integration in Azure virtual WAN and AWS transit gateway supports scenarios in which the branch is behind a NAT. See Configure Site-to-Site Tunnels.
- Filter BGP path attributes—(For Releases 21.2.3 and later.) On the Monitoring > Service BGP screen, you can filter BGP on additional path attributes, including community, extended community, and AS path.
- NAT in site-to-site tunnels—When creating a site-to-site tunnel between a branch and an Azure Virtual WAN or AWS Transit Gateway, the WAN interface can use the NATed IP address. You can also configure the NATed IP address when deploying Workflows. See Configure Site-to-Site Tunnels.
- Option to set RequestedAuthnContext value in SSO—(For Releases 21.2.2 and later.) Add an option to set Requested Auth Context Comparison in an SSO SAML connector. You can set the value to "minimum" or "exact" depending on your authentication type.
- Total Site Up/Down in Tenant Summary window—(For Releases 21.2.2 and later.) In the Tenant Summary window, add the count of the number of sites that are up and down, and add a card that summarizes the status of all assets.
- Versa Director central authentication—(For Releases 21.2.2 and later.) In a topology with more than one Director node, you can have one of the Director nodes be the central authentication Director node. The central authentication Director node verifies all authentication requests, and it issues a token that can be used for making API calls to any Director node. Director central authentication is useful for Concerto use cases.
You enable central authentication from the CLI:
```
Administrator@versa-director% show nms provider central-auth-connector
enable-central-auth enabled;
director-ips [ 10.192.63.14 ];
```
For director-ips, provide the IP addresses of the primary and secondary Director nodes.
- Versa Director–managed site-to-site tunnels—You can create a Versa Director–managed IPsec site-to-site tunnel between a provider Versa Director node and a customer Versa Director node to allow the customer Versa Director node to use available services from the provider Director node as if the services were directly available from the customer Director node. These services include:
- On-ramp to SaaS providers, such as Box, Google, Microsoft Office, and Salesforce
- Cloud Service Gateways (CSGs)
- Application reverse proxies
- Titan hubs
Director–managed site-to-site tunnels support EBGP, IKE, and IPsec. See Configure Site-to-Site Tunnels.
- VMS passive authentication enhancements—Versa messaging server (VMS) supports the following:
- Administrative container for VMS to manage services and the VMS deployment, including REST API capabilities to manage the VMS features and infrastructure.
- High availability for VMS infrastructure and containers.
- Passive authentication. See Configure Passive Authentication for VMS.
- VSA subscription—You can configure the number of Versa secure access (VSA) licenses for both basic and advanced users per organization using Versa Director. After you configure the VSA subscription information, it is tracked in the subscription monthly and the entitlement reports, and on the Entitlement Manager query page. See Configure Versa Secure Access Subscriptions.
- Workflow support for T1/E1 and ADSL2+/VDSL2+ interfaces—You can use Workflows to configure T1/E1 and ADSL2+/VDSL2+ interfaces, making configuration of these interfaces easier and an integral part of SD-WAN workflows. See Configure Interfaces.
Fixed Bugs
The following are the critical and major defects fixed in Release 21.2.
Fixed Bugs in Release 21.2.1
The following tables list the critical and major defects that were fixed in Release 21.2.1.
Tracking Bug | Description |
---|---|
34494 | Subscription Query page shows state as automatically renewed after device is automatically renewed instead of showing automatically activated. This issue has been fixed. |
40095 | Add enable and disable policy rules. |
40157 | Add support for TCP-based syslog remote connector. |
42494 | Snapshot creation is now audited and present in the audit log. |
43124 | Custom role editing is now audited. |
45549 | Add alarm for when AMQP/Kafka connector is not reachable from Director node. |
46789 | Add Total column, which was missing in Entitlement summary report. |
47781 | Spoke group search is now done by making query to the backend instead of performing a UI-level search. |
47998 | For a device managed with LTE as WAN, the Director node now decreases polling cycles and netconf notifications to reduce management traffic. |
48207 | Asset Inventory is not showing the count of hub-controllers under both Summary and Details tabs under Versa Director > Monitor > Provider > Summary. This issue has been fixed. |
48431 | Virtual router UI screen access was slow. This issue has been fixed. |
49326 | Add cloud-connector support, with type as Versa. This enables a client Versa Director to create site-to-site tunnels between VOS devices managed by different Director nodes. |
50511 | Add option to enable and disable the sending of device-level alarms to an AMQP server configured as an AMQP connector. |
50562 | Bulk delete of VRRP configuration fails in UI under template. This issue has been fixed. |
50578 | Entitlement management/subscription actions are not RBAC-protected from REST APIs. This issue has been fixed. |
52001 | NCS crashed with error "Internal error: Supervision terminated". This issue has been fixed by upgrading NCS to a newer version, version 4.7.8. |
52518 | Add new alerts such as DESIGNATED-MASTER-NOT-ACTIVE, LICENSE-EXPIRY-ALERT, DISK-USAGE-ALERT. Update the alerts naming conventions, changing Master to Active and Slave to Standby. |
52665 | NCS Java logging does not work. This issue has been fixed. |
54006 | You can now customize common VOS HTTP/HTTPS credentials. The Director node uses these in the /var/versa/vnms/data/conf/default.conf script. |
55106 | Validation is missing for cluster list in bind data screen. This issue has been fixed. |
55471 | Upgrade with customer configuration from Release 16.1R2S10.1 to Release 20.3.1 fails during migrate scripts because of QoS configuration. This issue has been fixed. |
55504 | Create/delete device group is not notified over AMQP. This issue has been fixed. |
55520 | If a device in the unknown device list tries to reconnect, a new task is created. This issue has been fixed. |
55655 | Add support for circuit tag in Workflows > Template > interfaces > WAN Interfaces. |
55676 | Under Entitlement Management, end date calculation for a subscription is wrong. This issue has been fixed. |
56584 | Director upgrade from Release 16.1R2S10.1 running customer snapshot fails in Workflows module related to split tunnel. This issue has been fixed. |
56777 | In a multitenant deployment, monitor UI now displays location information with access to the child organization. |
57028 | Free memory calculation is incorrect. This issue has been fixed. |
57369 | PPPoE WAN interface network is not added to traffic identification list during template Workflow deployment. This issue has been fixed. |
58484 | When a user attempts to change their password multiple times, the user account is not locked even after the number of incorrect password attempts defined in max_login_fail_count in UserGlobalSettings. This issue has been fixed. |
58749 | In uCPE, add support to increase the secondary hard disk size to a maximum of 512 GB. |
58828 | In some GUIs, time is not displayed in the local time zone. This issue has been fixed. |
59034 | Local backups cannot be deleted using the Purge command. This issue has been fixed. |
59131 | Add support to encrypt all passwords in device configuration. |
59334 | In Entitlement Management Query page, TotalActiveDays is not updated properly. This issue has been fixed. |
59426 | Appliance location data type changed from varchar to text to accommodate larger location values. |
60505 | validate.py script does not display the errors from the ha-pair-config-validation.py script. This issue has been fixed. |
60653 | In the virtual router UI, changing the OSPF network returns the error “invalid byte sequence for encoding UTF8: 0x00..”. This issue has been fixed. |
60857 | Stale entries in bind data cause Director upgrade from Release 20.2.2 to Release 20.2.3 to fail. This issue has been fixed. |
60954 | Director upgrade from Releases 16.1R2S10.1/S11 to Release 21.2.1 fails during migrate script because of an incorrect user role, with the error: "Upgrade failed: Upgrade transaction failed to validate: /ncs:devices/device{DCA-Controller-01}/config/system/users{ab16399}/role (value "oper"): oper user cannot land on shell (use 'cli' or 'none')". This issue has been fixed. |
60991 | When you modify the bandwidth in a Workflow template and apply the changes, they do not take effect on existing SD-WAN branches. This issue has been fixed. |
61281 | Add support for bandwidth limit configuration when uploading a package to a branch or device. |
61475 | Add support in monitor screens for application identification. |
62155 | In an AWS SD-WAN gateway deployment, the DescribeInstances API call may fail, with the error "instance ID does not exist". This issue has been fixed. |
62286 | Redundant template deployment fails when you configure an AWS transit gateway site-to-site or Azure Virtual WAN tunnel in a Workflow template. This issue has been fixed. |
62334 | When you select multiple devices from a Director node to upgrade, if one device is not reachable, the task is shown as successful in the progress column. This issue has been fixed. |
62346 | Move Kerberos virtual URL configuration from captive portal to Kerberos profile. |
62352 | If you add or remove a service template in a device Workflow or device group, or make a configuration change in a service template, the template state does not go out of sync in the commit window. This issue has been fixed. |
62375 | Entitlement Management > License period is not updated after performing Workflow organization deploy. This issue has been fixed. |
62390 | When you change the SSH host keys on a VOS device, subsequent requests to the VOS device fail, with the error “SSH host key error”. This issue has been fixed. |
62412 | Update software to reduce the number of system/details calls made to each VOS device in each polling cycle. |
62433 | It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters. |
62557 | NGFl service is not picked up from default-sng if the services field is empty. This issue has been fixed. |
62574 | Reachable to unreachable state is not shown at least every 3 minutes. This issue has been fixed. |
62608 | GUI cursor keeps spinning when a TenantSuperAdmin user who is logged in with email format as the username tries to change session timeout. This issue has been fixed. |
62618 | Template recreation fails when radius-shared-secret contains special characters, such as ";", which is a valid character. This issue has been fixed. |
62709 | Cannot save/deploy a Controller node after the Controller node is deleted from the appliance listing screen. This issue has been fixed. |
62790 | EXTERNAL_USER.log shows bearer token instead of username. This issue has been fixed. |
62900 | Remove per-organization subscription details from the Entitlement Manager summary page. |
62923 | In Director GUI, cannot add VLAN to LAN interface on CPE with DF error. This issue has been fixed. |
62952 | Template regeneration fails when TACACS+ key is parameterized. This issue has been fixed. |
63011 | Add template sync status to tool tip for an appliance on Appliance Listing screen. |
63142 | Commit template should not send an email when commit template is set to schedule it now. This issue has been fixed. |
63145 | Proxy authentication is not working for SPack download. This issue has been fixed. |
63185 | When user creates new device Workflow and clicks Cancel at bind data, the user cannot create a new device Workflow with the same name. This issue has been fixed. |
63206 | Local CMS organization update might fail for tenant superadmin user. This issue has been fixed. |
63241 | After you upgrade to Release 20.2.3, the bind variables of a service template that were attached to all the devices using it are no longer present in the device bind-data tables. This issue has been fixed. |
63249 | When using the vnms-startup.sh script that is non-interactive, the system addresses are taking the docker IP address when no southbound interface is provided. This issue has been fixed. |
63298 | LAN routing instance is provisioned incorrectly for TVI interface for GRE-based tunnels when the tunnel start endpoint is LAN network instead of WAN network. This issue has been fixed. |
63316 | Bind data variable for BGP local AS in Workflow template for IBGP is not populating in the device. This issue has been fixed. |
63328 | Enabling IPsec for HA secure communication generates unwanted configuration, leading to an IPsec failure. This issue has been fixed. |
63382 | In Releases 20.2 and 21.1, files are not correctly copied in /var/versa/packages/spack/current/config/. This issue has been fixed. |
63397 | Redistribution policy Default-Policy-To-BGP on DMZ-VR (not VRF) is not created when you select ST with either DIA or gateway option. This issue has been fixed. |
63430 | After you delete a device from a Workflow, the device global site ID is not freed. This issue has been fixed. |
63455 | During URL ZTP, the email notification may not be sent. This issue has been fixed. |
63477 | New solution tiers added to support Titan. |
63500 | Tenants deleted from a branch are still listed in the appliance listing screen. This issue has been fixed. |
63525 | WPA password or RADIUS shared secret key in Workflow device bind data is not encrypted. This issue has been fixed. |
63589 | Director failover operation results in application timeout. This issue has been fixed. |
63607 | Editing WAN circuit tag does not work. This issue has been fixed. |
63610 | Do not add the default configuration of Layer 2 learning in Workflow templates. This configuration is not needed. |
63649 | When creating a WiFi template, you can configure a different country for both radios in the wireless configuration. This issue has been fixed. |
63714 | You cannot delete multiple static routes from the GUI. This issue has been fixed. |
63725 | Add support for OOKLA speed test from the GUI. |
63761 | Add support to configure software package upload time under device group. |
63769 | NullPointerException is seen when you commit a shared service template associated with device group and device level. This issue has been fixed. |
63897 | Kafka/AMQP message publishing should happen using a separate event bus to handle unreachable or slow brokers. This was impacting ZTP task creation. This issue has been fixed. |
63941 | Changing the Director timezone causes incorrect timestamp to display in many listing screens. This issue has been fixed. |
63977 | Creating an AWS Transit Gateway or Azure Virtual WAN tunnel with redundant template creates duplicate tunnels for the primary and redundant templates. This issue has been fixed. |
64035 | In the entitlement manager, the solution tier modification is not updated using the Workflow template. This issue has been fixed. |
64040 | Invalid CSRF token message is displayed during sync-from, sync-to, and bulk sync-from. This issue has been fixed. |
64111 | Deleting the SSO configuration might not work properly. This issue has been fixed. |
64118 | In the entitlement manager, rename solution tier VSA Basic to VSA Standard. |
64169 | Director backend has WPA password in encrypted text, but returns it in cleartext to Workflow template API call. This issue has been fixed. |
64170 | The AWS DeleteOnTermination flag for EBS volume should be set as True during VOS deployment using CMS connector to make sure that stale volumes are not present in the cloud. This issue has been fixed. |
64248 | SMS messages sent using the Versa account are rate-limited. This issue has been fixed. |
64291 | OS SPack download task is generated with no description. This issue has been fixed. |
64330 | TenantSuperAdmin user cannot download OS SPack on appliance page. This issue has been fixed. |
64342 | PSQL database password change command does not work. This issue has been fixed. |
64362 | Unable to log in as tenant user when single-idp-connector type selected. This issue has been fixed. |
64363 | For an incremental SPack upgrade, director.json and other xml files are not copied when incremental SPack is installed via REST API call with update-type "incremental" (in lowercase letters). This issue has been fixed. |
64365 | ZTP might fail, with a socket close error. This issue has been fixed. |
64366 | PPPoE password on appliance is now encrypted during communication between the Director node and the appliance. |
64373 | Upgrading a Director node to Release 21.2.1 fails, with the error "failed to execute migrate script sysusers.lua". This issue has been fixed. |
64376 | RMA skips upgrade/downgrade and continues with RMA process when software version is blank for existing device, but it prints proper messages in the task. This issue has been fixed. |
64426 | Include c5a instance type during device deployment on AWS using CMS connector. |
64427 | Static route screen shows invalid IPv4 or IPv6 address/prefix error for a valid destination. This issue has been fixed. |
64467 | Template automerge operation may remove configuration added at the template configuration level when recreating the template after adding DNS policy rule. This issue has been fixed. |
64479 | Unable to ZTP to a device running Release 20.2.2 when Controller and Director nodes are running Release 21.2. This issue has been fixed. |
64497 | When you delete a Controller device in the GUI, peer controller information is not removed from the database. This issue has been fixed. |
64603 | Resource groups are not listed during the creation of Azure Virtual WAN tunnels. This issue has been fixed. |
64614 | Allow only GET and /api/*/actions/* POST APIs. Reject other POST, PUT and DELETE APIs with appropriate error message from standby Director. |
64664 | Workflow templates deployed with duplicate name as redundant pair are corrected or flagged by validate.py script. This issue has been fixed. |
64675 | Local user information is pushed only to devices that are in the device group associated with the first template. This issue has been fixed. |
64713 | Login, logout, and change password time are not captured in the audit log. This issue has been fixed. |
64807 | TenantSecurityAdmin users cannot download OS security package. This issue has been fixed. |
64816 | Cannot remove Analytics cluster or all user-supported roles from Workflow organization after redeploying the organization. This issue has been fixed. |
64828 | In Entitlement Query, rename column State to Event. |
64862 | Search does not work for Configuration > Objects > VPN Profiles GUI. This issue has been fixed. |
64872 | After you modify the organization from a template, virtual switches are not populated because the backend sends the previous organization. This issue has been fixed. |
64882 | Device upgrade might get stuck at 70% even if upgrade is successful. This issue has been fixed. |
65064 | Cannot see bind data for more than 100 devices in a single device group. This issue has been fixed. |
65069 | Autogenerated bind data IKE identifier is not updated. This issue has been fixed. |
65257 | No data displays on Services > Monitor screen. This issue has been fixed. |
65260 | Audit logs are not reported for any of the operations performed by the local provider-level users. This issue has been fixed. |
65335 | Import workflow device is deploying devices without bind data variables. This issue has been fixed. |
65365 | Cannot delete service chain template in Workflows. This issue has been fixed. |
65386 | Variable bind data loads slowly after being deployed from a device Workflow. This issue has been fixed. |
65517 | Current user cannot make changes to the branch when the branch is locked for other users. This issue has been fixed. |
65646 | Cannot commit to multiple devices because of task description length. This issue has been fixed. |
65650 | Incorrect configuration under device context when bootstrap fails. This issue has been fixed. |
65683 | Replacing an appliance with new serial number incorrectly updates lastModifiedBy field with null value in Workflow device. This issue has been fixed. |
65696 | Deploying application template by TenantSuperAdmin on Workflows > Template > Application Steering may fail. This issue has been fixed. |
65718 | After HA failover, cannot receive alarm emails. This issue has been fixed. |
65735 | User authentication now fetches HA status from cache instead of from NCS to improve performance and avoid resource-denied NCS issue. |
65753 | Enable suspend-backup-collectors as default in Workflow templates. |
65774 | Update CPE ports object on firewall rule in controller. Remove port 4000. |
65775 | Error occurs when pushing post-staging template for hub and spoke. This issue has been fixed. |
65793 | Workflow device deploy using CMS connector does not work in Azure China region. This issue has been fixed. |
65818 | SD-WAN policies created by Workflow must add action. This issue has been fixed. |
65831 | Changing SiteId from Workflow devices is shown in the inventory but not on the GUI appliances screen. This issue has been fixed. |
65850 | After ZTP, appliance shows incorrect subscription state as created in entitlement screen under appliance context. This issue has been fixed. |
65960 | Upgrade to Tomcat 9.0.43. |
65992 | Default spring-boot tomcat thread-pool size for ports 9182, 9183, and 8090 is configured incorrectly in application properties. This issue has been fixed. |
35962 | Update third-party libraries to address vulnerabilities reported by OWASP dependency check tool. |
38387 | During HA enable operation, task popup disappears from the window before displaying the success prompt. This issue has been fixed. |
39367 | Add GUI support for displaying PoE statistics. |
40103 | Remove keepalive timeout for IPsec from CLI and GUI. |
42113 | Under Device Templates in the Peer IP field, the + icon and parameterize icons are not aligned. This issue has been fixed. |
45613 | Add support to set and match BGP community in the old format, that is, as a 4-byte number. |
45739 | Fix OSPF clear neighbor operation in the GUI. |
45901 | Add GUI support for Director SPack upload and installation. |
47699 | Add pagination support for IGMP Group Monitor screen. |
47781 | Add GUI support for search for Spoke Group screen. |
47929 | Add support for health check for a standby interface. |
48207 | Asset Inventory does not display a count of Hub-Controllers (under both Summary and Details). This issue has been fixed. |
48421 | Add support for bulk delete operation for syslog servers in templates configuration. |
48481 | Fix GUI to gray out code field under DHCP custom options if vendor ID is selected. |
48490 | Fix Add Appliance screen in Administration tab. |
48606 | Fix GUI tool tip to show "Undefined" for Director and Analytics Cluster in Monitor > Provider-org > Summary > Asset Inventory. |
49322 | Add GUI support for Platform > Management Port > Usage Model. |
49632 | Add parameterization for routing instance in security package update configuration. |
50611 | Add parameterization for prefix under BGP route aggregation. |
52518 | Fix to display Director HA critical alarms in notification popup. |
54327 | Disable No Summaries option for OSPF3 Area 0. |
56092 | Rename whitelist/blacklist to allowlist/denylist in URL Filtering screen. |
56175 | In Filtering Profile screen, change incorrectly named Authentication profile to Cloud profile. |
58351 | Enhance traceroute to support ICMP and TCP probes. |
59621 | Add GUI support for Layer 2 services. |
61617 | Add support for IPv6 options on the LTE interfaces vni-0/100 to vni-0/103. |
62418 | Add new option in uCPE screen to enable and disable multiqueue settings for the VM. |
62801 | Networks and subinterfaces values are shown incorrectly under Administration > Organizations > Associations. This issue has been fixed. |
62933 | Remote server exception issue seen when editing global router. This issue has been fixed. |
63380 | Fix to allow only FIPS-compliant ciphers when FIPS mode is enabled. |
63596 | Fix issue seen while modifying the configuration of routing instance for speed-test server. |
63671 | Add support for 10 domains in RAS VPN profile. |
63776 | Add Director support for secure access server group configuration. |
63804 | packet-padding-size IMIX is not reflected in show commands. This issue has been fixed. |
63895 | Enhance Appliance System configuration GUI screen to allow configuration of health object parameters. |
63915 | Implement LEF-logging configuration under WLAN so that WiFi LEF logs are sent based on user configuration. |
64012 | Add BGP prefixes for Layer 2 VPN EVPN screens under monitor screen. |
64040 | Fix invalid CSRF token message seen during sync-from device. |
64111 | After you delete all SSO configurations, SSO link is now disabled from the login page. |
64211 | GUI shows error incorrectly as [Object,Object] in task window during replace appliance operation. This issue has been fixed. |
64249 | Cannot edit or delete SNMP communities, USM, and trap profiles configured with special characters. This issue has been fixed. |
64316 | When authentication control dot1x was opened and clicked, dynamic VLAN is disabled. This issue has been fixed. |
64318 | Fix search operation for Application Steering screen. |
64323 | Fix search operation for Disabled Access Policy rules. |
64337 | Organization selection is not maintained when moving from objects to services. This issue has been fixed. |
64343 | Search in DoS policy rules screen does not work for values other than rule name. This issue has been fixed. |
64355 | For IP SLA monitor of subtype ha-probe, change interval default to 1 second. You cannot change the default. |
64361 | Neighbor peering is not starting when RIP instance or group password is enabled. This issue has been fixed. |
64371 | Fix failure in security package screens for TenantSuperAdmin and TenantSecurityAdmin. |
64410 | Add search bar for DoS profiles screen. |
64411 | GUI gets stuck when navigating from NTP screen to Objects/Services page. This issue has been fixed. |
64437 | In BGP, share-aro is enabled if you open advance tab under peer-group twice, and vice versa. |
64446 | Add select index for routing instance field under Configuration > System > Security Update > Automatic. |
64460 | Fix search operation on domain name server screen. |
64462 | When you select the radio button from the popup to search on VRRP Group screen/interfaces screen, it does not go away with one click/enter option. This issue has been fixed. |
64468 | Creating a new DDoS profile from DoS Policies > Edit DoS Rule > Enforce > Aggregate Profile > +Add New, selects aggregate profile by default, and vice versa, for classified. This issue has been fixed. |
64492 | Fix sorting on DDoS profiles screen. |
64532 | Fix missing instance ID in spanning-tree details screen from the second row onwards. |
64535 | Fix issue seen when updating the transparent proxy match rule configuration. |
64550 | Form landing is incorrect for the decryption profile. This issue has been fixed. |
64559 | Rule enable/disable option is not available for traffic monitoring in device configuration page. This issue has been fixed. |
64566 | Add GUI support to add destination zone as match condition under SD-WAN policy screen. |
64580 | Some information is not the same on Administration page card view and list view. This issue has been fixed. |
64581 | In CGNAT rule screen, source and destination range is not mandatory, but empty list is sent in payload, causing issue in template commit. This issue has been fixed. |
64584 | LLDP always shown as true in GUI even after you disable LLDP globally. This issue has been fixed. |
64589 | Correct name for global routing instance while adding DNS to be Global. |
64596 | Fix console error when you try to click on site configuration under Services. |
64618 | Enable caching mode for all profiles types, including local database, LDAP, Kerberos, SAML, and certificate authentication profile. |
64639 | When you add a static route with same gateway/next-hop IP address, GUI rejects configuration as a duplicate record. This issue has been fixed. |
64640 | Fix issue in rearranging templates in the device service templates screen. |
64651 | VRRP Group ID and Interface are swapped in the VRRP Table. This issue has been fixed. |
64652 | Template workflow is not working properly for redundant pair cross-connect interface for vni0/2 or greater. This issue has been fixed. |
64659 | Add parameterization for Certificate Authentication Profile in template. |
64669 | Fix error in console while clicking redeploy button in organization Workflow. |
64671 | After committing the BGP general password, you cannot use the BGP GUI without modifying the BGP general password. This issue has been fixed. |
64694 | Fix issue in HA template screen in which recreate button was not working after re-opening. |
64697 | NTP configuration screen is not showing interfaces with units. This issue has been fixed. |
64724 | GUI is showing incorrect details in SAs in Monitor > Services > IPsec > SA screen. This issue has been fixed. |
64728 | If the appliance count is more than two digits, the number alignment was incorrect under System Summary. This issue has been fixed. |
64740 | When you try to add or edit decryption server profiles, error 500 is seen. This issue has been fixed. |
64744 | Under Configuration > Networking > PBF > Policies screen, the column header Status has been changed to Rule Status. |
64757 | In GUI, creating a new vendor catalog did not indicate any process of adding the new one. This issue has been fixed. |
64766 | Implement rule insertion for QoS policy, App QoS policy, PBF policy, and DNS proxy screens. |
64797 | Add Director GUI support for per-interface (SD-WAN) PMTUD interval. |
64810 | File type qcow2 is not passed in the payload when creating a new vendor catalog. This issue has been fixed. |
64849 | Fix clear command for the SSL History Monitor screen. |
64859 | Default zone protection scan interval in GUI changed from 300 seconds to 30 seconds. |
64875 | Rename SLA Dampen labels to SLA Damp. |
64880 | Fix issue seen in parameterization for vni under bridge domains. |
64923 | Fix incorrect message for predefined application groups. |
64942 | Add parameterization for weight under BGP peer group and under routing peer policy. |
64943 | Add parameterization for community in peer/group policy under match/action and under redistribution policy. |
64945 | Caching mode is always set as IP-based when you select local database or LDAP profile in authentication profile. This issue has been fixed. |
64958 | Change column name from Status to Rule Disabled in secure access portal and gateway rules screen. |
65065 | Add support to display audit logs under Administration > Troubleshooting screen. |
65070 | Captive portal is not displayed as a part of secure access. This issue has been fixed. |
65071 | LDAP user/group is not fetched in Secure Access portal and gateway policy in template. This issue has been fixed. |
65175 |
After changing device ID for an existing device from workflows, user-defined bind data disappears when user attempts to redeploy a device. This issue has been fixed. |
65198 |
Disable virtual service option was checked when controller is deployed but service is not actually disabled. This issue has been fixed. |
65222 |
Tunnel interfaces that you add manually as type IPsec display as Down in monitor GUI when the interface is actually Up in appliance CLI and Director live status CLI. This issue has been fixed. |
65229 |
Jitter value in SLA profile is shown in percentage. This issue has been fixed. |
65230 |
Users cannot create mac-address object with only wildcard mask. This issue has been fixed. |
65235 |
OK button is not working while creating a device after filling bind data information. This issue has been fixed. |
65247 |
Add parameterization for keytab field in Kerberos profile in template. |
65249 |
Add parameterization for virtual URL field in Kerberos profile in template. |
65267 |
Fix GUI alignment issue when trying to create address group from IP filtering profile. |
65299 |
In Secure Access Configuration screen, add the option to display how many characters can be typed for a string variable and the current length of the string typed. |
65317 |
Fix cosmetic issues on File Filtering Profile screen. |
65364 |
Vertical line is seen over the [+] icon in Add Rule window for Source/Destination and Application/URL tabs. This issue has been fixed. |
65406 |
Regex pattern validation is missing in post-staging template under custom URL category. This issue has been fixed. |
65431 |
Add support for Layer 2 services in Monitor Screen. |
65458 |
When device is already deployed, GUI grays out changing tenant name in workflow device deploy. This issue has been fixed. You can now change the tenant name in device deploy Workflow. |
65495 |
Remove OK button in Decryption Settings screen for TenantOperator user. |
65549 |
Add support for secure access gateway and portal policy in Monitor Screen. |
65576 |
Fix GUI issue in requests screen in Certificate Manager under Objects and Connectors. |
65578 |
Tenant selector does not display when user switches from one tab to other in configuration page. This issue has been fixed. |
65598 |
Add pagination on Security Profiles > DNS Filtering page for Device Templates/Service Templates. |
65610 |
Add Director GUI support for new security algorithms. |
65628 |
Remove Dual Tunnel from Gateway General page. |
65631 |
Remove mandatory restriction for IP address in LDAP profile. |
65645 |
Fix to allow maximizing Director task window. |
65649 |
Templates attached to device groups are incorrectly added to Device Service Template. This issue has been fixed. |
65658 |
Cannot select firewall service for fifth tenant when workflow template resolution is set to 1366 x 768. This issue has been fixed. |
65661 |
Server configuration cannot be updated when IP address is not configured in LDAP profile. This issue has been fixed. |
65666 |
Fix SD-WAN rules output in application monitor. |
65679 |
Fix for password field that was displayed in clear text when logging into Versa Director. |
65682 |
Fix for GUI issue that caused multihoming under Aggregated Ethernet interface not to work. |
65738 |
Cannot update client CA Chain in Certificate Auth Profile. This issue has been fixed. |
65779 |
Cannot configure loss as dotted decimal in SLA profile. GUI was pushing only integer values. This issue has been fixed. |
65807 |
Add support for LLDP statistics in Monitor screen. |
65817 |
Fix incorrect staging pool restriction for Hub-Controller nodes. |
65857 |
Remove availability requirement field from Server pool tab. |
65881 |
VLAN ID is enabled when trunk is configured as interface mode. This issue has been fixed. |
65884 |
Shared control plane field overlaps with organization field. This issue has been fixed. |
65894 |
Fix parameterized values update and validation issue in ILC. |
65916 |
Fix issue in BGP advertised routes that was showing incorrect subnet mask for the advertised prefix. |
65948 |
Cloud profile type is now mandatory field in cloud profile page. |
65966 |
Network addresses are accepted in the dstAddrIpv4 and srcAddrIpv4 fields in the bind data in IPsec section. |
65980 |
Fix Eye icon in login screen so that it does not display password in clear text. |
66017 |
Fix typo in CPE Public Cloud workflow. |
66134 |
Add validation for encrypted keys in template configuration before committing via apply Template to device. |
64773 |
Device deploy with redundant template having site-to-site tunnel for tunnel gateway or Virtual WAN does not create tunnel objects. This issue has been fixed. |
64609 |
URLs sent in VSA notification mails are updated with appropriate links. |
64598 |
Release 21.1 Director pushes incorrect PSK key to Release 20.2.x devices when applying a template to a mix of Release 20.2.x and Release 21.1 devices. This issue has been fixed. |
62422 |
Add user account type SERVICE/GENERAL to allow customer to use user accounts only for Rest APIs and disallow GUI login. |
60805 |
Fix RBAC cache issues in failover. |
59969 |
Add sort-by name functionality in the Controller listing screen. |
63464 |
Add support for Concerto client SSO screen. |
61492 |
Fix issue in which device software version in postgres was set to blank for devices that were down. This was affecting RMAs. |
66040 |
Fix issue to support IDP and local SSO logout for Versa Director, Analytics, and Concerto. |
63987 |
Remove wait time when stopping appliance monitoring thread and the scheduler is configured to run the threads efficiently. This important fix allows a scale setup to run the appliance monitoring efficiently. |
59207 |
Fix issue with sync status when parallel requests made to push configuration in Appliance view. |
62205 |
Fix issue with uCPE VNF creation task when the template is committed to the device from the Diff View screen. |
58477 |
Add support for federated SSO logout and to show custom login page after SSO logout. |
60160 |
Fix issue with publishing appliance generated alarms to Kafka topic and AMQP server. |
59464 |
Devices under Monitoring and Configuration tabs are not shown after HA failover. This issue has been fixed. |
58921 |
Cannot export Versa SSO SP metadata from SSO screen to upload to external IDP. This issue has been fixed. |
64445 |
Fix XPath injection vulnerability that was found in appliance APIs. |
64443 |
Fix information disclosure vulnerability that was found in appliance APIs. |
60156 |
Change SSO SAML samlp:RequestedAuthnContext method from Exact to Minimum to allow multifactor IDP login authentication. |
64442 | User Enumeration vulnerability seen with user read/creation/update/deletion and change/reset password and unlock user account APIs. This issue has been fixed. |
65860 | LDAP bind password decryption error seen in template/appliance context. This issue has been fixed. |
Many |
As part of many bug fixes, many of the fields that define appliances are now encrypted when they are sent to appliances, including BGP, OSPF passwords, SNMP user passwords, and the MDM profile client secret. |
Fixed Bugs in Release 21.2.2
The following table lists the critical and major defects that were fixed in Release 21.2.2.
Tracking Bug |
Description |
---|---|
43606 |
Fix drop-down compatibility issues in Firefox browser. |
48020 |
Director uptime screen now reflects timezone data properly. |
48033 |
Fix values shown for source network field on NTP page. |
48973 |
Fix vulnerability regarding HTTP host header injection. |
51468 |
Fix navigation glitches from authentication policy rule screen on address group screen. |
52518 |
Director notification popup now shows different HA alarms, including HA-SLAVE-DIED, SLAVE-DIRECTOR-OFFLINE, and SLAVE-INCORRECT-MODE. |
54132 |
Fix incorrect template status on Apply Template screen. |
57028 |
Fix incorrect values for free memory in System Details card on Monitor screen. |
57693 |
Fix apply template failure when description field contains the quotation ("). |
58050 |
Add parameterize validation when field has values such as {$v |
62949 |
Add support for configuring the RADIUS and TACACS+ timeout. |
62998 |
Fix IPv6 VRRP screen for parameterizing variable limitations. |
63854 |
Add support for reordering rules in secure access portal and security gateway policies. |
64330 |
TenantSuperAdmin can now download OS SPacks. |
64337 |
Organization context is now maintained when user switches to different tab under the Configuration tab. |
65069 |
Fix refreshing of autogenerated bind data values when device workflow name changes. |
65658 |
Fix template workflow resolution issue that was preventing the user from seeing drop-down values. |
65818 |
Default action is now set for policies added by template workflow. |
65964 |
Director UI does not validate and provide feedback to user if there are errors in adding a user on the User Management screen. |
66020 |
Fix element order issue during apply template |
66061 |
Fix issue that TenantOperator user cannot view device workflow object content. |
66257, 66263, 66442 |
Fix search functionality in Profiles > DHCP and Services > SD-WAN > Controller, Authentication policy rules pages. |
66416 |
Add support for external auth user to take Director snapshot. |
66417, 66418 |
Fix corner cases while taking Director snapshot |
66582 |
Add encryption-proto support in workflow template. |
66668 |
Add support to show statistics per traffic class or per forwarding class on Monitor > Networking > CoS > Interfaces > Detail/Extensive screen. |
66965 |
Destination IP address and port fields can now be parameterized on log collector screen. |
66983 |
Fix issue of tenant users removing subscription from their own organization when saving it. |
67008 |
Fix to set the correct username for a task. |
67305 |
Fix intermittent LDAP user and group fetch issue. |
67327 |
Fix CGNAT configuration issues when LAN Interface is part of the provider organization. |
67582 |
Fix issue that an organization cannot be deselected if service templates are associated with that organization on the Device Group screen. |
67603 |
TenantSuperAdmin is now allowed to perform sync-from operation. |
67628 |
Fix task messages for bulk VOS device upgrade. |
67677 |
NPE now does not generate an error if an HA pair site location in the asset table is empty. |
67758 |
DSL interface and PPPoE username and password fields can now be parameterized. |
67783 |
Service template bind data is now cleaned up when user deletes a service template from a device group. |
67905 |
Increase FD limit for Director process. |
67949 |
Fix disabling of OK button until the data is loaded on the VR page. |
67965 |
Device name field now has uniform name for Director-generated alarms. |
68006 |
Honor release date in the package to select the latest image during bootstrap of VOS device. |
68041 |
Add support for editing OS SPack settings. |
68064 |
Fix cross-connect select and deselect issues in template workflow for redundant templates. |
68104 |
Fix HTML tags in message body of notification rule. |
68231 |
Add GUI option to restrict routing and connectivity across regions. |
68271 |
Fix CA chain certificate expiration issue in the UI. |
68363 |
User can now make NMS action API calls with external OAuth token. |
68372 |
Monitor screen now supports Layer 2 SD-WAN VOS device traffic. |
68718 |
Custom user role can now create NTP server instance. |
68847 |
Fix to pick correct Trusty/Bionic VOS image while pushing image to VOS device. |
68914 |
Add support for deleting VRFs from the spoke group screen. |
68923 | NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window. |
68978 |
Fix HA template and Layer 2 interface configuration issue in template workflow. |
68996 |
Fix monitor dashboard LTE display screen. |
69246 |
For the Ubuntu 18.04 OS, if isolate-cpu is enabled on Rangeley CPU–based system, the services sometimes fail to start. |
69314 |
SNMP trap profile does not allow the ‘.’ (dot) character. Only these special characters are allowed: _ # = + ^ $ @ : . { }', |
69491 |
Add support for DNS filters under configuration. |
69555 |
TenantSuperAdmin can now see organization workflows that are in the saved state. |
69590 |
Add pagination for Locked User screen. |
69641 |
Fix duplicate key sdwan-post-staging issues on Device Group screen. |
69808 |
Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log. |
69859 |
Fix issue of IKE changing on Controller node while redeploying a device workflow. |
69860 |
Path policy configuration now accepts free-form text. |
69877 |
Fix hub template workflow. |
69916 |
PPPoE service name now accepts special characters. |
69949 |
After adding service chain under organization limits, service menu now shows correct options for service chain template. |
69987 |
Entitlement report does not take into account the license year when reporting peak usage metric. |
70002 |
Fix NGFW security policy rules filter issue. |
70138 |
Changing IP address pool using docker-overlay-config.sh now prompts for confirmation to restart service. |
70234 |
Add support for URL ZTP over xDSL interfaces. |
70284 |
Per-user policies now are enabled when rate is parameterized. |
70313 |
Fix sorting functionality for System Summary tables on Monitor screens. |
70318 |
Fix download merge configuration issue on commit template screen. |
70336 |
BGP, IKE, and paths on monitor page now shows correct data after deleting VOS device. |
70338 |
Add support for user type data for IP-SLAM Monitor next-hop fields. |
70342 |
Fix for notification rule payload not having phone number. |
70368 |
Fix issues with importing service template configuration. |
70394 |
Asset summary now shows count for service VNFs |
70441 |
Suppress unwanted logs while fetching get-vnms-ha details from standby Director node. |
70459 |
Fix incorrect security package information on monitor screen |
70526 |
Fix RMA issue when encryption is enabled on Director node. |
70560 |
Fix for calling uCPE VNF operation each time a service chain template is committed. |
70585 |
Fix display of common template address group objects in device template. |
70613 | TLS v1.3 configuration in Proxy Profile window is not activated. |
70647 |
Fix display of overlay address schema popup if controller already exists in the system. |
70649 |
Fix units in Live monitor graph on monitor screen. |
70656 |
Fix for template failing to add WiFi interfaces when the security mode is none. |
70659 |
Service template references are now removed from device workflow when service template is deleted. |
70661 |
Fix corner cases when user opens existing device workflow objects. |
70789 |
Add ability to configure port number on secure-access server screen. |
70790 |
Add ability to configure port number in server group URL on secure access server screen. |
70814 |
Fix DHCP mapping file upload issue. |
70845 | Option to configure custom block action under captive portal in a template is missing. |
70857 |
Add per-user policers under class of service on monitor dashboard. |
70932 |
Restrict TSA users so they cannot view other tenant appliances in IP SLA next hop UI page. |
70955 |
Fix IPV6 identification in Tools > Ping page. |
70956 |
Allow parameterizing fields in prefix list on device template screen. |
70957 |
Fix autogenerated values that were missing in a secondary Hub Controller. |
71004 |
Allow more than eight interfaces in a Workflows template |
71006 |
RBAC-protect the nms/cloud/systems/getAllApplianceNames API call. |
71083 |
Fix pushing default values along with user changes in the form. |
71106 |
Make APN parameters for WWAN interface optional. |
71210 |
Custom role user now can perform speed test. |
71327 |
Fix bind data page to accept network address for IP address object. |
71330 |
Fix issues with TenantSuperAdmin accessing appliance shell through GUI. |
71386 |
Fix IP address and mask parameterized validation in service templates. |
71471 |
Fix for duplicate key value violating unique constraint appliance_hardware_pkey error while onboarding a VOS device. |
71477 |
TSA users can now take configuration snapshots of the common template. |
71515 | Fix the display of LEF profiles in secure access service templates that are configured in common templates. |
71522 |
Fix for TenantSuperAdmin failing to delete VOS device. |
71530 |
Fix special cases in Versa Analytics cluster installation script. |
71622 |
Fix issues on DHCP relay profile edit screen. |
71623 | POE warning prevents configuration of a VNI interface even when the POE attribute is not enabled. |
71638 |
Fix spoke group bulk deletion issue. |
71665 |
Add support for Available Provider Organizations configuration on Org Limits page. |
71685 |
Fix for scheduling image upload task messages that are not progressing. |
71686 |
Fix for scheduling template issues when VOS device not reachable and job triggered. |
71749 |
Fix issues on Hardware UI page. |
71757 |
Add support for the special characters “{”, “}”, “#” in the SNMP manager in Workflow template. |
71785 |
Fix for backup Director node not being able to take over as primary when port 5432 is not available. |
71812 |
Remove autoconfiguration and URI fields from WiFi screen. |
71831 |
Fix for Workflow template going blank while removing suborganization. |
71863 |
Handle automerge gracefully when preserve appliance changes is disabled. |
71903 |
Fix for Director node loading page even after logging out of Director node. |
71917 |
Fix Director login issue for Bionic images. |
71944 |
Fix for reset button not working on monitor screens. |
71977 |
Fix for showing empty content for File Filter field on monitor page. |
71983 |
Fix filter on monitor screen when switching from Appliance > Configuration > Objects > Addresses to the Monitoring tab. |
72046 |
Fix for custom role tenant user not being able to log in to Analytics node from Director node. |
72070 |
Fix incorrect order of BGP policy terms after workflow template is redeployed. |
72084 |
Add missing dot1p-rw-enable field under QoS profile. |
72094 |
For virtual switches, MAC learning is now enabled by default. |
72110 |
MTU for IRB can be now configured in UI. |
72183 |
Fix to creation of shared service and service template configuration objects. |
72186 |
Fix template workflow blank screen issue. |
72215 |
Fix Director rollback issue. |
72305 | Fix to reset local preferences for remote region hub. |
Fixed Bugs in Release 21.2.3
The following table lists the critical and major defects that were fixed in Release 21.2.3.
Tracking Bug | Description |
---|---|
13550 | Update NSO to Version 4.7.10. |
38973 | Rewrite all NCS bound live-status APIs as dashboard live APIs. |
48198 | Monitor screen should show appliance system and service uptime. |
48560 | Remove the failover button from template under high availability. |
49052 | Sort and search operation issues on Director Monitor > Recent Events details screen. |
54430 | General service templates to modify BGP configuration without requiring router ID configuration via GUI. |
58799 | Fix for incorrect appliance type for appliances created on AWS or Azure. |
58921 | Ability for users to export SSO metadata to upload to external IDP. |
59385 | OS SPack URL parameter changes to pass Ubuntu Bionic/Trusty OS platform information. |
59896 | Unable to export keys to appliances. |
60588 | Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed. |
62390 | Automate appliance host key refresh. |
62519 | Add support to create region in the Workflows template tab. |
63168 | Password string should be encrypted from UI browser. |
63376 | Cookie Without Same Site flag detected. |
63733 | LTE interface does not display in GUI for a deployed template if PPPoE is configured. |
64059 | Cannot redeploy the device because the WiFi password is encrypted on the backend, and when the UI applies plain-text validation to the encrypted text, the validation fails. |
66012 | Add a CLI command to set auto-merge as a default option. |
66259 | Display timezone details in director-HA failover alarms |
66260 | HA UI form displays same alarm results multiple times. |
66372 | Fix for issue sending SMTP email notifications for alarms. |
66436 | Extend local group name field length from 32 to 64 characters. |
67118 | Non-associated organization is shown under Appliance. |
67373 | Add ability to export the device list on Director GUI pages |
67963 | Fix for failure to enable HA when Director node has more than 500 appliances. |
68231 | Add a GUI option to restrict routing and connectivity across regions in an organization workflow. |
68466 | Add a script or command to reinitiate Kafka connections. |
68637 | Pagination is not working in task window. |
68665 | The " and & characters in a description are translated to &quot; and &amp;, respectively. |
68690 | Tomcat HTTP requests to Analytics now clean up or time out properly. |
69340 | Add an alarm on Concerto and Director if Kafka channel between them is broken. |
69404 | Performance improvements for appliance monitoring. |
69405 | Workflow template commit failed when LDAP password is configured with double quote ' " ' in parameterized bind data. |
69642 | Add support for "DHCP" as a bind variable value for IP addresses. |
69920 | Fix to ensure that WAN networks updated at the organization level propagate correctly to available networks in a tenant common template (DataStore template). |
69996 | Add GUI option "Mirror Interface" for uCPE interfaces. |
70202 | Add kernel version check during preupgrade. |
70566 | Display serial number on rollover popup window under Administration Appliance list table. |
70799 | Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed. |
71015 | Add ability to change staging pool on Hub-Controller device. |
71052 | Enable TACACS+ server reachability over multiple transports. |
71204 | SPack downloads and installation alarms are missing on the Director node. |
71336 | Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized. |
71337 | Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized. |
71529 | Add ability to push certificates during ZTP and apply template. |
71566 | Add VOS configuration options for dynamic-scaling parameters in the GUI. |
71789 | Allow hardware inventory search based on hardware serial number and site ID. |
71896 | GUI and CLI do not match for name character limits for BGP instance under virtual routers. |
72102 | Filter is not working on Audit Logs page. |
72232 | Fix file size issue for captive portal pages. |
72321 | Cannot set the captive portal parameters such as FQDN and IP address. |
72335 | Fix for display devices issue on the Template Commit screen. |
72388 | A large number of NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed. |
72396 | Add ability to abort an ongoing debugging operation and redirect the context to the Welcome-follow-up on chatbot. |
72413 | Add validation in the organization workflow to check that suborganizations do not have the same name as the parent organization. |
72417 | Pagination is not working properly for Bridge Domain screen. |
72425 | Values are not saved in DHCP Server on the DHCP > Server > Servers screen. |
72473 | Local database user password that contains an ampersand (&) is pushed incorrectly from the Director node to the appliance. |
72480 | You can add a ZScaler GRE tunnel without a VPN Profile in the Template workflow. |
72485 | Allow copying of chatbot text. |
72525 | Workflow Template creates duplicate neighbor entries in BGP. |
72619 | LEF profile referred to in the DHCP configuration is not present. This issue has been fixed. |
72637 | Update APIs to upload and delete tenant-specific CA and CA chain certificates. |
72798 | WAN interface details are not displayed when template with WAN/LAN on the same port is reopened. |
72829 | Appliance system informational Kafka message now includes appliance ping and sync state. |
72909 | Appliance upgrade fails from Director node because of an OS check. This issue has been fixed. |
72916 | Enabling high availability on the Director does not work consistently. This issue has been fixed. |
72963 | Performance improvement for appliance dashboard APIs. |
73026 | TDF screen is spinning when trying to access the GUI. |
73059 | Enable EIM/EIF for dynamic-nat-44. |
73063 | Director upgrade fails because of database backup and restore issues. This issue has been fixed. |
73076 | Performance improvements for AMQP and KAFKA object change notifications. |
73077 | Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path. |
73104 | Avoid running validation scripts on standby Director nodes. |
73108 | Cannot add community options for a spoke group. |
73122 | Fix for Analytics cluster installer issues. |
73183 | Incorrect date and time in Live data graph for All Traffic. |
73186 | OAuth refresh token API now returns the proper roles in the response. |
73195 | Authenticate user or delete Controller call. |
73305 | Cloud-init module changed to prevent deletion of Director keys. |
73316 | Rename branch to release number in Director Appliance Monitor tab under Software Information section. |
73423 | Director not initiating connection to Analytics because of too many close_wait state to analytics IP:Port. |
73472 | UI always sets the file-filtering reach limit action to allow. |
73501 | Invalid characters in cookie. |
73537 | After clicking refresh button on Services > Sessions screen, the message "No data to display" displays. |
73546 | Adding a new tenant in an existing post-staging template using the workflows API returns an error. |
73610 | Keep chatbot from corrupting the dialog flow data for a number of interactions. |
73760 | Log external authentication time. |
73813 | Appliance upgrade from Director node fails during ZTP. This issue has been fixed. |
73832 | Add support for downloading OS security pack for both Trusty and Bionic Ubuntu versions. |
73847 | European special characters are not accepted by Director in the address field under system configuration. |
73854 | Save device workflow keeps spinning during a save operation when some variables have no values. |
73856 | Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed. |
73876 | Captive portal configuration is deleted during commit. |
73899 | After you run the appliance status brief API call, appliances disappear from the appliances listing page. This issue has been fixed. |
73974 | Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page. |
74092 | Rules columns are blank in the session table. |
74213 | SSO login fails after running import-key-cert.sh script, because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed. |
74276 | Show RBAC Permission does not display actions correctly. |
74399 | Notification rules condition sets do not show all devices. |
74578 | Service template bind data variables are missing if redeployed from the Basic tab. |
74609 | Responder only option is missing in GUI for tunnel initiator in IPsec VPN profile. |
74614 | Fix for Get Director services status API issue. |
74629 | Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed. |
74683 | SD-WAN circuit priority variable created in workflow is overwritten in the device template |
74838 | Fix issue with checking Service Template bind data. |
74926 | Vulnerability fix: Options response method enabled. |
74941 | On NGFW Shared Service Template > Captive Portal, not all parameterized fields are displayed in the Workflows > Devices > Bind Data tab. |
74946 | Updating a scheduled report returns an error. |
75027 | Under Monitor Service tab, routes filter action applies only on the current page. |
75031 | Tooltip shows an error message for invalid characters for SSID input field. |
75052 | Update ha_pair_validation script to check whether an appliance is present in the inventory table. |
75069 | Template commit error message on Director node is now sent to Concerto over Kafka. |
75100 | UI does load and displays the error "Failed to load data from server". |
75111 | Do not send empty Controllers when creating templates for spoke groups when the Controller is optional. |
75112 | Validate Controller names when creating and deploying templates. |
75117 | Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed. |
75133 | Cannot upload the certificate for secure LDAP from the GUI. |
75186 | Director node cannot load Add Controller details under SD-WAN Service. |
75236 | WAL files do not clean up automatically, causing high disk usage. This issue has been fixed. |
75273 | Device bind data in the workflows throws a remote server exception when saving or deploying the device. |
75389 | Issue with setting isStatingController flag has been fixed. |
75429 | Prevent Postgres logs from getting too large. |
75471 | Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed. |
75512 | Remove the reset option in the monitor GUI for guest VNFs. |
75527 | Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed. |
75544 | Director upgrade fails when executing the WorkflowsUpgrade script. This issue has been fixed. |
75547 | Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors. |
75880 | Deploying a template is failing, with a nested SQL exception. |
75925 | HTTP Strict Transport Security (HSTS) Policy Not Enabled (Port 443). |
75951 | Migration scripts now start after spring boot is fully up. |
75963 | SQL error occurs when creating a spoke template. This issue has been fixed. |
75975 | External AAA server authentication key displayed in clear text. |
75992 | On any templates > Objects > Custom Objects > Captive Portal Custom pages, no actions display in the UI. |
76052 | Authentication profile Caching Mode Setting not available in TenantSuperAdmin access. |
76122 | Fix for failures when simultaneously deploying multiple organizations. |
76316 | Director upgrade fails because spring boot does not go to the running state. This issue has been fixed. |
76426 | PFS set by workflows on peer Controller nodes does not match that of the first Controller node, causing issues during rekeying. |
76427 | Versa Director vulnerable for CVE-2021-44228: Apache Log4j2. |
76487 | Site-to-site local interface for HA cannot have quotes when using the active–active workflow template. This issue has been fixed. |
76544 | Display "B" flag on Director UI when user clicks on "i" in case the build is a Bionic build. |
76613 | Add available routing instances under the organization in the service chain template generated through Workflows. |
76659 | Add new vendor Netscout in the predefined vendor catalog list. |
76667 | Fix template commit issue by incorporating bind data validation for route prefixes. |
76680 | IPsec Site-To-Site screen should throw an error if no tunnel interface is specified for route-based tunnels. |
76710 | Template commit window fetches only the first 1000 templates. |
76774 | Southbound locking an appliance and then committing an unreachable appliance shows successful. |
76902 | Fix automerge when a list item to be deleted contains a space. |
76903 | Disable the "Data Interface Enabled" flag in the Service chain workflows VNF attributes for Netscout vendor. |
76946 | Provide proper error message while deleting an active user. |
77061 | Task to show reboot message when Commit Template with Reboot is triggered from diff-view screen. |
77103 | Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed. |
77119 | fetch=count in the NCS APIs returns the count. |
77120 | UI does not accept patterns containing any characters after $. |
77173 | Add a prevalidation check to verify that the staging prefix length is from 8 through 26. |
77233 | Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed. |
77246 | Fix commit template task failure issue that occurs because of a concurrent lock. |
77249 | Make spoke group check and validation optional for a provider organization in a workflow template for multitenant scenario. |
77285 | Director services status vsh status command output issue has been fixed. |
77324 | View Profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS Profile. |
77337 | Add ability to change configure customized IKE key on a VOS device using templates. |
77353 | System organization should not display on Add Notification Rules page when logged in as TSUPA user. |
77379 | Search does not work in Card view of Appliances page. |
77488 | Fix to address redistribution server heap overflow vulnerability. |
77602 | LEF configuration during spoke template creation on spokes with Hub-Controller Nodes (HCN) using template workflow should not include custom LEF connectors configurations from HCN nodes. |
77639 | Provide validation for inverse-mask-probability option in CoS drop profile. |
77647 | Do not allow duplicate Controller nodes to be added under Controllers in the workflow template. |
77777 | Support for multiple roles (array) in SSO user authentication. |
77788 | Appliance snapshot creation now happens when configuration is committed through the diff view window. |
77896 | Fix for customer snapshot upgrade failure. |
77897 | Issue with the Director patch script and validation script has been fixed. |
77992 | "Force logout" option should logout other active session, not the current one from where the force logout option was executed. |
78108 | Global ID for devices and organization have a range conflict in the UI. |
78172 | When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node. |
78218 | Fix Out Of Memory Error issue that occurs because of metaspace. |
78240 | The site-to-site tunnel in the workflow throws an error when you parameterize a WAN or LAN interface. |
78296 | Fix Appliance Brief API (/vnms/dashboardvnms/applianceStatus/{applianceUUID}/brief), which did not return Onboard status. |
78340 | Commit template fails because of an issue with setting skip-apply. This issue has been fixed. |
78391 | Cipher suite selection against the selection criteria is not correct. |
78434 | WAN link monitor configuration for redundant WAN links over a cross-connect link is not updated as expected for HA devices. This issue has been fixed. |
78470 | Fix to limit size of VOS data for API calls. |
78527 | Workflow device bind data shows blank values for the variables ending with "-internal". |
78648 | UI response is slow when displaying IPsec VPN profile data for 300+ remote clients. |
78681 | Fix for the slowness issue in the diff view page when it is opened from the Template commit page. |
78788 | Unknown devices pages not updating after upgrade to Release 20.2.4. |
78801 | Associating organizations throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed. |
79135 | Fix logical volume extension (lvmextend) script by adding an option "-y" for Ubuntu Bionic platforms. Previously this script was not working on Bionic platforms. |
79143 | Cannot apply HA configuration when the Director node is running Release 21.2.2 and a VOS device is running Release 20.2.4. |
79192 | Changing VNI port causes removal of the BGP configuration in template workflows. |
79218 | To ensure template workflow generated DIA configuration IPv6 WAN should have matching BGP next hop and TVI interface IPv6 addresses in the format ::ffff:169.254.x.y/127. |
79331 | Provide proper error message when deleting an active user. |
79372 | Allow the BGP router ID to be changed from the GUI. |
79625 | Add a check to verify the OS SPack package before installing it on a VOS device. |
79626 | From the Director UI, uploading the key on an appliance in a tenant organization is failing. |
79859 | Fix to increase get API NB IP address response time when hostname/IP address mapping is not present in the /etc/hosts file. |
80030 | Push-Keys-To-Device shell script now escapes special characters in the password. |
80085 | Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed. |
80172 | NCS transaction leak issue has been fixed. |
80177 | Traffic-steering API sends split-tunnel disabled. |
80279 | Fix an issue with the appliances list page in the Administration tab. |
80324 | Add refresh option to Monitor > Services/Networking popup windows. |
80340 | Commit Template option displays a maximum of 1000 entries. |
80412 | Unable to download reports from Analytics Dashboard on Director UI. |
80423 | Vulnerability fix for CVE-2022-22965. |
80448 | Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities. |
80492 | Analytics Report after Page Reload gets stuck at /reporting/reportingView/ because an extra ampersand (&) is added at the end of a page reload. |
80661 | Monitor tenant recent events for specific severity instead of sort showing all severity events. |
80687 | Fix so that global site ID throws the proper exception if allocation fails. |
80815 | IPv6 mode as router is added by default when creating an interface in the service template. |
80862 | Fix to reinitialize HTTP-client connection pool used by the APIs. |
80874 | When the Kafka server is down, the task-based async procedure takes a long time. |
80918 | Fix for URL ZTP over Hub-Controller when encryption is enabled. |
81062 | Fix to make sure alarms listed under Appliance > Configuration are correct. |
81094 | Appliances not displaying in UI. |
81103 | Confirm password validation fails with & , <> field. |
81201 | Fix to ensure Ctrl+C on Shell In A Box remains in the same shell. |
81280 | Fix to address Director split-brain by ensuring Director uses read-only transaction in standby mode. |
81309 | Duplicate entries for LAN interface present in the workflow template. |
81327 | Tenant user cannot create appliance tag when tenant is appliance owner. |
81337 | Handling CMS connector failures to include new regions. |
81379 | Add upgrade support for older devices. |
81389 | Fix issue where organization name does not display in the left tree under Monitor | Cache update. |
81435 | Fix in commit template sometimes fails with "No such transaction" by opening a new session each time. |
81516 | Do not advertise any routes from the LAN side to the transport VR to block clients behind those VRFs from communicating. |
81698 | Search tab under routes under Monitor Dashboard does not work. |
81712 | Appliance snapshot creation now occurs when configuration is committed through diff view window. |
81716 | Fix the upgrade script that deletes incorrect shaping-rate configuration on tunnel and tvi interfaces. |
81846 | Cookie No HttpOnly Flag + Cookie without SameSite attribute. |
81849 | Fix to address out-of-memory issue with a large number of concurrent requests. |
82048 | WiFi connected client stats Tx,RX are showing as "Nan undefined" on the Monitor screen. |
82166 | Webhook rejects anything after the port number. |
82182 | Interval value under IP SLA monitor is not rendered properly in the UI. |
82474 | Source map file leak vulnerability. |
82525 | Devices tab on the Monitor tab sometimes shows an empty screen. |
82638 | TLS v1.3 does not support all the necessary or matching ciphers. |
82674 | Handle empty service template bind data values during an upgrade from Release 20.2 to Release 21.2.2. |
82750 | Update the organization tree on the left side to always point to BeMaster. Issue observed when a Director failover was performed, and the organization tree under Configuration showed stale entries. |
82287 | Next-hop priorities under SD-WAN forwarding profiles should support values from 1 through 8. |
82974 | Update SSLv23 to communicate with Cassandra using SSL. |
83003 | Support in Bionic Director to ssh using DSA keys into Trusty VOS devices. |
83153 | Support SSL certificate generation on FIPS-enabled Director node. |
83310 | Add Director site-to-site tunnel validation for LAN VRs. |
83319 | Destination is shown as undefined/undefined when moving back from a higher page to a lower page. |
83465 | Download OS security package should support download of both OS SPacks versions (Trusty and Bionic). |
83556 | Remove restriction of 200-character length for Alarm Specific Problem field. |
83626 | Upgrade Java SSH library to allow parsing of Open SSH private keys and set FIPS-compliant key exchange algorithms. |
Behavioral Changes
The following are behavioral changes in Releases 21.2.1, 21.2.2, and 21.2.3:
- The CGNAT and DNS configurations are automatically added through template Workflows to support OOKLA-based speed tests.
- The algorithm used to generate ptvi interface numbers in spoke template to hub controllers has been changed to accommodate hub controllers with large device IDs.
- When you deploy a template Workflow, the implicit zones "remote-client" and "versa-speedtest" are created in the templates.
- When you create or redeploy a template, the speed-test configuration is pushed to devices running previous software versions.
- In Device workflows, when you create a new device, if you have navigated to the bind data tab and you want to change the device name, cancel the popup and repeat the workflow again. This procedure ensures that the correct automatic variable value is generated.
- The GET /nextgen/applicationserviceTemplate/sample/allSamples API call replaces the GET /nextgen/applicationserviceTemplate/allSamples API call.
- Under Monitor > Tools > Ping, the default packet size value of 5 has been removed, and the input is now restricted to positive, nonzero numbers. If you choose not to specify a packet size, a default value is provided.
- Under Monitor > Services > Services, the VPN Clients field has been renamed to Secure Access. The options that were available under VPN Clients field are now available under Secure Access > IPsec Profiles.
- Under Monitor > Tools > Speed Test, the Versa and Internet tabs are added. The options that were available in the Speed Test field are now available under the Versa tab, and the new OOKLA-based speed test is available under the Internet tab.
- The Routing Instance and Interface drop-down fields are no longer available under Versa speed test configuration. Instead, you must select from a list of WAN networks, and the corresponding routing instance and interface are automatically pushed along with the selected network name.
- HA-related critical alarms and disk usage-related alarms are shown as notification popups at the top of the GUI when you log in.
- When a Netconf notification for an SD-WAN branch LTE-only transport is received from a Controller node, the alarm is presented in the alarms GUI, and the branch is marked as being in the LTE-only state. When the device is reachable and in LTE-only state, monitoring is suspended for a period of 2 hours, by default. (This time period is configurable). The LTE-only state is not obvious when navigating the GUI (it is seen only in alarms), but the appliance status API can show the state.
Limitations and Known Issues
The following are the limitations in Releases 21.2.1, 21.2.2, and 21.2.3:
- If device deployment fails for an active-active scenario, the paired site ID is never generated correctly.
- If you remove a link monitor from a WAN interface in the Workflow template and then commit the template, the existing configured monitor is removed. (Bug 65897).
- The Director GUI may not open on Safari and MacOS 10.15, because the self-signed certificates that were used previously are not compatible with the new security requirements of the Apple Safari browser.
To install self-signed certificates, run the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"
To install CA-signed certificates, regenerate the CA-signed certificates so that they honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password
Then, synchronize the new certificate to all the Analytics nodes using the following script, which is located in the /opt/versa/vnms/scripts directory:
./vnms-cert-sync.sh --sync
- If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers fall back automatically to use HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with large payloads might fail, because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflow and template commit to appliances.
- When you commit a template, the Director node may display an error when one of the interface description text fields contains multiple quotation marks (Bug 57693, Bug 58568).
- When you create device workflows, if you want to change the name of the device after navigating to the bind data tab, cancel the popup and then recreate the device. This procedure ensures that the variables are autogenerated properly.
- When you deploy paired devices, if deployment of the first device fails but deployment of the paired device succeeds, and you want to redeploy the failed device, manually copy the paired location ID from the paired device to the failed device and then redeploy the first device.
- For Release 21.2.2, central authentication is not fully implemented and there are a few limitations with the feature, including:
  - You cannot use SSO as central authentication.
  - You must perform user operations such as updates and password resets on the central Director node.
Enable HTTP 2.0 on Proxies
In Release 21.1.1, the Director web server (Apache Tomcat) was upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.
If an HTTP proxy, such as a load balancer, HAProxy, or NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
When users access the Director node using secure proxies, such as ZScaler, inspection done by the proxy of the sessions to the Director node must be bypassed or the proxy must be enabled with HTTP/2 and TLS 1.2 protocols with the above cipher set.
After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:
- On the Director login page, right click and select Inspect to display the Dev/Inspect tools.
- In the Inspect window, select the Network tab.
- Right-click the column selector and select Protocol to display the Protocol column.
- Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).
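The same verification can be scripted against the proxy instead of read from the browser. The following is an added example, not Versa code: the function names and the file name check_h2.py are assumptions. It offers each cipher from the list above over TLS 1.2 only and reports whether the proxy accepts it and whether ALPN selects h2.

```python
import socket
import ssl
import sys

# Cipher set from the list above (IANA names) mapped to the OpenSSL names
# that Python's ssl module, NGINX and HAProxy use in their configuration.
REQUIRED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def probe_cipher(host, openssl_name, port=443, cafile=None, timeout=5.0):
    """Offer one cipher over TLS 1.2 only; return the ALPN result or None if refused."""
    ctx = ssl.create_default_context(cafile=cafile)  # certificate is still verified
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_name)
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol() or "none"
    except ssl.SSLCertVerificationError:
        raise  # a trust problem, not a cipher refusal: supply the right cafile
    except (ssl.SSLError, ConnectionResetError):
        return None  # proxy refused this cipher on TLS 1.2


def assess(results):
    """results maps IANA cipher name -> ALPN string, or None when refused.

    Returns (usable, findings): ciphers that negotiated h2, and what to fix.
    """
    usable, findings = [], []
    for iana in REQUIRED_CIPHERS:
        alpn = results.get(iana)
        if alpn is None:
            findings.append(f"{iana}: handshake refused on TLS 1.2")
        elif alpn != "h2":
            findings.append(f"{iana}: ALPN selected {alpn!r}, browsers fall back to HTTP/1.1")
        else:
            usable.append(iana)
    return usable, findings


def check_proxy(host, port=443, cafile=None):
    """Probe every required cipher against the proxy in front of the Director."""
    return assess({iana: probe_cipher(host, name, port, cafile)
                   for iana, name in REQUIRED_CIPHERS.items()})


if __name__ == "__main__":
    # Usage: python3 check_h2.py <proxy-hostname> [ca-bundle.pem]
    usable, findings = check_proxy(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print("h2 over TLS 1.2 with:", ", ".join(usable) or "no listed cipher")
    for finding in findings:
        print("FINDING:", finding)
```

A proxy that serves only an RSA certificate refuses the two ECDSA suites, and the reverse holds for an ECDSA-only certificate, so read the findings against the certificate type the proxy presents.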
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Additional Information
Revision History
Revision 1—Release 21.2.1, March 19, 2021
Revision 2—Release 21.2.2, September 12, 2021
Revision 3—Release 21.2.3, August 2, 2022