Versa Networks

Versa Director Release Notes for Release 21.2

These release notes describe features, enhancements, fixes, and known issues in the Release 21.2 Versa Director software, for Releases 21.2.0 (simply called 21.2) through 21.2.3. Releases 21.2.1 and later are generally available (GA) releases and are supported for use in production networks.

August 2, 2022
Revision 3

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install the Versa Director Software

To install the Versa Director software, see the Deployment and Initial Configuration articles.

Upgrade to Release 21.2

To upgrade to Release 21.2, see the Upgrade Software on Headend and Branch article.

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:

Administrator@versa-director> request system rollback to snapshot-timestamp

The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation.

Install the Software License for Versa Director

Versa Director is controlled by a software license. You must obtain a valid license file by contacting Versa Networks Customer Support.

Note the following:

  • Versa Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
  • On all newly installed Versa Directors, you must run the Versa Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and eth1 for southbound communication towards VOS devices).

VOS Version Compatibility

Release 21.2 of Versa Director is compatible with the following Versa Operating System™ (VOS™) software versions:

  • Release 20.2.x
  • Release 21.1.x
  • Release 21.2.x

Release 21.2 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in Appliance view to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.

New Features

This section describes the new Versa Director features in Release 21.2. All features are introduced in Release 21.2.1 unless otherwise noted.

  • Cloud API enhancements—API-based integration in Azure virtual WAN and AWS transit gateway supports scenarios in which the branch is behind a NAT. See Configure Site-to-Site Tunnels.
  • Filter BGP path attributes—(For Releases 21.2.3 and later.) On the Monitoring > Service BGP screen, you can filter BGP on additional path attributes, including community, extended community, and AS path.

  • NAT in site-to-site tunnels—When creating a site-to-site tunnel between a branch and an Azure Virtual WAN or AWS Transit Gateway, the WAN interface can use the NATed IP address. You can also configure the NATed IP address when deploying Workflows. See Configure Site-to-Site Tunnels.
  • Option to set RequestedAuthnContext value in SSO—(For Releases 21.2.2 and later.) Add an option to set Requested Auth Context Comparison in an SSO SAML connector. You can set the value to "minimum" or "exact" depending on your authentication type.
  • Total Site Up/Down in Tenant Summary window—(For Releases 21.2.2 and later.) In the Tenant Summary window, add the count of the number of sites that are up and down, and add a card that summarizes the status of all assets.

  • Versa Director central authentication—(For Releases 21.2.2 and later.) In a topology with more than one Director node, you can have one of the Director nodes be the central authentication Director node. The central authentication Director node verifies all authentication requests, and it issues a token that can be used for making API calls to any Director node. Director central authentication is useful for Concerto use cases.


    You enable central authentication from the CLI:

    Administrator@versa-director% show nms provider central-auth-connector
    enable-central-auth enabled;
    director-ips        [ 10.192.63.14 ];

    In director-ips, provide the IP addresses of the primary and secondary Director nodes.
    
  • Versa Director–managed site-to-site tunnels—You can create a Versa Director–managed IPsec site-to-site tunnel between a provider Versa Director node and a customer Versa Director node to allow the customer Versa Director node to use available services from the provider Director node as if the services were directly available from the customer Director node. These services include:
    • On-ramp to SaaS providers, such as Box, Google, Microsoft Office, and Salesforce
    • Cloud Service Gateways (CSGs)
    • Application reverse proxies
    • Titan hubs

    Director–managed site-to-site tunnels support EBGP, IKE, and IPsec. See Configure Site-to-Site Tunnels.

  • VMS passive authentication enhancements—Versa messaging server (VMS) supports the following:
    • Administrative container for VMS to manage services and the VMS deployment, including REST API capabilities to manage the VMS features and infrastructure.
    • High availability for VMS infrastructure and containers.
    • Passive authentication. See Configure Passive Authentication for VMS.
  • VSA subscription—You can configure the number of Versa secure access (VSA) licenses for both basic and advanced users per organization using Versa Director. After you configure the VSA subscription information, it is tracked in the subscription monthly and the entitlement reports, and on the Entitlement Manager query page. See Configure Versa Secure Access Subscriptions.
  • Workflow support for T1/E1 and ADSL2+/VDSL2+ interfaces—You can use Workflows to configure T1/E1 and ADSL2+/VDSL2+ interfaces, making configuration of these interfaces easier and an integral part of SD-WAN workflows. See Configure Interfaces.

Fixed Bugs

The following are the critical and major defects fixed in Release 21.2.

Fixed Bugs in Release 21.2.1

The following table lists the critical and major defects that were fixed in Release 21.2.1.

Tracking Bug

Description

34494

Subscription Query page shows state as automatically renewed after device is automatically renewed instead of showing automatically activated. This issue has been fixed.

40095

Add enable and disable policy rules.

40157

Add support for TCP-based syslog remote connector.

42494

Snapshot creation is now audited and present in the audit log.

43124

Custom role editing is now audited.

45549

Add alarm for when AMQP/Kafka connector is not reachable from Director node.

46789

Add Total column, which was missing in Entitlement summary report.

47781

Spoke group search is now done by making query to the backend instead of performing a UI-level search.

47998

For a device managed with LTE as WAN, the Director node now decreases polling cycles and netconf notifications to reduce management traffic.

48207

Asset Inventory is not showing the count of hub-controllers under both Summary and Details tabs under Versa Director > Monitor > Provider > Summary. This issue has been fixed.

48431

Virtual router UI screen access was slow. This issue has been fixed.

49326

Add cloud-connector support, with type as Versa. This enables a client Versa Director to create site-to-site tunnels between VOS devices managed by different Director nodes.

50511

Add option to enable and disable the sending of device-level alarms to an AMQP server configured as an AMQP connector.

50562

Bulk delete of VRRP configuration fails in UI under template. This issue has been fixed.

50578

Entitlement management/subscription actions are not RBAC-protected from REST APIs. This issue has been fixed.

52001

NCS crashed with error "Internal error: Supervision terminated". This issue has been fixed by upgrading NCS to a newer version, version 4.7.8.

52518

Add new alerts such as DESIGNATED-MASTER-NOT-ACTIVE, LICENSE-EXPIRY-ALERT, DISK-USAGE-ALERT. Update the alerts naming conventions, changing Master to Active and Slave to Standby.

52665

NCS Java logging does not work. This issue has been fixed.

54006

You can now customize common VOS HTTP/HTTPS credentials. The Director node uses these in the /var/versa/vnms/data/conf/default.conf script.

55106

Validation is missing for cluster list in bind data screen. This issue has been fixed.

55471

Upgrade with customer configuration from Release 16.1R2S10.1 to Release 20.3.1 fails during migrate scripts because of QoS configuration. This issue has been fixed.

55504

Create/delete device group is not notified over AMQP. This issue has been fixed.

55520

If a device in the unknown device list tries to reconnect, a new task is created. This issue has been fixed.

55655

Add support for circuit tag in Workflows > Template > interfaces > WAN Interfaces.

55676

Under Entitlement Management, end date calculation for a subscription is wrong. This issue has been fixed.

56584

Director upgrade from Release 16.1R2S10.1 running customer snapshot fails in Workflows module related to split tunnel. This issue has been fixed.

56777

In a multitenant deployment, monitor UI now displays location information with access to the child organization.

57028

Free memory calculation is incorrect. This issue has been fixed.

57369

PPPoE WAN interface network is not added to traffic identification list during template Workflow deployment. This issue has been fixed.

58484

When a user attempts to change their password multiple times, the user account is not locked even after the number of incorrect password attempts defined in max_login_fail_count in UserGlobalSettings. This issue has been fixed.

58749

In uCPE, add support to increase the secondary hard disk size to a maximum of 512 GB.

58828

In some GUIs, time is not displayed in the local time zone. This issue has been fixed.

59034

Local backups cannot be deleted using the Purge command. This issue has been fixed.

59131

Add support to encrypt all passwords in device configuration.

59334

In Entitlement Management Query page, TotalActiveDays is not updated properly. This issue has been fixed.

59426

Appliance location data type changed from varchar to text to accommodate larger location values.

60505

validate.py script does not display the errors from the ha-pair-config-validation.py script. This issue has been fixed.

60653

In the virtual router UI, changing the OSPF network returns the error “invalid byte sequence for encoding UTF8: 0x00..”. This issue has been fixed.

60857

Stale entries in bind data cause Director upgrade from Release 20.2.2 to Release 20.2.3 to fail. This issue has been fixed.

60954

Director upgrade from Releases 16.1R2S10.1/S11 to Release 21.2.1 fails during migrate script because of an incorrect user role, with the error: "Upgrade failed: Upgrade transaction failed to validate: /ncs:devices/device{DCA-Controller-01}/config/system/users{ab16399}/role (value "oper"): oper user cannot land on shell (use 'cli' or 'none')". This issue has been fixed.

60991

When you modify the bandwidth in a Workflow template and apply the changes, they do not take effect on existing SD-WAN branches. This issue has been fixed.

61281

Add support for bandwidth limit configuration when uploading a package to a branch or device.

61475

Add support in monitor screens for application identification.

62155

In an AWS SD-WAN gateway deployment, the DescribeInstances API call may fail, with the error "instance ID does not exist". This issue has been fixed.

62286

Redundant template deployment fails when you configure an AWS transit gateway site-to-site or Azure Virtual WAN tunnel in a Workflow template. This issue has been fixed.

62334

When you select multiple devices from a Director node to upgrade, if one device is not reachable, the task is shown as successful in the progress column. This issue has been fixed.

62346

Move Kerberos virtual URL configuration from captive portal to Kerberos profile.

62352

If you add or remove a service template in a device Workflow or device group, or make a configuration change in a service template, the template state does not go out of sync in the commit window. This issue has been fixed.

62375

Entitlement Management > License period is not updated after performing Workflow organization deploy. This issue has been fixed.

62390

When you change the SSH host keys on a VOS device, subsequent requests to the VOS device fail, with the error “SSH host key error”. This issue has been fixed.

62412

Update software to reduce the number of system/details calls made to each VOS device in each polling cycle.

62433

It is possible to inject comments by entering special characters. This vulnerability has been fixed by adding careful handling of special characters.

62557

NGFl service is not picked up from default-sng if the services field is empty. This issue has been fixed.

62574

Reachable to unreachable state is not shown at least every 3 minutes. This issue has been fixed.

62608

GUI cursor keeps spinning when a TenantSuperAdmin user who is logged in with email format as the username tries to change session timeout. This issue has been fixed.

62618

Template recreation fails when radius-shared-secret contains special characters, such as ";" which is a valid character. This issue has been fixed.

62709

Cannot save/deploy a Controller node after the Controller node is deleted from the appliance listing screen. This issue has been fixed.

62790

EXTERNAL_USER.log shows bearer token instead of username. This issue has been fixed.

62900

Remove per-organization subscription details from the Entitlement Manager summary page.

62923

In Director GUI, cannot add VLAN to LAN interface on CPE with DF error. This issue has been fixed.

62952

Template regeneration fails when TACACS+ key is parameterized. This issue has been fixed.

63011

Add template sync status to tool tip for an appliance on Appliance Listing screen.

63142

Commit template should not send an email when commit template is set to schedule it now. This issue has been fixed.

63145

Proxy authentication is not working for SPack download. This issue has been fixed.

63185

When user creates new device Workflow and clicks Cancel at bind data, the user cannot create a new device Workflow with the same name. This issue has been fixed.

63206

Local CMS organization update might fail for tenant superadmin user. This issue has been fixed.

63241

After you upgrade to Release 20.2.3, the bind variables of a service template that were attached to all the devices using it are no longer present in the device bind-data tables. This issue has been fixed.

63249

When using the vnms-startup.sh script that is non-interactive, the system addresses are taking the docker IP address when no southbound interface is provided. This issue has been fixed.

63298

LAN routing instance is provisioned incorrectly for TVI interface for GRE-based tunnels when the tunnel start endpoint is LAN network instead of WAN network. This issue has been fixed.

63316

Bind data variable for BGP local AS in Workflow template for IBGP is not populating in the device. This issue has been fixed.

63328

Enabling IPsec for HA secure communication generates unwanted configuration, leading to an IPsec failure. This issue has been fixed.

63382

In Releases 20.2 and 21.1, files are not correctly copied in /var/versa/packages/spack/current/config/. This issue has been fixed.

63397

Redistribution policy Default-Policy-To-BGP on DMZ-VR (not VRF) is not created when you select ST with either DIA or gateway option. This issue has been fixed.

63430

After you delete a device from a Workflow, the device global site ID is not freed. This issue has been fixed.

63455

During URL ZTP, the email notification may not be sent. This issue has been fixed.

63477

New solution tiers added to support Titan.

63500

Tenants deleted from a branch are still listed in the appliance listing screen. This issue has been fixed.

63525

WPA password or RADIUS shared secret key in Workflow device bind data is not encrypted. This issue has been fixed.

63589

Director failover operation results in application timeout. This issue has been fixed.

63607

Editing WAN circuit tag does not work. This issue has been fixed.

63610

Do not add the default configuration of Layer 2 learning in Workflow templates. This configuration is not needed.

63649

When creating a WiFi template, you can configure a different country for both radios in the wireless configuration. This issue has been fixed.

63714

You cannot delete multiple static routes from the GUI. This issue has been fixed.

63725

Add support for OOKLA speed test from the GUI.

63761

Add support to configure software package upload time under device group.

63769

NullPointerException is seen when you commit a shared service template associated with device group and device level. This issue has been fixed.

63897

Kafka/AMQP message publishing should happen using a separate event bus to handle unreachable or slow brokers. This was impacting ZTP task creation. This issue has been fixed.

63941

Changing the Director timezone causes incorrect timestamp to display in many listing screens. This issue has been fixed.

63977

Creating an AWS Transit Gateway or Azure Virtual WAN tunnel with redundant template creates duplicate tunnels for the primary and redundant templates. This issue has been fixed.

64035

In the entitlement manager, the solution tier modification is not updated using the Workflow template. This issue has been fixed.

64040

Invalid CSRF token message is displayed during sync-from, sync-to, and bulk sync-from. This issue has been fixed.

64111

Deleting the SSO configuration might not work properly. This issue has been fixed.

64118

In the entitlement manager, rename solution tier VSA Basic to VSA Standard.

64169

Director backend has WPA password in encrypted text, but returns it in cleartext to Workflow template API call. This issue has been fixed.

64170

The AWS DeleteOnTermination flag for EBS volume should be set as True during VOS deployment using CMS connector to make sure that stale volumes are not present in the cloud. This issue has been fixed.

64248

SMS messages sent using the Versa account are rate-limited. This issue has been fixed.

64291

OS SPack download task is generated with no description. This issue has been fixed.

64330

TenantSuperAdmin user cannot download OS SPack on appliance page. This issue has been fixed.

64342

PSQL database password change command does not work. This issue has been fixed.

64362

Unable to log in as tenant user when single-idp-connector type selected. This issue has been fixed.

64363

For an incremental SPack upgrade, director.json and other XML files are not copied when incremental SPack is installed via REST API call with update-type "incremental" (in lowercase letters). This issue has been fixed.

64365

ZTP might fail, with a socket close error. This issue has been fixed.

64366

PPPoE password on appliance is now encrypted during communication between the Director node and the appliance.

64373

Upgrading a Director node to Release 21.2.1 fails, with the error "failed to execute migrate script sysusers.lua". This issue has been fixed.

64376

RMA skips upgrade/downgrade and continues with RMA process when software version is blank for existing device, but it prints proper messages in the task. This issue has been fixed.

64426

Include c5a instance type during device deployment on AWS using CMS connector.

64427

Static route screen shows invalid IPv4 or IPv6 address/prefix error for a valid destination. This issue has been fixed.

64467

Template automerge operation may remove configuration added at the template configuration level when recreating the template after adding DNS policy rule. This issue has been fixed.

64479

Unable to ZTP to a device running Release 20.2.2 when Controller and Director nodes are running Release 21.2. This issue has been fixed.

64497

When you delete a Controller device in the GUI, peer controller information is not removed from the database. This issue has been fixed.

64603

Resource groups are not listed during the creation of Azure Virtual WAN tunnels. This issue has been fixed.

64614

Allow only GET and /api/*/actions/* POST APIs. Reject other POST, PUT and DELETE APIs with appropriate error message from standby Director.

64664

Workflow templates deployed with duplicate name as redundant pair are corrected or flagged by validate.py script. This issue has been fixed.

64675

Local user information is pushed only to devices that are in the device group associated with the first template. This issue has been fixed.

64713

Login, logout, and change password time are not captured in the audit log. This issue has been fixed.

64807

TenantSecurityAdmin users cannot download OS security package. This issue has been fixed.

64816

Cannot remove Analytics cluster or all user-supported roles from Workflow organization after redeploying the organization. This issue has been fixed.

64828

In Entitlement Query, rename column State to Event.

64862

Search does not work for Configuration > Objects > VPN Profiles GUI. This issue has been fixed.

64872

After you modify the organization from a template, virtual switches are not populated because the backend sends the previous organization. This issue has been fixed.

64882

Device upgrade might get stuck at 70% even if upgrade is successful. This issue has been fixed.

65064

Cannot see bind data for more than 100 devices in a single device group. This issue has been fixed.

65069

Autogenerated bind data IKE identifier is not updated. This issue has been fixed.

65257

No data displays on Services > Monitor screen. This issue has been fixed.

65260

Audit logs are not reported for any of the operations performed by the local provider-level users. This issue has been fixed.

65335

Import workflow device is deploying devices without bind data variables. This issue has been fixed.

65365

Cannot delete service chain template in Workflows. This issue has been fixed.

65386

Variable bind data loads slowly after being deployed from a device Workflow. This issue has been fixed.

65517

Current user cannot make changes to the branch when the branch is locked for other users. This issue has been fixed.

65646

Cannot commit to multiple devices because of the task description length. This issue has been fixed.

65650

Incorrect configuration under device context when bootstrap fails. This issue has been fixed.

65683

Replacing an appliance with new serial number incorrectly updates lastModifiedBy field with null value in Workflow device. This issue has been fixed.

65696

Deploying application template by TenantSuperAdmin on Workflows > Template > Application Steering may fail. This issue has been fixed.

65718

After HA failover, cannot receive alarm emails. This issue has been fixed.

65735

User authentication now fetches HA status from cache instead of from NCS to improve performance and avoid resource-denied NCS issue.

65753

Enable suspend-backup-collectors as default in Workflow templates.

65774

Update CPE ports object on firewall rule in controller. Remove port 4000.

65775

Error occurs when pushing post-staging template for hub and spoke. This issue has been fixed.

65793

Workflow device deploy using CMS connector does not work in Azure China region. This issue has been fixed.

65818

SD-WAN policies created by Workflow must add action. This issue has been fixed.

65831

Changing SiteId from Workflow devices is shown in the inventory but not on the GUI appliances screen. This issue has been fixed.

65850

After ZTP, appliance shows incorrect subscription state as created in entitlement screen under appliance context. This issue has been fixed.

65960

Upgrade to Tomcat 9.0.43.

65992

Default spring-boot tomcat thread-pool size for ports 9182, 9183, and 8090 is configured incorrectly in application properties. This issue has been fixed.

35962

Update third-party libraries to address vulnerabilities reported by OWASP dependency check tool.

38387

During HA enable operation, task popup disappears from the window before displaying the success prompt. This issue has been fixed.

39367

Add GUI support for displaying PoE statistics.

40103

Remove keepalive timeout for IPsec from CLI and GUI.

42113

Under Device Templates in the Peer IP field, the + icon and parameterize icons are not aligned. This issue has been fixed.

45613

Add support to set and match BGP community in the old format, that is, as a 4-byte number.

45739

Fix OSPF clear neighbor operation in the GUI.

45901

Add GUI support for Director SPack upload and installation.

47699

Add pagination support for IGMP Group Monitor screen.

47781

Add GUI support for search for Spoke Group screen.

47929

Add support for health check for a standby interface.

48207

Asset Inventory does not display a count of Hub-Controllers (under both Summary and Details). This issue has been fixed.

48421

Add support for bulk delete operation for syslog servers in templates configuration.

48481

Fix GUI to gray out code field under DHCP custom options if vendor ID is selected.

48490

Fix Add Appliance screen in Administration tab.

48606

Fix GUI tool tip to show "Undefined" for Director and Analytics Cluster in Monitor > Provider-org > Summary > Asset Inventory.

49322

Add GUI support for Platform > Management Port > Usage Model.

49632

Add parameterization for routing instance in security package update configuration.

50611

Add parameterization for prefix under BGP route aggregation.

52518

Fix to display Director HA critical alarms in notification popup.

54327

Disable No Summaries option for OSPF3 Area 0.

56092

Rename whitelist/blacklist to allowlist/denylist in URL Filtering screen.

56175

In Filtering Profile screen, change incorrectly named Authentication profile to Cloud profile.

58351

Enhance traceroute to support ICMP and TCP probes.

59621

Add GUI support for Layer 2 services.

61617

Add support for IPv6 options on the LTE interfaces vni-0/100 to vni-0/103.

62418

Add new option in uCPE screen to enable and disable multiqueue settings for the VM.

62801

Networks and subinterfaces values are shown incorrectly under Administration > Organizations > Associations. This issue has been fixed.

62933

Remote server exception issue seen when editing global router. This issue has been fixed.

63380

Fix to allow only FIPS-compliant ciphers when FIPS mode is enabled.

63596

Fix issue seen while modifying the configuration of routing instance for speed-test server.

63671

Add support for 10 domains in RAS VPN profile.

63776

Add Director support for secure access server group configuration.

63804

packet-padding-size IMIX is not reflected in show commands. This issue has been fixed.

63895

Enhance Appliance System configuration GUI screen to allow configuration of health object parameters.

63915

Implement LEF-logging configuration under WLAN so that WiFi LEF logs are sent based on user configuration.

64012

Add BGP prefixes for Layer 2 VPN EVPN screens under monitor screen.

64040

Fix invalid CSRF token message seen during sync-from device.

64111

After you delete all SSO configurations, SSO link is now disabled from the login page.

64211

GUI shows error incorrectly as [Object,Object] in task window during replace appliance operation. This issue has been fixed.

64249

Cannot edit or delete SNMP communities, USM, and trap profiles configured with special characters. This issue has been fixed.

64316

When authentication control dot1x was opened and clicked, dynamic VLAN is disabled. This issue has been fixed.

64318

Fix search operation for Application Steering screen.

64323

Fix search operation for Disabled Access Policy rules.

64337

Organization selection is not maintained when moving from objects to services. This issue has been fixed.

64343

Search in DoS policy rules screen does not work for values other than rule name. This issue has been fixed.

64355

For IP SLA monitor of subtype ha-probe, change interval default to 1 second. You cannot change the default.

64361

Neighbor peering is not starting when RIP instance or group password is enabled. This issue has been fixed.

64371

Fix failure in security package screens for TenantSuperAdmin and TenantSecurityAdmin.

64410

Add search bar for DoS profiles screen.

64411

GUI gets stuck when navigating from NTP screen to Objects/Services page. This issue has been fixed.

64437

In BGP, share-aro is enabled if you open advance tab under peer-group twice, and vice versa.

64446

Add select index for routing instance field under Configuration > System > Security Update > Automatic.

64460

Fix search operation on domain name server screen.

64462

When you select the radio button from the popup to search on VRRP Group screen/interfaces screen, it does not go away with one click/enter option. This issue has been fixed.

64468

Creating a new DDoS profile from DoS Policies > Edit DoS Rule > Enforce > Aggregate Profile > +Add New, selects aggregate profile by default, and vice versa, for classified. This issue has been fixed.

64492

Fix sorting on DDoS profiles screen.

64532

Fix missing instance ID in spanning-tree details screen from the second row onwards.

64535

Fix issue seen when updating the transparent proxy match rule configuration.

64550

Form landing is incorrect for the decryption profile. This issue has been fixed.

64559

Rule enable/disable option is not available for traffic monitoring in device configuration page. This issue has been fixed.

64566

Add GUI support to add destination zone as match condition under SD-WAN policy screen.

64580

Some information is not the same on Administration page card view and list view. This issue has been fixed.

64581

In CGNAT rule screen, source and destination range is not mandatory, but empty list is sent in payload, causing issue in template commit. This issue has been fixed.

64584

LLDP always shown as true in GUI even after you disable LLDP globally. This issue has been fixed.

64589

Correct name for global routing instance while adding DNS to be Global.

64596

Fix console error when you try to click on site configuration under Services.

64618

Enable caching mode for all profiles types, including local database, LDAP, Kerberos, SAML, and certificate authentication profile.

64639

When you add a static route with same gateway/next-hop IP address, GUI rejects configuration as a duplicate record. This issue has been fixed.

64640

Fix issue in the rearranging templates in the device service templates screen.

64651

VRRP Group ID and Interface are swapped in the VRRP Table. This issue has been fixed.

64652

Template workflow is not working properly for redundant pair cross-connect interface for vni0/2 or greater. This issue has been fixed.

64659

Add parameterization for Certificate Authentication Profile in template.

64669

Fix error in console while clicking redeploy button in organization Workflow.

64671

After committing the BGP general password, you cannot use the BGP GUI without modifying the BGP general password. This issue has been fixed.

64694

Fix issue in HA template screen in which recreate button was not working after re-opening.

64697

NTP configuration screen is not showing interfaces with units. This issue has been fixed.

64724

GUI is showing incorrect details in SAs in Monitor > Services > IPsec > SA screen. This issue has been fixed.

64728

If the appliance count is more than two digits, the number alignment was incorrect under System Summary. This issue has been fixed.

64740

When you try to add or edit decryption server profiles, error 500 is seen. This issue has been fixed.

64744

Under Configuration > Networking > PBF > Policies screen, the column header Status has been changed to Rule Status.

64757

In GUI, creating a new vendor catalog did not indicate any process of adding the new one. This issue has been fixed.

64766

Implement rule insertion for QoS policy, App QoS policy, PBF policy, and DNS proxy screens.

64797

Add Director GUI support for per-interface (SD-WAN) PMTUD interval.

64810

File type qcow2 is not passed in the payload when creating a new vendor catalog. This issue has been fixed.

64849

Fix clear command for the SSL History Monitor screen.

64859

Default zone protection scan interval in GUI changed from 300 seconds to 30 seconds.

64875

Rename SLA Dampen labels to SLA Damp.

64880

Fix issue seen in parameterization for vni under bridge domains.

64923

Fix incorrect message for predefined application groups.

64942

Add parameterization for weight under BGP peer group and under routing peer policy.

64943

Add parameterization for community in peer/group policy under match/action and under redistribution policy.

64945

Caching mode is always set as IP-based when you select local database or LDAP profile in authentication profile. This issue has been fixed.

64958

Change column name from Status to Rule Disabled in secure access portal and gateway rules screen.

65065

Add support to display audit logs under Administration > Troubleshooting screen.

65070

Captive portal is not displayed as a part of secure access. This issue has been fixed.

65071

LDAP user/group is not fetched in Secure Access portal and gateway policy in template. This issue has been fixed.

65175

After changing device ID for an existing device from workflows, user-defined bind data disappears when user attempts to redeploy a device. This issue has been fixed.

65198

Disable virtual service option was checked when controller is deployed but service is not actually disabled. This issue has been fixed.

65222

Tunnel interfaces that you add manually as type IPsec display as Down in monitor GUI when the interface is actually Up in appliance CLI and Director live status CLI. This issue has been fixed.

65229

Jitter value in SLA profile is shown in percentage. This issue has been fixed.

65230

Users cannot create mac-address object with only wildcard mask. This issue has been fixed.

65235

OK button is not working while creating a device after filling bind data information. This issue has been fixed.

65247

Add parameterization for keytab field in Kerberos profile in template.

65249

Add parameterization for virtual URL field in Kerberos profile in template.

65267

Fix GUI alignment issue when trying to create address group from IP filtering profile.

65299

In Secure Access Configuration screen, add the option to display how many characters can be typed for a string variable and the current length of the string typed.

65317

Fix cosmetic issues on File Filtering Profile screen.

65364

Vertical line is seen over the [+] icon in Add Rule window for Source/Destination and Application/URL tabs. This issue has been fixed.

65406

Regex pattern validation is missing in post-staging template under custom URL category. This issue has been fixed.

65431

Add support for Layer 2 services in Monitor Screen.

65458

When device is already deployed, GUI grays out changing tenant name in workflow device deploy. This issue has been fixed. You can now change the tenant name in device deploy Workflow.

65495

Remove OK button in Decryption Settings screen for TenantOperator user.

65549

Add support for secure access gateway and portal policy in Monitor Screen.

65576

Fix GUI issue in requests screen in Certificate Manager under Objects and Connectors.

65578

Tenant selector does not display when user switches from one tab to other in configuration page. This issue has been fixed.

65598

Add pagination on Security Profiles > DNS Filtering page for Device Templates/Service Templates.

65610

Add Director GUI support for new security algorithms.

65628

Remove Dual Tunnel from Gateway General page.

65631

Remove mandatory restriction for IP address in LDAP profile.

65645

Fix to allow maximizing Director task window.

65649

Templates attached to device groups are incorrectly added to Device Service Template. This issue has been fixed.

65658

Cannot select firewall service for fifth tenant when workflow template resolution is set to 1366 x 768. This issue has been fixed.

65661

Server configuration cannot be updated when IP address is not configured in LDAP profile. This issue has been fixed.

65666

Fix SD-WAN rules output in application monitor.

65679

Fix for password field that was displayed in clear text when logging into Versa Director.

65682

Fix for GUI issue that caused multihoming under Aggregated Ethernet interface not to work.

65738

Cannot update client CA Chain in Certificate Auth Profile. This issue has been fixed.

65779

Cannot configure loss as dotted decimal in SLA profile. GUI was pushing only integer values. This issue has been fixed.

65807

Add support for LLDP statistics in Monitor screen.

65817

Fix incorrect staging pool restriction for Hub-Controller nodes.

65857

Remove availability requirement field from Server pool tab.

65881

VLAN ID is enabled when trunk is configured as interface mode. This issue has been fixed.

65884

Shared control plane field overlaps with organization field. This issue has been fixed.

65894

Fix parameterized values update and validation issue in ILC.

65916

Fix issue in BGP advertised routes that was showing incorrect subnet mask for the advertised prefix.

65948

Cloud profile type is now mandatory field in cloud profile page.

65966

Network addresses are accepted in the dstAddrIpv4 and srcAddrIpv4 fields in the bind data in IPsec section.

65980

Fix Eye icon in login screen so that it does not display password in clear text.

66017

Fix typo in CPE Public Cloud workflow.

66134

Add validation for encrypted keys in template configuration before committing via apply Template to device.

64773

Device deploy with redundant template having site-to-site tunnel for tunnel gateway or Virtual WAN does not create tunnel objects. This issue has been fixed.

64609

URLs sent in VSA notification mails are updated with appropriate links.

64598

Release 21.1 Director pushes incorrect PSK key to Release 20.2.x devices when applying a template to a mix of Release 20.2.x and Release 21.1 devices. This issue has been fixed.

62422

Add user account type SERVICE/GENERAL to allow customers to use user accounts only for REST APIs and disallow GUI login.

60805

Fix RBAC cache issues in failover.

59969

Add sort-by name functionality in the Controller listing screen.

63464

Add support for Concerto client SSO screen.

61492

Fix issue in which device software version in postgres was set to blank for devices that were down. This was affecting RMAs.

66040

Fix issue to support IDP and local SSO logout for Versa Director, Analytics, and Concerto.

63987

Remove wait time when stopping appliance monitoring thread, and configure the scheduler to run the threads efficiently. This important fix allows a scale setup to run the appliance monitoring efficiently.

59207

Fix issue with sync status when parallel requests made to push configuration in Appliance view.

62205

Fix issue with uCPE VNF creation task when the template is committed to the device from the Diff View screen.

58477

Add support for federated SSO logout and to show custom login page after SSO logout.

60160

Fix issue with publishing appliance generated alarms to Kafka topic and AMQP server.

59464

Devices under Monitoring and Configuration tabs are not shown after HA failover. This issue has been fixed.

58921

Cannot export Versa SSO SP metadata from SSO screen to upload to external IDP. This issue has been fixed.

64445

Fix XPath injection vulnerability that was found in appliance APIs.

64443

Fix information disclosure vulnerability that was found in appliance APIs.

60156

Change SSO SAML samlp:RequestedAuthnContext method from Exact to Minimum to allow multifactor IDP login authentication.

64442

User Enumeration vulnerability seen with user read/creation/update/deletion and change/reset password and unlock user account APIs. This issue has been fixed.

65860

LDAP bind password decryption error seen in template/appliance context. This issue has been fixed.

Many

As part of many bug fixes, many of the fields that define appliances are now encrypted when they are sent to appliances, including BGP, OSPF passwords, SNMP user passwords, and the MDM profile client secret.

Fixed Bugs in Release 21.2.2

The following table lists the critical and major defects that were fixed in Release 21.2.2.

Tracking Bug

Description

43606

Fix drop-down compatibility issues in Firefox browser.

48020

Director uptime screen now reflects timezone data properly.

48033

Fix values shown for source network field on NTP page.

48973

Fix vulnerability regarding HTTP host header injection.

51468

Fix navigation glitches from authentication policy rule screen on address group screen.

52518

Director notification popup now shows different HA alarms, including HA-SLAVE-DIED, SLAVE-DIRECTOR-OFFLINE, and SLAVE-INCORRECT-MODE.

54132

Fix incorrect template status on Apply Template screen.

57028

Fix incorrect values for free memory in System Details card on Monitor screen.

57693

Fix apply template failure when description field contains the quotation (").

58050

Add parameterize validation when field has values such as {$v

62949

Add support for configuring the RADIUS and TACACS+ timeout.

62998

Fix IPv6 VRRP screen for parameterizing variable limitations.

63854

Add support for reordering rules in secure access portal and security gateway policies.

64330

TenantSuperAdmin can now download OS SPacks.

64337

Organization context is now maintained when user switches to different tab under the Configuration tab.

65069

Fix refreshing of autogenerated bind data values when device workflow name changes.

65658

Fix template workflow resolution issue that was preventing the user from seeing drop-down values.

65818

Default action is now set for policies added by template workflow.

65964

Director UI does not validate and provide feedback to user if there are errors in adding a user on the User Management screen.

66020

Fix element order issue during apply template.

66061

Fix issue that TenantOperator user cannot view device workflow object content.

66257, 66263, 66442

Fix search functionality in Profiles > DHCP and Services > SD-WAN > Controller, Authentication policy rules pages.

66416

Add support for external auth user to take Director snapshot.

66417, 66418

Fix corner cases while taking Director snapshot.

66582

Add encryption-proto support in workflow template.

66668

Add support to show statistics per traffic class or per forwarding class on Monitor > Networking > CoS > Interfaces > Detail/Extensive screen.

66965

Destination IP address and port fields can now be parameterized on log collector screen.

66983

Fix issue of tenant users removing subscription from their own organization when saving it.

67008

Fix to set the correct username for a task.

67305

Fix intermittent LDAP user and group fetch issue.

67327

Fix CGNAT configuration issues when LAN Interface is part of the provider organization.

67582

Fix issue that an organization cannot be deselected if service templates are associated with that organization on the Device Group screen.

67603

TenantSuperAdmin is now allowed to perform sync-from operation.

67628

Fix task messages for bulk VOS device upgrade.

67677

NPE now does not generate an error if an HA pair site location in the asset table is empty.

67758

DSL interface and PPPoE username and password fields can now be parameterized.

67783

Service template bind data is now cleaned up when user deletes a service template from a device group.

67905

Increase FD limit for Director process.

67949

Fix disabling of OK button until the data is loaded on the VR page.

67965

Device name field now has uniform name for Director-generated alarms.

68006

Honor release date in the package to select the latest image during bootstrap of VOS device.

68041

Add support for editing OS SPack settings.

68064

Fix cross-connect select and deselect issues in template workflow for redundant templates.

68104

Fix HTML tags in message body of notification rule.

68231

Add GUI option to restrict routing and connectivity across regions.

68271

Fix CA chain certificate expiration issue in the UI.

68363

User can now make NMS action API calls with external OAuth token.

68372

Monitor screen now supports Layer 2 SD-WAN VOS device traffic.

68718

Custom user role can now create NTP server instance.

68847

Fix to pick correct Trusty/Bionic VOS image while pushing image to VOS device.

68914

Add support for deleting VRFs from the spoke group screen.

68923

NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window.

68978

Fix HA template and Layer 2 interface configuration issue in template workflow.

68996

Fix monitor dashboard LTE display screen.

69246

For the Ubuntu 18.04 OS, if isolate-cpu is enabled on Rangeley CPU–based system, the services sometimes fail to start.

69314

SNMP trap profile does not allow the ‘.’ (dot) character. Only these special characters are allowed: _ # = + ^ $ @ : . { }',

69491

Add support for DNS filters under configuration.

69555

TenantSuperAdmin can now see organization workflows that are in the saved state.

69590

Add pagination for Locked User screen.

69641

Fix duplicate key sdwan-post-staging issues on Device Group screen.

69808

Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth changes are now recorded in the audit log.

69859

Fix issue of IKE changing on Controller node while redeploying a device workflow.

69860

Path policy configuration now accepts free-form text.

69877

Fix hub template workflow.

69916

PPPoE service name now accepts special characters.

69949

After adding service chain under organization limits, service menu now shows correct options for service chain template.

69987

Entitlement report does not take into account the license year when reporting peak usage metric.

70002

Fix NGFW security policy rules filter issue.

70138

Changing IP address pool using docker-overlay-config.sh now prompts for confirmation to restart service.

70234

Add support for URL ZTP over xDSL interfaces.

70284

Per-user policies now are enabled when rate is parameterized.

70313

Fix sorting functionality for System Summary tables on Monitor screens.

70318

Fix download merge configuration issue on commit template screen.

70336

BGP, IKE, and paths on monitor page now shows correct data after deleting VOS device.

70338

Add support for user type data for IP-SLAM Monitor next-hop fields.

70342

Fix for notification rule payload not having phone number.

70368

Fix issues with importing service template configuration.

70394

Asset summary now shows count for service VNFs.

70441

Suppress unwanted logs while fetching get-vnms-ha details from standby Director node.

70459

Fix incorrect security package information on monitor screen.

70526

Fix RMA issue when encryption is enabled on Director node.

70560

Fix for calling uCPE VNF operation each time a service chain template is committed.

70585

Fix display of common template address group objects in device template.

70613

TLS v1.3 configuration in Proxy Profile window is not activated.

70647

Fix display of overlay address schema popup if controller already exists in the system.

70649

Fix units in Live monitor graph on monitor screen.

70656

Fix for template failing to add WiFi interfaces when the security mode is none.

70659

Service template references are now removed from device workflow when service template is deleted.

70661

Fix corner cases when user opens existing device workflow objects.

70789

Add ability to configure port number on secure-access server screen.

70790

Add ability to configure port number in server group URL on secure access server screen.

70814

Fix DHCP mapping file upload issue.

70845

Option to configure custom block action under captive portal in a template is missing.

70857

Add per-user policers under class of service on monitor dashboard.

70932

Restrict TSA users so they cannot view other tenant appliances in IP SLA next hop UI page.

70955

Fix IPv6 identification in Tools > Ping page.

70956

Allow parameterizing fields in prefix list on device template screen.

70957

Fix autogenerated values that were missing in a secondary Hub Controller.

71004

Allow more than eight interfaces in a Workflows template.

71006

RBAC-protect the nms/cloud/systems/getAllApplianceNames API call.

71083

Fix pushing default values along with user changes in the form.

71106

Make APN parameters for WWAN interface optional.

71210

Custom role user now can perform speed test.

71327

Fix bind data page to accept network address for IP address object.

71330

Fix issues with TenantSuperAdmin accessing appliance shell through GUI.

71386

Fix IP address and mask parameterized validation in service templates.

71471

Fix for duplicate key value violating unique constraint appliance_hardware_pkey error while onboarding a VOS device.

71477

TSA users can now take configuration snapshots of the common template.

71515

Fix the display of LEF profiles in secure access service templates that are configured in common templates.

71522

Fix for TenantSuperAdmin failing to delete VOS device.

71530

Fix special cases in Versa Analytics cluster installation script.

71622

Fix issues on DHCP relay profile edit screen.

71623

POE warning prevents configuration of a VNI interface even when the POE attribute is not enabled.

71638

Fix spoke group bulk deletion issue.

71665

Add support for Available Provider Organizations configuration on Org Limits page.

71685

Fix for scheduling image upload task messages that are not progressing.

71686

Fix for scheduling template issues when VOS device not reachable and job triggered.

71749

Fix issues on Hardware UI page.

71757

Add support for the special characters "{", "}", "#" in the SNMP manager in Workflow template.

71785

Fix for backup Director node not being able to take over as primary when port 5432 is not available.

71812

Remove autoconfiguration and URI fields from WiFi screen.

71831

Fix for Workflow template going blank while removing suborganization.

71863

Handle automerge gracefully when preserve appliance changes is disabled.

71903

Fix for Director node loading page even after logging out of Director node.

71917

Fix Director login issue for Bionic images.

71944

Fix for reset button not working on monitor screens.

71977

Fix for showing empty content for File Filter field on monitor page.

71983

Fix filter on monitor screen when switching from Appliance > Configuration > Objects > Addresses to the Monitoring tab.

72046

Fix for custom role tenant user not being able to log in to Analytics node from Director node.

72070

Fix incorrect order of BGP policy terms after workflow template is redeployed.

72084

Add missing dot1p-rw-enable field under QoS profile.

72094

For virtual switches, MAC learning is now enabled by default.

72110

MTU for IRB can now be configured in UI.

72183

Fix creation of shared service and service template configuration objects.

72186

Fix template workflow blank screen issue.

72215

Fix Director rollback issue.

72305

Fix to reset local preferences for remote region hub.

Fixed Bugs in Release 21.2.3

The following table lists the critical and major defects that were fixed in Release 21.2.3.

Tracking Bug Description
13550 Update NSO to Version 4.7.10.
38973 Rewrite all NCS bound live-status APIs as dashboard live APIs.
48198 Monitor screen should show appliance system and service uptime.

48560 Remove the failover button from template under high availability.
49052 Sort and search operation issues on Director Monitor > Recent Events details screen.
54430 General service templates to modify BGP configuration without requiring router ID configuration via GUI.
58799 Fix for incorrect appliance type for appliances created on AWS or Azure.
58921 Ability for users to export SSO metadata to upload to external IDP.
59385 OS SPack URL parameter changes to pass Ubuntu Bionic/Trusty OS platform information.
59896 Unable to export keys to appliances.
60588 Notification rules page allows you to create alarms notification rules without a tenant. This issue has been fixed.
62390 Automate appliance host key refresh.
62519 Add support to create region in the Workflows template tab.
63168 Password string should be encrypted from UI browser.
63376 Cookie Without Same Site flag detected.
63733 LTE interfaces do not display in GUI for a deployed template if PPPoE is configured.
64059 Cannot redeploy the device because the WiFi password is encrypted on the backend, and when the UI applies plain-text validation to the encrypted text, the validation fails.
66012 Add a CLI command to set auto-merge as a default option.
66259 Display timezone details in director-HA failover alarms.
66260 HA UI form displays same alarm results multiple times.
66372 Fix for issue sending SMTP email notifications for alarms.
66436 Extend local group name field length from 32 to 64 characters.
67118 Non-associated organization is shown under Appliance.
67373 Add ability to export the device list on Director GUI pages.
67963 Fix for failure to enable HA when Director node has more than 500 appliances.
68231 Add a GUI option to restrict routing and connectivity across regions in an organization workflow.
68466 Add a script or command to reinitiate Kafka connections.
68637 Pagination is not working in task window.
68665 The " and & characters in a description are translated to &quot; and &amp;, respectively.
68690 Tomcat HTTP requests to Analytics now clean up or time out properly.
69340 Add an alarm on Concerto and Director if Kafka channel between them is broken.
69404 Performance improvements for appliance monitoring.
69405 Workflow template commit failed when LDAP password is configured with double quote ' " ' in parameterized bind data.
69642 Add support for "DHCP" as a bind variable value for IP addresses.
69920 Fix to ensure that WAN networks updated at the organization level propagate correctly to available networks in a tenant common template (DataStore template).

69996 Add GUI option "Mirror Interface" for uCPE interfaces.
70202 Add kernel version check during preupgrade.
70566 Display serial number on rollover popup window under Administration Appliance list table.

70799 Upgrade changes the custom SLAM path policy applied to WAN interfaces to the default SLAM path policy. This issue has been fixed.
71015 Add ability to change staging pool on Hub-Controller device.
71052 Enable TACACS+ server reachability over multiple transports.
71204 SPack downloads and installation alarms are missing on the Director node.
71336 Vulnerability fix: HTTP public key pinning (HPKP) header cannot be recognized.
71337 Vulnerability fix: HTTP strict transport security (HSTS) header cannot be recognized.
71529 Add ability to push certificates during ZTP and apply template.

71566 Add VOS configuration options for dynamic-scaling parameters in the GUI.
71789 Allow hardware inventory search based on hardware serial number and site ID.
71896 GUI and CLI do not match for name character limits for BGP instance under virtual routers.
72102 Filter is not working on Audit Logs page.
72232 Fix file size issue for captive portal pages.
72321 Cannot set the captive portal parameters such as FQDN and IP address.
72335 Fix for display devices issue on the Template Commit screen.
72388 Huge NCS connections are not closed and are seen as Open in the customer setup. This issue has been fixed.
72396 Add ability to abort an ongoing debugging operation and redirect the context to the Welcome-follow-up on chatbot.
72413 Add validation in the organization workflow to check that suborganizations do not have the same name as the parent organization.

72417 Pagination is not working properly for Bridge Domain screen.
72425 Values are not saved in DHCP Server on the DHCP > Server > Servers screen.
72473 Local database user password that contains an ampersand (&) is pushed incorrectly from the Director node to the appliance.
72480 You can add a ZScaler GRE tunnel without a VPN Profile in the Template workflow.
72485 Allow copying of chatbot text.
72525 Workflow Template creates duplicate neighbor entries in BGP.
72619 LEF profile referred to in the DHCP configuration is not present. This issue has been fixed.
72637 Update APIs to upload and delete tenant-specific CA and CA chain certificates.

72798 WAN interface details are not displayed when template with WAN/LAN on the same port is reopened.
72829 Appliance system informational Kafka message now includes appliance ping and sync state.
72909 Appliance upgrade fails from Director node because of an OS check. This issue has been fixed.
72916 Enabling high availability on the Director does not work consistently. This issue has been fixed.
72963 Performance improvement for appliance dashboard APIs.
73026 TDF screen is spinning when trying to access the GUI.
73059 Enable EIM/EIF for dynamic-nat-44.
73063 Director upgrade fails because of database backup and restore issues. This issue has been fixed.
73076 Performance improvements for AMQP and KAFKA object change notifications.
73077 Committing configuration to a template or device generates object change notifications only for the top-level path and does not send notifications for each changed path.
73104 Avoid running validation scripts on standby Director nodes.
73108 Cannot add community options for a spoke group.
73122 Fix for Analytics cluster installer issues.
73183 Incorrect date and time in Live data graph for All Traffic.
73186 OAuth refresh token API now returns the proper roles in the response.
73195 Authenticate user or delete Controller call.
73305 Cloud-init module changed to prevent deletion of Director keys.
73316 Rename branch to release number in Director Appliance Monitor tab under Software Information section.
73423 Director not initiating connection to Analytics because of too many close_wait state to analytics IP:Port.
73472 UI always sets the file-filtering reach limit action to allow.

73501 Invalid characters in cookie.
73537 After clicking refresh button on Services > Sessions screen, the message "No data to display" displays.

73546 Adding a new tenant in an existing post-staging template using the workflows API returns an error.
73610 Keep chatbot from corrupting the dialog flow data for a number of interactions.

73760 Log external authentication time.
73813 Appliance upgrade from Director node fails during ZTP. This issue has been fixed.
73832 Add support for downloading OS security pack for both Trusty and Bionic Ubuntu versions.
73847 European special characters are not accepted by Director in the address field under system configuration.
73854 Save device workflow keeps spinning during a save operation when some variables have no values.
73856 Bulk import of devices from a CSV file fails because of a concurrency issue. This issue has been fixed.
73876 Captive portal configuration is deleted during commit.
73899 After you run the appliance status brief API call, appliances disappear from the appliances listing page. This issue has been fixed.
73974 Authentication type and Auth-Context-Required fields can be configured in the SSO SAML connector page.
74092 Rules columns are blank in the session table.
74213 SSO login fails after running import-key-cert.sh script, because the SSO certificates are moved to the backup folder after running this script. This issue has been fixed.
74276 Show RBAC Permission does not display actions correctly.
74399 Notification rules condition sets do not show all devices.
74578 Service template bind data variables are missing if redeployed from the Basic tab.
74609 Responder only option is missing in GUI for tunnel initiator in IPsec VPN profile.
74614 Fix for Get Director services status API issue.
74629 Director UI not reachable because of java heap space out-of-memory issue. This issue has been fixed.
74683 SD-WAN circuit priority variable created in workflow is overwritten in the device template.
74838 Fix issue with checking Service Template bind data.
74926 Vulnerability fix: Options response method enabled.
74941 On NGFW Shared Service Template > Captive Portal, not all parameterized fields are displayed in the Workflows > Devices > Bind Data tab.
74946 Updating a scheduled report returns an error.
75027 Under Monitor Service tab, routes filter action applies only on the current page.
75031 Tooltip shows an error message for invalid characters for SSID input field.
75052 Update ha_pair_validation script to check whether an appliance is present in the inventory table.
75069 Template commit error message on Director node is now sent to Concerto over Kafka.
75100 UI does load and displays the error "Failed to load data from server".
75111 Do not send empty Controllers when creating templates for spoke groups when the Controller is optional.
75112 Validate Controller names when creating and deploying templates.
75117 Director upgrade fails at ip-sla-monitor under redistribution policy configuration. This issue has been fixed.
75133 Cannot upload the certificate for secure LDAP from the GUI.
75186 Director node cannot load Add Controller details under SD-WAN Service.
75236 WAL files do not clean up automatically, causing high disk usage. This issue has been fixed.
75273 Device bind data in the workflows throws a remote server exception when saving or deploying the device.
75389 Issue with setting isStatingController flag has been fixed.
75429 Prevent Postgres logs from getting too large.
75471 Director node does not copy the uCPE custom data file if only the custom data file option is configured in the service chain template. This issue has been fixed.
75512 Remove the reset option in the monitor GUI for guest VNFs.
75527 Monitor Tab > Associate Templates shows duplicates even though the device group has unique templates. This issue has been fixed.
75544 Director upgrade fails when executing the WorkflowsUpgrade script. This issue has been fixed.

75547 Kafka and AMQP messages now contain the Director identifier, which you can configure for Kafka and AMQP connectors.
75880 Deploying a template is failing, with a nested SQL exception.
75925 HTTP Strict Transport Security (HSTS) Policy Not Enabled (Port 443).
75951 Migration scripts now start after spring boot is fully up.
75963 SQL error occurs when creating a spoke template. This issue has been fixed.
75975 External AAA server authentication key displayed in clear text.
75992 On any templates > Objects > Custom Objects > Captive Portal Custom pages, no actions display in the UI.
76052 Authentication profile Caching Mode Setting not available in TenantSuperAdmin access.
76122 Fix for failures when simultaneously deploying multiple organizations.
76316 Director upgrade fails because spring boot does not go to the running state. This issue has been fixed.
76426 PFS set by workflows on peer Controller nodes does not match that of the first Controller node, causing issues during rekeying.
76427 Versa Director vulnerable for CVE-2021-44228: Apache Log4j2.
76487 Site-to-site local interface for HA cannot have quotes when using the active–active workflow template. This issue has been fixed.
76544 Display "B" flag on Director UI when user clicks on "i" in case the build is a Bionic build.
76613 Add available routing instances under the organization in the service chain template generated through Workflows.
76659 Add new vendor Netscout in the predefined vendor catalog list.
76667 Fix template commit issue by incorporating bind data validation for route prefixes.
76680 IPsec Site-To-Site screen should throw an error if no tunnel interface is specified for route-based tunnels.
76710 Template commit window fetches only the first 1000 templates.
76774 Southbound locking an appliance and then committing an unreachable appliance shows successful.
76902 Fix automerge when a list item to be deleted contains a space.
76903 Disable the "Data Interface Enabled" flag in the Service chain workflows VNF attributes for Netscout vendor.
76946 Provide proper error message while deleting an active user.
77061 Task to show reboot message when Commit Template with Reboot is triggered from diff-view screen.
77103 Onboard tenant to gateway is failing with INTERNAL_SQL_ERROR. This issue has been fixed.
77119 fetch=count in the NCS APIs returns the count.
77120 UI does not accept patterns containing any characters after $.
77173 Add a prevalidation check to verify that the staging prefix length is from 8 through 26
77233 Appliances might disappear if the owner organization is missing for some appliances. This issue has been fixed.
77246 Fix commit template task failure issue that occurs because of a concurrent lock.
77249 Make spoke group check and validation optional for a provider organization in a workflow template for multitenant scenario.
77285 Director services status vsh status command output issue has been fixed.
77324 View Profile under classified profile is not working for Edit DoS Rule > Enforce > DDoS Profile.
77337 Add ability to configure a customized IKE key on a VOS device using templates.
77353 System organization should not display on Add Notification Rules page when logged in as TSUPA user.
77379 Search does not work in Card view of Appliances page.
77488 Fix to address redistribution server heap overflow vulnerability.
77602 LEF configuration during spoke template creation on spokes with Hub-Controller Nodes (HCN) using template workflow should not include custom LEF connectors configurations from HCN nodes.
77639 Provide validation for inverse-mask-probability option in CoS drop profile.
77647 Do not allow duplicate Controller nodes to be added under Controllers in the workflow template.
77777 Support for multiple roles (array) in SSO user authentication
77788 Appliance snapshot creation now happens when configuration is committed through the diff view window.
77896 Fix for customer snapshot upgrade failure.
77897 Issue with the Director patch script and validation script has been fixed.
77992 "Force logout" option should log out the other active session, not the current one from which the force logout option was executed.
78108 Global ID for devices and organization have a range conflict in the UI.
78172 When you delete a device workflow, the remote PSK authentication client entry is now deleted from the Controller node.
78218 Fix Out Of Memory Error issue that occurs because of metaspace.
78240 The site-to-site tunnel in the workflow throws an error when you parameterize a WAN or LAN interface.
78296 Fix Appliance Brief API (/vnms/dashboardvnms/applianceStatus/{applianceUUID}/brief), which did not return Onboard status
78340 Commit template fails because of an issue with setting skip-apply. This issue has been fixed.
78391 Cipher suite selection against the selection criteria is not correct.
78434 WAN link monitor configuration for redundant WAN links over a cross-connect link is not updated as expected for HA devices. This issue has been fixed.
78470 Fix to limit size of VOS data for API calls.
78527 Workflow device bind data shows blank values for the variables ending with "-internal".
78648 UI response is slow when displaying IPsec VPN profile data for 300+ remote clients.
78681 Fix for the slowness issue in the diff view page when it is opened from the Template commit page.
78788 Unknown devices pages not updating after upgrade to Release 20.2.4.
78801 Associating organizations throws an exception when onboarding a workflow device in a public cloud deployment. This issue has been fixed.
79135 Fix logical volume extension (lvmextend) script by adding an option "-y" for Ubuntu Bionic platforms. Previously this script was not working on Bionic platforms.
79143 Cannot apply HA configuration when the Director node is running Release 21.2.2 and a VOS device is running Release 20.2.4.
79192 Changing VNI port causes removal of the BGP configuration in template workflows.
79218 Ensure that template workflow-generated DIA configuration for an IPv6 WAN has matching BGP next-hop and TVI interface IPv6 addresses in the format ::ffff:169.254.x.y/127.
79331 Provide proper error message when deleting an active user.
79372 Allow the BGP router ID to be changed from the GUI.
79625 Add a check to verify the OS SPack package before installing it on a VOS device.
79626 From the Director UI, uploading the key on an appliance in a tenant organization is failing.
79859 Fix to increase get API NB IP address response time when hostname/IP address mapping is not present in the /etc/hosts file.
80030 Push-Keys-To-Device shell script now escapes special characters in the password.
80085 Director UI inaccessible because of a kernel out-of-memory issue. This issue has been fixed.
80172 NCS transaction leak issue has been fixed.
80177 Traffic-steering API sends split-tunnel disabled.
80279 Fix an issue with the appliances list page in the Administration tab.
80324 Add refresh option to Monitor > Services/Networking popup windows.
80340 Commit Template option displays a maximum of 1000 entries.
80412 Unable to download reports from Analytics Dashboard on Director UI.
80423 Vulnerability fix for CVE-2022-22965.
80448 Upgrade Apache Tomcat to 9.0.60 to fix multiple vulnerabilities.
80492 Analytics Report after Page Reload gets stuck at /reporting/reportingView/ because an extra ampersand (&) is added at the end of a page reload.
80661 Monitor tenant recent events for specific severity instead of sort showing all severity events.
80687 Fix so that global site ID throws the proper exception if allocation fails.
80815 IPv6 mode as router is added by default when creating an interface in the service template.
80862 Fix to reinitialize HTTP-client connection pool used by the APIs.
80874 When the Kafka server is down, the task-based async procedure takes a long time.
80918 Fix for URL ZTP over Hub-Controller when encryption is enabled.
81062 Fix to make sure alarms listed under Appliance > Configuration are correct.
81094 Appliances not displaying in UI.
81103 Confirm password validation fails with & , <> field.
81201 Fix to ensure Ctrl+C on Shell In A Box remains in the same shell.
81280 Fix to address Director split-brain by ensuring Director uses read-only transaction in standby mode.
81309 Duplicate entries for LAN interface present in the workflow template.
81327 Tenant user cannot create appliance tag when tenant is appliance owner.
81337 Handling CMS connector failures to include new regions.
81379 Add upgrade support for older devices.
81389 Fix issue where organization name does not display in the left tree under Monitor | Cache update.
81435 Fix issue in which commit template sometimes fails with "No such transaction" by opening a new session each time.
81516 Do not advertise any routes from the LAN side to the transport VR to block clients behind those VRFs from communicating.
81698 Search tab under routes under Monitor Dashboard does not work.
81712 Appliance snapshot creation now occurs when configuration is committed through diff view window.
81716 Fix the upgrade script that deletes incorrect shaping-rate configuration on tunnel and tvi interfaces.
81846 Cookie No HttpOnly Flag + Cookie without SameSite attribute.
81849 Fix to address out-of-memory issue with a large number of concurrent requests.
82048 WiFi connected client stats Tx,RX are showing as "Nan undefined" on the Monitor screen.
82166 Webhook rejects anything after the port number.
82182 Interval value under IP SLA monitor is not rendered properly in the UI.
82474 Source map file leak vulnerability.
82525 Devices tab on the Monitor tab sometimes shows an empty screen.
82638 TLS v1.3 does not support all the necessary or matching ciphers.
82674 Handle empty service template bind data values during an upgrade from Release 20.2 to Release 21.2.2.
82750 Update the organization tree on the left side to always point to BeMaster. Issue observed when a Director failover was performed, and the organization tree under Configuration showed stale entries.
82287 Next-hop priorities under SD-WAN forwarding profiles should support values from 1 through 8.
82974 Update SSLv23 to communicate with Cassandra using SSL.
83003 Support in Bionic Director to ssh using DSA keys into Trusty VOS devices.
83153 Support SS) certificate generation on FIPS-enabled Director node.
83310 Add Director site-to-site tunnel validation for LAN VRs.
83319 Destination is shown as undefined/undefined when moving back from a higher page to a lower page.
83465 Download OS security package should support download of both OS SPacks versions (Trusty and Bionic).
83556 Remove restriction of 200-character length for Alarm Specific Problem field.
83626 Upgrade Java SSH library to allow parsing of Open SSH private keys and set FIPS-compliant key exchange algorithms.

Behavioral Changes

The following are behavioral changes in Releases 21.2.1, 21.2.2, and 21.2.3:

  • The CGNAT and DNS configurations are automatically added through template Workflows to support OOKLA-based speed tests.
  • The algorithm used to generate ptvi interface numbers in spoke template to hub controllers has been changed to accommodate hub controllers with large device IDs.
  • When you deploy a template Workflow, the implicit zones "remote-client" and "versa-speedtest" are created in the templates.
  • When you create or redeploy a template, the speed-test configuration is pushed to devices running previous software versions.
  • In Device workflows, when you create a new device, if you have navigated to the bind data tab and you want to change the device name, cancel the popup and repeat the workflow again. This procedure ensures that the correct automatic variable value is generated.
  • The GET /nextgen/applicationserviceTemplate/sample/allSamples API call replaces the GET /nextgen/applicationserviceTemplate/allSamples API call.
  • Under Monitor > Tools > Ping, the default packet size value of 5 has been removed, and the input is now restricted to positive, nonzero numbers. If you choose not to specify a packet size, a default value is provided.
  • Under Monitor > Services > Services, the VPN Clients field has been renamed to Secure Access. The options that were available under VPN Clients field are now available under Secure Access > IPsec Profiles.
  • Under Monitor > Tools > Speed Test, the Versa and Internet tabs are added. The options that were available in the Speed Test field are now available under the Versa tab, and the new OOKLA-based speed test is available under the Internet tab.
  • The Routing Instance and Interface drop-down fields are no longer available under Versa speed test configuration. Instead, you must select from a list of WAN networks, and the corresponding routing instance and interface are automatically pushed along with the selected network name.
  • HA-related critical alarms and disk usage-related alarms are shown as notification popups at the top of the GUI when you log in.
  • When a Netconf notification for an SD-WAN branch LTE-only transport is received from a Controller node, the alarm is presented in the alarms GUI, and the branch is marked as being in the LTE-only state. When the device is reachable and in LTE-only state, monitoring is suspended for a period of 2 hours, by default. (This time period is configurable.) The LTE-only state is not obvious when navigating the GUI (it is seen only in alarms), but the appliance status API can show the state.

Limitations and Known Issues

The following are the limitations in Releases 21.2.1, 21.2.2, and 21.2.3:

  • If device deployment fails for an active-active scenario, the paired site ID is never generated correctly.
  • If you remove a link monitor from a WAN interface in the Workflow template and then commit the template, the existing configured monitor is removed. (Bug 65897).
  • The Director GUI may not open on Safari and MacOS 10.15, because the self-signed certificates that were used previously are not compatible with the new security requirements of the Apple Safari browser.

To install self-signed certificates, run the following commands:

sudo su - versa
cd  /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"

To install CA-signed certificates, regenerate CA-signed certificates that honor the new security requirements:

sudo su - versa
cd /var/versa/vnms/data/certs/ 
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password

Then, synchronize the new certificate to all the Analytics nodes using the following script, which is located in the /opt/versa/vnms/scripts directory:

./vnms-cert-sync.sh --sync

  • If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers fall back automatically to use HTTP 1.1. In the newer version of Tomcat, HTTP 1.1–based REST API calls with large payloads might fail, because not all the payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in template workflow and template commit to appliances.
  • When you commit a template, the Director node may display an error when one of the interface description text fields contains multiple quotation marks (Bug 57693, Bug 58568).
  • When you create device workflows, if you want to change the name of the device after navigating to the bind data tab, cancel the popup and then recreate the device. This procedure ensures that the variables are autogenerated properly.
  • When you deploy paired devices, if deployment of the first device fails but deployment of the paired device succeeds, and you want to redeploy the failed device, manually copy the paired location ID from the paired device to the failed device and then redeploy the first device.
  • For Release 21.2.2, central authentication is not fully implemented and there are a few limitations with the feature, including:
    • You cannot use SSO as central authentication.
    • You must perform user operations such as updates and password resets on the central Director node.

Enable HTTP 2.0 on Proxies

In Release 21.1.1, the Director web server (Apache Tomcat) was upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.

If an HTTP proxy, such as Load Balancer, HA Proxy, and NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on them with the following cipher set:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

When users access the Director node using secure proxies, such as ZScaler, inspection done by the proxy of the sessions to the Director node must be bypassed or the proxy must be enabled with HTTP/2 and TLS 1.2 protocols with the above cipher set.

After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:

  1. On the Director login page, right-click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:

    Director_Login_Inspect.PNG
  2. In the Inspect window, select the Network tab.

    Network_Tab.PNG
  3. Right-click the column selector and select Protocol to display the Protocol column.

    Column_Selector_Protocol.PNG
  4. Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).

    Protocol_H2.PNG
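
A command-line counterpart to the browser check above, as an added example that is not part of the Versa documentation: it performs a TLS 1.2 handshake against the proxy, offering only the four cipher suites listed earlier and ALPN h2, and reports what was negotiated. The function names, the OpenSSL spellings of the suite names, and the hostname passed on the command line are assumptions of this example.

```python
import socket
import ssl
import sys

# Cipher suites required on the proxy (IANA name -> OpenSSL name).
REQUIRED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def build_context(verify=True):
    """Client context that offers only TLS 1.2, the four suites, and ALPN h2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REQUIRED_SUITES.values()))
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    if not verify:  # only for lab setups that still use self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port=443, verify=True, timeout=5.0):
    """Handshake with the proxy and return (alpn, tls_version, cipher_name)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_context(verify).wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version(), tls.cipher()[0]


def evaluate(alpn, tls_version, cipher_name):
    """Return a list of findings; an empty list means the proxy is compliant."""
    findings = []
    if alpn != "h2":
        findings.append(f"ALPN negotiated {alpn!r}; browsers will fall back to HTTP/1.1")
    if tls_version != "TLSv1.2":
        findings.append(f"negotiated {tls_version}, expected TLSv1.2")
    if cipher_name not in REQUIRED_SUITES.values():
        findings.append(f"cipher {cipher_name} is outside the required set")
    return findings


if __name__ == "__main__":
    host = sys.argv[1]  # hostname of the proxy in front of the Director node
    try:
        result = probe(host)
    except (ssl.SSLError, OSError) as exc:
        # A failed handshake means the proxy accepts none of the four suites on TLS 1.2.
        sys.exit(f"handshake failed: {exc}")
    problems = evaluate(*result)
    print(result, "OK" if not problems else problems)
    sys.exit(1 if problems else 0)
```

A result of `http/1.1` in the first field corresponds to the fallback case described under Limitations and Known Issues, where REST API calls with large payloads might fail.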

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 21.2.1, March 19, 2021
Revision 2—Release 21.2.2, September 12, 2021
Revision 3—Release 21.2.3, August 2, 2022
