Consolidated Release Notes for Release 22.1
Versa Analytics Release Notes for Release 22.1
This document describes features, enhancements, fixes, and known issues in the Release 22.1 Versa Analytics software, for Releases 22.1.1 through 22.1.4. Releases 22.1.1 and later are general availability (GA) releases and are supported for use in production networks.
July 1, 2024
Revision 4
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install the Versa Analytics Software
To install the Versa Analytics software, see the Deployment and Initial Configuration articles.
Before You Upgrade
Caution: You must upgrade Analytics nodes to Release 22.1.3 or 22.1.4 before upgrading Director nodes to Release 22.1.4.
Before you upgrade the Analytics software to Release 22.1:
- It is recommended that you upgrade the OS SPack on all Analytics nodes following the steps in Use OS Security Packages.
- To install Release 22.1.1, the Analytics nodes must be running Ubuntu 18.04 (Bionic). If the underlying operating system is not Ubuntu 18.04, upgrade the nodes to Ubuntu 18.04 before you upgrade to Release 22.1.1. For more information, see Upgrade Versa Networks Operating System to Ubuntu 18.04.
- Release 22.1 requires that Analytics nodes run the Fusion database platform; the DSE database platform is not supported. To check whether the database is using the DSE or Fusion package, in Director view, select Analytics > Administration > Version in the left menu bar. If the string in the Database Version field ends with F, the database is Fusion. If it ends with E or does not display any character, the database is DSE.
- If the database is DSE, SSH to any of the analytics or search nodes, and then issue the following command:
admin@versa-analytics:~$ dse -v
4.5.2
- If the database is DSE 4.5.x, upgrade to DSE 4.8 using the DSE migration scripts in the Customer Support article at https://support.versa-networks.com/support/solutions/articles/23000019690
- After you upgrade to DSE 4.8, upgrade the Analytics software to Release 22.1, as described in Upgrade to Release 22.1, below.
- You must upgrade the Cassandra database files on all analytics-type nodes to remove any deprecated sstable files. Upgrading these files is required so that the database is compatible with Release 22.1.1. Upgrading the sstable files can take a fair amount of time, depending on the sizes of the tables. You can perform this check and upgrade the sstable files outside of an upgrade window.
To determine whether any such files are present, issue the following commands on all analytics-type nodes:
sudo find /var/lib/cassandra/data -name '*ka*.db'
sudo find /var/lib/cassandra/data -name '*jb*.db'
If the output of either command displays any files, issue the following command from the shell of all analytics-type nodes to upgrade the sstable files to a version compatible with Release 22.1.1.
sudo nodetool upgradesstables &
Issue the two find commands again periodically to verify that all database files have been upgraded, and if not, please wait until all such files have been upgraded. After all the Cassandra files have been upgraded, the output of the find commands will be empty.
- The Release 22.1 Analytics search engine uses Lucene 8.0. If Analytics search nodes still contain Lucene 6.0 objects, you must recreate the Solr search logs to upgrade objects to Lucene 8.0. For information about determining the Lucene version and upgrading objects to Lucene 8.0, see https://support.versa-networks.com/support/solutions/articles/23000026656-solr-collection-failure-post-upgrade-to-22-1-x.
Upgrade to Release 22.1
Caution: You must upgrade Analytics nodes to Release 22.1.3 or 22.1.4 before upgrading Director nodes to Release 22.1.4.
You can upgrade Versa Analytics nodes to Release 22.1 from Releases 20.2 or any later release. Release 22.1.4 Analytics is compatible only with Director nodes running Releases 22.1.3 or later.
To upgrade to Release 22.1:
- Copy the appropriate binary package file to the /home/versa/packages/ directory on the Analytics node. Ensure that the file has +x execute permission. Alternatively, issue the following CLI command, which copies the file to the /home/versa/packages directory:
admin@versa-analytics> request system package fetch uri uri
- Install the new software package:
admin@versa-analytics> request system package upgrade filename.bin
- Check the status of the Versa services to determine whether they have started by issuing the following shell command:
admin@versa-analytics:~$ vsh status
- If the services have not started, start them:
admin@versa-analytics:~$ vsh start
- Ensure that the Analytics IP addresses are present:
- Search node IP addresses are listed under Search Hosts
- Analytics node IP addresses are listed under Analytics Hosts
- All log collector or forwarder IP addresses are listed under Driver Hosts
- After the upgrade completes, a message may display indicating that you should reboot the system. Even if a message does not display, it is recommended that you reboot the system to account for any GRUB or kernel parameter changes. To reboot the system:
admin@versa-analytics:~$ sudo reboot
After the reboot completes, the Versa services automatically restart.
Checks To Perform after the Upgrade
Starting with Release 22.1, you cannot access the Versa Analytics application using port 8080, to avoid security vulnerabilities. By default, only secure ports 443 and 8443 are enabled on Analytics. Port 8443 is used for communication between the Director and Analytics nodes. When you upgrade to Release 22.1 on Director nodes, the upgrade process automatically changes the northbound interface port number from 8080 to 8443, and it automatically synchronizes the certificates required for SSL communication between the Analytics and Director nodes.
After the upgrade completes, if there is no communication between the Director and Analytics nodes:
- Check whether any firewall rule is blocking communication between the Director and Analytics nodes on port 8443.
- Connect to the Analytics node directly using https://analytics-ip-address:8443 to determine whether it is accessible and reachable using a secure port and that the SSL certificate is valid.
- Log in to the Analytics node using the same username and password as the Director node. If the login is successful, it indicates that RBAC between the Analytics and Director nodes is working using a secure connection. If the login is not successful, install the Director certificates on the Analytics nodes, as described in https://support.versa-networks.com/a/solutions/articles/23000010418.
- Log in to the Director shell and issue the following shell command to check whether the Analytics truststore has been created on the Director node:
admin@versa-director:/var/versa/vnms/data/certs$ ls -tlr versa_analytics_truststore.ts
-rw-rw---- 1 versa versa 1274 Jul 30 05:42 versa_analytics_truststore.ts
- If the truststore file does not exist or if the Analytics certificates were regenerated, resynchronize and import the Analytics certificates by running the vd-van-cert-upgrade.sh script in the shell of the active Director node. This script transfers the Analytics certificates from each of the Analytics nodes configured under the connectors and then imports them. You must restart the Director node for the certificate to take effect.
admin@versa-director:~$ sudo su - versa
versa@versa-director:~$ /opt/versa/vnms/scripts/vd-van-cert-upgrade.sh --pull
For example:
versa@versa-director:.../vnms/scripts$ ./vd-van-cert-upgrade.sh --pull
Pulling Analytics certificates to Director key store
Checking previous version config path
Changing port for [Analytics]
No modifications to commit.
Port Migration completed
VAN Clusters IPs: [ 10.48.189.23 ]
Removing previous analystics cert store
Getting Certificate for : 10.48.189.23
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Santa Clara, O = versa-networks, OU = VersaAnalytics, CN = versa-analytics
verify return:1
DONE
Importing Certificate for : 10.48.189.23
Certificate was added to keystore
Certificates Imported... Requires restart..
Do you want to postpone restart (y/N): N
[sudo] password for versa:
Stopping VNMS service
------------------------------------
Stopping TOMCAT................[Stopped]
Stopping REDIS.................[Stopped]
Stopping NETBOX-IPAM...........[Stopped]
Stopping POSTGRE...............[Stopped]
Stopping SPRING-BOOT...........[Stopped]
Stopping SPACKMGR..............[Stopped]
Stopping NCS...................[Stopped]
* Stopping daemon monitor monit
Starting VNMS service
------------------------------------
Starting NCS...................[Started]
Starting POSTGRE...............[Started]
Starting NETBOX-IPAM...........[Started]
Starting SPRING-BOOT.......... [Started]
Starting REDIS.................[Started]
Starting TOMCAT................[Started]
New Features
This section describes the new Analytics features in Release 22.1. All features are introduced in Release 22.1.1 unless otherwise noted. Releases 22.1.1 and later are backwards compatible with Releases 20.2 and later of the Versa Operating System™ (VOS™) software.
- Aggregator service—To provide a single pane-of-glass view for all VOS devices, you can configure an Analytics aggregator cluster, which can consolidate and aggregate data from multiple Analytics clusters. Aggregator clusters generate aggregated reports by pulling data individually from each of the clusters. Without aggregator clusters, when tenant data is stored on multiple Analytics clusters, you must switch between Analytics clusters to view reports, and there is no consolidated view.
You might choose to deploy multiple Analytics clusters to meet the following requirements:
- Scalability—It is recommended that a single Analytics cluster have a maximum of 2500 VOS devices to ensure easier management and reduce the impact of multiple failures. For deployments of more than 2500 devices, it is recommended that you install multiple Analytics clusters.
- Compliance—You can install regional clusters to meet local data privacy and compliance requirements. For example, you can have multiple clusters to meet the General Data Protection Regulation (GDPR) requirements that data must reside in a specific country or regional boundary.
See Configure Analytics Aggregator Nodes.
- Analytics cluster groups in workflows—You can configure workflows in the Director GUI to automatically generate Controller and branch templates that are compatible with active–active and active–backup Analytics clusters. In the workflow for Controller nodes, you configure an Analytics cluster group, which consists of the primary and secondary Analytics clusters. Then, when you are configuring organization workflows, you select the Analytics cluster group. When you commit the templates to the Controller and branch devices, the appropriate ADC services and LEF profiles are automatically configured on the devices. See Analytics Cluster Groups in Configure a Secondary Cluster for Log Collection.
- Analytics driver statistics—You can view statistics for the Versa Analytics driver program by Analytics node. Select Analytics > Admin > System Status > Log Collector Exporter, and then select the Driver Statistics tab in the main pane.
- Analytics GUI enhancements—The look and feel of the Analytics graphical user interface (GUI) has been updated to be consistent with the Concerto and Director GUIs, as illustrated by the following screenshot.
The general behavior of the Analytics GUI, the organization of the screens, and the fields and buttons on the screens are unchanged.
Note: The screenshots in articles on the documentation portal show both the older GUI and the new GUI, so the screenshots you see may not match what is shown in the documentation articles. Because the general behavior of the GUI, the organization of the screens, and the fields and buttons on the screens are unchanged, you will be able to use the information and procedures in the articles.
- Availability computation optimization—Computing the availability for a tenant with thousands of CPEs can be very resource intensive because of the need to analyze granular data per site. To address this, a rollup task computes the historic availability and stores it optimally so that applications can retrieve it. The rollup task, along with several other improvements to the Analytics application, allows site, link, and path availability to be computed quickly.
- Business-report generation—You can create business reports by loading a business template, which can contain embedded text, images, and queries. When you generate a report associated with the business template, the embedded items are populated. To display business templates, select Analytics > Admin > Configuration > Settings, and then select the Reporting tab in the main pane. For Release 22.1, the number of business templates is limited.
A sample business template is included. You can download and modify the template based on your business requirements.
To download the PDF file for the tenant to the local system, click the Build and Download Report icon.
- Cluster configuration file template—(For Releases 22.1.4 and later.) You can use a template to update the Analytics cluster configuration file, clustersetup.conf. The cluster installation script, van_cluster_installer.py, uses the clustersetup.conf file to configure the nodes in an Analytics cluster. The template for the configuration file is named clustersetup_def.conf. To upgrade to release 22.1.4, compare the clustersetup_def.conf file to your existing clustersetup.conf file to identify new entries. Modify clustersetup.conf and add the new entries from clustersetup_def.conf. (If no clustersetup.conf file exists, create a copy from clustersetup_def.conf.)
admin@Director01$ cd /opt/versa/vnms/scripts/van-cluster-config/van_cluster_install
admin@Director01$ vi clustersetup.conf
For example, if the clustersetup_def.conf file includes the following lines, add them to clustersetup.conf and then modify the values to match your configuration.
[IPTABLE-WHITELIST]
INTERNAL:1.1.1.1, 2.2.2.0/24
MANAGEMENT:3.3.3.3
For more information, see the Set Up an Analytics Cluster section in Perform Initial Software Configuration.
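The comparison described above can be scripted. The following is an added example, not part of the Versa tooling: it reports entries that exist only in the template and then reviews the merged whitelist for invalid addresses or placeholder values left unchanged. It assumes both files use the [SECTION] and KEY:value layout shown above; the sample file contents, [EXAMPLE-SECTION], and example_key are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample files. Only the [IPTABLE-WHITELIST] block is taken from
# the page; [EXAMPLE-SECTION] and example_key are hypothetical.
TEMPLATE = """\
[EXAMPLE-SECTION]
example_key:value

[IPTABLE-WHITELIST]
INTERNAL:1.1.1.1, 2.2.2.0/24
MANAGEMENT:3.3.3.3
"""

CURRENT = """\
[EXAMPLE-SECTION]
example_key:value
"""

# CURRENT after a careless merge: one template placeholder left in place and
# one mistyped address.
MERGED = CURRENT + """
[IPTABLE-WHITELIST]
INTERNAL:1.1.1.1, 10.20.0.0/24
MANAGEMENT:10.20.1.300
"""


def parse_conf(text):
    """Parse [SECTION] / KEY:value text (assumed layout), keeping key case."""
    parser = configparser.ConfigParser(delimiters=(":",), interpolation=None)
    parser.optionxform = str  # do not lower-case INTERNAL, MANAGEMENT, ...
    parser.read_string(text)
    return parser


def missing_entries(template_text, current_text):
    """Return {section: {key: template value}} for entries only in the template."""
    template, current = parse_conf(template_text), parse_conf(current_text)
    missing = {}
    for section in template.sections():
        for key, value in template.items(section):
            if not current.has_option(section, key):
                missing.setdefault(section, {})[key] = value
    return missing


def split_list(value):
    """Split a comma-separated value into stripped, non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def review_whitelist(template_text, current_text, section="IPTABLE-WHITELIST"):
    """Flag whitelist items that are invalid or still equal a template value."""
    template, current = parse_conf(template_text), parse_conf(current_text)
    findings = []
    if not current.has_section(section):
        return findings
    for key, value in current.items(section):
        placeholders = set()
        if template.has_option(section, key):
            placeholders = set(split_list(template.get(section, key)))
        for item in split_list(value):
            try:
                ipaddress.ip_network(item, strict=False)
            except ValueError:
                findings.append((key, item, "not a valid IP address or CIDR"))
                continue
            if item in placeholders:
                findings.append((key, item, "template placeholder left unchanged"))
    return findings


if __name__ == "__main__":
    for section, entries in missing_entries(TEMPLATE, CURRENT).items():
        for key, value in entries.items():
            print(f"add to clustersetup.conf: [{section}] {key}:{value}")
    for key, item, problem in review_whitelist(TEMPLATE, MERGED):
        print(f"review [IPTABLE-WHITELIST] {key}: {item} ({problem})")
```

To use it on a Director node, read clustersetup_def.conf and clustersetup.conf into strings and pass them in place of the constructed samples.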
- Cluster installation script enhancements—(For Releases 22.1.3 and later.) The Analytics cluster installation script, van_cluster_installer.py, is used inside Versa Director to install and set up a new cluster.
This script has been enhanced to perform the additional operations listed below:
- Enable secure connectivity—To ensure secure connectivity between various components running on different nodes of the cluster, you can run the commands in the following steps on the Director node after post-setup is executed.
- Enter “sudo su” and log in as root.
- Enter “cd /opt/versa/vnms/scripts/van-cluster-config/van_cluster_install/”.
- To harden security (for encrypted communication between DB components), enter “./van_cluster_installer.py --secure”.
- To remove hardening, enter “./van_cluster_installer.py --nosecure”.
- Upgrade software on the Analytics nodes—Execute the following steps on the Director:
- Copy/download the binary file that will be used to upgrade.
- Enter “sudo su” and log in as root.
- Enter “cd /opt/versa/vnms/scripts/van-cluster-config/van_cluster_install/”.
- Execute the command to upgrade as shown below. The package can include a relative path or an absolute path.
“./van_cluster_installer.py --pkg-upgrade package”
After the command in Step 8 is executed, the following messages indicate whether the upgrade succeeded or failed.
If at any point the upgrade times out, you can execute the same command again. It will skip the nodes that are already upgraded and upgrade the rest of the nodes.
- Destination prefix reports display—(For Releases 22.1.2 and later.) You can display the top destination prefixes for a source when you drill down on a user or source IP address on the SD-WAN > Site Users tab. To populate data on this graph, the destination prefixes must be exported from the VOS device in the application subscriber logs.
- Digital experience monitoring (DEM)—(For Releases 22.1.3 and later.) You can enable Digital Experience Monitoring in remote secure access clients to periodically monitor end-to-end network and application performance for the user’s device. Secure access clients collect the following metrics on behalf of the user’s device:
- Device (memory, CPU, disk utilization, and battery life)
- Wi-Fi (SSID, signal strength, Rx, and Tx)
- Local network Segment (latency, jitter, packet loss)
- Internet segment (number of hops, and hop-by-hop latency, jitter, and packet loss)
- Applications (DNS lookup time, TCP connection establishment time, TLS handshake time, HTTP latency, time to first byte, time to last byte, latency, jitter, packet loss)
These metrics are exported to Analytics clusters for visibility by the SASE gateway handling the client. The Analytics cluster, in turn, derives an experience rank ranging from 1 to 100, with 1 being the best and 100 being the worst experience for the user’s device and applications it accesses. Analytics also provides in-depth information on the experience at a tenant, gateway, device as well as application level.
You display digital experience views from the Dashboard > Secure Access > Digital Experience tab.
See View Digital Experience Monitoring Dashboards.
- DEM Enhancements—(For Releases 22.1.4 and later.)
- Application map displays breakdown of users by rank
To display the application map, select Analytics > Dashboards > Secure Access > Digital Monitoring > Applications. Then, in the Application User Experience Metrics table, select an application name. The screen displays the DEM Application Server Locations map, which contains the location of the application server and users connected to it.
In Release 22.1.4, the screen can also display the number of users with Good/Poor/Fair rank, as shown below.
- Application map showing gateway locations and users connected to gateway by rank
Select Gateways from the drop-down menu in the upper right corner of the DEM Application Server Locations map to display gateways for the application.
- Traceroute information updated with ISP and ISP location
The traceroute to the gateway and application server has the public IP address of each hop that responds. From the public IP address, we derive the ISP and location of the hop. This helps track the path traffic took from the source to the destination.
- Support for inactivity data in application rank chart
Instead of displaying a blank space in a chart when there is no data, charts display an inactivity bar in the x-axis as shown below.
- Director service account—(For Releases 22.1.3 and later.) A service account is created on the Director node for Analytics clusters to use to periodically synchronize tenants, sites, HA pair sites, appliance tags, and resource tags. After you upgrade to Release 22.1.3, when a user with the admin role logs in to the Analytics platform, a service account with the username analytics_service_account is created, and this username is assigned a random password.
The Director service account regularly synchronizes tenants, appliances, appliance tags and resource tags. The default synchronization frequency is 15 minutes. You can change the frequency using the /opt/versa/var/van-app/properties/application.properties file:
- Appliance and appliance-pair synchronization—Appliances and corresponding HA pairs are synchronized with the assigned Director node at a frequency specified in the cron.appliance.freq entry in the application.properties file. Synchronizing is a two-step process. First, the inactive appliances that exist in the Analytics cluster but that have been removed from the Director configuration are deleted. Second, new appliances from the Director node are inserted on the Analytics node. A similar two-step process is used for site HA pairs to remove and insert pairs.
- Appliance and resource tags synchronization—Synchronization for appliance and resource tags is similar to the synchronization for appliances and appliance pairs. You can change the synchronization frequency using the cron.tag.freq entry in the application.properties file. If there is a mismatch between the resource tag list or the appliance tag list and what is present on the Director node, the new list is updated on the Analytics node.
To reset the password for the analytics_service_account account, select Analytics > Administration > Configuration > Authentication > Service Account.
To display information about the account, in Director view, select Administration > Director User Management > Provider > Users.
You can also create the analytics_service_account account by issuing the following shell command on an Analytics node:
admin@Analytics$ sudo python3 /opt/versa/scripts/van-scripts/director_account_service.py create-director-service-account \
    --host director-hostname --username director-username --password director-password
- Display events lists for Analytics nodes—(For Releases 22.1.3 and later.) The Analytics monitor periodically scans nodes for high resource utilization and provides the potential reason and required action to be taken per Analytics host. This helps you to troubleshoot Analytics resource issues quickly.
From Analytics > Administration > System Status > Log Collector Exporter, select the Events List tab to display the following screen. Then, in the Driver Hosts field, select an individual node or select All to display resource events for Analytics nodes.
- Display OS SPack information for individual Analytics nodes—(For Releases 22.1.3 and later.) You can display SPack information for individual Analytics nodes.
From Analytics > Administration > System Status > Log Collector Exporter > OSS you can display OS SPack information for individual Analytics hosts.
- DNS monitoring logging—You can export DNS monitoring logs and display the DNS monitoring dashboard. See Configure DNS Monitoring Logging in Apply Log Export Functionality.
- Endpoint information logs—(For Releases 22.1.3 and later.) VOS devices export EIP logs when an EIP profile is associated with a policy rule for decryption, microsegmentation, SD-WAN, secure access gateway, and security profiles. See Configure EIP Logging in Apply Log Export Functionality.
- Email configuration settings—You can configure email settings for all connected hosts in an Analytics cluster. The configuration is stored in the Analytics database. In earlier releases, email was configured separately for each connected host in an Analytics cluster, and the configuration was stored in the local filesystem on the host. Note that after you upgrade to Releases 22.1.1 and later, you must reconfigure email settings, because the previous email settings are not migrated to the database.
To configure email settings for all connected hosts, select Analytics > Admin > Settings, and then select the Email Configuration tab in the main pane. To test whether the configuration is valid, click Test Configuration.
- Enable optimized dashboards—(For Releases 22.1.2 and later.) To reduce the time required to load dashboards in large, scaled environments, you can disable the display of some dashboard reports that use many resources. To disable the display of reports, select Enable Optimized Dashboard in the Administration > Configuration > Settings > Display Settings page. To generate these reports, use the reporting tool instead.
- Export QoS status logs by forwarding class—You can export QoS status logs by forwarding class. There are up to four traffic classes and four queues for a maximum of 16 forwarding classes, and they are exported simultaneously. See Apply Log Export Functionality.
- Flexible log filtering—On Analytics log screens, you can right-click and add filters for one or more columns or for an entire row. To clear a filter, click Clear. To copy the entire filter, click Copy Filter.
- GPS location display for sites—(For Releases 22.1.2 and later.) If a device is moving and its GPS location has been sent, the Analytics node shows the last known location of the device on the map.
Example log:
2023-07-20T23:00:00+0000 gpsLocationLog, applianceName=Ananda-Stolen-Device-Site-1, tenantName=QA, generateTime=1689894000, applianceId=0, vsnId=0, tenantId=2, gpsSource=Platform, latitude="37.4148 N", longitude="75.9733 W", gpsDate="2023-01-13 22:54:29 (GPS)", altitude="12.9"
You can also view the last known location under the SD-WAN > Sites > Usage tab.
You can display all appliances whose GPS locations have changed under the Dashboards > System tab.
Drill down to display all locations of a specific device.
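For exported or archived gpsLocationLog records, the same question (which appliances have changed location) can be answered offline. The following is an added example, not Versa code: it parses the log format shown above, converts the hemisphere-suffixed coordinates to signed degrees, and reports appliances whose consecutive fixes are farther apart than a threshold. The 1 km threshold and every log line except the first are assumptions constructed for illustration.

```python
import math
import re
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0088
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')


def _log(ts, appliance, gen_time, lat, lon):
    """Build a constructed log line in the same layout as the page's example."""
    return (f'{ts} gpsLocationLog, applianceName={appliance}, tenantName=QA, '
            f'generateTime={gen_time}, applianceId=0, vsnId=0, tenantId=2, '
            f'gpsSource=Platform, latitude="{lat}", longitude="{lon}", '
            f'gpsDate="2023-01-13 22:54:29 (GPS)", altitude="12.9"')


SAMPLE_LOGS = [
    # Example log from the page, verbatim.
    '2023-07-20T23:00:00+0000 gpsLocationLog, applianceName=Ananda-Stolen-Device-Site-1, '
    'tenantName=QA, generateTime=1689894000, applianceId=0, vsnId=0, tenantId=2, '
    'gpsSource=Platform, latitude="37.4148 N", longitude="75.9733 W", '
    'gpsDate="2023-01-13 22:54:29 (GPS)", altitude="12.9"',
    # Constructed lines: the same appliance one degree further north, and a
    # hypothetical appliance that reports the same position twice.
    _log("2023-07-20T23:05:00+0000", "Ananda-Stolen-Device-Site-1", 1689894300,
         "38.4148 N", "75.9733 W"),
    _log("2023-07-20T23:00:00+0000", "Example-Branch-2", 1689894000,
         "12.9716 N", "77.5946 E"),
    _log("2023-07-20T23:05:00+0000", "Example-Branch-2", 1689894300,
         "12.9716 N", "77.5946 E"),
]


def to_degrees(text, positive, negative, limit):
    """Convert '37.4148 N' style text to signed decimal degrees."""
    value, hemisphere = text.split()
    degrees = float(value)
    hemisphere = hemisphere.upper()
    if hemisphere not in (positive, negative) or not 0 <= degrees <= limit:
        raise ValueError(f"bad coordinate: {text!r}")
    return -degrees if hemisphere == negative else degrees


def parse_gps_log(line):
    """Parse one gpsLocationLog line into tenant, appliance, time, lat, lon."""
    header, sep, body = line.partition(", ")
    parts = header.split()
    if not sep or len(parts) != 2 or parts[1] != "gpsLocationLog":
        raise ValueError("not a gpsLocationLog line")
    fields = {}
    for match in KV_RE.finditer(body):
        quoted, bare = match.group(2), match.group(3)
        fields[match.group(1)] = quoted if quoted is not None else bare.strip()
    return {
        "tenant": fields["tenantName"],
        "appliance": fields["applianceName"],
        "time": int(fields["generateTime"]),
        "lat": to_degrees(fields["latitude"], "N", "S", 90),
        "lon": to_degrees(fields["longitude"], "E", "W", 180),
    }


def haversine_km(a, b):
    """Great-circle distance in kilometres between two parsed fixes."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def moved_appliances(lines, threshold_km=1.0):
    """Return (tenant, appliance, km) for appliances with a jump above threshold."""
    tracks = defaultdict(list)
    for line in lines:
        fix = parse_gps_log(line)
        tracks[(fix["tenant"], fix["appliance"])].append(fix)
    moved = []
    for (tenant, appliance), fixes in sorted(tracks.items()):
        fixes.sort(key=lambda fix: fix["time"])
        farthest = max((haversine_km(a, b) for a, b in zip(fixes, fixes[1:])), default=0.0)
        if farthest > threshold_km:
            moved.append((tenant, appliance, round(farthest, 1)))
    return moved


if __name__ == "__main__":
    for tenant, appliance, km in moved_appliances(SAMPLE_LOGS):
        print(f"{tenant}/{appliance}: moved {km} km between consecutive fixes")
```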
- IPsec tunnel statistics—You can export IPsec tunnel statistics from VOS devices by enabling the associated LEF configuration. You can view the statistics from the Analytics > Dashboards > System > Interfaces > Tunnels dashboard.
- LCED statistics for logs exported and archived—(For Releases 22.1.2 and later.) For the log collector/exporter, you can display tenant-level statistics about the number of logs archived and exported. These statistics are sent to the Analytics node every 5 minutes.
To enable the statistics from the CLI:
admin@Analytics% show log-collector-exporter settings
tenant {
    stats-enable true;
}
To enable the statistics, in Director view, select the Analytics tab, and then select Administration > Settings > Log Collector Exporter > System > Other Settings:
- LEF settings for application performance monitoring—You can stream performance-monitoring logs to a non-default LEF profile. See Configure Historical APM in Configure Application Performance Monitoring.
- LEF setting for alarm logs—You can stream alarm logs to a non-default LEF profile. In Appliance view, select Objects and Connectors > Connectors > Reporting > Logging Export Function, and then select the Profiles tab in the main pane. Next, select a LEF profile to display the Edit Profile popup window, and then click Default For Alarms.
- Log collector exporter enhancements—The following enhancements have been made to the log collector exporter:
- The cluster node’s system logs can be exported to an external syslog server through the rsyslogd daemon—(For Releases 22.1.4 and later.) Configuration is available through the CLI.
admin@Search1$ cli
admin@Search1> configure
admin@Search1% show system syslog
server 10.48.189.23 {
    port 514;
    enabled;
    selector 123 {
        facility-list [ all ];
    }
}
The configuration options are listed below.
- Exporter rule configuration to match alarm logs based on alarm text—When you configure export rules for the log collector exporter program, you can match alarm logs based on alarm text. You can match up to four alarm text strings in match criteria per exporter rule. Issue the following CLI command on the Analytics node running the log collector exporter:
admin@Search1% set log-collector-exporter exporter rules alarm-rule match features alarm-log alarm-text list
- Exporter rule option to set Kafka topic map to send logs to specific topic—When you configure export rules for the log collector exporter program, you can enable streaming of logs to a Kafka cluster with different Kafka topics per exporter rule. Issue the following CLI command on the Analytics node running the log collector exporter:
admin@Analytics% set log-collector-exporter exporter rules threat-rule set parameters topic topic-map-number
The topic map number is an integer between 1 and 7, and corresponds to a topic map number assigned in the remote collector Kafka configuration. The following example associates topic map number 1 to topic name HI-PRI for a remote collector named kafka1.
admin@Analytics% set log-collector-exporter remote collectors kafka1 kafka topic-map 1 topic HI-PRI
- Console timeout and SSH client alive interval—You can configure a console timeout period and a secure shell client-alive value from the Analytics CLI.
To configure a console timeout, issue the following command from the CLI on the Analytics node:
admin@Search1% set system console idle-timeout seconds
To configure SSH client-alive interval values, issue the following command from the CLI on the Analytics node:
admin@Search1% set system ssh client-alive-interval seconds
- Logging control setting for alarms—You can stream security session logs to a non-default LEF profile. In Appliance view, select Services > Next-Gen Firewall > Security Settings > Logging Control, and then click the Edit icon and select a LEF profile in the Sessions pane.
- Obfuscation—(For Releases 22.1.2 and later.) You can configure custom user roles in Director with the USERNAME_OBFUSCATION privilege.
When users associated with this custom role access Analytics screens, user information in all reports containing usernames is obfuscated.
- Reporting enhancements—The following enhancements have been made to reports:
- Access to saved reports—You can control access to saved reports by setting the reports as Private, Shared, or Shared Read Only for users with tenant RBAC roles.
To set report access, select Analytics > Reporting > Build to access the report template builder. Then, add at least one chart or table, and then select the Save template icon to display the Save and Schedule popup window.
In the Access field, select the access option:
- Private—Tenant user who created the report and provider users with tenant access can view, edit, and delete the report.
- Shared—Any tenant user and provider users with tenant access can view, edit, and delete the report.
- Shared Read Only—Any tenant user and provider users with tenant access can view the report. Only the tenant user who created the report and provider users with tenant access can edit and delete the report.
The following example screenshot shows reports created by user tenantuser1. The reports are configured with different access permissions.
A separate user for the same tenant, tenantuser2, can view only shared and shared-read-only reports, as shown in the following screenshot.
When tenantuser2 tries to delete a shared-read-only report, the operation is not permitted, as shown in the following screenshot. Shared reports can be deleted by any tenant user.
- ALS usage statistics—(For Releases 22.1.2 and later.) You can generate ALS usage statistics reports from the on-premises (client) Analytics cluster for a tenant. In multitenant environments, if you click Include Subtenants, the reports include per subtenant statistics.
You can generate an ALS usage event report from on-premises (client) Analytics clusters for a tenant.
- Analytics cluster usage—(For Releases 22.1.2 and later.) The Analytics cluster usage report for a provider tenant displays data for each subtenant. If you do not click Include Subtenants, only provider-level statistics display.
- Appliance usage report type—(For Releases 22.1.4 and later.) A new report for per-tenant, per gateway/branch utilization is available under Analytics > Reporting > Build > Builders by selecting service System and report type Appliance Usage in the report template builder. Selecting option “Include Sub Tenants” will include per sub tenant data, as follows:
- SD-WAN site HA-pair availability—(For Releases 22.1.3 and later.) You can display a report of the combined availability of HA-pair SD-WAN sites under Dashboards > SD-WAN > Sites. This report merges availability data for the HA pair sites. The states Up, Down, and Degraded apply to the site HA pair. When any site is available for a time period, the collective availability state is Up. If either of the two sites is up, but one of them is degraded, the collective availability of the pair is Degraded. If both sites are down, the HA-pair status is Down.
- SD-WAN sites and link availability reports—(For Releases 22.1.3 and later.) You can sort SD-WAN site and link availability reports by ascending and descending metrics.
- SD-WAN statistics block—(For Releases 22.1.4 and later.) In the SD-WAN dashboard statistics block, the Site with Threats tile name is changed to Sites with Security Incidents.
On drilldown, per-site statistics for various security threat functions are seen as follows.
This report requires SD-WAN appliances to be running Release 22.1.4, as it uses the new log type secStatsLog.
- SD-WAN user report group by IP prefix—(For Releases 22.1.2 and later.) You can group the SD-WAN usage report with user IP addresses by prefix to generate aggregated reports.
- Tenant usage report type—(For Releases 22.1.4 and later.) A new report for per-tenant utilization is available under Analytics > Reporting > Build > Builders by selecting service System and report type Tenant Usage in the report template builder. Selecting the “Include Sub Tenants” option will include per sub tenant data, as follows:
- Reporting template customization—You can customize reporting templates with your enterprise logo, fonts, and color, from the Analytics GUI. In earlier releases, you had to save a template file in the /opt/versa/var/van-app/templates/reporting directory on the Analytics nodes.
To customize report templates, select Analytics > Admin > Settings, and then select the Reporting tab in the main pane.
You can upload a Microsoft Word-based template for a specific tenant.
The uploaded template displays in the PDF Template field on the Save and Schedule popup window that you use to save a report template. When you generate a report from the report template, the PDF template indicates how to format the report.
- Resource tag-based RBAC—On a Director node, you can associate one or more labels, called resource tags, with a VOS device. You then use the resource tags to restrict user accounts so that they can view only specific devices on Director and Analytics nodes.
To configure resource tags for a VOS device, in Director view select the Administration tab in the top menu bar, and then select Appliances in the left menu bar.
Click the Filter Column icon, and then click the Resource Tags box. The Resource Tags column displays in the table in the main pane.
In the Resource Tags column, click the Edit icon in the row containing the VOS device. The Edit Tags popup window displays.
In the Tags field, enter a list of resource tags, pressing the Enter key between each tag. Tags are automatically converted to icons as you press Enter. Click OK to save the tags. In the example above, resource tags Branch and Branch1 are associated with VOS device SDWAN-Branch1.
To associate the resource tag with a role, in Director view select Administration > Director User Management > Resource Tags > Tenant Resource Tags, and then click the + Add icon in the main pane.
Select a role in the Role Name field, and then enter a list of resource tags in the Tags field. Click OK.
To associate the role with a user account, select Administration > Director User Management > Organization Users, and then in the main pane select a user account. The Edit Organization User popup window displays.
Select the role you associated with the resource tag. In the example above, user Branch1User is assigned role Branch1Role. This role is associated with resource tag Branch1 which is associated with VOS device SDWAN-Branch1.
When a user logs in and accesses the Analytics tab, only data related to VOS devices associated with the resource tag displays.
- Rolling restart—(For Releases 22.1.3 and later.) A rolling restart allows you to safely restart Solr and Zookeeper by refreshing all available nodes in sequential order. To perform a rolling restart, select Administration > System Status, and then click the Refresh button. To display the status for individual components, click the Refresh Status icon near the Rolling Restart button. The Analytics cluster nodes listed on the following screen include analytics, search and driver hosts.
- SaaS application active monitoring reports—You can export active SaaS application monitoring logs. See Configure SaaS Application Monitoring.
To display the active APM dashboard, in Director view, select Analytics > Dashboards > SD-WAN. Then, in the main pane, select a VOS device from the second drop-down menu, and then select APM > Active APM. The following screen displays.
Active APM logs use syslog identifier activeAppMonLog, as shown in the following example.
2023-04-27T18:21:38+0000 activeAppMonLog, applianceName=SDWAN-Branch1, tenantName=Tenant1, mstatsTimeBlock=1682619710, tenantId=2, applianceId=1, vsnId=0, actMonPktsSent=100, actMonPktsRecv=88, actMonLatency=3677, actMonLoss=12.00, actMonJitter=556, appMonName=GMAIL, appMonType=icmp, routingInst=WAN1-Transport-VR, networkPrefix=142.251.46.165/32
- Site and link availability pagination—You can paginate reports, for example, when there are a large number of sites or links, to avoid a delay in loading the report data.
- Unknown host-bound packet report—(For Releases 22.1.2 and later.) You can track unknown host-bound packets under Logs > Exception Traffic.
- User configurable TACACS+ port—(For Releases 22.1.3 and later.) You can configure TACACS+ server ports using the Administration > Configuration > Log Collector Exporter > System tab. Select the External Authentication tab, and then click Edit.
- Versa Analytics driver settings—(For Releases 22.1.4 and later.) The Versa Analytics driver (also known as VAN Driver) is used for ingesting logs into Analytics and search engines. The following performance tuning parameter settings can be configured from Admin > Configuration > Log Collector Exporter > System > Driver Settings.
- Analytics Batch Max Size: Maximum number of logs per batch. The default value is set to 50. Can be configured in the range of 1 to 1000. If the database is heavily loaded, a large batch size can cause database slowness.
- Analytics Batch Min Size: Minimum number of logs per batch. The default value is set to 10. Can be configured in the range of 1 to 100.
- Analytics Max Concurrent Batch: Maximum number of concurrent batch write queries an Analytics driver process sends to the Analytics database. The default value is set to 1000. Can be configured in the range of 1 to 2000. If the database is heavily loaded, a large number of concurrent batches can cause database slowness.
- Search Stats Aggregation: Search statistics aggregation is useful for aggregating search fields into the database for faster retrieval of summary reports. We recommend that it be kept enabled. Can be disabled, in which case the queries are sent directly to the search engine.
- Driver Process Count: Number of Analytics driver processes running in parallel. Can be configured in the range of 1 to 4.
NOTE: Any change in the above parameters will result in a restart of the driver process.
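The activeAppMonLog line shown earlier, in the SaaS application active monitoring item, can be parsed strictly before it is forwarded to a SIEM or alerting pipeline. The following is an added example, not Versa code: the required-field list is taken from that single sample line, and treating actMonLoss as the percentage of probes lost is an inference from the sample's counters (100 sent, 88 received, loss 12.00).

```python
import ipaddress
from datetime import datetime

INT_FIELDS = ("mstatsTimeBlock", "tenantId", "applianceId", "vsnId",
              "actMonPktsSent", "actMonPktsRecv", "actMonLatency", "actMonJitter")
# Assumption: every field present in the page's sample line is mandatory.
REQUIRED = INT_FIELDS + ("applianceName", "tenantName", "actMonLoss", "appMonName",
                         "appMonType", "routingInst", "networkPrefix")

# The sample line from this page.
SAMPLE = (
    "2023-04-27T18:21:38+0000 activeAppMonLog, applianceName=SDWAN-Branch1, "
    "tenantName=Tenant1, mstatsTimeBlock=1682619710, tenantId=2, applianceId=1, "
    "vsnId=0, actMonPktsSent=100, actMonPktsRecv=88, actMonLatency=3677, "
    "actMonLoss=12.00, actMonJitter=556, appMonName=GMAIL, appMonType=icmp, "
    "routingInst=WAN1-Transport-VR, networkPrefix=142.251.46.165/32"
)


def parse_active_apm(line):
    """Parse one activeAppMonLog line into typed fields; ValueError if malformed."""
    stamp, _, rest = line.strip().partition(" ")
    ident, *pairs = rest.split(", ")
    if ident != "activeAppMonLog":
        raise ValueError(f"unexpected log identifier: {ident!r}")
    rec = {"timestamp": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value field: {pair!r}")
        if key in rec:
            # A repeated key could let a forged value override the real one.
            raise ValueError(f"duplicate field: {key}")
        rec[key] = value
    missing = [k for k in REQUIRED if k not in rec]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["actMonLoss"] = float(rec["actMonLoss"])
    rec["networkPrefix"] = ipaddress.ip_network(rec["networkPrefix"], strict=False)
    return rec


def computed_loss_pct(rec):
    """Loss percentage implied by the sent/received counters, or None if no probes."""
    sent, recv = rec["actMonPktsSent"], rec["actMonPktsRecv"]
    if sent <= 0:
        return None
    return round(100.0 * (sent - recv) / sent, 2)


def consistency_problems(rec, tolerance=0.5):
    """Cross-check the reported loss against the counters in the same record."""
    problems = []
    if rec["actMonPktsRecv"] > rec["actMonPktsSent"]:
        problems.append("more probe replies than probes sent")
    if not 0.0 <= rec["actMonLoss"] <= 100.0:
        problems.append("actMonLoss outside 0-100")
    expected = computed_loss_pct(rec)
    if expected is not None and abs(expected - rec["actMonLoss"]) > tolerance:
        problems.append(f"actMonLoss={rec['actMonLoss']} but counters imply {expected}")
    return problems


def is_valid(line):
    """True only for a well-formed, internally consistent record."""
    try:
        return not consistency_problems(parse_active_apm(line))
    except ValueError:
        return False


if __name__ == "__main__":
    record = parse_active_apm(SAMPLE)
    print(record["appMonName"], record["networkPrefix"], computed_loss_pct(record))
```

Records that fail `is_valid` are better quarantined than dropped, so that malformed or inconsistent log lines remain available for investigation.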
Fixed Bugs
The following are the critical and major defects fixed in Release 22.1.
Fixed Bugs in Release 22.1.1
Note that fixes for all bugs found in Release 20.2.3, in Release 21.1.2, and in Release 21.2.x are available in Release 22.1.1.
Bug ID | Summary |
---|---|
72104 | Fix to display Guest-VNF health monitoring values as floating-point values in the Analytics GUI. |
72448 | Proper usage statistics reporting for remote Solr cluster in the Analytics GUI. |
73053 | Fix Analytics vulnerability issues for HTTP host header attack scenarios. |
76107 | Add configurable property to change Analytics-to-Director request timeouts. |
77022 | Fix for exporting availability information in a user-friendly manner when you use CSV format. |
78639 | Fix for Analytics database schema upgrade failures during software upgrade that caused data to go missing from the GUI. |
80975 | Fix to handle LCED remote collector syslog attribute during configuration change. |
85824 | Fix for missing data in time series charts (fix for data partition key). |
85953 | Scheduled reports are not generated when you use site tags as filters. |
86697 | Fix for versa-spackmgr service start failures on Analytics Lite. |
87006 | Fix to create conditional report with metrics. |
88081 | When a VOS device establishes an LEF session for the first time and sdwanBranchInfoLog is not received, the device is classified as a Controller node. This has been fixed, and now branches are available in the Analytics GUI. |
88614 | You can now add a report with or without a preview. For tenant-level reports with many VOS devices, report generation can take a significant amount of time, and the GUI might time out. You can add reports without preview and scheduling. When the report generation completes, it is available for download in the Completed Reports section. It is recommended that you download table data in CSV format and not in PDF. |
89272 | For Analytics remote collector connections, when the server (remote collector) sends a message to the client (Analytics node), versa-lced on the Analytics node might crash. This issue has been fixed. |
89517 | LCED remote collector Kafka topic size has been increased to 128 characters. |
89712 | Fix for the link and site availability not showing data correctly for certain time zones and ranges because of a data table library issue. |
90553 | Fix for a memory leak when there is a misconfiguration on the TLS remote collectors between the key and the certificate. |
91297 | Fix to display the proper system status in the Analytics GUI when the CPU percentage is zero. |
91345 | Fix to display the proper NTP configuration in the Analytics GUI when the NTP configuration is empty. |
91648 | Suppress irrelevant error logging for the Analytics web application. |
92534 | Fix Analytics reporting to load reports created in older releases properly. |
93450 | Fix for regular deletion of Analytics historical data because of incorrect timestamp handling. |
93841 | Fix to honor Analytics operator role when displaying logs in the Analytics GUI. |
94354 | Add missing alarm subtypes to Analytics remote collector exporter rules. |
Fixed Bugs in Release 22.1.2
Note that fixes for all bugs found in Release 20.2.4, in Release 21.1.3, in Release 21.2.3, and in Release 22.1.1 are available in Release 22.1.2.
Bug ID | Summary |
---|---|
74137 | Add support for the SASE features advanced threat protection (ATP), cloud access security broker (CASB), data loss prevention (DLP), and remote browser isolation (RBI). |
76076 | Add support for the downtime metric in the site and link availability report. |
81440 | The Python plugin to audit process (auditd) uses excess memory. This issue has been fixed. |
82014 | An LCE process (lced) may occur when AAA accounting is enabled. This issue has been fixed. |
82025 | Platforms that support GPS location can periodically send location logs to the Analytics node. Map views now use the live location from the logs. |
91359 | Add support in SD-WAN path-level reporting for setting tags for local and remote sites. |
92566 | Optimize memory for availability reports. |
94367 | Appliance drop-down does not list the device name in the System-Guest-VNF screen. |
93450 | Setup data manager cron job—Upgrading to Release 22.1.2 sets up an Analytics data manager cron job to automatically delete data and to schedule Cassandra repairs and compactions on each node of the cluster. |
93982 | The time-series popup does not show accurate data for different timezones and does not show the correct data, because the drill-down values are not passed correctly. |
94101 | Remove the Refresh option on the Administration page. |
94103 | If the state of the replica from the backend returns as empty, the UI displays it as normal. The state is now shown as Unknown. |
94520 | Fix to use the correct business hour boundaries in reports if you choose a custom time selector for business hours. |
94823 | Fix for breadcrumbs issues. |
95268 | The number of total sites that the metric widget shows might be incorrect. |
95513 | Validate the host IP address's peer connector by deduplicating and checking whether the username and password work. |
95792 | Fixes in reporting to display the previously saved metrics while editing a report. |
96011 | Delete data for availability, and preserve availability data for the full duration of the configured hourly TTL. |
96162 | Add support to detect the search database health and then stream it as alarms to the remote collector. |
96318 | Add support in log collector exporter for performing tenant-level throttling of flow logs. |
96597 | When you try to filter firewall logs in Analytics using Address, Port, or Protocol by adding two or more filters of the same key, you might see an "Invalid filter query" error. |
96778 | Fix for per-pipe CoS statistics not displaying if you select a specific WAN interface. |
96644 | Fix for availability sometimes displaying as negative. |
96772 | Fix for user role settings for default role under Administration > Authentication > Roles Configuration. |
96812 | Add support for MD5 and SHA1 NTP authentication configuration from the CLI. |
96883 | Add support for SCRAM-SHA-512 in the Kafka TLS SASL mechanism for the remote collector configuration. |
96971 | Clean up Solr metadata in ZK. During cluster reinitialization, Solr state was not cleaned up in Zookeeper, which resulted in Collection showing the Down state. The fix cleans up the stale state. |
96977 | Fix for email notifications sometimes not being sent. |
97029 | Add Analytics cluster usage reports for stored and exported logs. |
97303 | Fix a bug with process ID handling for log archive job. |
97764 | Scheduled reports that use site tags are sometimes empty. |
97765 | Fix to refresh reporting schedules periodically. |
97955 | Add support for predefined business report template for ALS usage. |
97986 | Download report was not considering the custom time range selection and business hours. All custom and business hours are now considered. |
98104 | Persist DHCP request expiration timer. The DHCP expiration timer from DHCP logs did not persist. |
98106 | In the SD-WAN traffic monitor log, add forward and reverse flow ID in sdwanFlowMonLog. |
98420 | Add support for deleting log archives using a cron script for archives older than 95 days. The script is set up when you upgrade the software. |
98574 | Fix for PDF file rendering empty values in reporting for when a column is empty. |
98603 | Fix to treat hub-controller as site. Hub-controllers were treated as controllers, and so any roles created with Show Controllers disabled would not see those sites. |
98283 | Fix for slowness in displaying the Administration > Configuration screen when the Analytics node manages a large number of tenants. |
98929 | Disable Cassandra, Solr, Tomcat, and Zookeeper on log forwarders to reduce unnecessary utilization of resources. |
98982 | Add support for encrypted username and password when a user logs in to Analytics directly, to avoid them displaying in developer tools. |
Fixed Bugs in Release 22.1.3
Note that fixes for all bugs found in Release 20.2.4, in Release 21.1.3, in Release 21.2.3, and in Releases 22.1.1 and 22.1.2 are available in Release 22.1.3.
Bug ID | Summary |
---|---|
97376 | Fix to edit firewall log filters with filters that have already been added. |
99505 | In Release 22.1.2, the map configuration settings were not saved. This issue has been fixed. |
100426 | For log forwarders, the application (Tomcat) is stopped deliberately using a script or, in recent releases, using the upgrade path. When you issue the vsh status command, the versa-analytics-app is marked as deactivated instead of stopped. |
100602 | Fix for an issue rendering Google maps. |
100686 | Fix for incorrect data in the scheduled reports for access circuit usage with specific metrics. |
101157 | Fix for an OSM map issue in Release 22.1.2. |
102177 | Fix to log filters when selecting the same column twice for a filter. |
103115 | Enhancements to remote collector TLS to avoid remaining in the blocked state for a long time and to support batching of logs. |
Fixed Bugs in Release 22.1.4
Note that fixes for all bugs found in Release 20.2.4, in Release 21.1.3, in Release 21.2.3, and in Releases 22.1.1, 22.1.2, and 22.1.3 are available in Release 22.1.4.
Bug ID | Summary |
---|---|
71335 | Fixes for Content Security Policy (CSP). |
90239 | Fix to avoid the clustersetup.conf file getting overwritten when upgrading Director. |
99348 | Tenant user roles with show controllers disabled should not show controller data in reports/logs. |
100186 | Cosmetic fix for proper rendering of selected entry in various charts dropdown. |
101043 | Fix to include older alarm logs in search engine read aliases. |
101876 | Added ability to have a custom port configuration for TACACS+ on Analytics. |
103270 | Fix an issue with timeblock computation in summary calculations. |
103381 | Ability to configure remote collector with Kafka configurations from Analytics UI. |
103756 | Disable ICMP timestamp vulnerability fixes. |
104627 | Support for DHCP logs in reporting. |
104633 | Fix an issue with Versa Analytics monitor retry logic for Cassandra connections. |
105130 | Ability to save large reports to disk rather than storing them in the database. |
105162 | Analytics application system monitoring for disk/memory usage default threshold set to 70% instead of 40%. |
105260 | Versa Analytics driver scaling and performance tuning parameter configuration through the UI. |
105448 | Reporting feature optimization fixes. |
105470 | Fix an issue with versa-analytics-app service start in securemode enabled setups. |
105588 | Fix for an issue with SLA violations drill down in tenant insights. |
105772 | Fix an issue with HA pair sync from Versa Director by versa-analytics-monitor. |
105846 | Allow up to 4k open files for versa-lced. |
106160 | Site/Link availability to use only hourly data as daily data is not relevant for this report. |
106201 | LEF should use the uplink/downlink bandwidth on the logical interface (instead of always picking from main interface) if it is configured. This impacts the interface utilization computation. |
106524 | Fix an issue with Analytics UI options for users with tenant roles. |
106658 | Fix for Analytics login failing if there is a special character (@) in the password. |
106783 | Support for refresh button in completed report page. |
106802 | Fix to upgrade inconsistent UI roles configuration in database. |
106887 | Fix a display issue with Firewall-> Source/Destinations for certain filters. |
107078 | Fix an issue with Zookeeper start/stop via monit. |
107274 | Exported report cancellation does not work consistently. |
107386 | Fix a cosmetic issue of log restore status in VAN UI. |
107671 | Fixes for some XSS vulnerabilities. |
107971 | Analytics Admin > Configuration > Settings > Data Configuration page enhanced to show reports by category and tooltip. |
107976 | Fix an issue with drilldown in Appliance Health Monitoring screen. |
108215 | Upgrade Versa Analytics application (Tomcat) to 9.0.87. |
108392 | Ability to get tenant level usage report for SECACC clients. |
108676 | IoT dashboard showing incorrect device count as it was not considering both MAC and IP address. |
108748 | Fix for Google maps not showing icon for the SDWAN site location. |
109054 | Fix an issue with HA-pair sync into Versa Analytics from Director. |
109227 | Analytics log tab for Private Mobility logs renamed to SASE-on-SIM. |
109237 | CPU or memory threshold-breach alarms can be raised by occasional spikes that stabilize before anyone can investigate, and at times the spikes recur many times. When alarms are raised, the top five processes consuming memory or CPU are recorded in the event list written to disk and also logged in the versa-analytics-monitor log. |
109246 | Disable shadow IT feature by default. |
109322 | Fix an issue with incorrect display of category names in summary charts. |
109739 | Fix an issue with mandatory username/password in Email notifications settings. |
109744 | Fixes for incorrect access circuit uplink/downlink bandwidth information in reporting PDF. |
109748 | Remove rolling restart information in exported reports. |
109814 | Fix issues with application cache expiry and refresh. Even when application cache was disabled, sites were fetched from cache. |
109933 | Added new field application in urlfLog and urlReputation in saseWebLog and accessLog. |
109948 | Support for new threatStatsLog for getting count of various threats per type from the VOS. |
110116 | Added ability to test email configuration settings with defaults already stored. |
110117 | Users with administrator privileges should be able to change the access rights of reports created with private access. |
110191 | Fix an issue with rendering of bandwidth values for tenant usage. |
110260 | Fix an issue with display of “Sites with threats” in SD-WAN dashboard. |
110267 | Upgrade Bionic kernel to 5.4.0-181 to address reported vulnerabilities. |
110354 | Fix an issue with updating report with filters in Reporting page. |
110358 | Fix an issue with log archive cleanup script. |
110687 | Fix for PDF report not showing business hour timezone in the header and timeseries charts not showing day in x-axis. |
110740 | Fix an issue with unclean termination of versa-spackmgr service on restart. |
110881 | Disable ability for unprivileged users to create namespaces via sysctl configuration. |
110903 | Disable Log Forwarder nodes from syncing tenant hierarchy/tags. |
111068 | Fix an issue with search statistics in Versa Analytics driver. |
111068 | Fix for VAN usage stats computation when a feature is disabled. |
111114 | Fixes for HA-Pair availability issues. |
111392 | DEM report for a user device CPU/memory/battery utilization over time is incorrect in some scenarios. |
111455 | Fix for incorrect data shown with time selector Last x weeks (x > 1). |
111628 | Added ability to filter based on appliance, user and device name on DEM application user grid data. |
111703 | Support for EIP logs in reporting under Security service. |
Behavioral Changes
The following are behavioral changes in Release 22.1:
- The download functionality for charts in the dashboard is deprecated. In its place, use the reporting tool to generate reports in CSV or PDF format.
- The Analytics software does not support Ubuntu 14.04 (Trusty). Versa Networks provides upgrade orchestration software so that you can upgrade all Versa components from Ubuntu 14.04 to Ubuntu 18.04. For more information, see Upgrade Versa Networks Operating System to Ubuntu 18.04.
- You cannot SSH from a Director node running Ubuntu 14.04 into an Analytics node running Ubuntu 18.04. The Director node must be running Ubuntu 18.04.
- Log in and SSH as the user "versa" will be deprecated in a future release. It is recommended that you transition to the user "admin".
- The Analytics graphical user interface (GUI) has changed to provide a modern look.
- The screens for changing the email configuration have moved to a new tab, Admin > Settings, in the Analytics GUI.
- The database software has been upgraded, which means that the Analytics software upgrade process can take up to 45 minutes to complete, depending on the amount of data on the system. To monitor the upgrade logs from the Analytics node shell, check the /var/log/versa/upgrade.log log file.
- The signature priority field in the Security IDP logs has changed from a numerical value to a string to make it more descriptive. The string values are critical, high, medium, low, and informational. For example, in releases prior to Release 22.1.1, the signature priority field would show as signaturePriority=1. In Releases 22.1.1 and later, the signature field shows as signaturePriority=critical.
Limitations and Known Issues
The following are the known issues in Release 22.1, for Releases 22.1.1, 22.1.2, 22.1.3, and 22.1.4.
Bug ID | Summary |
---|---|
42468 | Search collection creation fails during installation if a hostname is not bound to the IP address on which the search node is listening (the interconnect IP address). As a workaround, use the first IP address in /etc/hosts as the search node's interconnect IP address. |
42469 | If you select a VOS device in a map filter, to change the device name, you must erase the existing name and then choose another name. |
42555 | The standby Director is not responding to REST API calls, so it can be registered until a failover is performed. |
46001 | Maintaining accounting records stops working and starts working after you restart auditd. |
54713 | The secure access dashboard has a Users Map that works only if you select Google maps as the map provider under Administrator > Settings > Display Settings. |
58931 | The site tag in maps is supported only for Google maps. |
59517 | As part of the statistics rollup infrastructure changes for Release 21.2, there is a delay in populating historical firewall source and destination statistics reports in the GUI after you upgrade to Release 22.1. A daily cron job handles migration of historical firewall source and destination data to new rollup infrastructure. There is no impact to new data after the upgrade. The historical data is migrated over time. |
72972 | Under Reporting, when you load a report for a tenant and then click Save, a copy settings displays, with a drop-down that lists the devices for the selected tenant. However, the list is not the correct list of devices for the selected tenants. The behavior is not seen during initial creation of the report. |
95783 | On the Dashboard, Insights is disabled by default, and it is recommended that you do not enable it in Release 22.1. |
95789 | Upgrading to Release 22.1 does not automatically migrate email configuration to new infrastructure. You need to manually update email settings under Admin > Configuration > Settings > Email Configuration. |
95791 | After a new installation of Release 22.1, schema check with /opt/versa/scripts/van-scripts/schema-check.sh does not show the expected schema difference. To validate the schema, run the /opt/versa/scripts/van-scripts/schema-manager.py schema-check script. |
95792 | Editing metrics of an already created report may not show the correct data. As a workaround, create a new report with the required metrics. |
95971 | (For Release 22.1.1 only.) During a greenfield installation, the first time you install an ISO, an OVA, or a qcow2 image, issue the following command on each Analytics node after running the Analytics setup or cluster setup script on that node: sudo /opt/versa/scripts/van-scripts/van-cert-install.sh |
99153 | Manual NTP configuration in /etc/ntp/ntp.servers may get overwritten when you upgrade Analytics software. As a workaround, configure NTP from the CLI to make it persistent. |
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Revision History
Revision 1—Release 22.1.1, May 5, 2023
Revision 2—Release 22.1.2, July 31, 2023
Revision 3—Release 22.1.3, December 30, 2023
Revision 4—Release 22.1.4, July 1, 2024
Versa Director Release Notes for Release 22.1
These release notes describe features, enhancements, fixes, and known issues in the Release 22.1 Versa Director software, for Releases 22.1.1 through 22.1.4. Releases 22.1.1 and later are general availability (GA) releases and are supported for use in production networks.
July 1, 2024
Revision 4
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install the Versa Director Software
To install the Versa Director software, see the Deployment and Initial Configuration articles.
Note: Releases 22.1 and later support only Ubuntu 18.04. For any Director nodes running Ubuntu 14.04 (Trusty), you must upgrade them to Ubuntu 18.04 (Bionic) before you can use Releases 22.1 and later. However, to provide a bridge so that you can upgrade to Release 22.1.1, an Ubuntu 14.04 image of the Director software is being provided. Deploy the Ubuntu 14.04 version of the Release 22.1.1 image immediately before you begin your upgrade to Ubuntu 18.04. For more information, see Upgrade Versa Networks Operating System to Ubuntu 18.04.
Caution: Before upgrading Versa Director to Release 22.1.4, the Analytics nodes must be running Release 22.1.4 or Release 22.1.3 dated May 2024 or later. See Versa Analytics Release Notes for Release 22.1 for information about upgrading the Analytics nodes.
Before You Upgrade to Release 22.1
Before you upgrade to Release 22.1, you must run a validation script to identify any configuration discrepancies, and you must fix them before you start the upgrade process.
Caution: Versa Director Releases 22.1 and later enforce stringent validation checks on configurations. If any of the following Versa Director misconfigurations exist, the upgrade to Release 22.1 will fail:
- Duplicate site or device IDs
- Duplicate paired location IDs
- Missing organization attributes such as VRF IDs or UUIDs
- Authentication connectors with partial information
- Duplicate overlay IP addresses used on different devices
To run the validation script:
- Download the validation script, which is the file versa-director-pre-upgrade-check-package.bin, from the Versa Director software release folder. package is a string that identifies the software package, for example, 20230914-22.1.3 or 20230816-22.2.1.
- Issue the following commands from the Director Linux shell to run the pre-upgrade check script. This script applies any patches that are required so that the validation script can run successfully. If your topology uses a high availability (HA) setup, issue the commands on both Director nodes. Note that performing this step is mandatory.
chmod +x ./versa-director-pre-upgrade-check-package.bin
sudo ./versa-director-pre-upgrade-check-package.bin
The validation script creates the validate.py file and places it in the /opt/versa/vnms/upgrade/scripts directory.
- Run the validation script:
sudo -E /opt/versa/vnms/upgrade/scripts/validate.py -n director-package.bin
Note: The new Director image must be present in /var/versa/packages/vnms/ before you run the validation script.
When the validation script runs successfully, the following console output displays:
INFO - Pre-Upgrade Validation Initiated
INFO - Executing validation script: ha-pair-config-validation.py ...
INFO - Successfully executed ha-pair-config-validation.py
INFO - Executing validation script: auth-connector-validation.lua ...
INFO - Successfully executed auth-connector-validation.lua
INFO - Executing validation script: org-validation.py ...
INFO - Successfully executed org-validation.py
INFO - Executing validation script: ip-address-config-validation.py ...
INFO - Successfully executed ip-address-config-validation.py
If the validation script identifies misconfigurations, it displays error messages and logs the details to the /var/log/vnms/upgrade.log file. The following sample console output shows the error messages that display because of a validation failure:
Note: In the sudo /opt/versa/vnms/upgrade/scripts/validate.py -f xx.x -t 22.1 command below, xx.x is the current software version number, such as 21.1 or 21.2.
[Administrator@StandbyDirector: ~] $ sudo /opt/versa/vnms/upgrade/scripts/validate.py -f xx.x -t 22.1
INFO - Pre-Upgrade Validation Initiated
Pre-Upgrade Validation Initiated
INFO - Executing validation script: auth-connector-validation.lua ...
Executing validation script: auth-connector-validation.lua ...
ERROR - Errors encountered during execution of auth-connector-validation.lua
Errors encountered during execution of auth-connector-validation.lua
INFO - Executing validation script: ha-pair-config-validation.py ...
Executing validation script: ha-pair-config-validation.py ...
INFO - Successfully executed ha-pair-config-validation.py
Successfully executed ha-pair-config-validation.py
INFO - Executing validation script: org-validation.py ...
Executing validation script: org-validation.py ...
INFO - Successfully executed org-validation.py
Successfully executed org-validation.py
INFO - Executing validation script: ip-address-config-validation.py ...
Executing validation script: ip-address-config-validation.py ...
INFO - Successfully executed ip-address-config-validation.py
Successfully executed ip-address-config-validation.py
ERROR - Validation failed for following scripts: auth-connector-validation.lua
Validation failed for following scripts: auth-connector-validation.lua
The following sample snippet from the /var/log/vnms/upgrade.log file explains the failures reported in the output above:
12-August-2020, 12:01:10 __main__ [INFO] Executing validation script: auth-connector-validation.lua ...
12-August-2020, 12:01:10 __main__ [DEBUG] Executing command su root -c "source /etc/profile.d/versa-profile.sh && /opt/versa/util/runlua -n confd -e confu /opt/versa/vnms/upgrade/validate/scripts/auth-connector-validation.lua"
12-August-2020, 12:01:10 __main__ [DEBUG] Command Output of auth-connector-validation.lua" is
12-August-2020, 12:01:12 __main__ [DEBUG] DEBUG badly formatted or nonexistent path - Bad path element "radius-server-details" after: /nms/provider/auth-connectors/auth-connector
12-August-2020, 12:01:12 __main__ [DEBUG] secret is not configured for authentication connector Name versaAuth Type radius
12-August-2020, 12:01:12 __main__ [DEBUG] Command exit status/return code is 1
12-August-2020, 12:01:12 __main__ [ERROR] Errors encountered during execution of auth-connector-validation.lua
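The following added example, which is not part of the Versa software or documentation, parses log text in the format of the upgrade.log snippet above and reports, for each validation script, its result, exit code, and the DEBUG lines that explain a failure. The embedded sample mirrors that snippet; its org-validation.py entries and the truncated final entry are constructed, and the function and variable names are this example's own.

```python
import re

# Log lines in the format of the /var/log/vnms/upgrade.log snippet above.
# The first seven lines mirror that snippet; the org-validation.py lines and
# the truncated final entry are constructed for this example.
SAMPLE_LOG = '''\
12-August-2020, 12:01:10 __main__ [INFO] Executing validation script: auth-connector-validation.lua ...
12-August-2020, 12:01:10 __main__ [DEBUG] Executing command su root -c "source /etc/profile.d/versa-profile.sh && /opt/versa/util/runlua -n confd -e confu /opt/versa/vnms/upgrade/validate/scripts/auth-connector-validation.lua"
12-August-2020, 12:01:10 __main__ [DEBUG] Command Output of auth-connector-validation.lua" is
12-August-2020, 12:01:12 __main__ [DEBUG] DEBUG badly formatted or nonexistent path - Bad path element "radius-server-details" after: /nms/provider/auth-connectors/auth-connector
12-August-2020, 12:01:12 __main__ [DEBUG] secret is not configured for authentication connector Name versaAuth Type radius
12-August-2020, 12:01:12 __main__ [DEBUG] Command exit status/return code is 1
12-August-2020, 12:01:12 __main__ [ERROR] Errors encountered during execution of auth-connector-validation.lua
12-August-2020, 12:01:12 __main__ [INFO] Executing validation script: org-validation.py ...
12-August-2020, 12:01:13 __main__ [DEBUG] Command exit status/return code is 0
12-August-2020, 12:01:13 __main__ [INFO] Successfully executed org-validation.py
12-August-2020, 12:01:13 __main__ [INFO] Executing validation script: ip-address-config-validation.py ...
'''

# "<day>-<Month>-<year>, <hh:mm:ss> <logger> [<LEVEL>] <message>"
ENTRY = re.compile(
    r"^\d{1,2}-[A-Za-z]+-\d{4}, \d{2}:\d{2}:\d{2} \S+ \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
STARTED = re.compile(r"^Executing validation script: (\S+)")
PASSED = re.compile(r"^Successfully executed (\S+)")
FAILED = re.compile(r"^Errors encountered during execution of (\S+)")
EXIT_CODE = re.compile(r"^Command exit status/return code is (-?\d+)")
# DEBUG bookkeeping lines that say nothing about the misconfiguration itself.
NOISE = re.compile(r"^(Executing command |Command Output of )")


def _new_record():
    return {"status": "incomplete", "exit_code": None, "details": []}


def summarize_validation(log_text):
    """Return {script: {"status", "exit_code", "details"}} in log order."""
    results = {}
    current = None  # script whose output is currently being read
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        entry = ENTRY.match(line)
        if entry is None:
            # Continuation of multi-line command output: keep it as detail.
            if current is not None:
                results[current]["details"].append(line.strip())
            continue
        msg = entry.group("msg")
        started = STARTED.match(msg)
        if started:
            current = started.group(1)
            results[current] = _new_record()
            continue
        passed, failed = PASSED.match(msg), FAILED.match(msg)
        if passed or failed:
            name = (passed or failed).group(1)
            results.setdefault(name, _new_record())
            results[name]["status"] = "passed" if passed else "failed"
            if name == current:
                current = None
            continue
        if current is None:
            continue  # summary lines outside any script's section
        code = EXIT_CODE.match(msg)
        if code:
            results[current]["exit_code"] = int(code.group(1))
        elif entry.group("level") == "DEBUG" and not NOISE.match(msg):
            results[current]["details"].append(msg)
    return results


def failed_scripts(results):
    """Scripts that failed or never logged a result (for example, a cut-off log)."""
    return [name for name, rec in results.items() if rec["status"] != "passed"]


if __name__ == "__main__":
    summary = summarize_validation(SAMPLE_LOG)
    for name in failed_scripts(summary):
        rec = summary[name]
        print(f"{name}: {rec['status']} (exit code {rec['exit_code']})")
        for detail in rec["details"]:
            print(f"    {detail}")
```

To check a real node, pass the contents of /var/log/vnms/upgrade.log to summarize_validation() instead of SAMPLE_LOG.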
As the first step in the software upgrade, the validation script runs automatically. If the validation fails, the software upgrade aborts immediately. If the following error is displayed when upgrading to Release 22.1 from the Director CLI, refer to the validation error mitigation guide or contact Versa Networks Customer Support:
Administrator@SDWAN-VOAE1> request system package upgrade package-name
Will restart Versa Director (all processes). Are you sure? [no,yes] yes
Pre-Upgrade Validation Initiated
Executing validation script: org-validation.py …
Successfully executed org-validation.py
Executing validation script: ip-address-config-validation.py …
Errors encountered during execution of ip-address-config-validation.py
Executing validation script: auth-connector-validation.lua …
Successfully executed auth-connector-validation.lua
Executing validation script: ha-pair-config-validation.py …
Successfully executed ha-pair-config-validation.py
Validation failed for following scripts: ip-address-config-validation.py
Pre-Upgrade-Validation Failed. Please refer to /var/log/vnms/upgrade.log for more details.
Caution: For systems running Ubuntu 14.04, before you upgrade to Versa Director Release 22.1, you must upgrade the OS SPacks on all Director nodes to the latest version, which you can find at https://versanetworks.app.box.com/v/osspack or https://upload.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z. If you do not upgrade the OS SPacks, the software upgrade may fail. The OS SPacks upgrade is not required for systems running Ubuntu 18.04.
When you upgrade to Release 22.1 from the Director CLI, the following error may display:
Administrator@director1> request system package upgrade package-name
Will restart Versa Director (all processes). Are you sure? [no,yes] yes
Verify package checksum..
status Some of the packages on this system are not correctly installed, please resolve before upgrading Versa Director
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err:uppercase=bad)
||/ Name Version Architecture Description
=============================================================================================================================
rc amd64-microcode 3.20180524.1~ubuntu0.14.04.2+really20130710.1ubuntu1 amd64 Processor microcode firmware for AMD CPUs
rc intel-microcode 3.20180807a.0ubuntu0.14.04.1 amd64 Processor microcode firmware for Intel CPUs
To resolve this error, issue the following commands from the Linux shell to manually remove the offending packages before you again attempt to upgrade the Director node from the CLI:
Administrator@director1> sudo dpkg --purge amd64-microcode
Administrator@director1> sudo dpkg --purge intel-microcode
To install or upgrade to the Release 22.1 Director software, each Director node, whether a virtual machine (VM) or a bare-metal server, must have a minimum disk size of 150 GB.
If your deployment includes an HTTP proxy, see the section Enable HTTP 2.0 on Proxies, below.
Upgrade to Release 22.1
Caution: Before upgrading Versa Director to Release 22.1.4, the Analytics nodes must be running Release 22.1.4 or Release 22.1.3 dated May 2024 or later. See Versa Analytics Release Notes for Release 22.1 for information about upgrading the Analytics nodes.
To upgrade to Release 22.1, see the Upgrade Software on Headend and Branch article.
Note: When you upgrade HA-enabled Director nodes, if you see the message, "Disable HA before upgrading director to 22.1.x", you must disable HA and then re-enable it after the upgrade of both the active and standby Director nodes.
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command:
Administrator@versa-director> request system rollback to snapshot-timestamp
The Versa Director configuration and image are restored to the state when the snapshot was taken. Note that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation.
Install the Software License for Versa Director
Versa Director is controlled by a software license. To obtain a valid license file, contact Versa Networks Customer Support.
Note the following:
- The Director software ceases to operate after a 15-day trial period, so you must obtain a license key within that time.
- On all newly installed Director nodes, you must run the Director startup script, /opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and interface eth1 for southbound communication towards Versa Operating System™ [VOS™] devices).
VOS Version Compatibility
Release 22.1 of Versa Director is compatible with the following VOS software versions:
- Release 21.1.x
- Release 21.2.x
Release 22.1 of Versa Director is not fully configuration-compliant with other versions of VOS software. If you commit templates or make direct configuration changes in Appliance view to non-compatible VOS releases, the commit or configuration changes may be rejected with an RPC error.
New Features
This section describes the new Versa Director features in Release 22.1. All features are introduced in Release 22.1.1 unless otherwise noted.
- Address object references—(For Releases 22.1.3 and later.) You can view, edit, and delete address object references. See Configure Address Objects.
- Audit logs in GUI and through APIs—You can view audit logs in the Director GUI, and Versa Director provides REST APIs for accessing audit logs.
- AWS transit gateway connect—Versa Director supports native integration with AWS APIs. This allows you to configure an AWS transit gateway to create a transit gateway connection. See Configure Site-to-Site Tunnels.
- Bypass console authentication—(For Releases 22.1.2 and later.) For external AAA, you can bypass console authentication. See Configure AAA.
- Central authentication—(For Releases 22.1.3 and later.) For remote authentication, you can create a user on a central authentication server. See Configure AAA.
- Commit or remove selected templates from the templates applied to devices—You can select an individual template to apply to a device instead of applying all the latest templates to the device. You can disassociate a single template from a device.
- Director GUI enhancements—The look and feel of the Director graphical user interface (GUI) has been updated. Workflows, or wizards, for initial site and VOS device configuration have been added. Buttons have been added in the top menu bar to allow you to directly change the Versa Director view to Director view, Template view, or Appliance view. With the exception of these new features, the general behavior of the Director GUI, the organization of the screens, and the fields and buttons on the screens are unchanged. See Director GUI Overview.
Note: The screenshots in articles on the documentation portal show both the older GUI and the new GUI, so the screenshots you see on your Director node may not match what is shown in the documentation articles. Because the general behavior of the Director GUI, the organization of the screens, and the fields and buttons on the screens are unchanged, you will be able to use the information and procedures in the articles.
- Email notifications for alarms enhancements—You can include additional variables when configuring the email subject, and you can include variables in the message of the email and SMS text message. Note that for existing notification rules (without variable substitution), there are no significant changes, and you continue receiving mostly the same email as before. The only difference is that if you had configured an email subject, that subject shows up as the title in the email message. (In previous releases, the title in all emails is the string "Alarm Alert".) Also, in previous releases, some details about the alarm (such as device name, tenant, severity, alarm type, and alarm text) are included at the bottom of all notification emails. If the email message contains no variable substitution, these details continue to be included. If the email message contains substitution for alarm severity and either for device name or alarm type, these details are not included. This means that, for existing customers, if you do not change their email message, the email content remains the same as before, and if you customize the email body using variable substitution, the email body contains only what you configure, with no redundant details included at the bottom of the message. See Configure Notifications for Alarms.
- Enable inbound access to ports—(For Releases 22.1.4 and later.) You must enable inbound access to ports 9182 and 9183 in Versa Director between an HA pair of Director nodes. See Firewall Requirements.
- RBAC resource tag permission—You can define a resource tag to group objects logically for provider roles and tenant roles. You specify the same tag name for all the objects, such as devices, device workflows, and device groups. When all the objects are logically grouped, you can apply RBAC based on the logical grouping tag.
- SMS text messaging—(For Releases 22.1.3 and later.) The SMS and SMTP notification configurations no longer appear on the same screen. There are now separate SMS and SMTP notification configuration screens. See Enable SMS Text Messaging and Configure SMTP Notifications.
- SMTP notifications—(For Releases 22.1.3 and later.) You can configure Simple Mail Transfer Protocol notifications at the system level and for tenants. See Configure SMTP Notifications.
- Two-factor authentication—When you use external authentication, you can configure two-factor authentication (2FA) to provide additional authentication for users who log in to Director nodes. With two-factor authentication, the user receives an authentication code either in email or as an SMS. See Configure AAA.
- VersaGPT—(For Releases 22.1.4 and later.) The Versa Verbo platform adds support for VersaGPT. See Use Versa Chatbot.
- Webhook notifications for alarms—(For Releases 22.1.3 and later.) When a VOS device generates an alarm, the alarm is sent to the Director and Analytics nodes. On the Director node, you can configure webhooks to forward the alarms and notifications to an external HTTP or HTTPS server and to a ServiceNow platform, and you can then incorporate the notification details into your web services. See Configure Webhook Notifications for Alarms.
Fixed Bugs
The following are the critical and major defects fixed in Release 22.1.
Fixed Bugs in Release 22.1.1
The following table lists the critical and major defects that were fixed in Release 22.1.1.
Bug ID | Summary |
---|---|
81516 | Revert the change "Block LAN routes to Transport VR with DIA". |
82224 | For Director HA deployments, improve the upgrade process for the standby Director node. |
82484 | Default URL for the OS SPack is not correct. |
82965 | Support for external authentication that contained @ character in the name was incomplete. This issue has been fixed. |
83891 | Restrict tenant custom role users to view other tenant data, such as network, interfaces, and system. |
84195 | Do not change the interface naming to ethx when upgrading to Ubuntu 18.04 (Bionic). |
85412 | Unable to commit configuration to a device, with the error message, "RPC error towards device-name: invalid_value: inconsistent value: Interface Manager: ptvixxx is not in same tenant as parent interface tvi-0/x.0". ptvi interfaces are not shown in the traffic identification even though the backend returns the value. |
85823 | After upgrading the Director node to Release 21.2.3, VOS devices stopped receiving Netconf transactions when the devices were monitored by the Director node. This caused many devices to announce license expiration, because the VOS devices depend on receiving Netconf transactions from the Director node to keep the license state intact. (After 7 days of inactivity, the VOS device starts decrementing the 45-day license period.) |
85852 | Routing instance is now mandatory in IPsec VPN Profiles when you use the local interfaces list |
86077 | Director node has been optimized so it can fetch the VOS device OS type using direct SSH during a VOS upgrade. |
86359 | A user logging in as TenantSuperAdmin can see all templates and devices, but when they click any template or device, the following message displays: “No organizations are associated with the device.” |
86632 | Bulk delete of a device group does not have a check in place. |
86882 | In a workflow template, spoke-to-spoke direct has a routing peer policy Import-From-Hubs-Policy (on spokes) with a local preference for hub routes greater than 110. |
87228 | DNS entries were removed from the resolv.conf file after the OS SPack update and reboot of the Director node. |
87944 | The device tag search does not work consistently. |
88103 | Apply template is failing after upgrading the Director node from Release 21.2.2 to Release 21.2.3 if the template or device has a decryption profile with a full proxy. |
88314 | Upgrade spring security to address vulnerability, and fix other REST information leaks. |
88410 | In Release 21.2.3, if you use LDAP and local authentication for Director authentication, with the authentication order local-then-remote, the local authentication may fail. |
89898 | In a shared service template with a parameterized Org-Name, policy and rule reordering in the GUI does not work. |
90038 | When Concerto tries to publish, the Director node may not be able to connect to the Kafka server. The Director node now first checks whether the Kafka server is reachable. |
90075 | Director HA sync state to include the data in bytes, which is not present in the standby Postgres in sync-status.log. |
90291 | During a VOS device upgrade, if sync-from fails, the Director node automatically performs a fetch host key to update the device SSH host keys. |
90291 | If a sync-from appliance fails after a VOS device upgrade, fetch the host SSH keys again to automatically heal the erroneous condition. |
90414 | When you use Active Directory as the default external authentication, the external authentication login may fail, because the ncs_cmd utility used in the external authentication script cannot connect to the configuration database (CDB). |
90617 | Address object search with more than 10,000 records is not working. This issue has been fixed. |
90744 | Deleting a VOS device may fail because of a database transaction ID issue. This issue has been fixed. |
91313 | In a multiregion hub–spoke topology, the import policy on the spoke may set an incorrect local preference (to the highest) for the route received from unused hubs (hubs with no configured priority). This causes the spoke to use the route received from an unused hub in the remote region instead of the hubs in the local region, which have explicit priorities of 1 through 8. |
91947 | SAML login fails with SiteMinder IDP, because the login SAML response from the IDP is parsed incorrectly |
93179 | Under Workflows > Devices, when you enter a hash (#) in the address field, the address after the hash is ignored, causing the Director node to show incorrect latitude and longitude. |
93272 | In Release 21.2.3, the dashboard APIs may fail to pull Monitor APIs using external OAuth, but they still work with basic authentication. |
93816 | You can now configure bridge mode as trunk and add a VLAN list. |
94041 | New AWS regions are not listed when you a device using a CMS connector. This issue has been fixed. |
94074 | Because of an NCS database lock exception of some API calls, subsequent calls are blocked, and config-db goes into a stuck state. |
Fixed Bugs in Release 22.1.2
The following table lists the critical and major defects that were fixed in Release 22.1.2.
Bug ID | Summary |
---|---|
42744 | Add bypass console configuration option under Templates > System > External AAA. See Configure AAA. |
44330 | Display default alarm destinations in the device GUI, and add option to reset. |
46538 | Add ability to edit shaping rate in Organization Limits > QoS tab. |
47784 | Value for VRRP advertising interval field is not mandatory. |
57078 | If you create a template with parameterized value of VLANs with EVPN, the template is rejected. |
57349 | When you edit an organization, adding a role across accounts does not work. This issue has been fixed. |
57693 | Applying a template fails when quotation marks are present in one of the configuration fields. |
67231 | On the Device Bind Data page, the Site_Id__siteSiteID and _Chassis_Id__sitesChassisId fields should be greyed out. |
69642 | Add DHCP as an option in the Device Workflow Bind Data tab. |
71115 | For multiple subinterfaces for Azure virtual WAN (vWAN) and Amazon transit gateway (TGW), always set the BGP local address to be the same as the LAN interface for subinterface 0. |
74211 | Bulk deletion of referenced objects succeeds with no error or warning. |
75653 | TACACS+ user cannot scp a file from remote server to Versa Director. |
77063 | To match based on geolocation for an anycast IP address, the VOS device must recognize the IP address as an anycast address and provide the ability to bypass the geolocation-based match. A configuration option has been added to bypass the geolocation lookup for anycast IP addresses. |
78407 | Deprecate the AP isolation UI and backend. |
79651 | Add support for page number search on the Director Monitor tab. |
80983 | For externally authenticated users, increase the default login timeout from 15 seconds to 30 seconds. |
82544 | The owner and group for the /var/log/lastlog file is not configured correctly. This issue has been fixed. |
82619 | When a standby Director node becomes the active node after a failover, some configuration changes, such as NTP or DNS configuration in Ubuntu, may not take effect on the standby Director node. This issue has been fixed. |
82637 | The device workflow management in custom user roles does not include a Deploy option, thus preventing users with this RBAC privilege from being able to deploy device workflow templates. |
84308 | If the maximum number of authentication attempts exceeds a configurable limit, enforce a lockout. |
84312 | Add support for configurable password strength for administrative passwords. |
84326 | Enforce access banners before web, SSH, and console logins. |
84827 | Add ability to configure how to handle multiple concurrent login sessions on Versa Director. |
86500 | You could change the site ID when redeploying a device workflow. |
87444 | The service start time may not be displayed in the device listing screen. This issue has been fixed. |
87955 | You can now create only one provider organization. |
88136 | When you configure banner for SSH on a VOS device, staging gets stuck at 30 percent. This issue has been fixed. |
89402 | Cannot enable Session Reevaluate and TCP Send Reset in a device template under Edit Session. |
90203 | IPsec shared key parameterization does not work. The parameterized variables are not seen in the bind data. |
90482 | Add new CLI command to display sync status for the designated active and standby Director nodes. |
92397 | You cannot delete system static routes. |
92528 | Increase the max_connection value in the postgresql.conf script. |
93142 | Audit Log API failed for a tenant operator user. This issue has been fixed. |
93799 | The Template Status field in the Director Monitor screen does not populate when you add the field exclusively. This issue has been fixed. |
94054, 96985 | Referrer Policy and Permission Policy headers are missing when you access the Director UI. This issue has been fixed. |
94074 | NCS database was locked while updating global IDs. This issue has been fixed. |
94723 | Tenant super admin cannot see routes in the Monitor screen for their tenant. |
95043 | Add privilege called USERNAME_OBFUSCATION to obfuscate usernames in reports. |
95550 | After you install OS SPack 20230320, RADIUS authentication to GUI may stop. This is a packaging issue and has been fixed. |
95691 | Show end date for installed keys in the output of the vstrial license. |
95800 | Add file limit option for OS SPack. |
95808 | In Objects and Connectors > Objects > Predefined > IP Filtering Profile > Versa Recommended Profile, when you click Versa Recommended Profile, the Reputation-Based Action Names includes only Proxy. This issue has been fixed. |
95820 | Director may assign the same variable name for per-tenant shaping rate. This issue has been fixed. |
95834 | Disable Verbo in the Director UI. |
95956 | Add reporting and logging export functionality for NGFW template. |
95964 | Make login and password for KMIP profile a variable in templates, and ensure that the password is hashed. |
95985 | OS SPack installation may be reported as successful when the installation is actually failing. This issue has been fixed. |
96113 | In Director view, when devices for a tenant are listed, the UI shows all devices from all tenants. This issue has been fixed. |
96192 | Error-403 Current usage API in Director UI, monitor as with TSA user. This issue has been fixed. |
96860 | The Release 22.1 CGNAT UI breaks CGNAT rules in Release 21.2.3: The destination address was missing. This issue has been fixed. |
97194 | When an organization has 500 devices, viewing the device bind data can take more than 20 seconds. This issue has been fixed. |
97369 | When the Director node is running Release 22.1, the RMA of a device may fail because of an upgrade-related issue. This issue has been fixed. |
97460 | Remove scroll bar for routes view on the Monitor screen. |
97478 | You cannot change the VOS admin user login to "cl" or "no login". |
97817 | When the UI sends nothing, the backend defaults to 0 for latitude and longitude. This issue has been fixed. |
98082 | Prioritizing URL reputation over IP reputation is using the wrong categories. This issue has been fixed. |
98262 | In the external authentication remote then local screen, the expiration and interval time information is displayed. |
98284 | Add confirmation dialog before restoring a snapshot. |
98408 | In Director view, when you click the first device in the list, the dropdown shows the second device. This issue has been fixed. |
98509 | Versa Director Bionic image was missing the package munin-node, which was present in Trusty. |
98585 | If a service template contains parameterized variables, the position of a policy or rule referred to by the service template does not update, even if its position in the device group list is lower compared to the other templates that refer to the same policy or rule. |
98868 | Allow IPAM migration when multiple tenants on the same device share an IP address. |
99296 | Cannot add PTVI tunnel interface because it also validates data on the Release 22.1.1 Tunnel Interface tab. This issue has been fixed. |
Fixed Bugs in Release 22.1.3
The following table lists the critical and major defects that were fixed in Release 22.1.3.
Bug ID | Summary |
---|---|
63844 | Selection of non-default regions should be allowed during the CMS connector creation for AWS. |
68625 | During bulk SPack upgrade, the Task status is not updated correctly for the failed devices. |
69677 | Added option to map WAN interfaces to any organization. |
70309 | DHCP relay logging is not supported but logging options are shown in the Director. |
75649 | The Versioned Service template is not pushing the configuration to the device even though the task shows that the template push is successful. |
76197 | VLAN ID parametrization in the template causes the AWS transit gateway device deployment to fail. |
79031 | The Local Auth Shared Key and Identity on VPN profile for staging is grayed out. |
80327 | Package upgrade fails with the error "vnms backup failed" on Bionic. |
83662 | UI does not show all details of the DSL interface in the template workflow when it includes one DSL and one LAN interface. |
84326 | Enforcement of access banners prior to Web/SSH/Console logins is required. |
89844 | Director failover triggers a flood of stale alarm notifications from the new active Director. |
90038 | When Kafka goes down, all the messages are dropped. |
90075 | Director HA sync status is sometimes unreliable. |
91030 | Unable to check the Auto merge diff as it encounters the error message: "prefix "lef" not found!" |
93900 | Device reachability status is shown incorrectly for multiple devices. Multiple devices are shown as UNKNOWN/UNREACHABLE. |
93944 | Domain search under system dns-servers is not accepting two letter suffixes. |
94108 | Unable to delete exceptions on the Edit Proxy Setting page. |
94723 | Tenant Super Admin cannot see routes in the monitor UI for the tenant that includes the Tenant Super Admin. |
96860 | After the upgrade from 21.2.3 to 22.1, the UI does not show the attributes of existing CGNAT rules in the edit mode. |
97219 | CGNAT MATCH IP Address is not an object and is not parametrized in the UI. |
98082 | Prioritizing URL reputation over IP reputation results in the wrong categories. |
98200 | The reason for upload package failure is not included in task error details. |
98816 | The cloned Default Service Template is missing changes. |
99064 | Optimization for alarm summary calls for monitor status. |
99094 | Device name output is truncated for "show devices list" in the Director CLI. |
99470 | Issue with fetching keys while onboarding 16.1R2S11 branches. |
99471 | SAML integration with Google IDP fails due to delay in IDP response processing. |
99569 | SPack installation task gets stuck at 0%. |
99666 | Commits are delayed when the Kafka server is unreachable. |
99742 | The encryption key is shown in plain text in the configuration page when configured from the workflow. |
99956 | Wrong appliance status shown under Monitoring. |
100063 | Anyone can become a root user using the CLI. |
100146 | The custom user screen is populating items for which it does not have privilege. |
100218 | Upgrade fails if the organization name has a space. |
100286 | The organization navigation tree does not show the newly deployed organization until the user refreshes the whole browser window. |
100347 | The spinning wheel rotates indefinitely when a user with the Custom User Role clicks on the Edit OS SPack Config icon. |
100363 | Software images are not listed during the VOS software upgrade. |
100399 | The same Shared Service template association in Device Specific templates for different tenants causes a Duplicate key error. |
100479 | When Concerto users are logged into Director, the Director UI does not display the active users. |
100480 | When Concerto users are logged into Director, changes to Updating Personal Information and Change Session Timeout are not working. |
100491 | Setting an arbitrary value of Content-Security-Policy Header is allowed, which can be exploited. |
100577 | AD users configured with same first name or last name under different OUs are not showing up on the Director. |
100597 | The VLAN min/max range needs to be from 0 through 4094, not 1 through 4094. |
100723 | The device workflow has IPv4 enabled for URL Z, but the corresponding interface on the controller is not IPv4. |
100799 | Device deployment on AWS is failing with the error message: "Error applying post-staging template". |
100810 | The Director node is not receiving keys from the VOS software. |
100811 | Two factor authentication is not working for branch deployment. |
100821 | BGP Extended Community is changing while recreating from the workflow. |
100865 | Config Import fails for Shared Service Templates. |
100869 | Changing the provider-org to sub-org causes a commit template error. |
100976 | Pagination is not present for monitor APIs. |
101098 | Add Service VNF appliance is failing with transport timeout. |
101124 | WWAN password is altered once it is saved. |
101363 | Not able to commit ingress-policer configuration. |
101448 | Bandwidth under WAN subinterface is not created by workflows. |
101496 | Device Type in the Template workflow should not create SLAs with other sites. |
101497 | Support for passwords up to 64 characters in length for Director UI. |
101624 | Option to add multiple IPs for DHCP relay server. |
101649 | Auto switchover with preemption incorrectly reflects as a manual failover in the HA redundancy page. |
101722 | Non-availability of WAN networks while adding a subinterface in Workflows. |
101938 | Updating the bw-measurement action on one term in path policy will wipe out other settings. |
101995 | Missing Staging Bind Data on Bind Data UI. |
102322 | The mapped routing instance for an interface is removed if there are multiple routing instance options. |
102530 | Fetch Devices for the Commit Service template is not showing devices where ST is added to Workflow > Devices > Device. |
102597 | Red flag in the UI is not shown for empty Bind Data Variables in the Post Staging template under Devices while editing Devices. |
102722 | RBAC and pagination support for APIs used for fetching the appliance status. |
102848 | Clicking on Clear does not work for Cloud File Export on the Monitor page in the Versa Director UI. |
102871 | Monitor status stops pulling because of errors while pulling HA data. |
102957 | In the Monitor Summary screen the count for SD-WAN Branches that are down does not match the Provider Health stats for Reachability Status. |
102970 | Failures are seen while trying to delete an organization from the Workflow->Infra->Organization page. |
102994 | Public Cloud type deployment is blocked because there is only one interface shown in the UI on the Cloud Profile tab. |
103072 | Hit count columns are not showing in the monitor page. |
103122 | The ATP and Cloud File Export stats do not display on the Monitor page in the Director UI. |
103174 | The SAML connector does not have the option to view the certificate. |
103216 | The S2S tunnel information object cannot be edited during the Device workflow. |
103245 | On the Organization Limit screen, the UI loses user selected options, if the options are deleted from the source location. |
103366 | Issues with loading the Spoke Group Inventory. |
103512 | Webhook notifications are not working. |
103692 | SPack/OSSPack upload to appliance fails with the error message: “SSH_MSG_DISCONNECT: 2. Too many authentication failures for admin” when secure mode is enabled on the VOS software. |
103716 | Root login should be allowed only from the system console. |
103810 | IPAM needs to be more conservative while deleting addresses. |
103820 | Enforcement of VRF Name. |
103932 | Check for non-UTF8 characters (auto transition from Latin-1 to UTF8) during upgrade. |
103983 | Appliance Page filtering is not case insensitive, which makes searching difficult. |
104064 | Tenant Operator can view other tenant names in a Master Template View list. |
104068 | Commit template is failing for the Tenant users. |
Fixed Bugs in Release 22.1.4
The following table lists the critical and major defects that were fixed in Release 22.1.4.
Bug ID |
Summary |
---|---|
37995 |
The Template Status column has been added in the Administration and Monitor screens. It shows the device configuration status with regard to the associated template. |
64206 |
The Devices workflow now allows you to change associated organizations. |
68625 |
During the bulk SPACK upgrade, the tasks were not updated correctly for the failed devices. |
69128 |
When you create a routing instance, the “geneve” interfaces are now displayed under the Interfaces drop-down in the UI. |
71335 |
The Vulnerability: eval function has been removed. |
72380 |
An API has been added to refresh the LDAP user cache. |
79363 |
Passwords in templates, which are stored in plain text for local users, are now hashed. |
86479 |
Task pages now display an error message if bionic-osspack is pushed to trusty appliance, and vice-versa. |
89827 |
The cloning of templates/service templates from one organization to another was producing a remote server exception error. This is fixed. |
92538 |
An appropriate error message displays in the task page when SPack or OS Spack uploads fail because of the SSH protocol. |
94059 |
Enabling HA was failing on the secondary due to Postgres DB errors. This is fixed. |
94300 |
Exceptions configured in Proxy settings were not honored for SPack and OS SPack downloads. This is fixed now. |
96432 |
RBAC support to allow a user to perform only commit template without modifying the configuration. |
98448 |
A unique secret is now generated for every HA pair of Directors for NCS communication. |
98671 |
Support for interface description in Workflows |
99173 |
On the System > Static Routes screen, the "Edit" button was not present and the "Clone" option was not working. This is fixed. |
100128 |
During onboarding of bcm devices, the devices were rebooted twice. This is fixed. |
101624 |
Support to add multiple IP Addresses in Workflow template under DHCP Relay Server |
101627 |
Active-Online and Standby-Online alarms were not raised. This is fixed. |
102058 |
node-status field was displayed as UnKnown when /vnms/system/ping is called on Standby Node of Director. This is fixed. |
102278 |
The HA failover operation was failing because of incorrect file permissions on the id_rsa file for vnmshauser. This is fixed. |
103307 |
Parameterization support added for Vlan id and vnid in sdlan templates with vxlan |
103382 |
Drill-down support has been added for the Asset Summary area on the Monitor GUI. You can now click the "Branch" row to see which branches are up and which are down. |
103594 |
Template Versioning Not Visible for CustomRole Users. This is fixed. |
103713 |
'request vnmsha actions disable-ha' – will disable HA on both nodes now. |
103765 |
Disable ICMP timestamp responses |
103767 |
The HTTP OPTIONS method was enabled on the API interface. This is fixed now. |
103786 |
Restrict the user home directory mode to at most 750 in Ubuntu. |
103873 |
Same IRB interface was allowed to select with two VLANs for routing under Switching Management. This is fixed. |
103893 |
A standby Director now stops listening on 20514 port. |
103934 |
Postgres port 5432 is blocked for access outside except from peer Director. |
104246 |
Template State doesn't go Out-of-Sync when a local user database is deleted from the template. This is fixed |
104215 |
Apply Template performance is improved now in Template Override Mode. |
104257 |
SFTP is allowed for TACACS users on Director. |
104259 |
A uCPE VM was unexpectedly auto-starting when apply template was called, even though it had been shut off manually. This is fixed. |
104390 |
The SSO login process now verifies role association with the organization for custom roles. |
104391 |
Versa cloud-init deployment was failing on Hypervisor Harvester HCI v1.2. This is fixed. |
104439 |
IPAM cache was not working as expected. This cache has been removed. |
104440 |
Updating the overlay IP address in the bind data page was not working. This is fixed. |
104599 |
Device workflows can now edit sub organizations. |
104619 |
Support for HUB and HUB-CONTROLLER TOPOLOGY is added. |
104863 |
Some hierarchy’s passwords were displayed in clear text in the audit log. This is fixed. |
104858 |
Audit logs for the Director NCS API did not show the difference in the case of POST or PUT requests. This is fixed. |
104890 |
You could see TACACS/RADIUS passwords in diff view in workflow templates. This is fixed. |
104891 |
"Export as plain text template" option was displaying the system user in plain text. This is fixed. |
104978 |
The pre-upgrade patch script was failing to execute. This was fixed. |
105066 |
The Director CLI did not allow a user to log in if multiple servers were added to the same TACACS authentication connector. This is fixed. |
105047 |
The Disable HA task was getting stuck in the In-Progress state in the secondary Director. This is fixed. |
105229 |
Director upgrade was failing with an error related to the template_sync_status table. This is fixed. |
105244 |
Plivo SMS account details were seen in an internal XML file on Versa Director. This is removed. |
105257 |
Monitor data polling, which builds caches, has been optimized. |
105267 |
386 architecture packages were getting installed in OVA/QCOW2/AMI images built from the Director FIPS ISO image. This is fixed. |
105384 |
Template commit was not taking interfaces in a disabled state into account during a commit. In the case of key names being variables, the leaf values were taken from the template with a lower priority. This has been addressed, but because multiple deployments are accustomed to this erroneous behavior, the fix is property-driven. By default, the older behavior continues, but the strictly correct behavior can be obtained by setting RETAIN_VARIABLE_PRIORITY=true in vnms.properties and performing a vsh restart for the change to take effect. |
105399 |
A post-staging task was not created if the preferred software version was configured in a template and deployed when instance is on AWS. This is fixed. |
105412 |
Live status calls to devices are not made now when applying a template. |
105452 |
Browser (Client) IP addresses are now in Tomcat logs. |
105714 |
OAUTH access tokens are no longer audited. |
105777 |
NCS was consuming higher memory with a leak in NCS transactions. This is fixed. |
105826 |
Alerts were not sent to the webhook server when reachability to the server went down and came back. This is fixed. |
105832 |
Sometimes the creation of an AWS-based public cloud instance was failing with a “transport closed” error. This is fixed. |
105948 |
While uploading SPack and OS Spack an error was seen related to SCP. This is fixed. |
106033 |
When a Kafka server was unreachable, commits were delayed. This is fixed. |
106223 |
Common-Template/Datastore template variablization did not show up in both auto and user input for device workflows. This is fixed. |
106228 |
Some of the monitoring APIs are now allowed to execute on secondary Director. |
106290 |
Pagination was not working on the Scheduled Jobs screen. This is fixed. |
106653 |
When a customer using an external role moved from PDCO to PDCSA, VOS upgrade was failing with an error. This is fixed. |
106800 |
The staging pool was being reserved for a hub-controller even after disabling the "staging" function in workflow. |
106829 |
When a device group with redundant templates is selected when deploying a device to the public cloud device, the template configuration was not returning the interfaces and any other details. |
106864 |
Duplicate entries in the encryption table resulted in a commit diff view error. Entries are now made using upsert to avoid duplicates. |
107146 |
Manual switchover was failing under certain conditions. This is fixed. |
107263 |
When the SSO use length was exceeded by 50 characters, some API calls were not working. This is fixed. |
107759 |
The encryption enable flag was ignored in a few places. This is fixed. |
107766 |
Organization deployment was failing when adding a new organization. This is fixed. |
107821 |
Rollback was failing from Release 22.1.3 to Release 22.1.2. This is fixed. |
107832 |
OAUTH token was logged many times in the audit log. This is fixed. |
107863 |
Enet interfaces are now supported in workflows. |
107867 |
The REST API 'vnms/dashboard/vdStatus/haDetails' was taking 5 minutes when connectivity was lost between Versa Directors in an HA configuration. This is fixed. |
107897 |
Certificate upload was failing from Director Release 22.1.x to Release 21.2.x appliances. This is fixed. |
108135 |
Device workflow was not able to assign autogenerated variable values under some conditions. This is fixed. |
108182 |
Allow WAN Pool size to be reduced up to 8. |
108359 |
RMA was failing with package upgrade error. |
108672 |
On FIPS Director, CSR with keypass generation was failing. |
109689 |
Restore Standby from NONE mode after restoring connectivity between Directors. |
109791 |
Email notification is sent when NCS and Postgres are out of sync between two HA Directors. |
109832 |
The snapshot compare operation was failing with the error ncs:config/system:system/system:external-aaa/system:tacacs-plus/system:use-remote-group. This is fixed. |
109885 |
Non-thread-safe KafkaProducer code sometimes caused all tasks to be blocked. This is fixed. |
109975 |
A typographical error in a Task error message is fixed. |
110078 |
vnms/template/deviceGroup/deviceStatus was returning data which was not backward compatible. This is fixed. |
110270 |
Unable to use shellinabox for appliance login when username is in the format name@domain.com. This is fixed. |
110393 |
An entry is made early in the Appliance Status table of the database so that a newly added appliance is visible in the appliance listing screen faster. |
110431 |
Add logs to debug if alarms are not received from Analytics. |
110576 |
Periodic monitoring is blocked for LTE devices |
110759 |
Address group filtering UI was not working with name and members. This is fixed. |
110817 |
Hub Controller Staging IP was not being populated for redundant templates. This is fixed. |
110843 |
Sync from appliance done by Director after RMA has failed and as a result the configuration is reset to the staging configuration. |
111034 |
VACUUM FULL is run weekly on Director to increase Postgres performance. |
111140 |
The address-list that is configured in a CGNAT pool/rule is not properly rendered in the Director UI. This is fixed. |
111262 |
A post-staging task was not initiated in some scenarios. This is fixed. |
111485 |
Template redeployment is possible with system core-profile configured. |
111576 |
The UI Tomcat layer now rejects uploads through the REST API of any files other than images. |
111579 |
Only the ProviderDataCenterSystemAdmin user is allowed to change Logo/Footer/Favicon. |
111658 |
In the UI, added support for tcp-memory-quantum configuration in service-options. |
Limitations and Known Issues
The following are the limitations in Release 22.1:
- For Director high availability (HA), you can no longer edit the High Availability pane on the Administration > System High Availability screen. The editable Designated Active and Designated Standby IP address fields are moved to the High Availability Configuration pane.
- Due to a vulnerability fix, Analytics must be running Release 22.1.4 or 22.1.3 dated May 2024 or later before you upgrade Versa Director to Release 22.1.4.
- The NCS IPC access check (ncs.pass) feature has been introduced in Releases 22.1.3 and 22.1.4 to limit CLI, NCS_CLI, and NCS_CMD shell access to the local node and to the peer node in an HA setup. To use the CLI, you must log out or exit from the shell after successfully upgrading the Director from Releases 21.x.x, 22.1.1, or 22.1.2 to Release 22.1.3 or 22.1.4.
Enable HTTP 2.0 on Proxies
In Release 21.1.1, the Director web server (Apache Tomcat) was upgraded to support HTTP 2.0, also called HTTP/2 or H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when supported by the web servers.
If an HTTP proxy, such as a load balancer, HAProxy, or NGINX, is deployed between web clients (browsers) and a Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
When users access the Director node through secure proxies, such as Zscaler, either the proxy's inspection of sessions to the Director node must be bypassed or the proxy must be enabled with the HTTP/2 and TLS 1.2 protocols and the above cipher set.
After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the browser is using the HTTP/2 protocol:
- On the Director login page, right click and select Inspect to display the Dev/Inspect tools. The following screenshot shows how to do this in Google Chrome:
- In the Inspect window, select the Network tab.
- Right-click the column selector and select Protocol to display the Protocol column.
- Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).
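A scripted counterpart to the browser check above, added here as an example and not part of the Versa software or documentation: it pins the client to TLS 1.2 and the four listed cipher suites, offers h2 through ALPN, and reports what the proxy actually negotiates. The function names, the command-line arguments, and the mapping to OpenSSL cipher names are assumptions of this example.

```python
"""Check that a proxy in front of a Director node negotiates HTTP/2 over
TLS 1.2 with one of the four cipher suites listed in the release notes."""
import socket
import ssl
import sys

# IANA suite names from the release notes mapped to the OpenSSL names
# that Python's ssl module accepts and reports.
REQUIRED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def build_context(cafile=None):
    """Client context limited to TLS 1.2, the required suites, and ALPN h2.

    Certificate verification stays on; pass cafile when the proxy presents
    a certificate issued by a private CA.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(REQUIRED_CIPHERS.values()))
    # Offer HTTP/1.1 as well, so a proxy without HTTP/2 shows up as a
    # finding rather than as a failed handshake.
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    return ctx


def evaluate(alpn, tls_version, cipher_name):
    """Return a list of problems for a negotiated session (empty means OK)."""
    problems = []
    if alpn != "h2":
        problems.append(f"ALPN selected {alpn!r}, expected 'h2'")
    if tls_version != "TLSv1.2":
        problems.append(f"negotiated {tls_version}, expected TLSv1.2")
    if cipher_name not in REQUIRED_CIPHERS.values():
        problems.append(f"cipher {cipher_name} is not in the required set")
    return problems


def probe(host, port=443, cafile=None, timeout=5.0):
    """Connect to the proxy and return the list of problems found."""
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return evaluate(
                    tls.selected_alpn_protocol(), tls.version(), tls.cipher()[0]
                )
    except ssl.SSLCertVerificationError as exc:
        return [f"certificate verification failed: {exc.verify_message}"]
    except ssl.SSLError as exc:
        # The proxy accepted neither TLS 1.2 nor any of the four suites.
        return [f"TLS 1.2 handshake with the required ciphers failed: {exc.reason}"]


if __name__ == "__main__":
    # Usage: python check_h2.py <proxy-host> [port] [ca-bundle.pem]
    if len(sys.argv) < 2:
        sys.exit("usage: check_h2.py <proxy-host> [port] [ca-bundle.pem]")
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    bundle = sys.argv[3] if len(sys.argv) > 3 else None
    findings = probe(target, target_port, bundle)
    for finding in findings:
        print("FAIL:", finding)
    if not findings:
        print("OK: h2 over TLS 1.2 with a required cipher suite")
    sys.exit(1 if findings else 0)
```

Run it against the proxy address that browsers use, not against the Director node directly, so that the result reflects the proxy's own TLS and ALPN settings.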
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Additional Information
Revision History
Revision 1—Release 22.1.1, May 5, 2023
Revision 2—Release 22.1.2, July 31, 2023
Revision 3—Release 22.1.3, December 30, 2023
Revision 4—Release 22.1.4, July 1, 2024
Versa Operating System (VOS) Release Notes for Release 22.1
These release notes describe features, enhancements, fixes, known issues, and limitations in the Release 22.1 Versa Operating System™ (VOS™) software, for Releases 22.1.1 through 22.1.4. Releases 22.1.1 and later are general availability (GA) releases and are supported for use in production networks.
July 1, 2024
Revision 4
Product Documentation
The Versa Networks product documentation is located at https://docs.versa-networks.com.
Install the VOS Software
You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.
Note: Releases 22.1 and later support only Ubuntu 18.04. For any VOS devices running Ubuntu 14.04 (Trusty), you must upgrade them to Ubuntu 18.04 (Bionic) before you can use Releases 22.1 and later. For more information, see Upgrade Versa Networks Operating System to Ubuntu 18.04.
Versa Networks provides the following versions of the VOS software for systems running Ubuntu 18.04:
- *-B-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
- *-.B-bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.
- *-B-lite.wsm.bin—Install this image on Versa ARM CPU–based wireless access points (APs) and on Intel Atom-based two-core and four-core CPU-based Versa CSG350 and CSG730 appliances and others with up to 4GB of RAM.
Upgrade to Release 22.1
Note: Starting with VOS Release 22.1.4, strict SSL certificate checks are enforced for LDAP server communication. Ensure that your certificates have valid Certificate Authorities (CAs) for uninterrupted service. Before upgrading, download and run the "validate_ca_chains_for_ldap.sh" command from the VOS shell to verify the SSL certificates. This proactive step prevents issues during and after the upgrade, ensuring smooth LDAP authentication. The shell script is available to download from the software download portal. For more information about valid CA certificates, refer to https://datatracker.ietf.org/doc/html/rfc5280.
If you are upgrading from Release 20.2 to Release 22.1 or later on HA nodes, if you have enabled information validation (info-valid) in the configuration of one or both HA nodes, you must disable the info-valid configuration before you perform the software upgrade. After the upgrade completes, you can re-enable the info-valid configuration.
To upgrade to Release 22.1 from the CLI:
- Ensure the current running package is present in the /home/versa/packages/ directory.
- Save the existing version of the configuration:
admin@vnf-cli(config)% save /var/tmp/backup.cfg
Note that if the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 2057 or later before you upgrade the VOS device. To display the version of the installed SPack, issue the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.
- Copy the .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
admin@vnf-cli> request system package fetch uri uri
- Install the new software package:
admin@vnf-cli> request system package upgrade filename.bin
Follow the prompts, and wait until the upgrade status shows that the upgrade is complete. Note that if a reboot is required during the upgrade process, the VOS device automatically reboots.
- Confirm that the new software has been installed:
admin@vnf-cli> show system package-info
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command. This command restores the VOS device's configuration to the same state it was in just before the upgrade. Any configuration changes that you made since the upgrade are lost.
admin@vnf-cli> request system rollback to PRE-UPGRADE-1
Install a Software License for VOS Devices
A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not subjugated to a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.
New Features
This section describes the new VOS device features in Release 22.1. All features are introduced in Release 22.1.1 unless otherwise noted.
Director GUI
- Director GUI enhancements—The look and feel of the Director graphical user interface (GUI) have been updated. Wizards for initial site and VOS device configuration workflows have been added. Buttons have been added in the top menu bar to allow you to directly change the Versa Director view to Director view, Template view, or Appliance view. With the exception of these new features, the general behavior of the Director GUI, the organization of the screens, and the fields and buttons on the screens are unchanged.
Note: The screenshots in articles on the documentation portal show both the older GUI and the new GUI, so the screenshots you see on your Director node may not match what is shown in the documentation articles. Because the general behavior of the Director GUI, the organization of the screens, and the fields and buttons on the screens are unchanged, you will be able to use the information and procedures in the articles.
Hardware Platforms
- Ethernet switches and hybrid platforms—The CSG3300 and CSG3500 appliances provide line-rate switching and high compute capacity for enterprise-grade routing. The CSX4300 and CSX4500 appliances are next-generation software-defined LAN (SD-LAN) edge and access layer appliances. See Hardware.
- WAN edge platforms—The CSG5000 Series appliances deliver carrier-grade reliability, high performance, and high compute capacity for enterprise-grade routing. Support is also provided for Silicom Cordoba, Dell R7515-V2800, and Dell VEP1420N/VEP1420/VEP1420-LTE platforms for use as WAN edge devices.
Common and Platform Software
- AES 128-GCM and AES 256-GCM encryption for IKE—You can configure AES 128-GCM and AES 256-GCM encryption for IKE. See Configure IPsec VPN Profiles.
- Available servers for application delivery controller—When configuring an application delivery controller (ADC), you can set the minimum number of available ADC servers required for the server pool to be marked as Up. See Configure an Application Delivery Controller.
- BGP local AS mode 5—You can configure BGP AS mode 5. See Configure Virtual Routers.
- BGP SLA community action—You can configure BGP peer and peer group policy matches based on SLA parameters. See Configure Virtual Routers.
- DHCP default route and subnet mask—(For Releases 22.1.3 and later.) When you configure an IP address pool, you can configure a default route and a subnet mask for the pool. See Configure DHCP.
- DNS monitoring logs—You can configure traffic-monitoring policies to export DNS monitoring logs to Versa Analytics. See Configure Log Export Functionality.
- Dynamic tenant configuration—(For Releases 22.1.3 and later.) For service templates, you can dynamically configure tenants. See Configure Basic Features and Configure the Versa Secure Access Service.
- Field customization and soak time for alarm notifications—For alarm notifications, you can customize the content in the Message and SMS text fields, you can add additional customization in the Subject field, and you can configure the soak time condition. See Configure Notifications for Alarms.
- Google Cloud Platform—You can use a cloud management system (CMS) connector in the Versa Director node to install, or instantiate, a Versa branch device on Google Cloud Platform. See Install on Google Cloud Platform.
- GPS location tracking—For CSG700 series appliances, you can configure the Director node to track the GPS location of the device. See Configure Device Location Tracking.
- GRE site-to-site tunnels—You can create secure IPsec tunnels and GRE tunnels between a VOS device and an AWS Transit Gateway that is registered to the AWS global network under the Network Manager. See Configure Site-to-Site Tunnels.
- IKE fragment size—You can configure the IKE fragment size. See Configure IPsec VPN Profiles.
- Ingress policers—(For Releases 22.1.3 and later.) You can configure policers on ingress interfaces. See Configure Organization Limits.
- IPsec cipher key check—You can configure a VOS device to meet NIAP FCS_IPSEC_EXT.1.14 requirements by enabling the IPsec cipher key check option. Enabling the IPsec cipher key check affects the VOS device only when FIPS mode is enabled on the device. See Configure Service and Session Options.
- IP SLA monitoring with FQDNs and with HTTP and HTTP raw monitor types—You can configure HTTP and HTTP raw monitor types, and you can monitor using FQDNs. See Configure IP SLA Monitor Objects.
- IPv4 IPIP tunnels—You can configure IPv4 IPIP tunnels. See Configure Interfaces.
- Logging enhancements—VOS devices support SASE web and DNS-monitoring logs. See Configure Log Export Functionality, Configure Log Collectors and Log Exporter Rules, Analytics Log Collector Log Types Overview, and Apply Log Export Functionality.
- Maintenance mode—(For Releases 22.1.2 and later.) You can enable maintenance mode so that you can perform administrative tasks, such as upgrading a VOS device. Other routers are expected to route around a VOS device that is in maintenance mode. See Configure Maintenance Mode.
- NAT64 and DNS64—You can configure NAT64 and DNS64. NAT64, defined in RFC 6146, provides a mechanism to translate IPv4 addresses to IPv6 addresses, and vice versa. DNS64, defined in RFC 6147, allows an IPv6-only client to initiate communication, by name, to an IPv4-only server. See Configure CGNAT.
- OSPF sham links—You can configure OSPF sham links. See Configure Virtual Routers.
- QoS support for 100-Gbps interfaces on CSG5000 and Dell R7515 platforms—CSG5000 series appliances and Dell R7515 devices support hardware-based egress class of service (CoS) and shaping for Intel E810-based adapters, which support data rates up to 100 Gbps interfaces. You can configure four traffic classes at the interface level. The four interface-level traffic classes are scheduled as priority queues. There is only a single queue per traffic class. You can configure each traffic class for committed and maximum bandwidths as a percentage of line rate (that is, the interface transmit, or Tx, rate) or as an absolute rate, in kilobits per second. The traffic classes are scheduled as work conserving; that is, a traffic class can burst to its peak rate to consume any unused bandwidth from other traffic classes that are operating below their committed rate. Note that for hardware-based QoS, only interface-level shaping is supported. No other egress CoS and shaping configurations, including VLAN and adaptive shaping, are supported. See Configure CoS.
- Session Load balancing using DSCP/802.1p—(For Releases 22.1.4 and later.) To ensure optimal performance for high bandwidth IPsec and other tunnel flows, DSCP or 802.1p values are used along with the existing 5-tuple for efficient traffic load balancing across cores. To enable this feature, you must configure it using one of the following methods:
- From the CLI:
versa@versa-admin% set system session additional-flow-key-attribute ?
Description: Additional attribute used to identify a flow
Possible completions:
[dscp]
dscp - IPv4/IPv6 DSCP
ieee-802.1p - IEEE 802.1p Priority Code Point (PCP)
none - No additional attribute
- From Versa Director:
- In Director view, select the Configuration tab in the top menu bar.
- Select Templates > Device Templates in the left menu bar.
- Select an organization in the left menu bar.
- Select a template from the main panel. The view changes to Template view.
- In the left menu bar, select Others > System > Configuration > Configuration.
- In the Sessions pane, click the Edit icon. The Edit Sessions window displays.
- In the Additional Flow Key Attribute field, select DSCP or IEEE-802.1p.
- Click OK.
- SSL VPN profiles—(For Releases 22.1.4 and later.) SSL VPN is an alternative to IPsec VPN for allowing remote users to connect to Versa gateways using the Versa SASE client. You configure SSL VPN profiles to allow remote users to connect to an enterprise network on an SSL tunnel using a Versa SASE client. See Configure SSL VPN Profiles.
- T1 interface cable length—You can configure the cable length for T1 interfaces. See Configure Interfaces.
- Theft protection and unauthorized movement protection—You can track the location and movement of devices. See Configure Device Location Tracking.
- TWAMP Light test sessions—(For Releases 22.1.3 and later.) You can associate a TWAMP Light sender test session with a TWAMP Control client connection and a TWAMP Light reflector test session with a TWAMP Control server connection. Also, TWAMP Light reflector test sessions support auto start. See Configure TWAMP Light Sessions.
- Versa speed test with latency—(For Releases 22.1.3 and later.) The speed test factors in a link's bandwidth before running the test. See Troubleshoot Link Bandwidth Issues.
- VOS Lite—(For Releases 22.1.3 and later.) VOS Lite is a version of the VOS software that has been optimized for use on small form-factor devices. Specifically, you can use the VOS Lite software on Versa ARM CPU–based wireless access points (APs) and on Intel Atom-based two-core and four-core CPU-based Versa Cloud Service Gateway 350 (CSG350) and Versa CSG730 appliances that have 4 GB of RAM and that are running Ubuntu 18.04 (Bionic) as their base operating system. See Deploy the VOS Lite Software.
- VOS network driver support for Azure accelerated networking—VOS network drivers support Azure accelerated networking. Accelerated Networking enables single root I/O virtualization (SR-IOV), greatly improving networking performance. This high-performance data path bypasses the host, which reduces latency, jitter, and CPU utilization for the most demanding network workloads.
- VRRP-aware PIM—You can configure VRRP-aware PIM. In a redundant network with virtual routing groups enabled, VRRP-aware PIM provides consistent IP multicast forwarding by allowing PIM to track the VRRP state and to preserve multicast traffic when a failover occurs. See Configure IP Multicast.
- WAN links—The number of WAN interfaces supported has been increased from 8 to 15 for single-stack (IPv4 or IPv6) and from 4 to 7 for dual-stack (IPv4 and IPv6). See Configure Basic Features.
- WAN link priority value—When you create a WAN interface, the WAN link priority can be a value from 1 through 15. See Configure Basic Features.
- Web-monitoring logs—(For Releases 22.1.3 and later.) You can configure traffic-monitoring policies to export web-monitoring logs to Versa Analytics. See Configure Log Export Functionality.
Layer 2 and SD-LAN
- Anycast gateway—When using software based forwarding, you can configure a distributed anycast gateway, which facilitates workload mobility by allowing multiple VXLAN branches to act as the default IP gateway for all clients that are attached to them. See Configure Layer 2 Forwarding.
- ARP suppression—You use the ARP suppression feature to prevent the flooding of ARP requests across an EVPN network. See Configure Layer 2 Forwarding.
- LAN Ethernet interfaces—On Versa CSG 3000 and CSX 4000 series appliances, you can configure LAN Ethernet interfaces. See Configure Interfaces.
- NPU policy-based forwarding—For Versa Networks devices that use network processing (NPU) switching hardware, including CSG3000 and CSX4000 series devices, you can configure NPU access list (ACL) policies that affect how Layer 2 and Layer 3 packets are forwarded. See Configure NPU Policy-Based Forwarding.
- SD-LAN configuration wizard—(For Releases 22.1.3 and later.) You can configure SD-LAN Workflow templates using a Versa Director GUI wizard. See Configure SD-LAN Using Workflow Templates.
- ZT-LAN—Versa Zero-Trust (ZT)-LAN solutions address the evolving security and networking needs of enterprises. Versa ZT-LAN comprises two main component solutions: ZT Edge and Secure SD-LAN. See ZT-LAN Overview.
SASE
- Application reverse proxy and IdP proxy—(For Releases 22.1.3 and later.) Application reverse proxy protects software as a service (SaaS) applications from direct access from unmanaged devices that do not have Versa client installed to connect to Versa Cloud Gateways. It uses an identity provider (IdP) for user authentication. See Configure Application Reverse Proxy.
- CASB—(For Releases 22.1.3 and later.) Cloud Access Security Broker is on-premises or cloud-based policy enforcement software that secures the data flowing between users and cloud applications to comply with corporate and regulatory requirements. For Releases 22.1.4 and later, you can specify an MDM profile when you configure a CASB constraint.
- DLP—(For Releases 22.1.3 and later.) Data loss prevention is a set of tools and processes for detecting and preventing data breaches, cyber exfiltration, and unwanted destruction of sensitive data.
- Endpoint information profiles—(For Releases 22.1.3 and later.) Endpoint information profiles (EIPs) classify endpoints based on multiple types of endpoint posture information.
- Terminal server agent—A Versa terminal server agent (TSA) identifies users from virtual desktops, especially from virtual desktop environments such as Citrix XenApp and Microsoft Terminal Services, where many users share the same IP address. TSA allows a VOS node and VOS cloud gateways to uniquely identify user traffic originating from virtual desktop infrastructure (VDI) instances. See Configure a Terminal Server Agent.
SD-LAN
- Endpoint information profiles—(For Releases 22.1.3 and later.) You can configure microsegmentation using EIPs for SD-LAN. See Configure EIP-Based Microsegmentation for SD-LAN.
SD-WAN
- Dynamic destination NAT IP addresses—(For Releases 22.1.3 and later.) When you configure a CGNAT address pool, you create a dynamic IP address–only pool, which allocates dynamic destination NAT (DNAT) IP addresses. See Configure CGNAT.
- EVPN IRB distributed gateway—Enables connectivity among tenants and end devices that are on different subnets (inter-subnet forwarding) while still maintaining the multihoming capabilities of EVPN. See Configure an EVPN IRB Distributed Gateway.
- EVPN Type 5 routes—EVPN type 5 routes are used to advertise EVPN routes using IP prefixes and decouple the IP prefix advertisements from the MAC/IP advertisement routes in EVPN. See Configure EVPN VXLAN for SD-WAN and Configure EVPN VXLAN for ZT-LAN.
- Forward error correction and replication—You can now configure Forward Error Correction (FEC) and replication for Layer 2 SD-WAN traffic steering. See Configure Forward Error Correction for SD-WAN Traffic Steering and Configure Replication for SD-WAN Traffic Steering.
- Monitor SaaS applications with traceroute—(For Releases 22.1.3 and later.) You can use the traceroute command to monitor SaaS applications. See Configure SaaS Application Monitoring.
- Passive application performance monitoring—VOS devices can passively collect application performance monitoring (APM) data for TCP performance measurement metrics, including connection setup time, server connection reset rate, application response time, retransmission rate, and network round-trip time. See Configure Application Performance Monitoring.
- SD-WAN header compression—SD-WAN header compression provides a tunnel-free, bandwidth-saving method to address the issue of additional overhead in packets introduced by overlay and tunnel headers. See Configure SD-WAN Header Compression.
- Traffic engineering—SD-WAN traffic engineering evaluates all the alternate paths (direct and indirect) to reach a destination site and provides the optimal path for the data traffic in terms of link metrics (delay and loss). See Configure SD-WAN Traffic Engineering.
- Traffic-steering enhancements—The circuit priority and next-hop priority values have increased from 8 to 15, and support for replication and FEC in Layer 2 SD-WAN traffic-steering forwarding profiles has been added. See Configure SD-WAN Traffic Steering.
Security
- Active user distribution for VMS—You use active user distribution to apply uniform user or group-based policies for user traffic across gateways. When you enable active user distribution and a user connects to a gateway or branch, the user login or logout information is shared across all branches or gateways using a Versa Messaging Server (VMS). See Configure User and Group Policy.
- Advanced Threat Protection—Advanced Threat Protection (ATP) is an all-encompassing security solution designed to defend organizations from sophisticated cyber threats that often bypass conventional security measures.
- Application performance monitoring enhancements—You can configure VOS devices to capture application performance in two-minute rolling windows so that you can monitor application performance in real time. See Configure Application Performance Monitoring.
- Automatic certificate provisioning, distribution, and renewal—(For Releases 22.1.3 and later.) You can use the Automated Certificate Management Environment (ACME) protocol to automatically provision, distribute, and renew certificates for SASE services. See Configure Certificate Servers.
- Certificate manager—(For Releases 22.1.3 and later.) When configuring a certificate manager, you can configure the Default CSR and On Response Unknown fields in the Add Server popup window and the Expiry Alarm Threshold, Renew Threshold, Subject Alt Name, and Onboard Notification fields in the Add Request popup window. See Configure Certificate Servers.
- DHCP snooping—For Releases 22.1.3 and later, you can configure DHCP snooping to identify and monitor unauthorized DHCP servers and prevent them from offering IP addresses to DHCP clients. For Releases 22.1.4 and later, you can configure DHCP snooping at the virtual switch level and at the bridge domain level, and you can monitor DHCP snooping. See Configure DHCP Snooping and Configure Layer 2 Forwarding.
- DNS filtering—(For Releases 22.1.3 and later.) In a DNS-filtering profile, you can configure detection of DNS tunneling, which is a type of cyberattack that encodes data from other programs or protocols in DNS queries and responses, and you can configure a sinkhole action. See Configure DNS Filtering.
- Exact data match and fingerprinting—(For Releases 22.1.3 and later.) You can configure EDM and document fingerprinting for data loss prevention (DLP).
- Files and folders—(For Releases 22.1.3 and later.) You can upload DLP, captive portal, and certificate files to Versa Director, and you can create folders on the Director node. See Manage Files and Folders and Configure URL Filtering.
- Google Cloud Platform certificate server—(For Releases 22.1.3 and later.) You can configure Google Cloud Platform to be a certificate server. See Configure Certificate Servers.
- HTTP header profiles—(For Releases 22.1.3 and later.) You can configure HTTP header insertion and modification profiles for use with SaaS applications. See Configure HTTP Header Profiles and Configure HTTP/HTTPS Proxy.
- IDP dropped packets—(For Releases 22.1.3 and later.) When a new version of the IPS signature is being compiled, traffic is processed using the previous version of the IPS signature. See Configure Intrusion Detection and Prevention.
- IoT security—(For Releases 22.1.3 and later.) You can configure security for internet-of-things devices. Please contact Versa Networks Customer Support before deploying this feature. See Configure IoT Security.
- IP source guard—(For Releases 22.1.3 and later.) You can configure IP source guard to prevent IP and source MAC address spoofing attacks on untrusted Layer 2 interfaces. See Configure IP Source Guard.
- IPv6 wildcard mask—(For Releases 22.1.2 and later.) For match criteria, you can specify a wildcard mask in IPv6 addresses. See Configure Address Objects.
- KMIP client—You can configure a VOS device to use the Key Management Interoperability Protocol. KMIP is a client–server communication protocol that enables key management and cryptographic operations on a key management server (KMS). KMIP simplifies cryptographic key management and allows you to store and maintain keys, certificates, and secret objects. See Configure a KMIP Client.
- MAB and RADIUS for 802.1X—(For Releases 22.1.3 and later.) You can configure MAC authentication bypass, RADIUS accounting, RADIUS failover, and RADIUS tracking. See Configure IEEE 802.1X Device Authentication.
- Microsegmentation—(For Releases 22.1.3 and later.) You can place user client devices and headless IoT devices into microsegments, which are smaller, isolated network segments. Please contact Versa Networks Customer Support before deploying this feature. See Configure Microsegmentation.
- Network obfuscation—(For Releases 22.1.3 and later.) When you create a DNS proxy, you can configure network obfuscation and DHCP server monitors. See Configure a DNS Proxy.
- NTP server authentication—(For Releases 22.1.4 and later.) You can configure authentication for NTP by creating an authentication key, using either MD5 or SHA1, and then associating it with an NTP server. See Configure Systemwide Functions.
- Optical Character Recognition—(For Releases 22.1.4 and later.) You can configure optical character recognition (OCR) for data loss prevention (DLP).
- Private key files—(For Releases 22.1.3 and later.) You can upload private key files to Director and VOS devices. See Configure CA Certificates, Key File, and CA Chains.
- Proxy ARP—(For Releases 22.1.3 and later.) You can disable proxy ARP. See Configure CGNAT.
- Queries in HTTP header insertion profiles—(For Releases 22.1.3 and later.) You can modify HTTP queries in HTTP header insertion profile rules. See Configure HTTP Header Profiles.
- Secure web gateway—(For Releases 22.1.3 and later.) NGFW supports SWG (explicit proxy) user authentication using LDAP and local authentication. See Configure User and Group Policy.
- User-defined sessions—(For Releases 22.1.3 and later.) When you configure a user-defined session, you can configure the action to be sinkhole. See Configure User-Defined Actions.
- User and user group authentication—(For Releases 22.1.3 and later.) NGFW can use certificate, LDAP, local profile, Kerberos, RADIUS, and SAML for user and group authentication, and you can configure RADIUS servers. See Configure User and Group Policy.
Fixed Bugs
The following tables list the critical and major defects that were fixed in Release 22.1.
Fixed Bugs in Release 22.1.1
The following table lists the critical and major defects that were fixed in Release 22.1.1.
Bug ID | Summary |
---|---|
42652 | A routing process core may occur when an end-of-RIB message is sent to a BGP peer belonging to a peer group when shared ARO is configured. |
54892 | Decoding the SSL certificate may fail on a TPM-enabled CPE device. |
67385 | Disabling hypervisor/uCPE functionality on VOS devices running on Ubuntu Bionic may not work. |
71821 | Overall system memory usage is reported to Analytics instead of being reported as vsmd memory consumption. |
73125 | When an IP address is NATed to use a CGNAT pool different from the egress network/interface, a routing change can trigger incorrect CGNAT re-evaluation. |
75974 | Generate an alarm if there is duplicate tunnel IP address or site ID in the SD-WAN fabric. |
77318 | When qat_offload is set to False and QAT_WT is initialized, a service restart may be triggered in the IPsec module. |
78087 | Security access policy with address negation may not reach the access policy rule. |
80074 | A slow memory leak may occur in the versa-infmgr process. |
80532 | When the address object ID allocation is managed incorrectly, an error may prevent an upgrade to Release 21.2.3. |
80624 | When the user changed the address/mask and “ge” and “le” were already configured, the values of “ge” and “le” were recalculated incorrectly. |
80989 | ip2usr process memory leak may cause slow depletion of system memory. |
82572 | When SSL decryption is enabled, a Versa service process crash may occur. The crash is caused by a race condition between the QAT offload result processing and the job submission. |
82978 | Some stale configurations related to a prefix list used in a BGP routing peer policy may be present. This fix removes those stale entries when running the upgrade scripts. |
83375 | When a tvi (PPPoE) interface with an interface description is mapped to the underlying vni (PPPoE base interface), if the vni interface flags, a service restart is triggered. |
84073 | Issuing the request ike rekey or request ipsec rekey CLI command may cause VSMD to crash. |
84087 | When the subnet mask of the peer interface changes, routes learned by BGP may get lost in the forwarding plane. |
84253 | Mbuf leak when running endurance tests. |
84305 | IPS crash because of memory corruption. |
84426 | Leak in versa-vmod process because the accounting records queue overflows during congestion. |
84442 | When a dynamic tunnel interface goes down, the deleted information may not be processed by the software, and so an assert can occur when a new interface is created with the same index. |
84506 | If you trigger multiple instances of SCP from the CLI, the data path filters for file transfer are not cleaned up. |
84595 | On a VOS device configured as a uCPE, virt-manager does not start because of missing Python 3.8 egg files. |
84722 | When an interface goes down, SD-WAN pipes may not be cleaned up. When the interface comes back up, the P2MP layer tries to create a pipe for that path and fails because the pipe ID already exists, and the result is that the P2MP layer assigns an invalid pipe ID for that path. The fix is to clear the SD-WAN pipes when the interface goes down. |
84896 | One data core was stuck with a very low LTE signal strength, and the link flapped periodically. The fix involves adding checks in the AF_PACKET poll mode driver. |
85094 | Memory leak in IPS because of IPS HTTP transaction in the VDETECT_MEM_ID_HTP_TX module. |
85369 | BGP prefix_list with ge_le is not working when applied with a redistribution policy. |
85558 | DSCP rewrite rules are not applied to SD-WAN traffic when the sessions are TCP-optimized. |
85563 | When you enable TCP optimization on a high latency WAN link, a service restart may occur because of a Versa service crash. The crash is caused by a divide-by-zero error. |
85690 | A memory leak may occur in the file filter feature when the file size is less than 50 bytes. |
85756 | The LTE interface is not operational after an upgrade from Ubuntu Trusty to Ubuntu Bionic. |
86314 | Data transfer may stall for an SSL decryption-enabled TLS session when there is memory pressure and end hosts send TLS records that are 16K bytes. |
86414 | Expired SIP dialogs are not cleaned up if the walk hits the first 25 active unexpired dialogs. |
86763 | Add a secure option for the internet speed test module, and fix the lo interface going down for the versa-speedtest VR. |
86776 | Memory corruption is seen if, during IPS signature compilation, another commit is performed related to security configuration. IPS signature compilation occurs during the SPack upgrade, during system startup, and after any configuration commit that changes the IPS security profile. |
87036 | When the AS number in the AS path is longer than 64, there is a display issue in the CLI (cosmetic). |
87120 | For transit SD-WAN packets, clean up decap contexts during vxlan-gpe decap if packets are inadvertently seen to avoid a crash. |
87419 | An incorrect freeing of memory in the firewall policy module may cause random crashes elsewhere. |
87521 | When Layer 2 MPLS services are enabled, Layer 2–switched MPLS fragmented packets may be dropped because of a packet parsing issue. |
87641 | When upgrading from Release 20.2.x or Release 21.1.x to Release 21.2.x, FQDN resolution may fail to work as before the upgrade. |
87709 | In a static NAT scenario, when the first packet of a session lands on a different worker and is punted to another worker thread, the filter lookup information may not persist in CGNAT when a packet is punted to another worker. |
87754 | When serving the DNS request from the cache, the response was trimmed because of buffer limitations. The buffer size has been increased to 65535, as per the RFC. |
88340 | When there are more than 1365 ARP entries, polling for ARP entries using SNMP may cause a critical process to restart. |
88474 | When data-driven SLA is configured, an incorrect reference counting of a route structure may lead to a service restart. |
88669 | Application QoS policy rule statistics for the forward byte counter is incorrect. |
88967 | IPsec tunnel traffic originating from the SD-WAN branch takes the SD-WAN path, which is down. |
89152 | Do not update the eth0 configuration during package installation. |
89846 | LAN interface route is advertised to customer EBGP peers when an SLA endpoint is configured on the interface. The same route is also advertised to the WAN over BGP enabled for DIA. The fix is not to advertise the LAN interface /32 route over IBGP/EBGP. |
89886 | When a suspend-backup-collector is configured for a collector group, the backup collector may not go into a suspended state. Rather, it remains established, which results in unnecessary resource utilization in log collector. This fix ensures that the suspended collector is not activated in all conditions. |
90382 | Services may restart with some specific order of SNMP get/get-next for ARP entries. |
91129 | Setting the next hop using the SD-WAN/PBF module impacts the reverse direction symmetric SD-WAN traffic. |
91263 | When an intermediate router sends an ICMP Need Fragmentation error packet with a very large MTU value (> 8K) in response to a Path MTU discovery packet from a VOS device, invalid memory access occurs and leads to a service restart. |
91569 | BGP is processed in a different RFC phase when a site delete event is received on a branch. RTD may restart services when this process is postponed. |
91575 | Alarm soak logic for Versa service process worker threads was not working as designed, leading to spurious and too many alarms. |
92019 | Reduce burstiness during child SA update for a branch when propagating to other branches via the main control thread. Doing this reduces tail drops, which ensures that all updates are sent, propagated by the source SD-WAN node, and processed appropriately at the peer SD-WAN node. Also, add a self-healing mechanism in case a stall is seen on the control thread to postpone propagation of the SA update. |
92107 | The traceroute CLI command was not behaving as expected if the source and routing-instance parameters were not entered in a specific order. The command now accepts all arguments in any order. |
92124 | Services may restart even if the external IP address has not changed, but a mobile client RAC user may disconnect and connect back quickly. |
92156, 92070 | svc-load alarm default soak time has been changed to 300 seconds. |
92367 | Fixed a corner case to gracefully exit the certificate search, returning the appropriate error codes instead of asserting, if the PKI certificate is not found. The condition is now reported by log “Certificate not found” errors in versa-ipsec-ctrl.log. |
92423 | System-level user credentials do not roll back to the snapshot configured system credentials. |
92733 | Issuing the show orgs org tenant-name sessions extensive command may cause an error if any session goes through a site-to-site IPsec tunnel. The fix is to include some of the fields the backend code was trying to display in the CLI command output. |
92745 | vstated is not sending the current time it receives from NTP, causing the T-OPT to be marked as invalid when RAC users try to connect to the VSA portal or gateway. |
92791 | If OSPF MD5 authentication and authentication-key-id are already configured for a network name, and if either the address is changed on the interface that is part of the network or an interface is added to a network, the interface does not use the configured authentication-key-id and instead uses the default of 0. |
92859 | Riverbed EX-385 WiFi configuration is not pushed. The fix is to update the WLAN configuration function to read the entire line, because there was a space in the model name. |
92918 | Deleting an NTP server that is not enabled may cause vmod to restart. |
93020 | Fragmented IPv4 packets over GRE tunnels might be dropped, because the inner fragments in the IO thread were parsed and load balancing was done based on the inner IP tuple to the worker thread. This process caused incorrect anchoring of the GRE tunnel with the inner fragmented IP packet and, eventually, IP reassembly failure. |
93131 | ICMP error packets did not include the correct checksum of the original IP packet in the ICMP payload. |
93295 | Avoid sending kernel NIC interface alarms to both alarms and alarm_local when we trigger a WAN internet speed test. |
93535 | When a VOS device is in full proxy mode, the connection for the VOS device acting as the TLS server is completed before the VOS device acting as the TLS client. If the server phase connection setup fails, the session handle within the SSL session is accessed to close the NFP session, which may cause a service restart. |
93755 | The disk size and available disk space should exclude the NFS and TMPS filesystems. Not doing so gives incorrect file sizes. |
94232 | When selecting a path based on load-balancing credits assigned to the paths, the VOS software iterates through the list of paths. The iteration may have to be done more than once if all paths run out of credits. In one case, this loop was being asserted incorrectly, causing it to never terminate and triggering a service restart. |
94241 | The captive portal module does not free the packet buffer during an error condition, causing a slow leak of the packet buffer. |
94511 | Increase the SNMP transaction timeout in the versa-vmod process to avoid a timeout that was occurring during a high load of parallel transactions. |
94607 | VRRPv6 configured in physical MAC mode sometimes sends a router advertisement packet with the virtual MAC address instead of the physical MAC address. |
94620 | Service load alarms, under System > Appliance Anomalies, have been optimized to trigger a count increment only when a worker hits 600 seconds consistently above 85 percent. If the worker thread continues to be busy after 10 minutes, with a 5 percent increment in the worker CPU utilization variable, the count is incremented again. You can configure these values in the alarms section. |
94698 | The priv-run binary file permissions may not be set correctly during package installation. This issue has been fixed. |
94959 | The use of the routing-instance option for the mtr command does not work. This issue has been fixed. |
94960 | When you enabled a uCPE or hypervisor on the VOS device, incorrect versions of the Debian packages might be installed. |
96683 | Consider network-control traffic forward loss ratio for management traffic path selection when management traffic priorities are configured. |
Fixed Bugs in Release 22.1.2
The following table lists the critical and major defects that were fixed in Release 22.1.2.
Bug ID | Summary |
---|---|
42744 | Add a configuration option to bypass external TACACS+ authentication when logging in from console. |
64705 | Fix vulnerability of possible command injection over Netconf interface. |
81781 | Application monitor HTTP ping may fail to some sites because of an incorrect or a malformed HTTP header. |
82335 | Increase the number of custom user-defined URL categories from 256 to 512. |
84590 | When you issue a vsh stop command on a VOS device running Ubuntu 18.04 (Bionic), Linux interfaces may not be deleted properly, causing improper resource reclamation. |
84684 | Add a fix to force the monitor to the Down state if you delete the monitoring organization from the local organization list. |
85402 | When you turn on debug packet tracing for IPv6 packets, a service restart may occur. |
90415 | On VOS nodes on which SD-WAN tunnels flap frequently, the system may restart because of incorrect reference-counting of the interface object, which may eventually lead to a system crash. |
91319 | Fix a situation in which the monitor group may not be processed from the waitlist, causing the monitor to be placed in an inactive state. |
92120 | When the search domain format received from DHCP is invalid, the program updating the DNS resolver configuration file may restart, and an update then fails for the specific routing instance. |
93457 | Fix for dynamically updating the IPsec profile CA chains, which takes effect during the Versa services process. |
94008 | SD-WAN routes may not be installed in the LAN-VRF. |
94959 | Add support for specifying a routing instance in the mytraceroute (mtr) command. |
94986 | When you configure active standby mode and information validation for high availability, Port 5556 may be reported as being open. |
94999 | The rate of ARP processing was a global limit, but it is now a per-interface limit. |
95429 | Add enhancements for MS Windows and Aruba uCPE images when the VOS device is the hypervisor. |
95668 | Incorrect username ID is sent in the accounting logs (TACACS+), so the VOS device uses the last logged-in user in the logs instead of the actual user. |
95698 | With a blanket DDoS rule, a memory leak may occur in the ITC infrastructure. Optimization has been done to bundle the DDoS reports from each worker thread to a collector, to improve efficiency, thus reducing the number of ITCs a control thread must handle from each worker thread. |
95846 | If you reboot a device, automatic update of SPacks may not be triggered during the configured time interval. |
95933 | DDoS alarms are sent in spite of the block-unit duration. |
96050 | SNMP ifSpeed values are wrong for logical interfaces, and the physical interface speed is being returned instead. |
96164 | Erasing the running configuration does not clean up non-system users. |
96193 | Fix for VOS reporting incorrect username in secure access statistics log to Analytics. |
96300 | Fix a rare case in which static route ICMP probes stop sending probes after some time. |
96489 | TCP port 2024 on VOS devices running Ubuntu 18.04 is open, while on VOS devices running Ubuntu 14.04 this port is closed. |
96774 | Fix a vulnerability in which aaauser and aaaadmin cannot log in with the default credentials, because the DenyUser configuration is missing in the /etc/ssh/sshd_config directory. |
97089 | SLA probes are sent to the gateway of the cold standby interface even if the local interface on the VOS device is operationally down. |
97182 | Not all sdwan-datapath-sla-not-met alerts are cleared, because only one is cleared. |
97279 | Add an alarm when ARP packet thresholds are exceeded. |
97298 | In an active–standby VOS topology, fix an issue in which the session lookup failed on the standby VOS device during a session modify that triggered a service restart of the standby VOS device. |
97419 | Enhance the monitor alarms so that regardless of the monitor state, a monitor up alarm is sent when the device boots. This action is needed to clear any down alarms sent before the reboot. |
97477 | kni interfaces used for tcpdump are not cleaned up if a session in which tcpdump is active is abruptly closed without gracefully terminating the tcpdump. |
97708 | The show forwarding-table CLI command does not progress correctly, because confd expects the prefixes to be in ascending order for length comparison. |
97865 | Fix an issue in which the PPPoE link does not come up after a service restart if the physical interface has multiple VLANs in different routing instances. |
97909 | For a large configuration, FQDN resolution from addrmgr may be received before the application monitor configuration is received from vmod. Add a check to prevent monitor registration with RFM if the monitor type is invalid (which indicates a pending configuration). A side effect of this issue is a service restart. |
97964 | Earlier versions of the VOS software did not clean up tap interfaces when services were stopped, so the kernel complained about the tap interface being referenced. With this fix, the tap interfaces are cleaned up during a software upgrade, before the installation of a new VOS software version. |
97965 | The show orgs org tenant sdwan sla status command may time out because the Versa service is busy, and as a result the next command triggers a service restart. |
98075 | When updating the CA chain in a tunnel object and the CA chain data is empty, add a check that causes a service restart. |
98173 | The wget CLI command fails to fetch a file if the URL includes a question mark (?). |
98183 | For an HTTP-based session, if the URL is not present in the session, the AppID classification remains in the Pending state. |
Fixed Bugs in Release 22.1.3
The following table lists the critical and major defects that were fixed in Release 22.1.3.
Bug ID | Summary |
---|---|
62369 | The commit error “Please configure base objects like org with name global” sometimes displays when an earlier configuration commit attempt fails. The failed commit triggers an accidental deletion in the backend of some necessary configuration. |
73518 |
A crash may happen in the routing configuration processing daemon when you commit multiple additions and deletions of terms in prefix lists at the same time that you move terms in routing peer policies that refer to these prefix lists. This issue has been fixed. |
86424 |
Ignore incomplete configuration reprocessing at Versa services, which is triggered by multiple sequential Versa service restarts. |
88921 |
A crash may occur in the routing daemon when you use BFD with BGP when BGP is also configured with graceful restart. This issue has been fixed. |
90954 |
When an appliance receives the same prefix through BGP in the control VR as the aggregate route configured in the LAN VRF, the BGP prefix was preferred compared to the local aggregate route. With this fix, the default preference (admin distance) of aggregate route is now better than BGP route preference as part of the fix. Also, you can now configure the preference of the aggregate route. |
93366 |
Add support to send the NAS IP address and NAS identifier to RADIUS server access in a WLAN configuration |
93471 |
In Releases 20.2.x, if EVPN was not configured, it is not explicitly disabled. In Releases 21.2.2 and later, when you upgrade from Release 20.2.x, EVPN is explicitly disabled. This change was made to prevent the backend from sending an update to a remote non-VOS firewall that causes BGP to stay in the Connect state. |
94511 |
If a large number of SNMP traps or informs are generated, the VMOD process cannot read the worker socket and Confd closes the connection, causing the VMOD process to restart. |
94514 |
When TCP optimization is enabled, the client TCP is already in the remote closed state, and the local device receives a SYN-ACK packet from the server, Versa services restart. When processing the SYN-ACK packet, the local device finds that the client side has already closed, and it calls a specific API call to close the connection and propagate the Rclose event in the rest of the service chain. |
95073 |
When you enable the BGP announce-remote option in a Versa-private TLV, the site information in the Versa service process can potentially grow larger than 65535 bytes, resulting in service restart. This issue has been fixed. |
97016 |
Incorrect application identification results in sessions being identified as DNS for some applications when DNS proxy is configured. This issue has been fixed. |
97143 |
Improve IP lease assignment time, perform an ARP/ICMP check for IP renewals, and clean up stale lease files during the DHCP process restart. |
97620 |
Add a commit check to disallow specifying a named PTVI interface in a VPN profile of type branch-prestaging. |
97965 |
show arp command timeout was not handled gracefully resulting in the Versa interface manager restarting. |
98108 | Optimize the packet replication and FEC reorder buffer to make efficient use of available buffer space and minimize packet drops. Also, in a corner case, initialization of the FEC reorder buffer caused an issue in which invalid memory was accessed, resulting in a services process crash. |
98170 |
The interchassis HA sync alarm is not get cleared after the nodes are back in sync. |
98441 |
When a speed-test fails for any reason, the branch stops advertising any rate to its peers, including not advertising the configured advertised rate. This issue has been fixed |
98700 |
When the Versa service restarts, the VMOD service may not fully come up, causing port 2022 to remain in a blocked state. |
98893 |
Add the ability to send an explicitly defined subnet mask per pool and the ability to explicitly define the gateways to send in the DHCP Offer. |
99341 |
For RAC RAS, when multiple tunnels are behind same public IP or WAN IP, Versa services may restart. This issue has been fixed. |
99377 |
The previous limit of 500 entries fetched from LDAP has been changed. LDAP can now fetch an unlimited number of entries. |
99517 |
Static routes installed using IPSec as the next hop are not removed from the routing table when the IPSec tunnel goes down. |
99606 | SNMP polling for ARP when there are over 256 VNI interfaces with unit configured may have empty responses. |
99674 | CSG7xx appliances are experiencing an issue with PoE reset, resulting in a delay in power delivery following a system reset or reboot because of a stuck PoE reset command. |
99725 | LTE modem manager package fixes in VOS devices running Bionic to avoid LTE flaps. |
99747 | Fix the iptable rule addition on VOS devices for Azure WALinuxAgent so that the backup operation on Azure can function correctly. |
99776 | The routing process (RTD) restarts when you delete an organization. |
99804 | Optimize and reduce the downtime experienced when a hub–controller is involved when a failover occurs on an active–active, remote spoke. |
99910 | The results of the speed test, especially for VSAT links whose bandwidth is less than 2 Mbps, were unreliable. This issue has been fixed. |
100054 | VMOD process restarts when you delete an organization. This issue has been fixed. |
100389 | Provide configuration options to change the mem-quantum for TCP optimization. |
100589 | DIA next-hop load-balancing does not work correctly when all the WAN circuits flap at the same time. |
100652 | DSCP rewrite does not work when the traffic uses DNAT or static NAT. |
100681 | When a session context async operation is in progress for server–client sessions, Versa services may restart. |
100694 | When routing services are processing a monitor event, a service loop may occur. This issue has been fixed. |
100770 | Optimizations to per-packet load balancing for TCP traffic using high varying latency links. |
100780 | Issuing the show orgs org tenant-name sd-wan bw-measurement status CLI command may cause a service restart. This issue has been fixed. |
100816 | After a user has been logged out for more than 10 minutes, accounting logs may be sent to the remote TACACS servers. This issue has been fixed. |
100851 | If the peer is specified using a FQDN, if the FQDN resolves to multiple IPv4 addresses, and if the first IP address is not reachable, a site-to-site IPsec tunnel may not be set up correctly. |
100884 | If a VOS device is disconnected from the Director node for more than 7 days and the license expired on the VOS device, license restrictions are applied. If the Director node reconnects and the Netconf connection locks the configuration database because a configuration is being pushed to the device, the VMOD/configuration module cannot remove the restrictions, because the configuration database is locked by another session. |
100905 | Address a service restart by adding checks for invalid packet length manipulation operations in SD-WAN and IPsec. |
101445 | Clean up partially downloaded SPacks in the VOS device's download directory. |
101455 | When BGP session between a hub–controller and a branch goes down, the route becomes stale and becomes preferred because it has better local preference and AS paths, and the SLA stays up. This causes issues when the branch restarts. |
101560 | PIM Register messages are sent to the RP even if the SD-WAN device is not the first-hop router in multicast distribution tree. |
101572 | When a VOS device is functioning as DHCP relay, a server can send more than one response packet as the DHCP Offer packet. The fix is to remove the restriction on how many Offer packets to forward. |
101677 | CoS statistics for PPPoE based interface were not reported. |
101715 | Memory leak observed in the ip2usr process. |
101792 | In some cases, especially with VSAT links, the measured bandwidth can really be low and that results in applying a very low shaping rate on the remote branch. This also causes the speed test to fail in the next runs, and then the low shaping value is applied permanently, impairing the operation of the link. The minimum input rate value should be enforced to ensure that the shaper applied on the remote site does not go below this value, to ensure that the link is usable. |
101820 | When you delete and add WAN links in the same commit, the SLA path may stay in the Init/Absent state. |
101848 | Speed test on an AWS VOS instance is not triggered and shows an error because of incorrect reporting of the link speeds. |
101886 | When you change a configuration and an FEC parity packet carrying the new configuration is received out of order and exceeds the holding buffer limit, the holding buffer may reinitialize incorrectly, causing the Versa services process to crash. This issue has been fixed. |
101887 | DHCP Offer sends an incorrect packet (without END option 255) when Option 81 (FQDN) is requested. This issue has been fixed. |
101898 | Advantech V510 FWA-2320 LCD panel displays unreadable text on a VOS Bionic device. |
101964 | Next-hop monitor status changes from Up to Down when you attach the monitor to an SD-WAN forwarding profile. |
101988 | The maximum length of site name referenced in the monitor next hop has been changed from 31 characters to 127 characters. |
102030 | When the path tags list in the forwarding profile circuit priorities has multiple paths containing any (wildcard), the second and subsequent match might fail, leading to the incorrect assignment of priority to paths. This issue has been fixed. |
102054 | The current time maintained in the Versa service process (vsmd) may drift over a period of time. When the drift accumulates to over 5 minutes, time-based OTP (TOTP) for SASE client login may fail, reporting a false negative error about the incorrect TOTP. |
102213 | The Avoid option in SD-WAN forwarding profiles does not take effect for unmatched priorities. |
102361 | When TCP optimization is enabled and the first packet of a session matches an SD-WAN rule, when the policy is re-evaluated based on application or URL category identification, the session now matches a rule whose action is to bypass TCP optimization. As a result, the TCP optimization module fails to correctly reset TCP optimization state for the session, and Versa services restart. This issue has been fixed. |
102362 | When the maximum number of tenants is configured as 255, an internal construct is not updated to forward data traffic correctly. This issue has been fixed. |
102386 | After you enable secure mode, operator external users are unable to issue show alarms CLI commands, and they receive a permission denied error. This issue has been fixed. |
102470 | Gracefully handle invalid responses from cloud URL lookup queries. |
102571 | CPU temperature is reported incorrectly for AMD CPU-based Dell R7515 systems. This issue has been fixed. |
102618 | When the routing peer policy term is updated to refer to a new prefix list, the older entries in the backend are not cleaned up correctly. |
102759 | Add a null check to prevent the Versa services from restarting when you detach a splicer in TCP optimization. |
102988 | The system was trying to increment session level statistics for packets from host-initiated IPsec packets. This should not be occurring, because it is a host-generated control packet and does not have a session associated with it. As a result, the Versa services restart. Now, the packet type is validated before accessing the session. |
103085 | A leak may occur in the host receive path for the Versa NAT Binding protocol (VBP). In a transport where the incoming VBP tunnel packets are fragmented, there was an issue with packet buffer chaining, where the first packet buffer segment memory was not freed correctly. |
103191 | On FWA-1010VC appliances, the gpio-mdio driver may not be loaded for Bionic, which may cause an invalid link status for the vni-0/2 switch port. |
103237 | When you remove the power supply cable from an Advantech FWA-5020 appliance, the PSU alarm is not triggered. |
103436 | Forward proxy inspection may trigger a Versa services restart. This issue has been fixed. |
103555 | When DHCP ping settings are set, stale ARP entries in the routing name space must be ignored and then the ping should be initiated. |
103746 | Limit the number of multicast resolve route and PIM assert notifications sent to the control thread from the data threads to avoid overwhelming the control thread and causing high memory utilization. |
103835 | For a CoS configuration, when you enable LEF logging on a PPPoE interface, the Versa services process may get stuck in a loop. This issue has been fixed. |
Fixed Bugs in Release 22.1.4
The following table lists the critical and major defects that were fixed in Release 22.1.4.
Bug ID | Summary |
---|---|
107261, 107302 | 25 Gig links do not come up between CSX8300 and CSX4500 devices. 10 Gig links do not come up between CSX4X00 and CSG2500 devices. |
102744, 102745 | Optimized the throughput/speed over TLS/DTLS based VPN. |
111561 | Sessions which get closed before being assigned to a policy are not logged. This has been fixed. |
111220 | Add a preventive check to ensure invalid lengths (less than 64B) are not supplied to the port for transmission. |
111126 | SPack downgrade from 2173/2175 was causing a service restart. |
110864 | When tcpdump is triggered on two different interfaces simultaneously and later stopped on one of the interfaces, the other tcpdump stops receiving packets. This has been fixed. |
110859 | SRIOV VLAN tagging support for the i350 NIC has been fixed. |
110825 | Add a utility to control strict checks on TCPDUMP filter metacharacters: vsh tcpdump-strict enable/disable. |
110688 | When SSL Client Hello packets arrive as fragmented packets and if they arrive out of order, VOS would process them incorrectly, leading to the web connection not going through. |
110638 | Disable SLA for all paths between Active-Active paired sites. |
110585 | Upgrade to Release 22.1.3 of VOS in Azure would cause the services to not come up. |
110527 | Software tweaks to better manage storage on devices with smaller disk size (< 32GB). |
110334 | Software upgrades on security hardened VOS instances were not successful. |
110287 | Depending on which end of the IPsec tunnel triggers an IKE re-key event, the security association does not get re-established, leading to the tunnel remaining in operationally down state. |
110269 | Fixed DHCP Relay process to pick the incoming interface IP address as the source IP address to forward DHCP packets. |
110267 | Upgrade Bionic kernel to 5.4.0-181 to address reported vulnerabilities. |
110202 | Administrative state of eth-0/0 interface shows as ‘down’ in the CLI show command; this was only a display issue. |
110040 | Fixed an issue where CSG5000 devices reboot when Versa services are stopped or restarted. |
109907 | Fixed a service restart issue with site-to-site IPsec module, where the policy context is already freed up, but the rule is not mapped to a correct tunnel-ID, which leads to a service restart. |
109663 | Addressed a Versa service restart by changing the maximum length of the array to 40, since there can be a maximum of 40 bytes of TCP options. |
109604 | A slow packet buffer leak was observed when File Filtering and Anti-Virus are both configured, and File Filtering drops the first packet and Anti-Virus has TCP splicing enabled. |
109513 | Disabled TPM1.2 on CSX4300, 4500, 8300, 8500 to improve switch performance. |
109508 | Unable to configure the shaping rate to a value equal to the link rate for 10G interfaces. |
108997 | When an LDAP certificate is updated, the configuration in the LDA-Profile is not updated. The certificate path remains the same, but only the certificate gets updated. |
108967 | For VIRTIO interfaces where the speed is not negotiated, software will now default to 10G speed for other features like shaping and bandwidth measurement to function as expected. |
108855 | In the file filtering module, there is a defect where an uninitialized data structure is being accessed, leading to Versa service restart. The data structure is not initialized during some error conditions. The software fix is to handle these errors gracefully. |
108843 | Versa VMOD process restarts if the Host record standard MIB is requested with an invalid index. |
108776 | High availability IP-SLA monitors may stay in the 'Unknown' state during service start. |
108678 | Traffic does not resume post Layer-2 interface flap in a bridge-domain. |
108291 | When a BGP peer policy term's match configuration with extended community is modified to match based on community, then the match condition will fail. |
108278 | Fix a slow memory leak in the SSL decryption module. |
108200 | A "show arp kernel all" command issued while an SNMP walk also fetching ARP was in progress caused the Versa interface manager to restart. |
107940 | Fixed a Versa process restart when APM is enabled for Layer-2 based sessions. |
107926 | Drop SNMP requests during service start/initialization to enable faster service start time. |
107672 | Fixed an issue where IXGBE-based 10 Gig SFPs on VEP-14X5 stay down, post upgrade to 22.1.3-Bionic. |
107668 | Disable QAT for Rangeley-based C2XXX processors to avoid QAT stalling, which can cause the tunnels in the branches to go down. |
107586 | Fixed a Content Security Policy (CSP) vulnerability. |
107515 | Fixed an issue with LEF primary collector configuration. |
107461 | Unable to ping the nexthop of a PPPoE interface. |
107316 | The internal tracking file (that governs SSH key regeneration) for Ubuntu Bionic was incorrect (due to change in format of "ifconfig" between Ubuntu Trusty vs Bionic). This is fixed. |
107158 | Optimize versa-DHCPd process for supporting a larger number of routing instances and interfaces. |
106832 | The grace period for subjugation check has been changed from 7 days to 14 days. |
106668 | Optimize TPM operations by not decrypting private keys multiple times if multiple configuration objects are referring to the same key. |
106596 | When a transaction paused, some packet buffers were not properly released, causing the Versa services to restart when trying to process them again. To fix this, we release all header packet buffers when holding packet buffers, ensuring they are cleared correctly. |
106591 | Fixed an Interface Manager restart issue triggered by a memory corruption. |
106461 | Addressed a memory leak in EIP ITCs that caused the Versa services to eventually restart when the device runs out of memory. |
106221 | When creating 2 uCPEs with exclusive CPU core pinning, the cores were incorrectly assigned. Fixed it to map unique CPUs for the hosts and make it persistent upon reboots. |
106201 | Fixed an issue with bandwidth reporting in interface utilization logs to Analytics. |
106103 | This performance optimization opts out SSL-VPN service for a session that is deemed to be non-VPN. Prior to this fix, the VPN module would receive the packet but not process it. With this fix, the infrastructure will not deliver the packet to the module once an opt-out is indicated by the SSL-VPN service. |
106067 | Send an explicit delete message to notify clients when VRRP groups are deleted either directly or by deleting the interface configuration. This is to differentiate between interface shut (INIT) state and delete to notify clients like Versa routing process to take different actions. |
105936 | Versa services restart after triggering the "request clear statistics class-of-service interface-policer all". Fixed by adding a NULL check in the clearing interface policer. |
105891 | Fixed an invalid assertion encountered during the processing of selective acknowledgement packets which was triggering a Versa service restart. |
105838 | Added the ability to display organization-specific bandwidth utilization using the command "show interfaces info <Tenant-Name>", if reference-bandwidth is configured under SD-WAN site WAN interfaces of the tenant. |
105713 | Flow start/end milliseconds for security flow logs is getting the incorrect Epoch time. |
105654 | Upgraded VOS custom-kernel to 5.4.0-170. |
105581 | Fixed an issue where the Versa interface process gets restarted when running the "show interface brief" command. This issue can occur when eth0 is configured on the VOS and interface is set to DHCP but there is no DHCP server to hand out an IP address. |
105413 | Force re-program the Scheduler Mapping when mapped to a tunnel interface. A configuration change was not taking effect immediately when adaptive shaping is configured. |
105411 | Restore Path MTU values for SD-WAN topology to the same values as earlier versions of software. |
105368 | ICMP error packets received in response to broadcast or multicast packets were processed. Now such packets will be dropped. |
105366 | If SD-WAN-TE is enabled in the configuration, but the nexthop may not be present in transient scenarios, ensure we do not overwrite the forwarding interface object, which may cause a Versa service restart downstream. |
105363 | Rate-limit SNMP packets to 100/second to protect the ConfD process. |
105289 | Memory leak observed in versa-rfd process when active-standby configuration and HA monitors are configured. |
105255 | A race condition during tenant deletion causes messages to be delivered out of order to the versa-service process. The out-of-order messages cause an irrecoverable condition leading versa-service process to restart. |
105166 | With secure-mode enabled, increase the monit start from 30 seconds to 60 seconds for high-end appliances and 240 seconds for all other appliances. |
105164 | On low-end Atom CPU-based devices, QAT stalls and IPsec crypto calls fail. This is observed after the upgrade to the 22.1.3 GA image after a few days of activity. |
105082 | When the length of the BGP message for the versa-private specific route crosses 65K of length, this causes Versa services to restart on the Controller. This applies only when SD-WAN-TE is enabled. |
104972 | Fixed/enhanced the KMS server use case to not use locally generated keys in case reachability to the external KMS server is down and instead continue to use the keys provided by the KMS until the external server service is restored. |
104830 | With the tunnel-less header compression feature, and FEC/Replication enabled, IPv6 traffic is getting dropped sporadically. |
104758 | A regression issue was introduced in which, during an upgrade from an earlier version, the routing process would restart. This issue would be observed only if BGP is configured for peering with IPv6 neighbors. |
104663 | Fixed an issue where DLP and IP-Filtering policies were enabled. The application final event was being processed first by DLP and then by IP filtering. DLP would hold and then un-hold the packet while processing the event. IP filtering was trying to reset the session after DLP had finished processing the event, which resulted in the Versa service restart. |
104646 | On the Controller, a flood of notifications to be sent to the Director during service start caused the control and management path to be paused for 2-3 seconds, since the confd was not able to schedule and drain the socket, while the Interface Manager daemon was pushing data continuously. |
104600 | Fixed the interface ordering to sort alphabetically, use vni-0/0 first for URL-ZTP, and then move to vni-0/2 in case ping test fails on vni-0/0. |
104565 | Fixed an issue where Versa services restart due to an access to a null pointer. Set the NAT flag only when a CGNAT flow is present. |
104503 | Optimize the memory usage for firewall rule configuration on a multi-tenant setup. |
104468 | The NTP process would run on high CPU when a different NTP server FQDN resolves to the same IP address. |
103497, 104402 | Fixed an issue where if versa-versable "Bluetooth" is disabled, Versa services in the Director GUI shows as degraded. The "show system status" VOS command should not show versa-versable in the stopped state, in case Bluetooth is disabled. |
104358 | Use the if-index in vIfAddrEntry polling in the VERSA-IF MIB. This makes the vIfAddrEntry and vIfEntry consistent. The index used in the vIfAddrEntry used to be a running serial number, now it will be an interface index; the resulting key will be "vIfIndex vIfName vIfAddress" now. |
104321 | Fixed an issue for email-based OTP related to VSA users. |
104292 | Fixed an issue with URL ZTP taking longer than expected to onboard an appliance. |
104279 | Fixed an issue with cloud instances not showing the vni interfaces after upgrading to 22.1.3-GA build. |
103922 | Optimized the IPsec code to not trigger a service restart, when 100+ branches try to connect to the controller with an authentication failure. |
103908 | Optimize TPM private key decrypt calls. Instead of calling the TPM private key decrypt every time an OCSP request is made, the TPM private key decrypt call is made only once, and the private key is cached and used for subsequent calls. This reduces repeated calls to TPM, overloading the CERTD daemon. If the private key changes, then the cache is updated. |
103596 | Fixed an issue with interface policer for fragmented packets. |
103403 | Fix the DHCP Relay functionality to not forward the DHCP Offer to a client as a Layer-3 broadcast when the broadcast bit of BootP is not set, implying unicast. |
102799 | Fix to send some secure access logs from VSM control thread/worker thread instead of IPsec control thread. |
102698 | DHCP lease sync channel is used to exchange DHCP lease database between peers which is carried over a TCP sync channel. If reset is received from the peer over the sync channel or if the sync channel is closed due to a network issue (interface down, etc.), then the TCP connection is closed and reinitiated after a small wait time (typically 2 seconds). The Sync channel is also closed if an HA configuration (or a DHCP-lease-sync configuration) is deleted from the appliance. In a corner case scenario, if a configuration delete event is received during sync channel reinit wait time (as explained above), the configuration cleanup also initiates sync channel close sequence, which resulted in an assert/crash (since the channel is already closed due to error). |
102316 | Added the ability to support header compression only when it is enabled at the Forwarding Profile besides the global knob. |
101398 | If there is no IKE server available or if the IKE server is disabled for a particular IP address or interface, any IKE packet coming to that IP address should not be passed to the IKE stack for processing. With this change, VOS drops the packet if no IKE server is enabled. |
100530 | Fixed an issue where the Versa SSPFD service is getting restarted. |
98493 | Do not use port-id 0 in LACP-PDU to follow the IEEE standards. |
95237 | Added better recoverability by fixing the system package state when there is an upgrade failure in case the VOS node is rolled back to a software version prior to 202302 release with the latest OS SPack (any OS SPack released after 202302). |
94751 | Increased the IPsec profile to include the WAN interface count from 10 to 15, for GZTP. |
89572 | ADC monitor with TCP Monitor to the LEF is creating a stale connection with an unknown tenant. Fixed this by adding a check on the VOS/Controller. |
86705 | Added an enhancement to support 8 traffic classes for the hardware-based egress shaper/schedulers in CSG5000. |
85942 | Fixed a service restart by disabling cache usage of the RAC zone lookup (SASE) and performing the filter lookup each time. |
84303 | This fix addresses the requirements of supporting ECDSA signatures in IKEv2 negotiations. We now support ECDSA certificate authentication for P-224, P-256, and P-384 curves. |
81255 | Enhanced SLAs from the cross-connect. Bypass re-evaluation for reverse flow packets in policy engine. For any catastrophic changes in the CGNAT module, drop the reverse flow packets. |
80035 | The MAC-addresses column width was not aligned properly with the VOS CLI show command. |
74395 | Increased the burst factor to 1 second from 5ms on the Control Plane Protection [CoPP] in the backend. |
52503 | Fixed an issue with /etc/network/interfaces incorrectly having the DOS file-format when upgrading from VOS Release 21.X to VOS Release 22.1. |
Limitations and Behavior Changes
The following are the limitations and behavior changes in Release 22.1:
- When you configure WAN interfaces, you can configure the interface priority to be a value from 1 through 15. Previously, the maximum priority value was 8. See Configure Basic Features.
- QAT is disabled for some low-end devices, such as C2xxx CPU-based devices.
- The following VOS features are not supported on LAN Ethernet (enet) interfaces:
  - Anycast gateway IP address
  - ARP suppression
  - Bridge-domain-level MAC age timer. This configuration is a systemwide configuration.
  - EVPN Type-5 symmetric IRB
  - Layer 3 multicast
  - MPLS-based VPN
- The following are the QoS limitations for 100-Gbps interfaces on CSG5000 and Dell R7515 platforms:
  - No support for aggregate IFD shaping, that is, for all traffic classes together egressing on an IFD/port.
  - Eight transmit-side scaling queues (TSS) per real CoS queue. This limits the number of pollers that can be used for Tx shaping to 8 Tx pollers.
  - No support for pipe or IFL level shaping, adaptive shaping, multiple queues per-TC, tenant shaping, or WRED dropping.
  - No support for dynamic update to the shaper rates. As a result, any configuration changes to shaping parameters for a port result in the deletion of the topology and reconstruction, which disrupts all traffic egressing on that port.
  - The framing (FCS and so forth) overheads are not accounted for by the driver, which results in the observed actual shape rate being higher by 2 to 10 percent, depending on packet sizes.
- A VOS device running Release 22.1 and that has more than eight WAN interfaces cannot communicate with a VOS device running a software version earlier than Release 22.1 (for example, Release 21.2.3).
- For Versa Networks appliances that have NPU switching hardware, if you enable ARP suppression on a specific bridge domain, it is enabled for all bridge domains.
- Data Loss Prevention (DLP), Application Reverse Proxy does not work when the Cloud Lookup feature is enabled for URL and IP reputation.
- If you configured tenant shaper on VOS nodes running Release 21.2, connectivity issues may arise with new or existing branches running Release 22.1.X. To avoid these issues, you can either disable tenant shaper until all nodes are upgraded or upgrade the remote 22.1.X node to a hotfix image released on or after October 22, 2024.
- It is recommended that you upgrade both the paired sites to VOS Release 22.1.2 or later. If the paired sites are running a combination of VOS Release 22.x and 21.x, traffic may not be queued in the correct forwarding class when using a cross-connect link. For example, if HA Site-1 is running VOS Release 22.1.x and HA Site-2 is running Release 21.2.x, traffic egressing from the HA Site-1 to a remote branch running VOS Release 22.1.x using the cross-connect of HA Site-2, may face this issue.
Request Technical Support
To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.
Revision History
Revision 1—Release 22.1.1, May 5, 2023
Revision 2—Release 22.1.2, July 31, 2023
Revision 3—Release 22.1.3, December 30, 2023
Revision 4—Release 22.1.4, July 1, 2024