Versa Operating System (VOS) Release Notes for Release 21.2
These release notes describe features, enhancements, fixes, known issues, and limitations in the Release 21.2 Versa Operating System™ (VOS™) software, for Releases 21.2.0 (simply called 21.2) through 21.2.3. Releases 21.2.1 and later are generally available (GA) releases and are supported for use in production networks.
August 2, 2022
Revision 3
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install the VOS Software
You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.
Versa Networks provides the following versions of the VOS software:
- For systems running Ubuntu 14.04:
- *-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
- *.bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.
- For systems running Ubuntu 18.04:
- *-B-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
- *.B-bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.
Upgrade to Release 21.2
You can upgrade VOS devices to Release 21.2 from Releases 16.1R2 (16.1R2S8) and later. If you are using an earlier software release, upgrade first to the latest Release 16.1R2 service release, and then upgrade to Release 21.2.
If the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 1878 or later before you upgrade the VOS device. To display the version of the installed SPack, use the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.
If you are upgrading from Release 20.2 to Release 21.2 or later on HA nodes, and if you have enabled information validation (info-valid) in the configuration of one or both HA nodes, you must disable the info-valid configuration before you perform the software upgrade. After the upgrade completes, you can re-enable the info-valid configuration.
To upgrade to Release 21.2 from the CLI:
- Ensure the current running package is present in the /home/versa/packages/ directory.
- Save the existing version of the configuration:
admin@vnf-cli(config)% save /var/tmp/backup.cfg
- Copy the .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
admin@vnf-cli> request system package fetch uri uri
- Install the new software package:
admin@vnf-cli> request system package upgrade filename.bin
Follow the prompts, and wait until the upgrade status shows that the upgrade is complete.
- Confirm that the new software has been installed:
admin@vnf-cli> show system package-info
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command. This command restores the VOS device's configuration to the same state it was in just before the upgrade. Any configuration changes that you made since the upgrade are lost.
admin@vnf-cli> request system rollback to PRE-UPGRADE-1
Install a Software License for VOS Devices
A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not subjugated to a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.
New Features
This section describes the new VOS device features in Release 21.2. All features are introduced in Release 21.2.1 unless otherwise noted.
Layer 2
- EVPN multihoming—You use Ethernet VPN (EVPN) multihoming to connect a customer edge (CE) device with one or more provider edge (PE) devices using EVPNs. EVPN multihoming helps improve network performance and increase the reliability of traffic flows between multihomed devices. Versa Networks EVPN multihoming eliminates the need for proprietary technologies such as MC-LAG, virtual chassis, and VPC. See Configure EVPN Multihoming.
- EVPN VXLAN—Virtual extensible LAN (VXLAN) is a data-plane encapsulation technology that allows you to run EVPN over an IP network using standard VXLAN encapsulation over UDP. In multitenant and cloud environments, VXLAN allows a network to handle much larger traffic loads than traditional VLANs, while providing the same traffic isolation and segmentation as classic VLANs. On the LAN or underlay ports, VOS devices use data plane-based learning and forwarding, and across VXLAN peers they use standards-based EVPN-VXLAN-based reachability exchange and forwarding capabilities. See Configure EVPN VXLAN for SD-WAN.
- LACP enhancements—You can configure a unique chassis ID on each VOS device. You can configure an admin key, which allows ports from two separate VOS devices to behave as if they are part of the same aggregate interface. See Configure EVPN Multihoming.
- Layer 2 services—You can configure Layer 2 services, allowing you to apply many existing SD-WAN path selection policies to Layer 2 traffic, including Layer 2 SD-WAN policies, SLA profiles for Layer 2 SD-WAN traffic steering, and MOS score monitoring of Layer 2 traffic. See Configure Layer 2 Services.
Platform
- APN name in URL ZTP procedure—(For Releases 21.2.2 and later.) As part of the URL ZTP procedure, you now have to provision the APN name, PIN, APN username, and APN password.
- Duplicate IP addresses—(For Releases 21.2.2 and later.) If a detected IP address duplicates any IP address configured on a VOS device, an alarm is generated.
- Embedded 5G module for CSG700 and CSG1000 series appliances—(For Releases 21.2.3 and later.) CSG700 and CSG1000 series appliances can be equipped with factory-installed enterprise-grade 5G modules. The 5G modules support the FR1 mode of operation (also called sub-6) and associated frequencies to provide a consistent, flexible, and optimized WAN connection. You can use the 5G module WAN links as a primary or backup link.
- Health checks on interfaces—You can perform periodic health checks on interfaces. See Configure Interfaces.
- Internet speed tests—You can run speed tests for VOS devices from a Director node using predeployed internet speed-test servers. To run an internet speed test, you need only an internet connection over a WAN link to reach the internet speed-test server, eliminating the need to deploy an independent speed-test server. See Run Internet Speed Tests.
- IP addresses on logical interfaces—(For Releases 21.2.2 and later.) The maximum number of IP addresses that you can configure on a logical interface has increased from 8 to 128.
- MLPPP on T1/E1 interfaces—T1/E1 NIC interfaces support multilink PPP (MLPPP) on T1/E1 CSG Series NIC interfaces. MLPPP allows you to bundle separate PPP links into one bundled PPP interface to provide one higher-speed connection across a WAN. See Configure Interfaces.
- OS security packages for Ubuntu 18.04–based VOS images—Versa Networks provides two sets of VOS images, one based on Ubuntu 14.04 and the other on Ubuntu 18.04. Prior to Release 21.2.1, Versa Networks provided Ubuntu OS security packages (SPacks) for Ubuntu 14.04–based VOS images. See Use OS Security Packages.
- Path MTU aging time—You can configure path MTU aging time, in seconds, at the interface level, after which a process expires. A new probe is initiated within this interval to keep the record fresh. See Configure SD-WAN Sites.
- PPP PAP and CHAP on T1/E1 interfaces—You can configure the T1/E1 authentication protocol and associated password using the Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) authentication methods for PPP. See Configure Interfaces.
- PoE power management on CSG appliances—You can configure PoE parameters on PoE interfaces on Versa Networks CSG appliances. See Configure Interfaces.
- Proxy ARP and proxy NDP—Ethernet interfaces on VOS devices support proxy ARP (for IPv4) and proxy NDP (for IPv6). You can now configure proxy ARP for a set of IPv4 subnet prefixes or ranges, and proxy NDP for a set of IPv6 address ranges. Proxy ARP and proxy NDP provide local responses, allowing VOS devices to reduce the amount of broadcast traffic over Layer 2 networks (such as EVPN) across SD-WAN and VXLAN. See Configure Interfaces.
- QAT and SSL-TLS proxy—You can offload the SSL/TLS encryption and decryption functions to QAT for hardware-based acceleration for these cryptographic functions, for hardware platforms that use Intel QAT on Rangeley, Denverton embedded QAT blocks, and Coleto Creek cards with dedicated QAT processors. See Configure HTTP/HTTPS Proxy.
- Secure boot—CSG700 series appliances running Ubuntu 18.04 support UEFI secure boot. UEFI secure boot is a verification mechanism for ensuring that a VOS device boots only software components that are trusted by the original equipment manufacturer (OEM), which, in this case, is Versa Networks. See Verify Support for UEFI Secure Boot.
- Session limits—The default maximum number of sessions that a VOS device supports is now automatically adjusted down or up based on the total amount of system memory. (In releases prior to Release 21.2.1, the default maximum number of sessions was fixed at 1,000,000.) Note that you should change the maximum number of sessions only during a service maintenance window, because as soon as you click OK, all services on the VOS device restart automatically.
Note that because the earlier default value for the session limit was 1,000,000, if you configure a value of 1,000,000, it becomes impossible to distinguish between an explicitly configured value and the earlier system default. It is recommended that you configure a value slightly more or less than 1,000,000 to override the older default value of 1,000,000.
The following table shows the maximum number of sessions supported for different amounts of memory. It is recommended that you not increase the number of sessions beyond the maximum values shown in the table, because the VOS software is tuned to handle values up to the listed maximums.
Total Memory (RAM) | Maximum Number of Sessions |
---|---|
4 GB | 32,000 |
8 GB | 100,000 |
16 GB | 500,000 |
32 GB | 1,000,000 |
64 GB | 2,500,000 |
96 GB | 4,000,000 |
> 96 GB | 5,000,000 |
See Configure Service Options.
- TPM1.2 password encryption—The TPM cryptographic module provides a hardware-based approach to manage user authentication, network access, and data protection.
- TPM2.0 PSK—CSG series appliances and certified white-box platforms support TPM2.0 with an Ubuntu 18.04 image, and they support PSK storage in the TPM2.0 chipset. VOS devices use TPM to authenticate CSG appliances.
- Traffic policing for source IP address or per originating device—You can police traffic generated by end stations. Each end station is organized by source IP address (that is, by a /32 address). Policing allows you to rate-limit traffic generated by end stations so that WAN bandwidth can be shared more fairly among the end stations on a LAN.
- TWAMP-light—Two-Way Active Measurement Protocol light (TWAMP-light) allows you to measure network performance and send multivendor interoperable probes on LAN interfaces, WAN interfaces, and IKEv2-based IPsec tunnels. See Configure TWAMP-Light Test Sessions.
- USGv6 compliance—Versa Networks complies with the USGv6 testing scope and criteria, and has also initiated testing and certification of the Versa solution for USGv6 compliance.
SASE
- Application reverse proxy—(For Releases 21.2.1 and later.) Application reverse proxy protects software as a service (SaaS) applications from direct access from unmanaged devices that do not have the Versa client installed to connect to Versa Cloud Gateways. See Configure Application Reverse Proxy.
- Cloud access security broker—(For Releases 21.2.1 and later.) CASB is on-premises or cloud-based policy enforcement software that secures the data flowing between users and cloud applications to comply with corporate and regulatory requirements. CASB applies enterprise security policies when users access cloud-based resources. See Configure CASB Profiles.
- Data loss prevention—(For Releases 21.2.1 and later.) DLP is a set of tools and processes for detecting and preventing data breaches, cyber exfiltration, and unwanted destruction of sensitive data. The VOS DLP oversees, tracks, and reports all data transactions in the network, scanning all content that passes through an organization's ports and protocols to ensure data security in the organization.
- Endpoint information profiles—(For Releases 21.2.1 and later.) You can configure an endpoint information profile (EIP) to classify endpoints based on various endpoint posture information, including SASE policy, security, traffic steering, and public and private application access entitlements.
- Malware sandboxing—(For Releases 21.2.1 and later.) VOS devices identify zero-day malware risks by performing malware analysis in a sandbox environment. The VOS file reputation and sandboxing services allow VOS devices to check for the presence of malware in files being downloaded.
- MDM profile—You can create a mobile device management (MDM) profile to retrieve device information from a graph server and associate the MDM profiles with a Secure Access Portal or a Secure Access Gateway to verify device information during Versa secure access (VSA) client registration (portal) and after registration (gateway). See Configure MDM Profiles.
- User and entity behavior analytics—(For Releases 21.2.1 and later.) UEBA provides a custom combination of predefined rules that can be associated with a tenant.
- Versa Director–managed site-to-site tunnels—You can create a Versa Director–managed IPsec site-to-site tunnel between a provider Director node and a tenant Director node so that the tenant can use services available from the provider Director node as if the services were available directly from the tenant Director node. See Configure Site-to-Site Tunnels.
- VSA application-based traffic steering—The Versa secure access (VSA) client supports traffic steering on Windows 10 and MacOS clients. The application-based traffic steering features allow you to determine breakout traffic based on Layer 7 criteria, such as application name and FQDN. See Configure the Versa Secure Access Service.
- VSA granular user profile administration—You can use profiles to control user behavior even before the connectivity is completed. Profiles determine behavior such as tunnel characteristics and gateways to which the users can connect. See Configure the Versa Secure Access Service.
- VSA multiple policy support for portal and gateway—You can configure multiple policies for the portal and gateway. Contextual information, such as username, user group, location, and device compliance status, is used to download and apply the appropriate portal or gateway policy. See Configure the Versa Secure Access Service.
- VSA OTP support over email—You can send an authentication one-time password (OTP) over email. Prior to Release 21.2.1, you could send the authentication code only using SMS. See Configure the Versa Secure Access Service.
- VSA SAML—VSA supports SAML-based integration with identity providers. See Configure the Versa Secure Access Service.
- VSA subscriptions—You can configure an on-premises VSA subscription license for each authorized user who is allowed to access the VSA client service. See Configure Versa Secure Access Subscriptions.
- VSA time-based OTP (TOTP)—VSA supports TOTP, which generates a one-time password that uses the current time as a unique factor. See Configure the Versa Secure Access Service.
SD-WAN
- Adaptive traffic bandwidth shaping—You can configure the bandwidth available on a link to upload and download data. This information is used in computing adaptive traffic shaping. See Configure Interfaces.
- Codec and MOS score and policy-based traffic management—VOS devices support additional uCAAS applications, including Zoom, Cisco Webex, and Ring Central. You can apply MOS detection, reporting, and traffic engineering to these uCAAS applications. See Configure MOS Score Monitoring.
- Destination zone matching in SD-WAN policies—SD-WAN policy rules can match based on the destination zone. See Configure SD-WAN Policy.
- DIA traffic load-balancing methods—DIA traffic load-balancing methods, weighted round-robin and high available bandwidth, are supported. See Configure SD-WAN Traffic Steering.
- Inherit uplink or downlink bandwidth of paired site—An active-active setup automatically inherits the configured physical interface uplink or downlink bandwidth of a paired site as the reference bandwidth for corresponding cross-connect links to use for load-balancing logic. See Configure SD-WAN Traffic Steering.
- Per-user policers—(For Releases 21.2.2 and later.) You can configure and monitor per-user policers for QoS Profiles. See Configure CoS.
- Riverbed compatibility mode—The VOS software Riverbed compatibility mode allows you to deploy WAN optimization and SD-WAN products together while retaining the full functionality of each product, allowing you to make full use of the features and benefits of Versa Networks for SD-WAN and WAN Edge and Riverbed for WAN optimization.
- Traffic steering based on monitored bandwidth—Policy-based forwarding (PBF) can use monitored bandwidth as the reference bandwidth used to calculate the remaining capacity of each access circuit. The bandwidth monitor module maintains a historical maximum of monitored bandwidth for each WAN link and uses the monitored bandwidth as reference bandwidth in PBF. Using the monitored bandwidth as the PBF reference bandwidth helps identify the long-term stable bandwidth at a specific time of the day that has been offered or guaranteed by a service-provider for that WAN circuit. See Configure Layer 3 SD-WAN Traffic Steering Based on Available Bandwidth.
- Traffic steering enhancements—The following enhancements have been made to traffic steering:
- SD-WAN policy and traffic management capabilities, including Layer 2 traffic pinning and Layer 2 flow management across SD-WAN tunnels, so that you can use existing SD-WAN policies for Layer 3 flows on Layer 2 flows.
- MAC address, IP address, and URL filtering to drop, forward, and accept Layer 2 traffic.
Security
- Dynamic assignment of VLANs using the 802.1X device authentication—You can configure an authentication server to dynamically assign VLANs to bridge ports using the 802.1X device authentication flow. After a port is authenticated using 802.1X device authentication, the authentication server assigns a VLAN to the port. See Configure Dynamic VLANs Using 802.1X Authentication Flow.
- Firewall rules management enhancements—When you create a security rule, you can select the priority, and you can add a rule above or below an existing rule. You can disable a rule. See Configure NGFW.
- Layer 7 device authentication and compliance—You can authenticate client devices based on client or user certificates. Client certificate-based authentication is a function of VOS TLS proxy, and you configure it in a decryption profile. See Configure HTTP/HTTPS Proxy.
- Network DLP—You can configure Data Loss Prevention (DLP) on VOS devices and Versa Cloud Gateways. In conjunction with Security Access Control policy, the DLP module ensures that the data that is exported does not contain any sensitive information. See Versa Data Loss Prevention.
- Service endpoints—You can configure service endpoints with captive portal, which allow you to install service filters for each routing instance. See Configure URL Filtering.
- Upgrade the application engine protocol bundle—You can upgrade the application engine protocol bundle, which is a database that contains 3600+ signatures that are used to detect and identify applications. It is included in the SPacks. See Use Security Packages.
Fixed Bugs
The following tables list the critical and major defects that were fixed in Release 21.2.
Fixed Bugs in Release 21.2.1
Bug ID | Summary |
---|---|
35738 | Upgrade various third-party and open source packages that VOS devices use to address vulnerabilities. |
38310 | A defect in the IPsec module caused the versa-service process to crash and caused a service restart. This issue has been fixed. |
45615 | Unable to move an OSPF network between OSPF areas of the same routing instance within a single commit. This issue has been fixed. |
48993 | CPU load statistics sometimes display values greater than 100%. This issue has been fixed. |
52361 | BGP neighbor alarms do not display the complete site name, depending on the number of address families and capabilities that are exchanged. This issue has been fixed. |
52874 | IPsec alarm configuration is not honored, and destination and soak intervals are not activated. This issue has been fixed. |
54127 | When a VOS device receives more than four fragments that constitute an IP packet, sometimes the fragments are not reassembled correctly, causing the packets to be dropped. This issue has been fixed. |
54479 | Python binary might have the incorrect permissions or capabilities set, which prevents the SPACKMGR process from starting. This issue has been fixed. The permissions and capabilities are now forcibly set. |
58693 | The versa-certd process crashes when handling a USER certificate. This issue has been fixed. VOS devices now handle a USER certificate in addition to the SIGN (signing) and ENCR (encryption) certificates. |
59618 | The versa-infmgr process crashes because it incorrectly handles a stale link-update message, which causes services to restart. This issue has been fixed. |
59972 | The versa-services process might restart during a security pack (SPack) upgrade because of a race condition that occurs when accessing an internal data structure. This issue has been fixed. |
60526 | New branch staging might fail if IKE flaps or if the WAN IP address keeps changing. The result is that the IP address pool runs out of addresses, because older IKE connections linger on, and this causes the staging of a new device to fail. This issue has been fixed. Now, the DPD process is more aggressive. |
60708 | Because of timing conditions, older software-upgraded alarms and service-restarted alarms might be generated after a service restart. This issue has been fixed. |
60879 | When multiple CoS OIDs are passed in the same snmpget request, the versa-vmod process does not clear some internal tables, causing this process to restart. This issue has been fixed. |
60968 | When you upgrade the software, a redistribution policy term that has DHCP as the match protocol might lose the match protocol, and the term ends up matching all protocols. This issue has been fixed. |
61174 | If the export-vrf global-vrf-id pushed from a Director node to hub devices is greater than 16000, the resulting reserved label overlaps with the signaled label space, causing incorrect packet forwarding. This issue has been fixed. Now, the reserved label space does not overlap with signaled label space. |
61177 | During failover on an active-active node with replication enabled, some packet buffers are leaked. This issue may occur if FEC is enabled on remote sites and FEC is not enabled on local site or hub, but Preserve Order is enabled. As a workaround, disable the FEC Preserve Order at the local site and disable reorder in the forwarding profile. This issue has been fixed. |
61705 | VOS image upgrade might fail because the /opt/versa/upgrade/scripts/nacm-edit.lua script fails. The failure occurs because NACM rules are missing. This issue has been fixed. |
61998 | When a VOS device receives IPv6 Multicast Listener Discovery (MLD) packets, a crash may occur. This issue happens only if the multicast/broadcast domain has IPv6 MLD speakers and the IPv6 MLD packets, which are multicast packets embedded in ICMPv6, reach a VOS vni interface. (MLD is an IPv6 protocol that IPv6 routers use to discover multicast listeners on a directly attached link, just as IPv4 routers use IGMP. MLD is embedded in ICMPv6 and not in a separate protocol.) As a workaround, prevent or block IPv6 MLD packets from reaching VOS devices. If you have not configured IPv6 WAN/LAN/control network, use external firewalls and iptables to block IPv6 packets from reaching VOS devices. This issue has been fixed. |
62268 | When services start, the branch-to-branch IPsec tunnel might not be set up because of a race condition between two threads completing initialization at startup. This issue has been fixed. |
62429 | Traceroute command had a command injection vulnerability. This issue has been fixed. |
62758 | The IPsec history CLI command output sometimes displays an incorrect error or reason. This issue has been fixed. |
62793 | Static ARP entries might not be activated in the data path. This issue has been fixed. The entries are now resilient to all timing conditions (for example, whether an interface is not up). |
62800 | A Versa service crash might occur because of invalid memory access in the SD-WAN module. This issue has been fixed. |
62805 | During the upgrade process, MPLS tenant ID changes might be lost, leading to tenant ID mismatch for the VPN label and causing packets to blackhole. As a workaround, update the mplsvpnentry tenant ID and restart the services. This issue has been fixed. |
62856 | When you configure the out-of-band management interface, eth0, for speed and duplex, extra commands might be appended to the network configuration file. This issue has been fixed. |
62883 | Issuing the show orgs org-services organization lef collectors collector status CLI command might cause the versa-vmod process to restart. One cause was a leak of resources under certain error conditions: A slow leak eventually causes the process to restart but does not cause a service restart. Another cause was when the Versa Director dashboard triggered this command to fetch LEF statistics. This issue has been fixed. |
62931 | The sdwan-datapath-up alarm might not be generated. This issue has been fixed. Now, the alarm is triggered unconditionally when a path to a remote site is removed for any reason. |
62955 | When QoS policy rules were being evaluated, services might restart because the versa-service process crashes. The versa-service process crashes after repeated crashes of the versa-vmod process, and it is the result of a race condition in the security and policy rule compilation and data path. This issue has been fixed. |
63104 | Sporadic packet latency is observed in Microsoft Azure virtual instances of VOS devices. This issue has been fixed. |
63151 | When a standby router comes back up, VRRP hello packets are sent with virtual MAC addresses. As a result, switches see duplicate MAC addresses and MAC moves, resulting in packet loss for 1 to 3 seconds. This issue has been fixed. |
63173 | A site-to-site IPsec tunnel over IPv6 on a bare-metal system with Quick Assist Technology (QAT) might drop packets because of defective logic in computing the packet length after decryption. This issue has been fixed. |
63354 | The memory consumption of the zone protection logic has been optimized to consume less memory without affecting performance. |
63356 | The software-upgrade-success alarm is not raised after you upgrade a device. Sometimes the alarm is incorrectly deferred until the next service restart. This issue has been fixed. |
63481, 63543 | When a large volume of IKE SA init traffic arrives at a VOS device, a memory leak is observed in the versa-service process. This issue has been fixed. |
63506 | When a configuration is pushed to create system users, user creation is noticeably slow. This issue has been fixed. Now, user creation is faster. |
63593 | When a user's group membership changes in Active Directory, this information might not be updated on the VOS device, and so the VOS device applies group-based policies based on previous membership details. This issue has been fixed. Now, when membership details are refreshed at the configured refresh interval, the details are updated in the live-user table and the new group-based policy is applied. |
63594 | When you configure IPS detection and IPS-based application identification reporting, a recursion might cause Versa services to crash and restart. This issue has been fixed. Now, the IPS-based application ID reporting is separated from IPS detection. |
63612 | For traffic monitoring policies, you could not configure a match destination for zone information. This issue has been fixed in the Director GUI and VOS CLI. |
63647 | Option-82 is not stripped by a VOS device functioning as a DHCP relay agent, causing clients to drop the DHCP response packets from the server. This issue has been fixed. |
63699 | Jumbo frame packets larger than 1686 bytes are not forwarded over the SD-WAN. This issue has been fixed. |
63755 | A memory leak is observed in the IKE-ESP ALG. This issue has been fixed. |
63777, 63902 | In the GUI, when you delete all the terms of redistribution policy, the VOS device deletes the policy itself, causing the configurations on Director node and the VOS device to be out of sync. This issue has been fixed. |
63949 | Having a large number of FQDN address objects might lead to a memory leak in the versa-certd and versa-addrmgr processes. This leak causes these processes to bloat in size, and eventually they terminate and restart. However, there was no service disruption. This issue has been fixed. |
64148 | The sulogin binary process might be triggered and might then crash, causing the system to reboot. This issue has been fixed. The sulogin binary has been replaced with one that does not crash. |
64311 | When you change a BGP peering policy from denying all prefixes to allowing only some prefixes, for the first 30 to 60 seconds, the VOS device advertises all prefixes. This issue has been fixed. |
64333 | The show alarms CLI command displays a truncated timezone offset. This issue has been fixed. Now, the full timezone offset information is displayed. |
64400 | For V1000/V1800/V1500/V930, V810 (FWA-3260), and CSG1300 platforms, the packet TX counter does not increment to indicate an issue on the VOS CPE device, for issues specific to the driver (i40e) of this port. The TX operation gets stuck because of the multisegment packets that are pushed to the NIC. The maximum number of segments that the i40e supports is 8. Sending more places the NIC TX ring into this state. This issue has been fixed. |
64444 | When a destination is reachable through two or more remote SD-WAN sites and all the paths to at least one of the sites are in SLA-violated state, the Versa services daemon may experience a segmentation fault and restart. The workaround is to switch to active/standby routing instead of equal cost SD-WAN routes to the destination. This issue has been fixed. |
64513 | Fix a core in the routing CLI transformer process that occurs when an external peer group does not have peer AS configured and when the peer AS configuration is removed from a neighbor belonging to this group. |
64514 | If you set up a site-to-site IPsec tunnel with a non-Versa peer and an aggressive DPD timeout (1-2 seconds) is configured on the peer (which is not a typical use case), the tunnel on the Versa side might go down. This issue has been fixed. |
64733, 64826 | When LEF establishes a TCP connection to the destination collector, during overloaded conditions, if the server is slow, the connection moves to a write-blocked state. During this time, logs queued to the collector are dropped instead of being held until the connection is unblocked. This issue has been fixed. |
64738 | Improve SD-WAN site-to-site throughput performance, to regain the performance available in earlier releases. |
64811 |
Having a large number of FQDN objects (more than 100) slows the versa-service process and causes high CPU usage and failure of some show commands. This issue has been fixed. |
64844 |
The .ncconnect file has invalid permissions, which might prevent the recognition of a successful connection between a Director node and a VOS device. This issue causes the trial period countdown to begin and eventually degrades VOS services. This issue has been fixed. |
65115 |
When an IPv6 destination is reachable through multiple remote SD-WAN sites (that is, there are equal-cost routes through multiple sites), the circuit priorities specified in an SD-WAN forwarding profile may not be honored. Also, an SD-WAN or PBF policy rule that is used to override routing and enforce a specific next hop does not work for IPv6. This issue has been fixed. |
65292 |
When you upgrade from an older release such as Release 16.1R2Sx to a newer release, if the address object contains an invalid wildcard FQDN object, the versa-vmod process might crash. This issue has been fixed. Now, a misconfigured FQDN object is ignored. |
65293 | The IPv6 debug packet trace command is not activated. This issue has been fixed. |
65294 |
When you perform an IPv6 traceroute between a source and a destination, a VOS device might drop IPv6 traceroute response packets, because it incorrectly parses the length of the ICMP time exceeded in transit. This issue has been fixed. |
65319 | In service flow chaining (SFC), add support for Layer 3 rewrite for inner, Layer 3 rewrite for outer, copy from outer, and copy from inner. |
65505 |
Intermittent packet loss might occur when you enable packet replication for large packets that require fragmentation. This issue has been fixed. |
65809 |
The show route table ipv4.unicast CLI command does not display the desired output when you specify both the detail and prefix options. This issue has been fixed. |
65843 | The versa-vmod process may restart during a Qualys scan directed at a VOS device. This occurs because the Qualys client tries to connect to servers running inside the VOS device. This issue has been fixed. The software has been enhanced and is now resilient to any clients that connect to internal Versa services. |
65953 |
In an active-active SD-WAN CPE deployment, when you change the paired-site location ID of any CPE, SLA contexts between the two CPEs are created. These SLA contexts are not deleted when the matching location ID is updated on another CPE to pair the two CPEs. This issue has been fixed. |
66136 |
The versa-services process restarts once because of an invalid timer (uninitialized value) in the application monitor module. This issue has been fixed. |
Fixed Bugs in Release 21.2.2
Bug ID | Summary |
---|---|
20557 |
When you commit a VOS device configuration now from the Director node, the VOS device waits up to 10 minutes to determine whether it has connectivity to at least one Controller node. If not, the VOS device performs a rollback operation. Previously, if there was no connectivity to any Controller node, the VOS device rolled back an operation immediately after the commit. |
30728 |
When a VOS device is a DHCP client, the DHCP renew packet must be a unicast packet to the DHCP server and not a broadcast packet. |
33184 |
Controller node has only internet connectivity and branches have internet and MPLS connectivity. Whenever the internet link goes down at the Branch1 VOS device, all the routes of the Branch1 device may be removed from other remote branches by the Controller node even though SLA is up between Branch1 and the remote branches. |
37411 |
Versa services may restart because of an incorrect reference count in the IPsec IP address object. This issue has been fixed. |
42640 |
Could not configure LTE parameters while doing URL ZTP. Add support for specifying APN, PIN, username and password. |
43497, 66215 |
Commit fails when address group is referenced before it is defined. Support has been added to handle this gracefully. |
45301 |
Running tcpdump on the vni-0/2 interface in system with WiFi interfaces (vni-0/20*) fails because of unsuccessful cleanup after previous invocations of the command. |
46302 |
The performance of Config Sync-from-Appliance has been improved. This operation used to take many minutes on systems with large routing configuration. |
50689 |
The show orgs org-services organization dhcp statistics dhcp interface CLI command may cause a timing issue that causes the versa-infmgr process to restart, which restarts all services. This crash and restart have been fixed. |
51784 |
URL ZTP was marked as failure if the ping to the controller WAN IP was not successful. Now, the URL ZTP process pings the next-hop gateway and 8.8.8.8 to check for reachability. |
53547 | The DHCP address pools, service, and lease option profiles limit has been increased to handle up to 256 profiles. The previous limit was 100. |
57029 |
For destination NAT (DNAT), if the range of NAT IP addresses and the size of the IP address pool do not match, Versa services enforced a strict check that caused services to restart. The check has been relaxed to prevent restart of services. |
58454 |
Enabling the device identification feature causes intermittent service disruption because of a process crash and restart. The workaround is not to enable this feature. |
58509 |
URL ZTP with special characters in any of the encoded attribute values (such as the Controller PSK) results in improper configuration of the VOS CPE device. |
60879 |
SNMP Get on QoS MIB values may cause the versa-vmod process to restart. This process restart does not impact the service. |
61985 |
The IPsec alarm has been enhanced to include the name of the VPN profile associated with the IPsec tunnel or to include the name of the tunnel interface if it is a route-based IPsec tunnel. |
62187 |
DIA traffic controlled by SD-WAN policy is not reported on Analytics nodes. |
62578 |
Platform watchdog service was not enabled on Caswell white boxes. |
62978 |
SLA metrics are not displayed when the interval is more than 150 seconds. |
63569 |
The IF-MIB field ifOperStatus shows as Up even if the tunnel interface is down. |
63976 |
When two Controller nodes have at least two WAN interfaces each with disjoint transport domains (such as one for internet and a second for MPLS) and a branch device connects to the Controller node using one of the transport domains, one of the Controller WAN interfaces goes down and comes back up. When the Controller interface is down, if the branch's WAN interface for the other transport domain goes down and stays down even when the Controller node's WAN interface comes back up, the branch device may retain stale state for the Controller node's MP-BGP information until the configured graceful restart time expires. This does not allow the branch to establish MP-BGP peering with the Controller node until the graceful restart time expires. This issue has been fixed to ensure that when the underlay connectivity from a branch to the Controller node is restored, the branch reestablishes MP-BGP peering with the Controller node. |
64067 |
After the routing process restarts because of a core, the SD-WAN Controller node may not install the host routes for the branches in a scaled environment. This issue has been fixed. |
64685 |
When the first packet in a session is received and the group is already known, security policy rules that contain a group match condition are not evaluated and matched for the first packet of the session. |
64790 |
The memory footprint of the security and policy contexts increases with each commit, causing memory load issues on firewalls with large configurations. The increase is capped to an older context. |
64811 |
The Versa service process slows down when there are more than 100 FQDN objects because of defective logic in maintaining the list of resolved IP addresses. This causes high CPU usage, and some show commands fail. This issue has been fixed. |
65114 |
Certain threshold and utilization alarms are not cleared intermittently. |
65373 |
Manually changing the /etc/ssh/sshd_config file (for example, adding match commands) on a VOS device and then updating the SSH keepalive and timeout using the CLI cripples SSH access to the VOS device. |
65435 |
DIA traffic switches to SD-WAN when SD-WAN route flaps. |
65501 |
TCP evasion check incorrectly drops the 1-byte payload TCP keepalive packets because it assumes that they are an overlapping segment. |
65536 |
The vni interface displays the correct RX BPS value for PPPoE, but not for TVI interfaces. |
65643 |
First-time configuration of twice-napt-44 requires a reconfiguration to activate it. |
65904 |
Top-N application computation that happens every 5 minutes causes increased packet latency and loss for traffic processed by worker thread 0. |
65926 |
Site name in SLA alarms is truncated to 32 characters. Add support for 128-character site names. |
66097 |
Path MTU is incorrectly calculated when the same source IP and destination IP address pairs are present in two different VRFs. |
66252 |
VOS instance on OpenStack and SR-IOV enabled interface results in a continuous crash. |
66395 |
The show ospf neighbor brief CLI command may restart the routing CLI process, causing the show command to fail. |
66435 |
SNMP Get/Walk failure seen because the Redis database is cleared, leading to failure of the SNMP walk. |
66583 |
The device model, SKU, and serial number are now available in an additional MIB container that does not require the serial number as a key. |
66599 |
The show orgs org organization-name sd-wan statistics vni CLI command for TX BPS and RX BPS is now displayed in bits per second instead of bytes per second. |
66617 |
The staging.py script saves the staging.cfg file to the current directory; however, some scripts search for it in /opt/versa/scripts. The new behavior saves the configuration in both locations. |
66768 |
A memory leak in the QoS data structure may occur when preclassified packets arrive over a cross-connect link from the peer and if App-QoS policy is configured on the device. This issue has been fixed. |
66789 |
A core occurs in the routing CLI transformer process when you move the terms of a redistribution policy after a previous commit to delete a routing instance that was using this redistribution policy for instance import. This issue has been fixed. |
66817 |
With packet replication and per-packet load balancing, packets are cached and released from the buffer to reorder out-of-order packets. In some cases, the released packets use stale, which can cause Versa services process to crash. This issue has been fixed. |
66856 |
Deleting a routing instance sometimes causes a service restart because of a crash. |
67147 |
Changed the behavior to propagate the origin of a BGP route in VRF to Layer 3 VPN and vice versa, by default. This is overridden by the origin if it is configured in the redistribution policy. |
67168 |
The SCP command has been enhanced to filter any extraneous arguments passed to the command. |
67179 |
When the first packet of a captive portal session is a non-SYN packet, processing this request may result in a crash and service restart. |
67253 |
Application route cache show command was causing a crash when a user-defined application was deleted. |
67266 |
Speed test to public Internet speed-test servers does not work. |
67276 |
SD-WAN steering policy is now applied to traffic originating from another branch and steered to another branch. Earlier, SD-WAN steering was not allowed when the ingress and egress were SD-WAN branches. |
67404 |
Versa service process may crash when VSA is enabled with TCP optimization auto-mode. This issue has been fixed. |
67446 |
Fix an issue with Versa 810 devices sometimes reporting incorrect power supply status “Either PSU2 cable is unplugged or PSU2 is unplugged”. |
67456 |
Externally authenticated users belonging to the admin group could not run show alarms or other privileged CLI commands. This issue has been fixed, and these users can now run these commands. |
67491 |
Modified the default method of defining strings in the CLI to use quotes instead of backslash. |
67583 |
WWAN username field length has been increased from 31 characters to 63 characters. |
67598 |
Unable to onboard branches/controller with vni subunits in the 40x[6-9] because of an invalid regex in the YANG definition. |
67629 |
The routing process may crash when you issue a CLI command to display the BGP route table for a specific routing instance and an extended community. This issue has been fixed. |
67659 |
Enhance show interface info CLI command to include DSL interface information. |
67707 |
Fix an issue with timezone settings that occurs if /etc/localtime is not a symbolic link. |
67751 |
If a redistribute policy contains a set-community attribute and is used for redistribution to OSPF, commit fails with a cryptic message. This issue has been fixed. Now, a more descriptive error message is shown. |
67817 |
The show log CLI command has been modified to scan only the /var/log/ directory. |
68087 |
When an ifTable MIB walk is followed by a show interface vni/x/x, the versa-infmgr process restarts, causing the service to restart. |
68103, 68124 |
Management and configuration process may crash when a VOS device is upgraded from Release 16.1R2S10.4 to Release 20.2.2 because of an invalid tenant ID in the SNMP query. This issue has been fixed. |
68157 |
Fix the timeout error displayed in the show orgs org-services organization dns-proxy profile-monitor CLI command. |
68198 |
Fix an issue in handling modification of LEF profile in ADC module, resulting in missing ADC logs on Versa Analytics. |
68226 |
Versa services crashes because of incorrect reference counting of IP routes. This issue has been fixed. |
68266 |
If a PPPoE interface receives a PPP reset from a peer and not from the PPP server, the PPPoE interface stays down and does not transition to the Up state until a service is restarted. |
68516 |
DSL interface uptime is included in the CLI output for troubleshooting assistance. |
68677 |
Versa services process crashes because of a malformed packet recovered by FEC module. This issue has been fixed by dropping the malformed packet. |
68911 |
After unsuccessful attempts to ssh login as root, the root account may be disabled. This prevents running sudo su to drop to the root shell. This issue has been fixed. |
69080 |
On clicking Menu and navigating to any option on Advantech devices with LCD screens, the lcd4linux service continuously invokes the command to fetch system status at a high rate. On systems with TACACS+ accounting enabled, this leads to a large buildup of account records, causing a memory overload of the versa-vmod process. |
69114 |
Allow special characters in the SCP password field. |
69175 |
If the IP lookup database is corrupted, services do not start because of continuous restarting of Versa services. The process has been made more resilient and continues to run if the database is corrupted. |
69188 |
Installation of a security pack (SPack) was reporting a failure even when it was installed successfully because it took more than five minutes. The timeout has now been extended to 10 minutes to accommodate a slower installation. |
69282 |
On Rangeley (C2xxx) CPU-based systems, if the QAT is stressed by traffic requiring crypto processing, the Versa service process may stop all further processing of crypto traffic, requiring a restart to recover the system. |
69369 |
When you apply a configuration change that reconfigures the Layer 3 VPN module, you may see a core in the routing process. |
69409 |
The show arp kernel CLI command incorrectly displays all entries as permanent (local). |
69430 |
Address group objects that reference other address group objects defined later in the configuration cause the versa-vsmd process to crash, and services restart. |
69452 | The packets from the uCPE-Mgmt interface get routed to the global routing-instance, which results in connectivity issues. This is now fixed by adding an iptables filter rule in the global routing-instance to drop such packets from the uCPE-MGMT interface. |
69461 |
A rapid continuous link flap on a local site may result in a remote site still having a route even if all SLAs towards this site are marked down. |
69517 |
The static source NAT and twice static NAT are bidirectional NAT policies for which sessions can also be initiated from the server-to-client (out to in) direction. For such sessions matching the NAT policy in the server-to-client direction, the reevaluation of the NAT policy was not correct and resulted in the NAT session being torn down. |
69582 |
TCP optimization auto mode does not work for IPv6 traffic. |
69815 |
Moving existing BGP neighbor addresses to a new BGP group causes a commit failure. |
69921 |
When the same application is defined in two different organizations in a VOS instance, the application reporting is not consistent. It may report correctly in one organization but not the other. |
69935 |
The ipsecIkeDown and ipsecIkeUp alarms do not have matching alarm key values and cause the SNMP application to not reconcile. |
69956 |
LEF multithread statistics aggregation issue may lead to incorrect statistics reports. |
69991 |
For the Ubuntu 18.04 OS, incorrect interface speeds are reported for some types of network interfaces. |
70029 |
TCP MSS on an unencrypted SD-WAN tunnel does not adjust up, but rather it stays the same as the encrypted tunnel MSS. |
70036 |
The show system status CLI command crashes the vmod process because of stale status files. |
70106 |
The "TVI interface type change not allowed" message prevents a template deployment even if the reboot option is selected. |
70185 |
SNMP trap is no longer generated for high disk usage. |
70206 |
When a branch-to-branch SD-WAN tunnel goes down, the IpsecTunnelDown alarm is incorrectly generated. |
70233 |
In an SD-WAN network with a hierarchical set of Controller nodes, if the spoke loses connectivity with T1 controller1 and then at T0 Controllers, the routes of T1 controller1 are selected because the T1 Controller node's IP address is smaller. |
70289 | If both HA quorum and interface/route tracker configurations are changed together and vsh is restarted for the configuration to take effect, the quorum configuration may arrive at RFD before the parent HA configuration because of a configuration order issue. This crashes the RFD, while attempting to save the quorum configuration. |
70314 |
In file-based actions, if the file size limit is specified, downloading any file exceeding that size is not blocked unless the blacklist option is also specified. |
70315 |
Auto-SIM detection issue in CSG300 Series seen with Ubuntu 18.04. |
70363 |
The Don’t-Fragment override configuration option does not work for PIM register packets. |
70366 |
For Ethernet ports using i354 MAC controllers, when the remote end is running at 100M/FD with AutoNeg ON, disabling the port on the local side causes the interface to freeze. In this situation, the local side link LED is Down, while the remote side link LED is still On. To recover the interface from the stuck state, power-cycle the device. |
70604 | SSH public key for a system user does not work. |
70662 |
When a traffic-identification configuration contains more than 200 interfaces, a commit change can take up to 3 minutes. |
70823 |
Security package installation fails if an earlier commit contained more than four attributes configured under system parameters. |
70832 |
Application monitor’s last status of Up remains the same if the WAN interface is disabled and the monitoring threshold is more than 20 seconds (default is 3 seconds). |
70844 | Trusted network does not map SAML token groups attribute to the live users table. |
70893 |
Issues with OCSP monitoring when there is a failure in private-key decoding. |
70906 |
The alarmDevice field in the SNMP trap messages now includes the name of the device originating the trap. Earlier, it contained only the name of the module that originates the traffic. |
71182 |
When SIP ALG is enabled, SIP confirmed dialogs may not be cleaned up, which causes a memory leak over time in the Versa service process. This issue has been fixed. |
71199 |
Organization names with more than 27 characters result in longer term names in Versa Director workflow-generated templates and cause device on-boarding failures. This issue has been fixed. Now, the routing peer policy name, term name, redistribution policy name, term name, and prefix list name can be up to 127 characters. |
71212 |
When captive portal is enabled, a 404 response for an invalid request received on the captive portal port causes the Versa service process to crash. This issue has been fixed by closing the connection when an invalid request is received. |
71256 |
Moving a BGP neighbor address from one BGP group to another is not reflected in the output of the show bgp neighbor brief CLI command and causes inconsistency in the Versa Director and device configurations. This issue has been fixed. |
71310 |
Fix negative value displayed in Versa log collector’s process debug memory statistics. |
71338 |
Fix an issue in loading IPS signatures when the actions specified in the action filter are reject and drop session. |
71397 | Destination site name in the match rule of SD-WAN policy does not work if the site ID is greater than 4096. |
71424 |
SSL handshake fails for domains starting with the letter 'a' in Google Chrome because of a recent CECPQ2 update. This issue has been fixed. |
71437 |
The Versa services process consistently uses high amounts of memory because unused memory is not released to the system. This issue has been fixed. |
71528 |
SASE client may not connect to the gateway when TCP SYN is not retransmitted. This issue has been fixed. |
71543 |
Fix a memory corruption issue in Versa services process, caused because of premature freeing of out-of-order TCP segments used for reassembly. This can occur only if the session is partially offloaded. |
71569 |
Add support for 1K or more static BGP peers by increasing the filter table space. |
71590 |
Versa services crashes if URL filtering or other services that require captive portal support are enabled and if captive portal is not configured. This issue has been fixed. |
71625 | Collector group list does not work. This issue has been fixed. |
71669 |
Memory leak in Layer 2 control process results in high memory utilization when Layer 2 services with STP are enabled. This issue has been fixed. |
71901 |
BGP does not advertise the slave local preference value configured in redistribution policy for a static route when the static route is added after configuring the slave local preference. This issue has been fixed. |
71911 |
Configuration commit fails when a user-defined URL category name contains ‘.’ (dot). This has been fixed by allowing only alphanumeric, '-', and '_' characters during commit check. |
71992 |
Versa services daemon may get stuck in repeated attempts to select an SD-WAN path for a session. This issue has been fixed. |
72189 |
Continuous IKE flaps towards SD-WAN branch appliance are seen on the SD-WAN controller because of mismatch of information between the two modules. This issue has been fixed. |
72198 |
Fix checksum mismatch errors for multiple modules after OS SPack installation when secure mode is enabled. |
72544 | Versa services may restart because of a slow leak in a critical data structure that occurs when SD-WAN tunnels flap constantly. |
Fixed Bugs in Release 21.2.3
Bug ID | Summary |
---|---|
45840 |
SNMP walk fails to fetch SD-WAN policy if address monitors are attached to the policy. |
63230 |
Disabled reloading of ixgbe/i40e drivers during a service restart, which may put an interface in the unknown-list. |
63959 |
Missing error handling in automatic steering caused versa-vsmd service to restart. This is a rare condition. |
63645 |
An optimization in the IPsec module caused regression where IKE sessions sometimes fail with an out-of-memory error. |
64067 |
Missing route updates after controller node restart. |
64533 |
Open source Python package audisp-aaa module, which is used for TACACS+ auditing, has a memory leak. |
65953 |
Reduce the memory used to maintain paired-site map per tenant. Optimize by storing only the needed paired-site map. |
67660 |
Add support for importing private keys using AES-256 encryption. |
69064 |
Because of a timing issue, physical interfaces may not be recognized as vni-x/x and would sometimes appear as unknown-x/x. |
69347 |
Add support for setting the maximum number of URLs per file for URL filtering. |
69649 |
Add pre-upgrade check for package consistency for VOS upgrade. |
70089 |
With isolate-cpu enabled, upgrade causes the Versa services process to keep restarting after the upgrade. |
70601 |
Add support to run file system check automatically during boot for VOS devices running on Ubuntu Bionic to fix any file system errors. |
70908 |
CPE power alarm does not include the appliance name, so the alarm source may be unknown. |
71088 |
Upgrading from Release 16.1R2 to Release 20.2.4 or 21.2.2 GA image causes the SLA configuration under the WAN interfaces of the VOS nodes to not be saved, and so SLA for the WAN interfaces is not enabled. |
71256 |
Moving a BGP neighbor address from one BGP group to another is not reflected in the show bgp neighbor brief CLI command output and causes an inconsistency between the Director and device configurations. This issue has been fixed. |
71485 |
Port bind issue when multiple certificates must be validated by OCSP caused by connect_fail issue because of a single client port. |
71717 |
When you configure the share-aro option for a BGP instance, the controller node may not synchronize some of the routes to a peer when a reconnection occurs. |
72306 |
A core in the interface manager process occurs when a user issues the show interface info org-name CLI command for a specific interface. |
72313 |
QoS interface part of SNMPwalk was stopping because of an interface that was not enabled. |
72319 |
A core in the Versa management process occurs when a user enters the show org org-services adc persistence CLI command for an unconfigured persistence name. |
72363 |
When an SD-WAN network has more than six SD-WAN Controller nodes, the routing process may go into a high CPU state when network failures occur. |
72374 |
Bootup messages were missing on the VOS console running on Ubuntu Bionic. This issue has been fixed. |
72410 |
A race condition caused CGNAT module to crash and restart the services. |
72514 |
Logging related to an error condition in the routing process fills up the logs. |
72610 |
Add support for an additional PLMN for Verizon 311270. |
72792 |
Routing process stops and then restarts because of a buffer overflow caused by a show command printing too many communities in a routing loop situation. |
72915 |
Management traffic from a Director node to SD-WAN branches is sometimes blackholed. |
72953 |
Routing process stops and then restarts when handling an aggregate route for which the discard option is set. |
73079 |
A reachability issue may occur because of improper route installation when a PPPoE interface has different subnets at the two ends. |
73118 |
If you issue a ping or traceroute command to a FQDN destination and also specify a source interface, the command may fail because of a defect in how the dig command output is parsed. |
73234 |
Fix crash triggered by ADC server down. |
73262 |
When an FQDN object is resolved via multiple routing instances and one routing instance stops resolving, the policy module cannot obtain the resolved address from the other routing instances. |
73305 |
Fix an issue in the cloud-init module that deleted Director keys for VOS instances running on AWS. |
73428 |
Multiple IPsec Up alarms occurred without any Down alarms. |
73518 |
Routing peer policy terms that contain prefix lists leave the internal configuration database in an inconsistent state and on box reboot, the Versa routing process (rtd) keeps restarting. |
73587 |
Add support for handling 16K jumbo frames in QAT to perform fast cryptographic operations in hardware. |
73608 |
Issue in DNS zone transfer is fixed by allowing multiple DNS responses in a single query for AXFR/IXFR. |
73702 |
Routing process crashes when running the clear bgp neighbor CLI command. This issue has been fixed. |
73780 |
Crash occurs when selecting the best next hop when all access circuits are down. |
73839 |
Control-VR VRF tunnel interface MTU is not updated with the lowest identified path MTU. This affects the BGP update exchange when using a path with an MTU lower than 1500. |
73896 |
EVPN remote MAC entries are deleted when a Layer 3 interface is removed when the same core virtual router instance is used for the Layer 3 and Layer 2 VPNs. This issue has been fixed. |
73957 |
Versa services process crashes when traffic goes through CGNAT service and an SD-WAN policy configured with a next-hop priority. |
74182 |
DHCP static mapping from a file did not work correctly because of incorrect parsing of the subnet mask. |
74235 |
The isolate-cpu CLI command does not show the current active state of the isolated CPU if the intermediate reboot is not performed. |
74239 |
Versa forward proxy does not work if more than 255 domain patterns are configured in the domain match rule. |
74333 |
If icmp-check is enabled in the DHCP server profile on a VOS device, offering an address takes more time than anticipated, causing the DHCP client to repeatedly request an IP address and then causing the DHCP process to fail. |
74378 |
Packets are dropped on a TCP SIP session after the session idle timeout is reached. |
74429 |
When multiple rollbacks of the IPsec VPN rule configuration are performed, a services process crash may occur. This issue has been fixed. |
74955 |
Fixed private key Export/Preview with TPM-enabled hardware. |
74936 |
Automatically exclude statically mapped IP addresses from the DHCP server's dynamic IP address pool. |
74976 |
Sessions of all GRE encapsulated packets are not load-balanced across all the worker CPU threads. After the fix, the inner tuple is also inspected to load-balance GRE traffic. |
74988 |
IKE route installation in the routing table has an issue after a network disruption when the device has more than 1 million routes. |
75050 |
Fix upgrade script timeout on appliances with large configurations. |
75129 |
Issuing the show interfaces port statistics brief eth-0/0 CLI command on the eth0 management interface causes services to restart. |
75267 |
In the DHCP configuration, if the lease time for an existing DHCP lease profile is changed and at the same time profiles are reordered in a single commit, the configuration change is not propagated correctly to the DHCP server. |
75283 |
CMP server entry missing from address manager database after services restart when OCSP is configured. |
75402 |
SIP INVITE confirm dialog deletion timer has been increased to 6 hours. |
75629 |
BGP does not advertise the configured VRRP slave priority when multiple interfaces are configured as VRRP slaves. This issue has been fixed. |
75704 |
Some access policy rules may be incorrectly removed from the firewall engine during an SPack update after a failed commit, if the failed commit includes any access policy rule changes. |
75967 |
Monitor down with maximum threshold of 60 seconds. |
76115 |
Monitor group state remains in inactive after reboot. The issue is seen when more than two monitor groups are configured. |
76290 |
An externally authenticated user sometimes cannot execute sudo commands without passwords. |
76587 |
When a circuit for a remote site, say B2, is removed, the updates are propagated and consumed by all SD-WAN sites. For example, for a site called B1, when the associated transport paths are cleaned up, corresponding to the deleted B2 circuit, it is important to ensure that the transport path table is not cleaned up. This bug fix adds a defensive check for this purpose. This issue is seen only if all circuits for a remote site are progressively cleaned up. |
76829 |
Incorrect domain name is appended in Option-12 to DHCP Offer and DHCP ACK packets. |
76896 |
Memory leak may occur during SD-WAN policy evaluation. |
76913 |
Do not send LEF logs for file-filtering "allow" action to prevent LEF logs overflow. |
77039 |
Operator (oper)-level users cannot execute python-based commands, such as show alarms. |
77096 |
Internet speed test does not work if you add a captive portal configuration. |
77295 |
For SSL proxy and TLSv1.3, if the server sends a server_hello_retry message, the VOS device sends the server certificate message to the client before the server-side negotiation is complete, causing the SSL connection to fail. |
77357 |
VOS device does not mark host-generated traffic with 802.1p. The P bit is always 0 for host-generated packets (such as SLA). |
77401 |
ICMP packets destined to a TVI or tunnel interface and received on a VLAN-tagged WAN interface are dropped. |
77431 |
The services process crashes on an unprogrammed interface. This can occur if the same interface flaps multiple times. |
77723 |
Packets are dropped on the receiver when a rule switches on the sender side after the session starts. This is a rare case in which a packet is processed through FEC and then, before the packet egresses, APPID detection causes a rule that does not have FEC enabled to match. As a result, the same packet is processed again and the end notification is not sent, causing the receiver to assume that FEC is still active on the sender. |
77781 |
ARP entries are not cleared when a VOS device is the VRRP active node and the interface on which VRRP is configured is shut down. |
77786 |
802.1p rewrite does not work as expected for outgoing fragmented IP packets. |
78021 |
URL ZTP on a CPE with an LTE-only transport interface does not work if the SIM is locked. |
78114 |
SNMPwalk of the VRRP group MIB returns just the first entry and not all the groups. |
78266 |
Unable to configure an attribute policy while using the summary option for aggregate route. |
78357 |
A memory leak occurs in the Versa services process if a packet loops between a VOS device and a peer node when service chaining is enabled. |
78483 |
Display only the active DHCP lease entry for a DHCP client. |
78484 |
Add support for enabling fiber interfaces for V1800 platforms in the default configuration during ZTP. |
78584 |
Monitor does not come up during bootup, resulting in an inactive IP SLA. |
78778 |
Routing process crashes when deleting a routing instance. |
78786 |
Issue in accessing the debug CLI when TACACS+ is used as the authentication mechanism. |
78816 |
Services process crashes when a mobile device management query is enabled for secure access service. |
78817 |
For data traffic, the VOS device that is used as a VRRP active node uses the interface MAC address as the source address in the ARP request or reply for the virtual IP address. This issue has been fixed. Now, the virtual MAC address is used. |
78876 |
Long-lived RTP sessions accumulate memory and cause the Versa service process memory usage to increase. |
79163 |
URL cloud lookup may fail after many days because of a memory leak. |
79449 |
Fix an issue in which the device GUI is not disabled for VOS systems running Ubuntu Bionic. |
79488 |
The VSMD control thread goes into a stuck state when you delete an organization and its dependencies, and services must be restarted. |
79662 |
SRIOV support for i40e interface was not working for VLAN sub interface and host-bound traffic. |
79713 |
Fix a core in the routing CLI transformer process that happens when a user tries to remove the ICMP configuration from the DHCP client options for an interface. |
79998 |
In an SSL proxy deployment, the VOS device must respond to a client certificate request from a server with certificate unavailability and not with the configured decryption certificate. |
80011 |
If you rearrange the terms in a redistribution policy while the policy is being used for redistribution to BGP for IPv6, the Versa routing transformer process may restart. |
80074 |
A memory leak in the Infmgr process may occur under some conditions. |
80241 |
Add a sanity check that prevents a VOS device from crashing when there is an unknown interface or a failsafe interface and you generate a tech-support-dump or issue the show vsm interface detail command. |
80397 |
An IPsec VPN profile with an invalid private key for the certificate causes a memory leak in the Versa service manager process. |
80497 |
When handling handshake failure event and/or when incoming TLS record decryption fails (post handshake), a packet buffer leak in the SSL decryption may occur. |
80537 |
Tenant QoS policer may sometimes skip policing the reverse traffic and only police the forward traffic. |
80541 |
TACACS+ accounting logs may not be sent to the TACACS+ server. |
80590, 81254, 81260 |
Slow memory leak in the Versa vsmd process seen on Controllers and Hub-Controllers. This is observed when branches are unable to establish connections with the Controller, because the objects are created and destroyed in a short time interval. |
80598 |
RFD process may restart during service startup because of a race condition during initialization. |
80707 |
DHCP server on a VOS device stops giving IPv4 address if the interface has both IPv4 and IPv6 addresses configured and the IPv4 address is changed. |
80808 |
Service node group with a zero weight should not be considered for weighted round-robin load balancing. |
80822, 82038 |
In SSL proxy mode, a TLS v1.3 packet containing multiple TLS records is not handled correctly. |
80953 |
In a site-to-site IPsec profile configuration, if the peer address is configured as an FQDN and the FQDN resolves to both IPv4 and IPv6 addresses, the tunnel is not established when the first address returned does not match the local IP family. The fix chooses the correct address family. |
80971 |
RPC error when next-hop address is deleted in the redistribution policy, and then default address is set. During the deletion, the "type" was set to unknown, causing this exception on the VOS device. |
80988 |
Memory corruption is seen while handling a SIP control message with the replaces call-id of another data session that is totally independent. This is observed in networks using Cisco UCM (CUCM) and certain call flows. |
80989 |
ip2usr process memory leak causes slow depletion of system memory. |
81055 |
Packet buffer leak in SSL decryption module occurs when a TLS record spans multiple packet buffers. |
81255 |
Invalidate stale NAT EIF entry when the interface IP address changes. |
81303 |
A port that frequently changes link state during the start of services could potentially leave the port in a partially configured state and lead to a service restart later when the port is actually configured. |
81457 |
Deleting the SD-WAN datapath down and SLA violation alarm configuration also stops the events from getting generated in VersaAnalytics. |
81469 |
Memory leak in the versa-vmod because of SNMPv3 user-accounting records. |
81536 |
In the show bgp neighbor (brief | detail) command, the number of BGP prefix lists displayed is double the actual value. |
81662 |
Improve the traffic shaper performance to decrease anomalies. |
81699 |
When DNS proxy is enabled, address-managed DNS traffic may incorrectly recognize the SNATed proxied transit DNS traffic because of a port clash, causing FQDN resolution to fail. |
81716 |
Upgrade to Releases 21.2.x does not work if shaping is already configured on tvi and tunnel interfaces. |
81784 |
Removed an old upgrade script that was used for an upgrade to an earlier release and that was causing the BFD configuration to be updated incorrectly. |
81818 |
Memory leak in IPS Applayer parser causes a slow memory buildup. |
81860 |
Static route is missing from vunet. Each update to a static route is treated as a delete and an add. When the interface goes down, vunet cleans up the routes, and when the interface comes up, the RTD sends an update of the route when OSPF also points to the same next hop for the route. |
81888 |
When the same FQDN address is configured under two different tenants and one of them is deleted from the configuration, the Versa services restart. |
81924 |
Fixed issue of OCSP signature verification failure. This fix is to delay signature verification till TLS handshake is completed to avoid signature verification failure. |
81940 |
VOS device in SSL Forward Proxy Decrypt mode may restart services. |
81991 |
During an interface up notification, the port's link speed is fetched from two different places. If there is inconsistency in the speed when bringing the interface up, vsmd may crash. |
81992 |
When the underlay transport devices between a branch and a Controller node fragment IKE packets, the Controller node slowly leaks security association contexts, leading to a state in which the Controller node no longer accepts new IKE SA connections. |
81993 |
IKE fragmentation packets that are passed by the tunnel infrastructure to the IPsec module do not have the first segment length set correctly, which may cause incorrect processing in downstream modules. |
82015 |
A core occurs in the routing process due to unwanted handling of the VPN's IPv6 address family. |
82143 |
Captive portal module drops transit packets if the traffic’s HOST header has port numbers that match the captive portal configured port. Not all DIA traffic has port numbers in the HOST header. Port numbers are seen only in the case of an explicit proxy or if the end application explicitly adds port numbers in the HOST header. |
82282 |
Add nomodeset to the default grub configuration to handle an OS upgrade corner case. |
82358 |
In Google Cloud Platform (GCP), if we receive a /32 subnet for DHCP, it is changed to a /30 subnet. |
82432 |
ICMP error packets with an inner header source IP address of 0.0.0.0 can cause a service restart if a CGNAT rule is applied. |
82487 |
Decapsulation context leak from Eth/IP/IPv6-over-GRE packets. |
82570 |
VOS interface ordering on VMware ESXi is now persistent across VM reboots even when new interfaces are added or existing ones are removed. |
82978 |
Fix a commit error that happens when a user is adding new terms to a prefix list and also moving the terms of the routing peer policy that uses this prefix list as part of the same configuration commit. |
83007 |
On a VOS device running Ubuntu 18.04 (Bionic), the disk size reported is more than the actual size because tmpfs file systems are incorrectly included in the calculations. |
83142 |
When a large number of monitor sessions is configured, the Versa services may restart because of a crash in the TCP monitor module. |
83173 |
A dynamic DNS update packet may contain records (such as A/AAAA/CNAME) with a zero length. This is how a client notifies the server to delete a particular record on the server side. While parsing records with zero-length data, the VOS device’s DNS parser fails and does not apply DNS proxy on the packet. |
83193 |
During initialization of VOS services, a TPM 1.2–based CPE may fail because of incorrect logic in the initialization of the TPM chip. |
83737, |
Versa service may restart when SSL proxy or decryption is enabled because of a memory corruption. |
83858 |
The VOS show session extensive CLI command sometimes fails to display output when it is exiting over an IPsec tunnel. |
Limitations and Behavior Changes
The following are the limitations and behavior changes in Release 21.2.
- The global VRRP Unicast Peer IP Address option has been removed. For unicast configuration, use the Unicast Peer IP Address option for the VRRP Group. See Configure VRRP.
- For each DHCP request from a client, the IP address is assigned only when you configure the request match criteria in the service profile and the DHCP request matches all the request match criteria in the service profile. Prior to Release 21.2.1, the client was assigned an IP address even if you configured no request match criteria. This wildcard match is now ignored, and you must ensure that there is a valid rule in the request match.
- Release 21.2.1 includes software that can read optical information from the SFP on Dell VEP4600 vni-0/4 and 5. To take advantage of this, you must upgrade the i40e MAC device NVM firmware to a minimum of Dell version 4.11.
- For the Advantech plugin NIC module NMC-4005, the minimum NVM package version must be version 6.01, to support 1-GB SFP on the ports. To upgrade the package, download the support package from the Advantech website.
- On Dell VEP4600, redundant PSU monitoring and alarms are not supported. To view the current operational status of the device, issue the show device sensors CLI command.
- Do not configure both SD-WAN and DIA bandwidth monitors on the same WAN link. Doing so can cause incorrect calculation of the background traffic, and, if PBF monitoring is enabled, it can also lead to incorrect traffic steering.
- The bandwidth monitor maintains historical statistics to report maximum receive/transmit (Rx/Tx) statistics to PBF for traffic steering. Currently, you cannot reset the historical maximum values of the Tx/Rx statistics.
- The rule-number security rule attribute is deprecated and is replaced with the rule-alias attribute. The upgrade scripts automatically upgrade the system to set the rule-alias attribute to the same value as the rule-number attribute.
- You can enable or disable asynchronous compilation of the IPS rule using the system configuration parameter. The default value is False, which disables async compilation. When you newly configure a device or upgrade a device without an explicit configuration for this parameter, async compilation of IPS signatures is now enabled by default. When you upgrade a device and you do not explicitly configure this value to False, async compilation is enabled as part of the upgrade but the configuration shows the parameter value as False (that is, disabled). Note that this inconsistency is observed only when you upgrade a device on which you have not configured this parameter. After the upgrade, you can enable or disable this parameter, and the configuration displays correctly.
- Asynchronous compilation of IPS signatures (system parameter ips-async-signature-compilation) is enabled by default, and the default ips-action-during-async-sig-compilation is to deny all the traffic with IPS enabled. As a result, traffic drops may occur while the IPS signatures are being compiled. Signature compilation is performed at the start of services, during an SPack upgrade, and during any IPS configuration update.
- It is recommended that you do not set ips-action-during-async-sig-compilation to allow, because this allows traffic that should be subjected to IPS to pass without inspection.
- The rule-alias security rule attribute has been restricted to allow only a single keyword as an alias. Earlier, this attribute allowed text including multiple words.
- Application route cache entries now age out after 1 hour. Previously, these entries were never cleared.
- You cannot add an interface directly under a routing protocol if that interface is part of a network object. This change was made to provide consistent behavior across all routing protocols.
- The number of configurable next-hop priorities has been changed from 4 to 8, and the number of next hops at a given priority is now limited to 8.
- An active–active setup automatically inherits the configured uplink and downlink bandwidth of the paired site's physical interface as the reference bandwidth for corresponding cross-connect links for SD-WAN load-balancing. The values are propagated over MP-BGP, thus eliminating the need for additional configuration (shaping or port uplink/downlink) on the cross-connect link.
- TWAMP-light supports only a symmetric path for one-way metrics.
- TWAMP-light supports performance evaluation only over vni and site-to-site IPsec tvi interfaces. TWAMP-light is not supported on Layer 2 vni interfaces, and it is not supported on IRB interfaces.
- On Layer 2 logical interfaces, dual-tagged packets are processed based only on the outer VLAN tag. The inner VLAN tag is ignored.
- Shaping on IRB and native fragmentation of large Layer 2 frames (those exceeding the MTU) over SD-WAN are not supported.
- The sla-not-met alarm may not be generated for the path from a branch to a Controller node if there is no transit traffic between the two devices. In earlier releases, host-generated traffic was considered as activity, and because there is always control traffic between the branch and the Controller node, any SLA parameter violation triggered an alarm.
- When you want to change the maximum number of tenants and make other configuration changes, you must first change the maximum number of tenants and then commit the change. After this commit, a service restart occurs. Then make the other configuration changes after the restart.
- Whenever you use an SD-WAN or a PBF policy rule to enforce a next hop and thus override routing, you must configure a source zone in the rule in addition to other match criteria to prevent traffic that is not intended for the rule from inadvertently matching it. An example is when you use an SD-WAN or a PBF policy rule to perform application-based DIA. This scenario requires a rule to identify the traffic originating from the LAN (typically, some Intf-<>-LAN-zone). You use this rule to send the traffic to the required transport virtual router (VR), where a second session is created. CGNAT rules are used to source NAT this traffic. If the source zone is omitted in the SD-WAN or PBF rule match condition, the second session also matches the traffic, resulting in a packet loop. Adding the source zone Intf-<>-LAN-zone as match condition prevents the second session from matching the PBF rule.
- The DHCP client configuration is enabled for the out-of-band management interface, eth0, so that it can acquire a DHCP IP address in addition to a static IP address that is already configured.
- SD-WAN sessions (UDP port 4790) on a cross-connect paired device are now shown as versa_sdwan_xconnect instead of unknown_udp. Note that this information is displayed only for traffic originating from a paired site.
- Release 21.2.1 introduces a per-interface path MTU discovery interval. If you do not configure a per-interface interval, the global value is used. If a per-interface configuration is present only on one end of an SD-WAN path, the value is used by both ends.
- When you configure the circuit media as LTE and the LTE interface is the only operational WAN interface, the IKE retry interval becomes 10 minutes.
- The sdwan-branch-lte-only-transport Controller alarm has been added. The Controller node sends this alarm to the Director node via Netconf after a soak interval of 60 seconds. You can also configure this alarm to be forwarded to Versa Analytics. This alarm is triggered when the data path towards a branch is on an LTE-only transport, which is determined based on setting the circuit media to LTE.
- You can modify the CGNAT pool without having to perform a service restart or reboot.
- When an LEF connection disconnects, pending messages are held in queue until the connection reestablishes, which ensures that LEF logs are not lost or dropped. Starting in Release 21.2.1, the default time to hold high-priority messages in the queue is 900 seconds (15 minutes), and low-priority messages are held in the queue for 60 seconds.
- The default number of WiFi interfaces has been reduced from 8 to 4. However, you can still configure up to 8 WiFi interfaces.
- For EVPN multihoming, VOS devices support only manual configuration mode, which is used to derive the Ethernet segment identifier (ESI).
- You can set the packet padding size of the TWAMP-light sender test-session to a value from 27 through 4000 bytes. (From the CLI, use the orgs org-services organization-name twamp-light twamp-light-session-sender test-session test-session-name packet-padding-size command.) This value defines how much to pad each probe packet of the sender test session. The padding is done using pseudorandom data to avoid data compression by WAN optimizers in the packet path. The don't fragment (DF) bit in the IP header is enabled in all probe packets, as mandated by the standard. If you configure the packet padding size to a value greater than the MTU of the interface that the test session is configured to use, IP fragmentation is performed on the packet at the source. If the value is higher than the path MTU of the probe packet but less than the MTU of the interface, the packet is dropped on the path because of the DF bit in the IP header.
- EVPN does not support a hub-and-spoke topology with a Hub Controller.
- Traffic ingress to or egress from a VSA client application is implicitly marked as remote-client zone.
- If you upgrade a Versa speed-test client or server to Release 21.2.1, you must also update the corresponding Versa speed-test client or server to Release 21.2.1. The Versa speed test does not work if one of the devices (Versa speed-test server or Versa speed-test client) is running Release 21.2.1 and the other device is not running Release 21.2.1.
- In Releases 20.2 and later, the BGP AS path loop check behavior has been changed to prevent BGP routes that contain the local AS number of the BGP instance from being installed even when they are received from IBGP peers. (In software releases prior to Release 20.2, an AS loop check was performed only for routes received from EBGP peers.) This change was made to comply with RFC 4271, to prevent loops in all cases. When you upgrade a VOS device from Release 16.1R2 to Release 21.2, if the VOS device is configured such that the overlay AS number is in the BGP AS path to the Controller node, the Controller node no longer installs these routes and therefore does not propagate the routes to other branches. As a result, you might encounter one of the following situations:
  - The local AS number configured in the branch VRF BGP group or neighbor may be the same as the overlay control VR. If so, do one of the following as part of the upgrade:
    - Ensure that the local AS number configured for the group or neighbor in the VRF is different from the overlay BGP AS number in the control VR. If the AS numbers are different, the Controller node does not receive its own overlay AS number in the AS path, and the route is installed.
    - Check whether the default local AS mode is set to mode-2, which adds the configured local AS in the BGP group or neighbor level to the AS path when the route is imported. If so, change the mode to mode-4, which does not add the AS number to the AS path. As a result, this route passes the AS loop check on the Controller node and is installed.
    - Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
  - The AS path received from the BGP peers in the VRF may already contain the overlay AS number. If so, do one of the following as part of the upgrade:
    - Ensure that the customer network does not use the overlay BGP AS number in the control VR, with the result that the Controller node does not receive its own overlay AS number in the AS path and the route is installed.
    - Configure the loops option in the BGP group corresponding to the branches in the Controller’s control VR as well as in the control VR in the branches. This option allows routes with as many loops as specified in the configuration to be installed.
- When you upgrade a VOS device to Release 21.2 on a high-end hardware appliance, QAT is disabled, because a slight performance drop for smaller packets in the pure SD-WAN use case is observed. (High-end appliances include Advantech FWA-3260, Advantech FWA-5020, Advantech FWA-5070, Dell VEP-1485-V240, Dell VEP-4600-V910, Dell VEP-4600-V930, Lanner NCA4010, Lanner NCA5510, Lanner NCA5520, Riverbed EX-6080, Versa CSG1300, Versa CSG1500, and Versa CSG2500.) To re-enable QAT, issue the following commands:
  admin@Branch-cli(config)% set system platform crypto-accelerator-support true
  admin@Branch-cli(config)% commit
  admin@Branch-cli(config)% exit
  admin@Branch-cli> request system restart
- When you use SD-WAN with UTM or an IPsec concentrator, it is recommended that you enable QAT so that the cryptographic functionality, including bulk cryptographic and asymmetric cryptographic operations, can be offloaded and CPU resources can be utilized by other workloads.
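The BGP AS path loop check change described in the limitations above can be modeled to show which routes a Controller node installs before and after the upgrade, and how each listed remedy changes the result. This is an added example, not Versa code: the AS numbers are constructed, all names are hypothetical, and it assumes that the loops option counts tolerated occurrences of the local AS and that branches peer with the Controller node over IBGP.

```python
"""Model of the BGP AS path loop check change described in the limitations.

Added illustration only: the AS numbers are constructed private-range values
and every function and class name is hypothetical, not VOS code or CLI.
"""
from dataclasses import dataclass

IBGP, EBGP = "ibgp", "ebgp"


def import_into_vrf(as_path, group_local_as, local_as_mode):
    """Apply the local AS mode when a branch imports a route from a VRF peer.

    Per the release notes, mode-2 adds the local AS configured at the BGP
    group or neighbor level to the AS path and mode-4 does not. Other modes
    are not described there, so they are rejected here.
    """
    if local_as_mode == 2:
        return [group_local_as] + list(as_path)
    if local_as_mode == 4:
        return list(as_path)
    raise ValueError("only mode-2 and mode-4 are modeled")


@dataclass
class Receiver:
    """A BGP speaker deciding whether to install a received route."""
    local_as: int
    checks_ibgp: bool       # False: pre-20.2 behavior, True: 20.2 and later
    allowed_loops: int = 0  # assumption: tolerated occurrences of local_as

    def accepts(self, as_path, peer_type):
        # Before Release 20.2 the loop check ran only for EBGP peers.
        if peer_type == IBGP and not self.checks_ibgp:
            return True
        return list(as_path).count(self.local_as) <= self.allowed_loops


OVERLAY_AS = 64512        # constructed: overlay AS in the control VR
CUSTOMER_PATH = [65010]   # constructed: AS path learned from a VRF peer


def upgrade_outcomes():
    """Return {scenario: installed?} for the situations the notes list."""
    old = Receiver(OVERLAY_AS, checks_ibgp=False)
    new = Receiver(OVERLAY_AS, checks_ibgp=True)
    new_loops = Receiver(OVERLAY_AS, checks_ibgp=True, allowed_loops=1)

    # Situation 1: branch VRF local AS equals the overlay AS, mode-2.
    clash = import_into_vrf(CUSTOMER_PATH, OVERLAY_AS, 2)
    # Remedies: use a different local AS, or switch to mode-4.
    distinct = import_into_vrf(CUSTOMER_PATH, 64999, 2)
    mode4 = import_into_vrf(CUSTOMER_PATH, OVERLAY_AS, 4)
    # Situation 2: the customer network already uses the overlay AS.
    reuse = import_into_vrf([65010, OVERLAY_AS, 65020], 64999, 4)

    return {
        "pre-20.2: same local AS, mode-2": old.accepts(clash, IBGP),
        "21.2: same local AS, mode-2": new.accepts(clash, IBGP),
        "21.2: different local AS": new.accepts(distinct, IBGP),
        "21.2: mode-4": new.accepts(mode4, IBGP),
        "21.2: same local AS, loops=1": new_loops.accepts(clash, IBGP),
        "21.2: customer path has overlay AS": new.accepts(reuse, IBGP),
        "21.2: customer path, loops=1": new_loops.accepts(reuse, IBGP),
    }


if __name__ == "__main__":
    for case, installed in upgrade_outcomes().items():
        print(f"{case:38} -> {'installed' if installed else 'rejected'}")
```

A path that contains the overlay AS twice (local AS clash plus customer reuse) is still rejected with a tolerance of one, so the loops value has to match the worst case in the network.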
Known Issues
The following are the known issues in Releases 21.2.1, 21.2.2, and 21.2.3:
- On VOS instances based on Ubuntu 18.04, the CLI command to download OS SPacks directly from the Versa cloud instance does not work. As a workaround, use the Versa Director to push OS SPacks to these VOS instances.
- In multicast routing, when you enable the anycast-RP mechanism on a first-hop router, the source information is not shared between anycast-RP peers through PIM register packets. As a workaround, do not enable anycast-RP on a first-hop router.
- When a MAC move occurs between a local and remote site learned over EVPN, the MAC move action configuration does not work.
- If a VOS node is part of an inter-chassis HA pair (active-standby stateful HA), you must first upgrade it to Release 16.1R2S11 before upgrading to Release 21.2.1. When an interchassis HA pair is running Release 16.1R2S9 or later, you must set the probe type to none on both the nodes before the upgrade. Otherwise, the standby device continuously restarts after the upgrade. After the upgrade, you can return the HA probe-type value to the originally configured value.
  To upgrade an interchassis HA pair from Release 20.2.2 to 21.2.1, it is recommended that you upgrade the VOS device from Release 20.2.2 to Release 20.2.3, and then upgrade to Release 21.2.1.
- A tenant-based traffic shaper expects the shaper on the physical interface to be configured on the provider organization. If this is not the case and if you have multitenant CPE or hub VOS instances, you need to perform the commit in two steps. First, delete the shaping configuration from the non-provider organization and commit the configuration. Then, configure the shaper on the provider organization and configure the provider limit on the customer organization, and commit the configuration a second time.
- For a VOS device on which uCPE is enabled (hypervisor installed), you cannot automatically upgrade it from Release 16.1R2 to Release 21.2.1. For assistance, contact Versa Networks Customer Support and see the following Knowledge Base article:
  https://support.versa-networks.com/a/solutions/articles/23000021050
- When you enable the info-validation feature in a stateful HA branch deployment, there might be a huge delay in bringing up the interfaces in the global VRF, and the info-validation client may fail to register with the info-validation server on the peer VNF. As a workaround, restart only the versa-vmod service on the affected VOS device.
- If you configure an SLA profile at the next-hop level in conjunction with configuration application monitors, the SLA profile options to select a path based on the lowest latency and on the lowest packet loss are ignored. To utilize these best-path selection features, configure the SLA profile at the global level.
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Revision History
Revision 1—Release 21.2.1, March 20, 2021
Revision 2—Release 21.2.2, September 12, 2021
Revision 3—Release 21.2.3, August 2, 2022