Versa Networks

Versa Operating System (VOS) Release Notes for Release 22.1

These release notes describe features, enhancements, fixes, known issues, and limitations in the Release 22.1 Versa Operating System™ (VOS™) software, for Releases 22.1.1 through 22.1.4. Release 22.1.1 and later are generally available (GA) releases and are supported for use in production networks.

July 1, 2024
Revision 4

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install the VOS Software

You can install the VOS software on a standard Intel server or as a virtual machine (VM) based on ESXi or KVM. For installation instructions, see the Deployment and Initial Configuration articles.

Note: Releases 22.1 and later support only Ubuntu 18.04. For any VOS devices running Ubuntu 14.04 (Trusty), you must upgrade them to Ubuntu 18.04 (Bionic) before you can use Releases 22.1 and later. For more information, see Upgrade Versa Networks Operating System to Ubuntu 18.04.

Versa Networks provides the following versions of the VOS software for systems running Ubuntu 18.04:

  • *-B-wsm.bin—Install this image on physical CPE branch devices that use the Atom-based processor.
  • *-.B-bin—Install this image on all VMs and high-end CPEs and on bare-metal servers with Xeon or later classes of CPU.
  • *-B-lite.wsm.bin—Install this image on Versa ARM CPU–based wireless access points (APs) and on Intel Atom-based two-core and four-core CPU-based Versa CSG350 and CSG730 appliances and others with up to 4GB of RAM. 

Upgrade to Release 22.1

Note: Starting with VOS 22.1.4, strict SSL certificate checks are enforced for LDAP server communication. Ensure that your certificates have valid certificate authorities (CAs) for uninterrupted service. Before upgrading, download the "validate_ca_chains_for_ldap.sh" script and run it from the VOS shell to verify the SSL certificates. This proactive step prevents issues during and after the upgrade, ensuring smooth LDAP authentication. The shell script is available from the software download portal. For more information about valid CA certificates, see https://datatracker.ietf.org/doc/html/rfc5280.
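The following shell functions are an added example, not Versa's validate_ca_chains_for_ldap.sh script and not code from these release notes. They show the kind of RFC 5280 chain check worth running against an LDAP server certificate before the upgrade. The exact checks that VOS enforces are not listed here, so the two tests (every bundle certificate asserts CA:TRUE, and the server certificate validates against the bundle) are assumptions; all certificates, file names, and CN values are constructed, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example: sanity-check an LDAP server certificate chain with openssl.
# Function names, file names and certificates are constructed for the demo.

# check_ldap_ca_chain CA_BUNDLE SERVER_CERT
# Returns 0 only if every certificate in CA_BUNDLE asserts CA:TRUE and
# SERVER_CERT validates against CA_BUNDLE (openssl's RFC 5280 path validation).
check_ldap_ca_chain() {
    bundle=$1; server=$2
    tmp=$(mktemp -d) || return 2
    # Split the PEM bundle into one file per certificate.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
                     n {print > (d "/ca" n ".pem")}' "$bundle"
    rc=0
    for c in "$tmp"/ca*.pem; do
        [ -f "$c" ] || { echo "no certificates found in $bundle"; rc=1; break; }
        # A certificate used as an issuer must carry basicConstraints CA:TRUE.
        if ! openssl x509 -in "$c" -noout -text | grep -q 'CA:TRUE'; then
            echo "not a CA certificate: $(openssl x509 -in "$c" -noout -subject)"
            rc=1
        fi
    done
    # Full path validation: signatures, validity dates, issuer constraints.
    if ! openssl verify -CAfile "$bundle" "$server" >/dev/null 2>&1; then
        echo "chain does not validate: $server"
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# make_demo_pki DIR
# Builds two constructed PKIs in DIR: "ok" (root with CA:TRUE) and "bad"
# (self-signed issuer with CA:FALSE), each signing a server certificate.
make_demo_pki() {
    d=$1
    cat > "$d/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed
[ca_ok]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_bad]
basicConstraints = critical,CA:FALSE
EOF
    for kind in ok bad; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -config "$d/openssl.cnf" -extensions "ca_$kind" \
            -subj "/CN=Constructed $kind CA" \
            -keyout "$d/$kind-ca.key" -out "$d/$kind-ca.pem" 2>/dev/null || return 1
        openssl req -new -newkey rsa:2048 -nodes -config "$d/openssl.cnf" \
            -subj "/CN=ldap.example.test" \
            -keyout "$d/$kind-ldap.key" -out "$d/$kind-ldap.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$kind-ldap.csr" -days 30 \
            -CA "$d/$kind-ca.pem" -CAkey "$d/$kind-ca.key" -CAcreateserial \
            -out "$d/$kind-ldap.pem" 2>/dev/null || return 1
    done
}

# Demo run over the constructed certificates.
demo() {
    work=$(mktemp -d) || return 2
    make_demo_pki "$work" || { rm -rf "$work"; return 2; }
    check_ldap_ca_chain "$work/ok-ca.pem" "$work/ok-ldap.pem" \
        && echo "ok chain: passes"
    check_ldap_ca_chain "$work/bad-ca.pem" "$work/bad-ldap.pem" \
        || echo "bad chain: rejected"
    rm -rf "$work"
}
demo
```

To check a real deployment, pass check_ldap_ca_chain the CA bundle configured for LDAP and the certificate that the LDAP server presents.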

If you are upgrading from Release 20.2 to Release 22.1 or later on HA nodes and you have enabled information validation (info-valid) in the configuration of one or both HA nodes, you must disable the info-valid configuration before you perform the software upgrade. After the upgrade completes, you can re-enable the info-valid configuration.

To upgrade to Release 22.1 from the CLI:

  1. Ensure the current running package is present in the /home/versa/packages/ directory.
  2. Save the existing version of the configuration:
    admin@vnf-cli(config)% save /var/tmp/backup.cfg
    
    Note that if the premium version of the security package (SPack) is already installed on the VOS device, you must upgrade to Version 2057 or later before you upgrade the VOS device. To display the version of the installed SPack, issue the show security security-package information CLI command or, in the Versa Director monitor screen, view the security package information under Next-Gen Firewall.
  3. Copy the .bin package file to the /home/versa/packages/ directory on the VOS node. Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file to the /home/versa/packages directory:
    admin@vnf-cli> request system package fetch uri uri
    
  4. Install the new software package:
    admin@vnf-cli> request system package upgrade filename.bin
    
    Follow the prompts, and wait until the upgrade status shows that the upgrade is complete. Note that if a reboot is required during the upgrade process, the VOS device automatically reboots.
  5. Confirm that the new software has been installed:
    admin@vnf-cli> show system package-info
    

Downgrade the Software

To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the following command. This command restores the VOS device's configuration to the same state it was in just before the upgrade. Any configuration changes that you made since the upgrade are lost.

admin@vnf-cli> request system rollback to PRE-UPGRADE-1

Install a Software License for VOS Devices

A VOS device does not require a license if it is managed by Versa Director. If the VOS device is not subjugated to a functioning Versa Director, the software continues to operate after the initial trial period of 45 days. However, the number of data path sessions is limited to 30 sessions.

New Features

This section describes the new VOS device features in Release 22.1. All features are introduced in Release 22.1.1 unless otherwise noted.

Director GUI

  • Director GUI enhancements—The look and feel of the Director graphical user interface (GUI) have been updated. Wizards for initial site and VOS device configuration workflows have been added. Buttons have been added in the top menu bar to allow you to directly change the Versa Director view to Director view, Template view, or Appliance view. With the exception of these new features, the general behavior of the Director GUI, the organization of the screens, and the fields and buttons on the screens are unchanged.

Note: The screenshots in articles on the documentation portal show both the older GUI and the new GUI, so the screenshots you see on your Director node may not match what is shown in the documentation articles. Because the general behavior of the Director GUI, the organization of the screens, and the fields and buttons on the screens are unchanged, you will be able to use the information and procedures in the articles.

Hardware Platforms

  • Ethernet switches and hybrid platforms—The CSG3300 and CSG3500 appliances provide line-rate switching and high compute capacity for enterprise-grade routing. The CSX4300 and CSX4500 appliances are next-generation software-defined LAN (SD-LAN) edge and access layer appliances. See Hardware.
  • WAN edge platforms—The CSG5000 Series appliances deliver carrier-grade reliability, high performance, and high compute capacity for enterprise-grade routing. Support is also provided for Silicom Cordoba, Dell R7515-V2800, and Dell VEP1420N/VEP1420/VEP1420-LTE platforms for use as WAN edge devices.

Common and Platform Software

  • AES 128-GCM and AES 256-GCM encryption for IKE—You can configure AES 128-GCM and AES 256-GCM encryption for IKE. See Configure IPsec VPN Profiles.
  • Available servers for application delivery controller—When configuring an application delivery controller (ADC), you can set the minimum number of available ADC servers required for the server pool to be marked as Up. See Configure an Application Delivery Controller.
  • BGP local AS mode 5—You can configure BGP AS mode 5. See Configure Virtual Routers.
  • BGP SLA community action—You can configure BGP peer and peer group policy matches based on SLA parameters. See Configure Virtual Routers.
  • DHCP default route and subnet mask—(For Releases 22.1.3 and later.) When you configure an IP address pool, you can configure a default route and a subnet mask for the pool. See Configure DHCP.
  • DNS monitoring logs—You can configure traffic-monitoring policies to export DNS monitoring logs to Versa Analytics. See Configure Log Export Functionality.
  • Dynamic tenant configuration—(For Releases 22.1.3 and later.) For service templates, you can dynamically configure tenants. See Configure Basic Features and Configure the Versa Secure Access Service.
  • Field customization and soak time for alarm notifications—For alarm notifications, you can customize the content in the Message and SMS text fields, you can add additional customization in the Subject field, and you can configure the soak time condition. See Configure Notifications for Alarms.
  • Google Cloud Platform—You can use a cloud management system (CMS) connector in the Versa Director node to install, or instantiate, a Versa branch device on Google Cloud Platform. See Install on Google Cloud Platform.
  • GPS location tracking—For CSG700 series appliances, you can configure the Director node to track the GPS location of the device. See Configure Device Location Tracking.
  • GRE site-to-site tunnels—You can create secure IPsec tunnels and GRE tunnels between a VOS device and an AWS Transit Gateway that is registered to the AWS global network under the Network Manager. See Configure Site-to-Site Tunnels.
  • IKE fragment size—You can configure the IKE fragment size. See Configure IPsec VPN Profiles.
  • Ingress policers—(For Releases 22.1.3 and later.) You can configure policers on ingress interfaces. See Configure Organization Limits.
  • IPsec cipher key check—You can configure a VOS device to meet NIAP FCS_IPSEC_EXT.1.14 requirements by enabling the IPsec cipher key check option. Enabling the IPsec cipher key check affects the VOS device only when FIPS mode is enabled on the device. See Configure Service and Session Options.
  • IP SLA monitoring with FQDNs and with HTTP and HTTP raw monitor types—You can configure HTTP and HTTP raw monitor types, and you can monitor using FQDNs. See Configure IP SLA Monitor Objects.
  • IPv4 IPIP tunnels—You can configure IPv4 IPIP tunnels. See Configure Interfaces.
  • Logging enhancements—VOS devices support SASE web and DNS-monitoring logs. See Configure Log Export Functionality, Configure Log Collectors and Log Exporter Rules, Analytics Log Collector Log Types Overview, and Apply Log Export Functionality.
  • Maintenance mode—(For Releases 22.1.2 and later.) You can enable maintenance mode so that you can perform administrative tasks, such as upgrading a VOS device. Other routers are expected to route around a VOS device that is in maintenance mode. See Configure Maintenance Mode.
  • NAT64 and DNS64—You can configure NAT64 and DNS64. NAT64, defined in RFC 6146, provides a mechanism to translate IPv4 addresses to IPv6 addresses, and vice versa. DNS64, defined in RFC 6147, allows an IPv6-only client to initiate communication, by name, to an IPv4-only server. See Configure CGNAT.
  • OSPF sham links—You can configure OSPF sham links. See Configure Virtual Routers.
  • QoS support for 100-Gbps interfaces on CSG5000 and Dell R7515 platforms—CSG5000 series appliances and Dell R7515 devices support hardware-based egress class of service (CoS) and shaping for Intel E810-based adapters, which support data rates up to 100 Gbps. You can configure four traffic classes at the interface level. The four interface-level traffic classes are scheduled as priority queues. There is only a single queue per traffic class. You can configure each traffic class for committed and maximum bandwidths as a percentage of line rate (that is, the interface transmit, or Tx, rate) or as an absolute rate, in kilobits per second. The traffic classes are scheduled as work conserving; that is, a traffic class can burst to its peak rate to consume any unused bandwidth from other traffic classes that are operating below their committed rate. Note that for hardware-based QoS, only interface-level shaping is supported. No other egress CoS and shaping configurations, including VLAN and adaptive shaping, are supported. See Configure CoS.
  • Session load balancing using DSCP/802.1p—(For Releases 22.1.4 and later.) To ensure optimal performance for high-bandwidth IPsec and other tunnel flows, DSCP or 802.1p values are used along with the existing 5-tuple to load-balance traffic efficiently across cores. To enable this feature, configure it using one of the following methods:
    • From the CLI:
      versa@versa-admin% set system session additional-flow-key-attribute ?
      Description: Additional attribute used to identify a flow
      Possible completions:
        [dscp]
        dscp        - IPv4/IPv6 DSCP
        ieee-802.1p - IEEE 802.1p Priority Code Point (PCP)
        none        - No additional attribute
      
    • From Versa Director:
      1. In Director view, select the Configuration tab in the top menu bar.
      2. Select Templates > Device Templates in the left menu bar.
      3. Select an organization in the left menu bar.
      4. Select a template from the main panel. The view changes to Template view. 
      5. In the left menu bar, select Others > System > Configuration > Configuration.
      6. In the Sessions pane, click the Edit icon. The Edit Sessions window displays. 

      7. In the Additional Flow Key Attribute field, select DSCP or IEEE-802.1p. 
      8. Click OK.
         
  • SSL VPN profiles—(For Releases 22.1.4 and later.) SSL VPN is an alternative to IPsec VPN for allowing remote users to connect to Versa gateways using the Versa SASE client. You configure SSL VPN profiles to allow remote users to connect to an enterprise network on an SSL tunnel using a Versa SASE client. See Configure SSL VPN Profiles.
  • T1 interface cable length—You can configure the cable length for T1 interfaces. See Configure Interfaces.
  • Theft protection and unauthorized movement protection—You can track the location and movement of devices. See Configure Device Location Tracking.
  • TWAMP Light test sessions—(For Releases 22.1.3 and later.) You can associate a TWAMP Light sender test session with a TWAMP Control client connection and a TWAMP Light reflector test session with a TWAMP Control server connection. Also, TWAMP Light reflector test sessions support auto start. See Configure TWAMP Light Sessions.
  • Versa speed test with latency—(For Releases 22.1.3 and later.) The speed test factors in a link's bandwidth before running the test. See Troubleshoot Link Bandwidth Issues.
  • VOS Lite—(For Releases 22.1.3 and later.) VOS Lite is a version of the VOS software that has been optimized for use on small form-factor devices. Specifically, you can use the VOS Lite software on Versa ARM CPU–based wireless access points (APs) and on Intel Atom-based two-core and four-core CPU-based Versa Cloud Service Gateway 350 (CSG350) and Versa CSG730 appliances that have 4 GB of RAM and that are running Ubuntu 18.04 (Bionic) as their base operating system. See Deploy the VOS Lite Software.
  • VOS network driver support for Azure accelerated networking—VOS network drivers support Azure accelerated networking. Accelerated Networking enables single root I/O virtualization (SR-IOV), greatly improving networking performance. This high-performance data path bypasses the host, which reduces latency, jitter, and CPU utilization for the most demanding network workloads.
  • VRRP-aware PIM—You can configure VRRP-aware PIM. In a redundant network with virtual routing groups enabled, VRRP-aware PIM provides consistent IP multicast forwarding by allowing PIM to track the VRRP state and to preserve multicast traffic when a failover occurs. See Configure IP Multicast.
  • WAN links—The number of WAN interfaces supported has been increased from 8 to 15 for single-stack (IPv4 or IPv6) and from 4 to 7 for dual-stack (IPv4 and IPv6). See Configure Basic Features.
  • WAN link priority value—When you create a WAN interface, the WAN link priority can be a value from 1 through 15. See Configure Basic Features.
  • Web-monitoring logs—(For Releases 22.1.3 and later.) You can configure traffic-monitoring policies to export web-monitoring logs to Versa Analytics. See Configure Log Export Functionality.

Layer 2 and SD-LAN

  • Anycast gateway—When using software-based forwarding, you can configure a distributed anycast gateway, which facilitates workload mobility by allowing multiple VXLAN branches to act as the default IP gateway for all clients that are attached to them. See Configure Layer 2 Forwarding.
  • ARP suppression—You use the ARP suppression feature to prevent the flooding of ARP requests across an EVPN network. See Configure Layer 2 Forwarding.
  • LAN Ethernet interfaces—On Versa CSG 3000 and CSX 4000 series appliances, you can configure LAN Ethernet interfaces. See Configure Interfaces.
  • NPU policy-based forwarding—For Versa Networks devices that use network processing (NPU) switching hardware, including CSG3000 and CSX4000 series devices, you can configure NPU access list (ACL) policies that affect how Layer 2 and Layer 3 packets are forwarded. See Configure NPU Policy-Based Forwarding.
  • SD-LAN configuration wizard—(For Releases 22.1.3 and later.) You can configure SD-LAN Workflow templates using a Versa Director GUI wizard. See Configure SD-LAN Using Workflow Templates.
  • ZT-LAN—Versa Zero-Trust (ZT)-LAN solutions address the evolving security and networking needs of enterprises. Versa ZT-LAN comprises two main component solutions: ZT Edge and Secure SD-LAN. See ZT-LAN Overview.

SASE

  • Application reverse proxy and IdP proxy—(For Releases 22.1.3 and later.) Application reverse proxy protects software as a service (SaaS) applications from direct access from unmanaged devices that do not have the Versa client installed to connect to Versa Cloud Gateways. It uses an identity provider (IdP) for user authentication. See Configure Application Reverse Proxy.
  • CASB—(For Releases 22.1.3 and later.) Cloud Access Security Broker is on-premises or cloud-based policy enforcement software that secures the data flowing between users and cloud applications to comply with corporate and regulatory requirements. For Releases 22.1.4 and later, you can specify an MDM profile when you configure a CASB constraint. 
  • DLP—(For Releases 22.1.3 and later.) Data loss prevention is a set of tools and processes for detecting and preventing data breaches, cyber exfiltration, and unwanted destruction of sensitive data. 
  • Endpoint information profiles—(For Releases 22.1.3 and later.) Endpoint information profiles (EIPs) classify endpoints based on multiple types of endpoint posture information.
  • Terminal server agent—A Versa terminal server agent (TSA) identifies users from virtual desktops, especially from virtual desktop environments such as Citrix XenApp and Microsoft Terminal Services, where many users share the same IP address. TSA allows a VOS node and VOS cloud gateways to uniquely identify user traffic originating from virtual desktop infrastructure (VDI) instances. See Configure a Terminal Server Agent.

SD-LAN

SD-WAN

  • Dynamic destination NAT IP addresses—(For Releases 22.1.3 and later.) When you configure a CGNAT address pool, you create a dynamic IP address–only pool, which allocates dynamic destination NAT (DNAT) IP addresses. See Configure CGNAT.
  • EVPN IRB distributed gateway—Enables connectivity among tenants and end devices that are on different subnets (inter-subnet forwarding) while still maintaining the multihoming capabilities of EVPN. See Configure an EVPN IRB Distributed Gateway.
  • EVPN Type 5 routes—EVPN type 5 routes are used to advertise EVPN routes using IP prefixes and decouple the IP prefix advertisements from the MAC/IP advertisement routes in EVPN. See Configure EVPN VXLAN for SD-WAN and Configure EVPN VXLAN for ZT-LAN.
  • Forward error correction and replication—You can now configure Forward Error Correction (FEC) and replication for Layer 2 SD-WAN traffic steering. See Configure Forward Error Correction for SD-WAN Traffic Steering and Configure Replication for SD-WAN Traffic Steering.
  • Monitor SaaS applications with traceroute—(For Releases 22.1.3 and later.) You can use the traceroute command to monitor SaaS applications. See Configure SaaS Application Monitoring.
  • Passive application performance monitoring—VOS devices can passively collect application performance monitoring (APM) data for TCP performance measurement metrics, including connection setup time, server connection reset rate, application response time, retransmission rate, and network round-trip time. See Configure Application Performance Monitoring.
  • SD-WAN header compression—SD-WAN header compression provides a tunnel-free, bandwidth-saving method to address the issue of additional overhead in packets introduced by overlay and tunnel headers. See Configure SD-WAN Header Compression.
  • Traffic engineering—SD-WAN traffic engineering evaluates all the alternate paths (direct and indirect) to reach a destination site and provides the optimal path for the data traffic in terms of link metrics (delay and loss). See Configure SD-WAN Traffic Engineering.
  • Traffic-steering enhancements—The circuit priority and next-hop priority values have increased from 8 to 15, and support for replication and FEC in Layer 2 SD-WAN traffic-steering forwarding profiles has been added. See Configure SD-WAN Traffic Steering.

Security

  • Active user distribution for VMS—You use active user distribution to apply uniform user or group-based policies for user traffic across gateways. When you enable active user distribution and a user connects to a gateway or branch, the user login or logout information is shared across all branches or gateways using a Versa Messaging Server (VMS). See Configure User and Group Policy.
  • Advanced Threat Protection—Advanced Threat Protection (ATP) is an all-encompassing security solution designed to defend organizations from sophisticated cyber threats that often bypass conventional security measures. 
  • Application performance monitoring enhancements—You can configure VOS devices to capture application performance in two-minute rolling windows so that you can monitor application performance in real time. See Configure Application Performance Monitoring.
  • Automatic certificate provisioning, distribution, and renewal—(For Releases 22.1.3 and later.) You can use the Automated Certificate Management Environment (ACME) protocol to automatically provision, distribute, and renew certificates for SASE services. See Configure Certificate Servers.
  • Certificate manager—(For Releases 22.1.3 and later.) When configuring a certificate manager, you can configure the Default CSR and On Response Unknown fields in the Add Server popup window and the Expiry Alarm Threshold, Renew Threshold, Subject Alt Name, and Onboard Notification fields in the Add Request popup window. See Configure Certificate Servers.
  • DHCP snooping—For Releases 22.1.3 and later, you can configure DHCP snooping to identify and monitor unauthorized DHCP servers and prevent them from offering IP addresses to DHCP clients. For Releases 22.1.4 and later, you can configure DHCP snooping at the virtual switch level and at the bridge domain level, and you can monitor DHCP snooping. See Configure DHCP Snooping and Configure Layer 2 Forwarding.
  • DNS filtering—(For Releases 22.1.3 and later.) In a DNS-filtering profile, you can configure detection of DNS tunneling, which is a type of cyberattack that encodes data from other programs or protocols in DNS queries and responses, and you can configure a sinkhole action. See Configure DNS Filtering.
  • Exact data match and fingerprinting—(For Releases 22.1.3 and later.) You can configure EDM and document fingerprinting for data loss prevention (DLP). 
  • Files and folders—(For Releases 22.1.3 and later.) You can upload DLP, captive portal, and certificate files to Versa Director, and you can create folders on the Director node. See Manage Files and Folders and Configure URL Filtering.
  • Google Cloud Platform certificate server—(For Releases 22.1.3 and later.) You can configure a Google Cloud Platform to be a certificate server. See Configure Certificate Servers.
  • HTTP header profiles—(For Releases 22.1.3 and later.) You can configure HTTP header insertion and modification profiles for use with SaaS applications. See Configure HTTP Header Profiles and Configure HTTP/HTTPS Proxy.
  • IDP dropped packets—(For Releases 22.1.3 and later.) When a new version of the IPS signature is being compiled, traffic is processed using the previous version of the IPS signature. See Configure Intrusion Detection and Prevention.
  • IoT security—(For Releases 22.1.3 and later.) You can configure security for internet-of-things devices. Please contact Versa Networks Customer Support before deploying this feature. See Configure IoT Security.
  • IP source guard—(For Releases 22.1.3 and later.) You can configure IP source guard to prevent IP and source MAC address spoofing attacks on untrusted Layer 2 interfaces. See Configure IP Source Guard.
  • IPv6 wildcard mask—(For Releases 22.1.2 and later.) For match criteria, you can specify a wildcard mask in IPv6 addresses. See Configure Address Objects.
  • KMIP client—You can configure a VOS device to use the Key Management Interoperability Protocol. KMIP is a client–server communication protocol that enables key management and cryptographic operations on a key management server (KMS). KMIP simplifies cryptographic key management and allows you to store and maintain keys, certificates, and secret objects. See Configure a KMIP Client.
  • MAB and RADIUS for 802.1X—(For Releases 22.1.3 and later.) You can configure MAC authentication bypass, RADIUS accounting, RADIUS failover, and RADIUS tracking. See Configure IEEE 802.1X Device Authentication.
  • Microsegmentation—(For Releases 22.1.3 and later.) You can place user client devices and headless IoT devices into microsegments, which are smaller, isolated network segments. Please contact Versa Networks Customer Support before deploying this feature. See Configure Microsegmentation.
  • Network obfuscation—(For Releases 22.1.3 and later.) When you create a DNS proxy, you can configure network obfuscation and DHCP server monitors. See Configure a DNS Proxy.
  • NTP server authentication—(For Releases 22.1.4 and later.) You can configure authentication for NTP by creating an authentication key, using either MD5 or SHA1, and then associating it with an NTP server. See Configure Systemwide Functions.
  • Optical Character Recognition—(For Releases 22.1.4 and later.) You can configure optical character recognition (OCR) for data loss prevention (DLP). 
  • Private key files—(For Releases 22.1.3 and later.) You can upload private key files to Director and VOS devices. See Configure CA Certificates, Key File, and CA Chains.
  • Proxy ARP—(For Releases 22.1.3 and later.) You can disable proxy ARP. See Configure CGNAT.
  • Queries in HTTP header insertion profiles—(For Releases 22.1.3 and later.) You can modify HTTP queries in HTTP header insertion profile rules. See Configure HTTP Header Profiles.
  • Secure web gateway—(For Releases 22.1.3 and later.) NGFW supports SWG (explicit proxy) user authentication using LDAP and local authentication. See Configure User and Group Policy.
  • User-defined sessions—(For Releases 22.1.3 and later.) When you configure a user-defined session, you can configure the action to be sinkhole. See Configure User-Defined Actions.
  • User and user group authentication—(For Releases 22.1.3 and later.) NGFW can use certificate, LDAP, local profile, Kerberos, RADIUS, and SAML for user and group authentication, and you can configure RADIUS servers. See Configure User and Group Policy.

Fixed Bugs

The following tables list the critical and major defects that were fixed in Release 22.1.

Fixed Bugs in Release 22.1.1

The following table lists the critical and major defects that were fixed in Release 22.1.1.

Bug ID Summary
42652 A routing process core may occur when an end-of-RIB message is sent to a BGP peer belonging to a peer group when shared ARO is configured.
54892 Decoding the SSL certificate may fail on a TPM-enabled CPE device.
67385 Disabling hypervisor/uCPE functionality on VOS devices running on Ubuntu Bionic may not work.
71821 Overall system memory usage is reported to Analytics instead of being reported as vsmd memory consumption.
73125 When an IP address is NATed to use a CGNAT pool different from the egress network/interface, a routing change can trigger incorrect CGNAT re-evaluation.
75974 Generate an alarm if there is duplicate tunnel IP address or site ID in the SD-WAN fabric.
77318 When qat_offload is set to False and QAT_WT is initialized, a service restart may be triggered in the IPsec module.
78087 Security access policy with address negation may not reach the access policy rule.
80074 A slow memory leak may occur in the versa-infmgr process.
80532 When the address object ID allocation is managed incorrectly, an error may prevent an upgrade to Release 21.2.3.
80624 When the user changed the address/mask and “ge” and “le” were already configured, the values of “ge” and “le” were recalculated incorrectly.
80989 ip2usr process memory leak may cause slow depletion of system memory.
82572 When SSL decryption is enabled, a Versa service process crash may occur. The crash is caused by a race condition between the QAT offload result processing and the job submission.
82978 Some stale configurations related to a prefix list used in a BGP routing peer policy may be present. This fix removes those stale entries when running the upgrade scripts.
83375 When a tvi (PPPoE) interface with an interface description is mapped to the underlying vni (PPPoE base interface), if the vni interface flaps, a service restart is triggered.
84073 Issuing the request ike rekey or request ipsec rekey CLI command may cause VSMD to crash.
84087 When the subnet mask of the peer interface changes, routes learned by BGP may get lost in the forwarding plane.
84253 Mbuf leak when running endurance tests.
84305 IPS crash because of memory corruption.
84426 Leak in versa-vmod process because the accounting records queue overflows during congestion.
84442 When a dynamic tunnel interface goes down, the deleted information may not be processed by the software, and so an assert can occur when a new interface is created with the same index.
84506 If you trigger multiple instances of SCP from the CLI, the data path filters for file transfer are not cleaned up.
84595 On a VOS device configured as a uCPE, virt-manager does not start because of missing Python 3.8 egg files.
84722 When an interface goes down, SD-WAN pipes may not be cleaned up. When the interface comes back up, the P2MP layer tries to create a pipe for that path and fails because the pipe ID already exists, and the result is that the P2MP layer assigns an invalid pipe ID for that path. The fix is to clear the SD-WAN pipes when the interface goes down.
84896 One data core was stuck with a very low LTE signal strength, and the link flapped periodically. The fix involves adding checks in the AF_PACKET poll mode driver.
85094 Memory leak in IPS because of IPS HTTP transaction in the VDETECT_MEM_ID_HTP_TX module.
85369 BGP prefix_list with ge_le is not working when applied with a redistribution policy.
85558 DSCP rewrite rules are not applied to SD-WAN traffic when the sessions are TCP-optimized.
85563 When you enable TCP optimization on a high-latency WAN link, a service restart may occur because of a Versa service crash. The crash is caused by a divide-by-zero error.
85690 A memory leak may occur in the file filter feature when the file size is less than 50 bytes.
85756 The LTE interface is not operational after an upgrade from Ubuntu Trusty to Ubuntu Bionic.
86314 Data transfer may stall for an SSL decryption-enabled TLS session when there is memory pressure and end hosts send TLS records that are 16K bytes.
86414 Expired SIP dialogs are not cleaned up if the walk hits the first 25 active unexpired dialogs.
86763 Add a secure option for the internet speed test module, and fix the lo interface going down for the versa-speedtest VR.
86776 Memory corruption is seen if, during IPS signature compilation, another commit is performed related to security configuration. IPS signature compilation occurs during the SPack upgrade, during system startup, and after any configuration commit that changes the IPS security profile.
87036 When the AS number in the AS path is longer than 64, there is a display issue in the CLI (cosmetic).
87120 For transit SD-WAN packets, clean up decap contexts during vxlan-gpe decap if packets are inadvertently seen to avoid a crash.
87419 An incorrect freeing of memory in the firewall policy module may cause random crashes elsewhere.
87521 When Layer 2 MPLS services are enabled, Layer 2–switched MPLS fragmented packets may be dropped because of a packet parsing issue.
87641 When upgrading from Release 20.2.x or Release 21.1.x to Release 21.2.x, FQDN resolution may fail to work as before the upgrade.
87709 In a static NAT scenario, when the first packet of a session lands on a different worker and is punted to another worker thread, the filter lookup information may not persist in CGNAT when a packet is punted to another worker.
87754 When serving the DNS request from the cache, the response was trimmed because of buffer limitations. The buffer size has been increased to 65535, as per the RFC.
88340 Where there are more than 1365 ARP entries, polling for ARP entries using SNMP may cause a critical process to restart.
88474 When data-driven SLA is configured, incorrect reference counting of a route structure may lead to a service restart.
88669 Application QoS policy rule statistics for the forward byte counter are incorrect.
88967 IPsec tunnel traffic originating from the SD-WAN branch takes the SD-WAN path, which is down.
89152 Do not update the eth0 configuration during package installation.
89846 LAN interface route is advertised to customer EBGP peers when an SLA endpoint is configured on the interface. The same route is also advertised to the WAN over BGP enabled for DIA. The fix is not to advertise the LAN interface /32 route over IBGP/EBGP.
89886 When a suspend-backup-collector is configured for a collector group, the backup collector may not go into a suspended state. Rather, it remains established, which results in unnecessary resource utilization in log collector. This fix ensures that the suspended collector is not activated in all conditions.
90382 Services may restart with some specific order of SNMP get/get-next for ARP entries.
91129 Setting the next hop using the SD-WAN/PBF module impacts the reverse direction symmetric SD-WAN traffic.
91263 When an intermediate router sends an ICMP Need Fragmentation error packet with a very large MTU value (> 8K) in response to a Path MTU discovery packet from a VOS device, invalid memory access occurs and leads to a service restart.
91569 BGP is processed in a different RFC phase when a site delete event is received on a branch. RTD may restart services when this process is postponed.
91575 Alarm soak logic for Versa service process worker threads was not working as designed, leading to spurious and too many alarms.
92019 Reduce burstiness during child SA update for a branch when propagating to other branches via the main control thread. Doing this reduces tail drops, which ensures that all updates are sent, propagated by the source SD-WAN node, and processed appropriately at the peer SD-WAN node. Also, add a self-healing mechanism in case a stall is seen on the control thread to postpone propagation of the SA update.
92107 The traceroute CLI command was not behaving as expected if the source and routing-instance parameters were not entered in a specific order. The command now accepts all arguments in any order.
92124 Services may restart even if the external IP address has not changed, but a mobile client RAC user may disconnect and connect back quickly.
92156, 92070 svc-load alarm default soak time has been changed to 300 seconds.
92367 Fixed a corner case to gracefully exit the certificate search, returning the appropriate error codes instead of asserting, if the PKI certificate is not found. The condition is now reported by logging “Certificate not found” errors in versa-ipsec-ctrl.log.
92423 System-level user credentials do not roll back to the snapshot configured system credentials.
92733 Issuing the show orgs org tenant-name sessions extensive command may cause an error if any session goes through a site-to-site IPsec tunnel. The fix is to include some of the fields the backend code was trying to display in the CLI command output.
92745 vstated is not sending the current time it receives from NTP, causing the T-OPT to be marked as invalid when RAC users try to connect to the VSA portal or gateway.
92791 If OSPF MD5 authentication and authentication-key-id are already configured for a network name, and if either address is changed on the interface that is part of the network, or if an interface is added to a network, the interface does not use the configured authentication-key-id and instead uses the default of 0.
92859 Riverbed EX-385 WiFi configuration is not pushed. The fix is to update the WLAN configuration function to read the entire line, because there was a space in the model name.
92918 Deleting an NTP server that is not enabled may cause vmod to restart.
93020 Fragmented IPv4 packets over GRE tunnels might be dropped, because the inner fragments in the IO thread were parsed and load balancing was done based on the inner IP tuple to the worker thread. This process caused incorrect anchoring of the GRE tunnel with the inner fragmented IP packet and, eventually, IP reassembly failure.
93131 ICMP error packets did not include the correct checksum of the original IP packet in the ICMP payload.
93295 Avoid sending kernel NIC interface alarms to both alarms and alarm_local when we trigger WAN internet speed test.
93535 When a VOS device is in full proxy mode, the connection for the VOS device acting as the TLS server is completed before the connection for the VOS device acting as the TLS client. If the server phase connection setup fails, the session handle within the SSL session is accessed to close the NFP session, which may cause a service restart.
93755 The disk size and available disk space should exclude the NFS and TMPFS filesystems. Not doing so gives incorrect file sizes.
94232 When selecting a path based on load-balancing credits assigned to the paths, the VOS software iterates through the list of paths. The iteration may have to be done more than once if all paths run out of credits. In one case, this loop was being asserted incorrectly, causing it to never terminate and triggering a service restart.
94241 The captive portal module does not free the packet buffer during an error condition, causing a slow leak of the packet buffer.
94511 Increase the SNMP transaction timeout in the versa-vmod process to avoid a timeout that was occurring during a high load of parallel transactions.
94607 VRRPv6 configured in physical MAC mode sometimes sends a router advertisement packet with the virtual MAC address instead of the physical MAC address.
94620 Service load alarms, under System > Appliance Anomalies, have been optimized to trigger a count increment only when a worker hits 600 seconds consistently above 85 percent. If the worker thread continues to be busy after 10 minutes, with a 5 percent increment in the worker CPU utilization variable, the count is incremented again. You can configure these values in the alarms section.
94698 The priv-run binary file permissions may not be set correctly during package installation. This issue has been fixed.
94959 The use of the routing-instance option for the mtr command does not work. This issue has been fixed.
94960 When you enable a uCPE or hypervisor on the VOS device, incorrect versions of the Debian packages might be installed.
96683 Consider network-control traffic forward loss ratio for management traffic path selection when management traffic priorities are configured.

Fixed Bugs in Release 22.1.2

The following table lists the critical and major defects that were fixed in Release 22.1.2.

Bug ID Summary

42744

Add a configuration option to bypass external TACACS+ authentication when logging in from console.

64705

Fix vulnerability of possible command injection over Netconf interface.

81781

Application monitor HTTP ping may fail to some sites because of an incorrect or a malformed HTTP header.

82335

Increase the number of custom user-defined URL categories from 256 to 512.

84590

When you issue a vsh stop command on a VOS device running Ubuntu 18.04 (Bionic), Linux interfaces may not be deleted properly, causing improper resource reclamation.

84684

Add a fix to force the monitor to the Down state if you delete the monitoring organization from the local organization list.

85402

When you turn on debug packet tracing for IPv6 packets, a service restart may occur.

90415

On VOS nodes on which SD-WAN tunnels flap frequently, the system may restart because of incorrect reference-counting of the interface object, which may eventually lead to a system crash.

91319

Fix a situation in which the monitor group may not be processed from the waitlist, causing the monitor to be placed in an inactive state.

92120

When the search domain format received from DHCP is invalid, the program updating the DNS resolver configuration file may restart, and an update then fails for the specific routing instance.

93457

Fix for dynamically updating the IPsec profile CA chains, which takes effect during the Versa services process.

94008

SD-WAN routes may not be installed in the LAN-VRF.

94959

Add support for specifying a routing instance in the mytraceroute (mtr) command.

94986

When you configure active standby mode and information validation for high availability, Port 5556 may be reported as being open.

94999

The rate of ARP processing was a global limit, but it is now a per-interface limit.

95429

Add enhancements for MS Windows and Aruba uCPE images when the VOS device is the hypervisor.

95668

Incorrect username ID is sent in the accounting logs (TACACS+), so the VOS device uses the last logged-in user in the logs instead of the actual user.

95698

With a blanket DDoS rule, a memory leak may occur in the ITC infrastructure. Optimization has been done to bundle the DDoS reports from each worker thread to a collector, to improve efficiency, thus reducing the number of ITCs a control thread must handle from each worker thread.

95846

If you reboot a device, automatic update of SPacks may not be triggered during the configured time interval.

95933

DDoS alarms are sent in spite of the block-unit duration.

96050

SNMP ifSpeed values are wrong for logical interfaces, and the physical interface speed is being returned instead.

96164

Erasing the running configuration does not clean up non-system users.

96193

Fix for VOS reporting incorrect username in secure access statistics log to Analytics.

96300

Fix a rare case in which static route ICMP probes stop sending probes after some time.

96489

TCP port 2024 is open on VOS devices running Ubuntu 18.04, while on VOS devices running Ubuntu 14.04 this port is closed.

96774

Fix a vulnerability in which aaauser and aaaadmin cannot log in with the default credentials, because the DenyUser configuration is missing in the /etc/ssh/sshd_config directory.

97089

SLA probes are sent to the gateway of the cold standby interface even if the local interface on the VOS device is operationally down.

97182

Not all sdwan-datapath-sla-not-met alerts are cleared, because only one is cleared.

97279

Add an alarm when ARP packet thresholds are exceeded.

97298

In an active–standby VOS topology, fix an issue in which the session lookup failed on the standby VOS device during a session modify that triggered a service restart of the standby VOS device.

97419

Enhance the monitor alarms so that regardless of the monitor state, a monitor up alarm is sent when the device boots. This action is needed to clear any down alarms sent before the reboot.

97477

kni interfaces used for tcpdump are not cleaned up if a session in which tcpdump is active is abruptly closed without gracefully terminating the tcpdump.

97708

The show forwarding-table CLI command does not progress correctly, because confd expects the prefixes to be in ascending order for length comparison.

97865

Fix an issue in which the PPPoE link does not come up after a service restart if the physical interface has multiple VLANs in different routing instances.

97909

For a large configuration, FQDN resolution from addrmgr may be received before the application monitor configuration is received from vmod. Add a check to prevent monitor registration with RFM if the monitor type is invalid (which indicates a pending configuration). A side effect of this issue is a service restart.

97964

Earlier versions of the VOS software did not clean up tap interfaces when services were stopped, so the kernel complained about the tap interface being referenced. With this fix, the tap interfaces are cleaned up during a software upgrade, before the installation of a new VOS software version.

97965

The show orgs org tenant sdwan sla status command may time out because the Versa service is busy, and as a result the next command triggers a service restart.

98075

When updating the CA chain in a tunnel object and the CA chain data is empty, add a check that causes a service restart.

98173

The wget CLI command fails to fetch a file if the URL includes a question mark (?).

98183

For an HTTP-based session, if the URL is not present in the session, the AppID classification remains in the Pending state.

Fixed Bugs in Release 22.1.3

The following table lists the critical and major defects that were fixed in Release 22.1.3.

Bug ID Summary
62369 The commit error “Please configure base objects like org with name global” sometimes displays when an earlier configuration commit attempt fails. The failed commit triggers an accidental deletion in the backend of some necessary configuration.

73518

A crash may happen in the routing configuration processing daemon when you commit multiple additions and deletions of terms in prefix lists at the same time that you move terms in routing peer policies that refer to these prefix lists. This issue has been fixed.

86424

Ignore incomplete configuration reprocessing at Versa services, which is triggered by multiple sequential Versa service restarts.

88921

A crash may occur in the routing daemon when you use BFD with BGP when BGP is also configured with graceful restart. This issue has been fixed.

90954

When an appliance receives the same prefix through BGP in the control VR as the aggregate route configured in the LAN VRF, the BGP prefix was preferred over the local aggregate route. With this fix, the default preference (admin distance) of the aggregate route is now better than the BGP route preference. Also, you can now configure the preference of the aggregate route.

93366

Add support to send the NAS IP address and NAS identifier to RADIUS server access in a WLAN configuration.

93471

In Releases 20.2.x, if EVPN was not configured, it is not explicitly disabled. In Releases 21.2.2 and later, when you upgrade from Release 20.2.x, EVPN is explicitly disabled. This change was made to prevent the backend from sending an update to a remote non-VOS firewall that causes BGP to stay in the Connect state.

94511

If a large number of SNMP traps or informs are generated, the VMOD process cannot read the worker socket and Confd closes the connection, causing the VMOD process to restart.

94514

When TCP optimization is enabled, the client TCP is already in the remote closed state, and the local device receives a SYN-ACK packet from the server, Versa services restart. When processing the SYN-ACK packet, the local device finds that the client side has already closed, and it calls a specific API call to close the connection and propagate the Rclose event in the rest of the service chain.

95073

When you enable the BGP announce-remote option in a Versa-private TLV, the site information in the Versa service process can potentially grow larger than 65535 bytes, resulting in service restart. This issue has been fixed.

97016

Incorrect application identification results in sessions being identified as DNS for some applications when DNS proxy is configured. This issue has been fixed.

97143

Improve IP lease assignment time, perform an ARP/ICMP check for IP renewals, and clean up stale lease files during the DHCP process restart.

97620

Add a commit check to disallow specifying a named PTVI interface in a VPN profile of type branch-prestaging.

97965

The show arp command timeout was not handled gracefully, resulting in the Versa interface manager restarting.

98108 Optimize the packet replication and FEC reorder buffer to make efficient use of available buffer space and minimize packet drops. Also, in a corner case, initialization of the FEC reorder buffer caused an issue in which invalid memory was accessed, resulting in a services process crash.

98170

The interchassis HA sync alarm is not cleared after the nodes are back in sync.

98441

When a speed-test fails for any reason, the branch stops advertising any rate to its peers, including not advertising the configured advertised rate. This issue has been fixed.

98700

When the Versa service restarts, the VMOD service may not fully come up, causing port 2022 to remain in a blocked state.

98893

Add the ability to send an explicitly defined subnet mask per pool and the ability to explicitly define the gateways to send in the DHCP Offer.

99341

For RAC RAS, when multiple tunnels are behind same public IP or WAN IP, Versa services may restart. This issue has been fixed.

99377

The previous limit of 500 entries fetched from LDAP has been changed. LDAP can now fetch an unlimited number of entries.

99517

Static routes installed using IPSec as the next hop are not removed from the routing table when the IPSec tunnel goes down.

99606

SNMP polling for ARP when there are over 256 VNI interfaces with unit configured may have empty responses.

99674

CSG7xx appliances are experiencing an issue with PoE reset, resulting in a delay in power delivery following a system reset or reboot because of a stuck PoE reset command.

99725

LTE modem manager package fixes in VOS devices running Bionic to avoid LTE flaps.

99747

Fix the iptable rule addition on VOS devices for Azure WALinuxAgent so that the backup operation on Azure can function correctly.

99776

The routing process (RTD) restarts when you delete an organization.

99804

Optimize and reduce the downtime experienced when a hub–controller is involved when a failover occurs on an active–active, remote spoke.

99910

The results of the speed test, especially for VSAT links whose bandwidth is less than 2 Mbps, were unreliable. This issue has been fixed.

100054

VMOD process restarts when you delete an organization. This issue has been fixed.

100389

Provide configuration options to change the mem-quantum for TCP optimization.

100589

DIA next-hop load-balancing does not work correctly when all the WAN circuits flap at the same time.

100652

DSCP rewrite does not work when the traffic uses DNAT or static NAT.

100681

When a session context async operation is in progress for server–client sessions, Versa services may restart.

100694

When routing services are processing a monitor event, a service loop may occur. This issue has been fixed.

100770 Optimizations to per-packet load balancing for TCP traffic using high varying latency links.

100780

Issuing the show orgs org tenant-name sd-wan bw-measurement status CLI command may cause a service restart. This issue has been fixed.

100816

After a user has been logged out for more than 10 minutes, accounting logs may be sent to the remote TACACS servers. This issue has been fixed.

100851

If the peer is specified using an FQDN, if the FQDN resolves to multiple IPv4 addresses, and if the first IP address is not reachable, a site-to-site IPsec tunnel may not be set up correctly.

100884

If a VOS device is disconnected from the Director node for more than 7 days and the license expired on the VOS device, license restrictions are applied. If the Director node reconnects and the Netconf connection locks the configuration database because a configuration is being pushed to the device, the VMOD/configuration module cannot remove the restrictions, because the configuration database is locked by another session.

100905

Address a service restart by adding checks for invalid packet length manipulation operations in SD-WAN and IPsec.

101445

Clean up partially downloaded SPacks in the VOS device's download directory.

101455

When the BGP session between a hub–controller and a branch goes down, the route becomes stale and becomes preferred because it has better local preference and AS paths, and the SLA stays up. This causes issues when the branch restarts.

101560

PIM Register messages are sent to the RP even if the SD-WAN device is not the first-hop router in multicast distribution tree.

101572

When a VOS device is functioning as a DHCP relay, a server can send more than one response packet as the DHCP Offer packet. The fix is to remove the restriction on how many Offer packets to forward.

101677

CoS statistics for PPPoE based interface were not reported.

101715

Memory leak observed in the ip2usr process.

101792

In some cases, especially with VSAT links, the measured bandwidth can be very low, which results in applying a very low shaping rate on the remote branch. This also causes the speed test to fail in the next runs, and then the low shaping value is applied permanently, impairing the operation of the link. The minimum input rate value should be enforced to ensure that the shaper applied on the remote site does not go below this value, to ensure that the link is usable.

101820

When you delete and add WAN links in the same commit, the SLA path may stay in the Init/Absent state.

101848

Speed test on an AWS VOS instance is not triggered and shows an error because of incorrect reporting of the link speeds.

101886

When you change a configuration and an FEC parity packet carrying the new configuration is received out of order and exceeds the holding buffer limit, the holding buffer may reinitialize incorrectly, causing the Versa services process to crash. This issue has been fixed.

101887

DHCP Offer sends an incorrect packet (without END option 255) when Option 81 (FQDN) is requested. This issue has been fixed.

101898

Advantech V510 FWA-2320 LCD panel displays unreadable text on a VOS Bionic device.

101964

Next-hop monitor status changes from Up to Down when you attach the monitor to an SD-WAN forwarding profile.

101988

The maximum length of site name referenced in the monitor next hop has been changed from 31 characters to 127 characters.

102030

When the path tags list in the forwarding profile circuit priorities has multiple paths containing any (wildcard), the second and subsequent match might fail, leading to the incorrect assignment of priority to paths. This issue has been fixed.

102054

The current time maintained in the Versa service process (vsmd) may drift over a period of time. When the drift accumulates to over 5 minutes, time-based OTP (TOTP) for SASE client login may fail, reporting a false negative error about the incorrect TOTP.

102213

The Avoid option in SD-WAN forwarding profiles does not take effect for unmatched priorities.

102361

When TCP optimization is enabled and the first packet of a session matches an SD-WAN rule, when the policy is re-evaluated based on application or URL category identification, the session now matches a rule whose action is to bypass TCP optimization. As a result, the TCP optimization module fails to correctly reset TCP optimization state for the session, and Versa services restarts. This issue has been fixed.

102362

When the maximum number of tenants is configured as 255, an internal construct is not updated to forward data traffic correctly. This issue has been fixed.

102386

After you enable secure mode, operator external users are unable to issue show alarms CLI commands, and they receive a permission denied error. This issue has been fixed.

102470

Gracefully handle invalid responses from cloud URL lookup queries.

102571

CPU temperature is reported incorrectly for AMD CPU-based Dell R7515 systems. This issue has been fixed.

102618

When the routing peer policy term is updated to refer to a new prefix list, the older entries in the backend are not cleaned up correctly.

102759

Add a null check to prevent the Versa services from restarting when you detach a splicer in TCP optimization.

102988

The system was trying to increment session level statistics for packets from host-initiated IPsec packets. This should not be occurring, because it is a host-generated control packet and does not have a session associated with it. As a result, the Versa services restart. Now, the packet type is validated before accessing the session.

103085

A leak may occur in the host receive path for the Versa NAT Binding protocol (VBP). In a transport where the incoming VBP tunnel packets are fragmented, there was an issue with packet buffer chaining, where the first packet buffer segment memory was not freed correctly.

103191

On FWA-1010VC appliances, the gpio-mdio driver may not be loaded for Bionic, which may cause an invalid link status for the vni-0/2 switch port.

103237

When you remove the power supply cable from an Advantech FWA-5020 appliance, the PSU alarm is not triggered.

103436

Forward proxy inspection may trigger a Versa services restart. This issue has been fixed.

103555

When DHCP ping settings are set, stale ARP entries in the routing name space must be ignored and then the ping should be initiated.

103746

Limit the number of multicast resolve route and PIM assert notifications sent to the control thread from the data threads to avoid overwhelming the control thread and causing high memory utilization.

103835

For a CoS configuration, when you enable LEF logging on a PPPoE interface, the Versa services process may get stuck in a loop. This issue has been fixed.

Fixed Bugs in Release 22.1.4

The following table lists the critical and major defects that were fixed in Release 22.1.4.

Bug ID Summary

107261, 107302

25 Gig links do not come up between CSX8300 and CSX4500 devices. 10 Gig links do not come up between CSX4X00 and CSG2500 devices.

102744, 102745

Optimized the throughput/speed over TLS/DTLS based VPN.

111561

Sessions which get closed before being assigned to a policy are not logged. This has been fixed.

111220

Add a preventive check to ensure invalid lengths (less than 64B) are not supplied to the port for transmission.

111126

SPack downgrade from 2173/2175 was causing a service restart.

110864

When tcpdump is triggered on two different interfaces simultaneously and later stopped on one of the interfaces, the other tcpdump stops receiving packets. This has been fixed.

110859

SRIOV Support VLAN tagging for i350 NIC has been fixed.

110825

Add a utility to control strict checks on TCPDUMP filter metacharacters:  vsh tcpdump-strict enable/disable.

110688

When SSL Client Hello packets arrive as fragmented packets and arrive out of order, VOS would process them incorrectly, causing the web connection to not go through.

110638

Disable SLA for all paths between Active-Active paired sites.

110585

Upgrade to Release 22.1.3 of VOS in Azure would cause the services to not come up.

110527

Software tweaks to better manage storage on devices with smaller disk size (< 32GB).

110334

Software upgrades on security hardened VOS instances were not successful.

110287

Depending on which end of the IPsec tunnel triggers an IKE re-key event, the security association does not get re-established, leading to the tunnel remaining in operationally down state.

110269

Fixed DHCP Relay process to pick the incoming interface IP address as the source IP address to forward DHCP packets.

110267

Upgrade Bionic kernel to 5.4.0-181 to address reported vulnerabilities.

110202

Administrative state of eth-0/0 interface shows as ‘down’ in the CLI show command; this was only a display issue.

110040

Fixed an issue where CSG5000 devices reboot when Versa services are stopped or restarted.

109907

Fixed a service restart issue with site-to-site IPsec module, where the policy context is already freed up, but the rule is not mapped to a correct tunnel-ID, which leads to a service restart.

109663

Addressed a Versa service restart by changing the maximum length of the array to 40, since there can be a maximum of 40 bytes of TCP options.

109604

A slow packet buffer leak was observed when File Filtering and Anti-Virus are both configured, and File Filtering drops the first packet and Anti-Virus has TCP splicing enabled.

109513

Disabled TPM1.2 on CSX4300, 4500, 8300, 8500 to improve switch performance.

109508

Unable to configure the shaping rate to a value equal to the link rate for 10G interfaces.

108997

When an LDAP certificate is updated, the configuration in the LDAP-Profile is not updated. The certificate path remains the same, but only the certificate gets updated.

108967

For VIRTIO interfaces where the speed is not negotiated, software will now default to 10G speed for other features like shaping and bandwidth measurement to function as expected.

108855

In the file filtering module, there is a defect where an uninitialized data structure is being accessed, leading to Versa service restart. The data structure is not initialized during some error conditions. The software fix is to handle these errors gracefully.

108843

Versa VMOD process restarts if the Host record standard MIB is requested with an invalid index.

108776

High availability IP-SLA monitors may stay in the 'Unknown' state during service start. 

108678

Traffic does not resume post Layer-2 interface flap in a bridge-domain.

108291

When a BGP peer policy term's match configuration with extended community is modified to match based on community, then the match condition will fail.

108278

Fix a slow memory leak in the SSL decryption module.

108200

A "show arp kernel all" command issued while an SNMP walk also fetching ARP was in progress caused the Versa interface manager to restart.

107940

Fixed a Versa process restart, when APM is enabled for Layer-2 based sessions.

107926

Drop SNMP requests during service start/initialization to enable faster service start time.

107672

Fixed an issue where IXGBE-based 10 Gig SFPs on VEP-14X5 stay down, post upgrade to 22.1.3-Bionic.

107668

Disable QAT for Rangeley-based C2XXX processors to avoid QAT stalling, which can cause the tunnels in the branches to go down. 

107586

Fixed a Content Security Policy (CSP) vulnerability.

107515

Fixed an issue with LEF primary collector configuration.

107461

Unable to ping the nexthop of a PPPoE interface.

107316

The internal tracking file (that governs SSH key regeneration) for Ubuntu Bionic was incorrect (due to change in format of "ifconfig" between Ubuntu Trusty vs Bionic). This is fixed.

107158

Optimize versa-DHCPd process for supporting a larger number of routing instances and interfaces.

106832

The grace period for subjugation check has been changed from 7 days to 14 days.

106668

Optimize TPM operations by not decrypting private keys multiple times if multiple configuration objects are referring to the same key.

106596

When a transaction paused, some packet buffers were not properly released, causing the Versa services to restart when trying to process them again. To fix this, we release all header packet buffers when holding packet buffers, ensuring they are cleared correctly.

106591

Fixed an Interface Manager restart issue triggered by a memory corruption.

106461

Addressed a memory leak in EIP ITCs that caused the Versa services to eventually restart when the device runs out of memory.

106221

When creating 2 uCPEs with exclusive CPU core pinning, the cores were incorrectly assigned. Fixed it to map unique CPUs for the hosts and make it persistent upon reboots.

106201

Fixed an issue with bandwidth reporting in interface utilization logs to Analytics.

106103

This performance optimization opts out SSL-VPN service for a session that is deemed to be non-VPN. Prior to this fix, the VPN module would receive the packet but not process it. With this fix, the infrastructure will not deliver the packet to the module once an opt-out is indicated by the SSL-VPN service.

106067

Send an explicit delete message to notify clients when VRRP groups are deleted either directly or by deleting the interface configuration. This is to differentiate between interface shut (INIT) state and delete to notify clients like Versa routing process to take different actions.

105936

Versa services restart after triggering the "request clear statistics class-of-service interface-policer all" command. Fixed by adding a NULL check when clearing the interface policer.

105891

Fixed an invalid assertion encountered during the processing of selective acknowledgement packets which was triggering a Versa service restart.

105838

Added the ability to display organization-specific bandwidth utilization using the command "show interfaces info <Tenant-Name>", if reference-bandwidth is configured under SD-WAN site WAN interfaces of the tenant.

105713

Flow start/end milliseconds for security flow logs were getting an incorrect Epoch time.

105654

Upgraded VOS custom-kernel to 5.4.0-170.

105581

Fixed an issue where the Versa interface process gets restarted when running the "show interface brief" command. This issue can occur when eth0 is configured on the VOS and interface is set to DHCP but there is no DHCP server to hand out an IP address.

105413

Force re-program the Scheduler Mapping when mapped to a tunnel interface. A configuration change was not taking effect immediately when adaptive shaping is configured.

105411

Restore Path MTU values for SD-WAN topology to the same values as earlier versions of software.

105368

ICMP error packets received in response to broadcast or multicast packets were processed. Such packets are now dropped.

105366

If SD-WAN-TE is enabled in the configuration but the nexthop is not present in transient scenarios, do not overwrite the forwarding interface object, because overwriting it may cause a Versa service restart downstream.

105363

Rate-limit SNMP packets to 100/second to protect the ConfD process.

105289

Memory leak observed in versa-rfd process when active-standby configuration and HA monitors are configured.

105255

A race condition during tenant deletion causes messages to be delivered out of order to the versa-service process. The out-of-order messages cause an irrecoverable condition, leading the versa-service process to restart.

105166

With secure-mode enabled, increase the monit start from 30 seconds to 60 seconds for high-end appliances and 240 seconds for all other appliances.

105164

On low-end Atom CPU-based devices, QAT stalls and IPsec crypto calls fail. This is observed after the upgrade to the 22.1.3 GA image after a few days of activity.

105082

When the length of the BGP message for the versa-private specific route exceeds 65K, Versa services restart on the Controller. This applies only when SD-WAN-TE is enabled.

104972

Fixed and enhanced the KMS server use case so that, when the external KMS server is unreachable, VOS does not use locally generated keys and instead continues to use the keys provided by the KMS until the external server service is restored.

104830

With the tunnel-less header compression feature, and FEC/Replication enabled, IPv6 traffic is getting dropped sporadically. 

104758

A regression was introduced in which the routing process would restart during an upgrade from an earlier version. This issue would be observed only if BGP is configured for peering with IPv6 neighbors.

104663

Fixed an issue that occurred when both DLP and IP-Filtering policies were enabled. The application final event was being processed first by DLP and then by IP filtering. DLP would hold and then un-hold the packet while processing the event. IP filtering was trying to reset the session after DLP had finished processing the event, which resulted in the Versa service restart.

104646

On the Controller, a flood of notifications to be sent to the Director during service start caused the control and management path to be paused for 2-3 seconds, since the confd was not able to schedule and drain the socket, while the Interface Manager daemon was pushing data continuously.

104600

Fixed the interface ordering to sort alphabetically, use vni-0/0 first for URL-ZTP, and then move to vni-0/2 in case ping test fails on vni-0/0.

104565

Fixed an issue where Versa services restart due to an access to a null pointer. Set the NAT flag only when a CGNAT flow is present.

104503

Optimize the memory usage for firewall rule configuration on a multi-tenant setup.

104468

The NTP process would run on high CPU when a different NTP server FQDN resolves to the same IP address.

104358

Use the if-index in vIfAddrEntry polling in the VERSA-IF MIB. This makes the vIfAddrEntry and vIfEntry consistent. The index used in the vIfAddrEntry used to be a running serial number; it is now an interface index, and the resulting key is "vIfIndex vIfName vIfAddress".

104321

Fixed an issue for email-based OTP related to VSA users.

104292

Fixed an issue with URL ZTP taking longer than expected to onboard an appliance.

104279

Fixed an issue with cloud instances not showing the vni interfaces after upgrading to the 22.1.3-GA build.

103922

Optimized the IPsec code to not trigger a service restart when 100+ branches try to connect to the controller with an authentication failure.

103908

Optimize TPM private key decrypt calls. Instead of calling the TPM private key decrypt every time an OCSP request is made, the TPM private key decrypt call is made only once, and the private key is cached and used for subsequent calls. This reduces the repeated calls to the TPM that were overloading the CERTD daemon. If the private key changes, then the cache is updated.

103596

Fixed an issue with interface policer for fragmented packets.

103403

Fix the DHCP Relay functionality to not forward the DHCP Offer to a client as a Layer-3 broadcast when the broadcast bit of BootP is not set, implying unicast.

102799

Fix to send some secure access logs from VSM control thread/worker thread instead of IPsec control thread.

102698

The DHCP lease sync channel is used to exchange the DHCP lease database between peers and is carried over a TCP sync channel. If a reset is received from the peer over the sync channel or if the sync channel is closed due to a network issue (interface down, etc.), then the TCP connection is closed and reinitiated after a small wait time (typically 2 seconds). The sync channel is also closed if an HA configuration (or a DHCP-lease-sync configuration) is deleted from the appliance. In a corner case scenario, if a configuration delete event is received during the sync channel reinit wait time (as explained above), the configuration cleanup also initiates the sync channel close sequence, which resulted in an assert/crash (since the channel is already closed due to the error).

102316

Added the ability to support header compression only when it is enabled at the Forwarding Profile besides the global knob.

101398

If there is no IKE server available or if the IKE server is disabled for a particular IP address or interface, any IKE packet coming to that IP address should not be passed to the IKE stack for processing. With this change, VOS drops the packet if no IKE server is enabled.

100530

Fixed an issue where the Versa SSPFD service is getting restarted.

98493

Do not use port-id 0 in LACP-PDU to follow the IEEE standards.

95237

Improved recoverability by fixing the system package state when there is an upgrade failure in case the VOS node is rolled back to a software version prior to the 202302 release with the latest OS SPack (any OS SPack released after 202302).

94751

Increased the IPsec profile to include the WAN interface count from 10 to 15, for GZTP.

89572

ADC monitor with TCP Monitor to the LEF is creating a stale connection with an unknown tenant. Fixed this by adding a check on the VOS/Controller.

86705

Added an enhancement to support 8 traffic classes for the hardware-based egress shaper/schedulers in CSG5000.

85942

Fixed a service restart by disabling cache usage of the RAC zone lookup (SASE) and performing the filter lookup each time.

84303

This fix addresses the requirements of supporting ECDSA signatures in IKEv2 negotiations. We now support ECDSA certificate authentication for P-224, P-256, and P-384 curves.

81255

Enhanced SLAs from the cross-connect. Bypass re-evaluation for reverse flow packets in policy engine. For any catastrophic changes in the CGNAT module, drop the reverse flow packets.

80035

The MAC-addresses column width was not aligned properly with the VOS CLI show command.

74395

Increased the burst factor to 1 second from 5 ms on the Control Plane Protection (CoPP) in the backend.

52503

Fixed an issue with /etc/network/interfaces incorrectly having the DOS file-format when upgrading from VOS Release 21.X to VOS Release 22.1.

 

Limitations and Behavior Changes

The following are the limitations and behavior changes in Release 22.1:

  • When you configure WAN interfaces, you can configure the interface priority to be a value from 1 through 15. Previously, the maximum priority value was 8. See Configure Basic Features.
  • QAT is disabled for some low-end devices, such as C2xxx CPU-based devices.
  • The following VOS features are not supported on LAN Ethernet (enet) interfaces:
    • Anycast gateway IP address
    • ARP suppression
    • Bridge-domain-level MAC age timer. This configuration is a systemwide configuration.
    • EVPN Type-5 symmetric IRB
    • Layer 3 multicast
    • MPLS-based VPN
  • The following are the QoS limitations for 100-Gbps interfaces on CSG5000 and Dell R7515 platforms:
    • No support for aggregate IFD shaping, that is, for all traffic classes together egressing on an IFD/port.
    • Eight transmit-side scaling queues (TSS) per real CoS queue. This limits the number of pollers that can be used for Tx shaping to 8 Tx pollers.
    • No support for pipe or IFL level shaping, adaptive shaping, multiple queues per-TC, tenant shaping, or WRED dropping.
    • No support for dynamic update to the shaper rates. As a result, any configuration changes to shaping parameters for a port result in the deletion of the topology and reconstruction, which disrupts all traffic egressing on that port.
    • The framing (FCS and so forth) overheads are not accounted for by the driver, which results in the observed actual shape rate to be higher by 2 to 10 percent, depending on packet sizes.
  • A VOS device that is running Release 22.1 and has more than eight WAN interfaces cannot communicate with a VOS device running a software version earlier than Release 22.1 (for example, Release 21.2.3).
  • For Versa Networks appliances that have NPU switching hardware, if you enable ARP suppression on a specific bridge domain, it is enabled for all bridge domains. 
  • Data Loss Prevention (DLP), Application Reverse Proxy does not work when the Cloud Lookup feature is enabled for URL and IP reputation.
  • If you configured tenant shaper on VOS nodes running Release 21.2, connectivity issues may arise with new or existing branches running Release 22.1.X. To avoid these issues, you can either disable tenant shaper until all nodes are upgraded or upgrade the remote 22.1.X node to a hotfix image released on or after October 22, 2024.
  • It is recommended that you upgrade both paired sites to VOS Release 22.1.2 or later. If the paired sites are running a combination of VOS Release 22.x and 21.x, traffic may not be queued in the correct forwarding class when using a cross-connect link. For example, if HA Site-1 is running VOS Release 22.1.x and HA Site-2 is running Release 21.2.x, traffic egressing from HA Site-1 to a remote branch running VOS Release 22.1.x using the cross-connect of HA Site-2 may face this issue.
  • VMS services are not supported in VOS Release 22.1.3. For VMS Releases earlier than Release 5.1.1, use VOS Releases 22.1.2 and earlier. For VMS Release 5.1.1, use VOS Release 22.1.4, November 10, 2024 hot-fix and later.

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 22.1.1, May 5, 2023
Revision 2—Release 22.1.2, July 31, 2023
Revision 3—Release 22.1.3, December 30, 2023
Revision 4—Release 22.1.4, July 1, 2024
