Versa Networks

Versa Concerto Release Notes for Release 11.4

These release notes describe features, enhancements, fixes, and known issues in Concerto Release 11.4, for Releases 11.4.1 through 11.4.4.

July 12, 2024
Revision 4

Product Documentation

The Versa Networks product documentation is located at https://docs.versa-networks.com.

Install Concerto

If you are installing new Concerto instances, follow the steps in Install Concerto.

Upgrade Concerto

Caution: Before you upgrade to Concerto 11.4.4, ensure that the current operating system security package (OS SPack) is installed on all the nodes in the cluster. To check that the current OS SPack is installed on all nodes in the cluster:

  1. Download the latest OS SPack from https://versanetworks.box.com/v/osspack or from an alternate download server at https://download.versa-networks.com/index.php/s/nEkF9xOO3e7BA9Z.
  2. Copy the OS SPack to /var/versa/ecp/share/packages.
  3. On each node, issue the vsh stop command to stop all Versa services.
  4. On each node, execute the OS SPack file:
    sudo /var/versa/ecp/share/packages/versa-concerto-osspack-B-20240605.bin
  5. Reboot each node.

To upgrade Concerto nodes from Release 11.x.x to Release 11.4.4:

  1. Download the Concerto 11.4.4 bin file to the /var/versa/ecp/share/packages directory on any one of the nodes in the Concerto cluster. The bin file is automatically synced to all other nodes in the cluster.
  2. Generate a backup of the existing Concerto cluster by issuing the vsh database backup create command. To verify that the backup has been created, check the output of the vsh database backup list command.
  3. To upgrade to the new version of software, issue the vsh system package upgrade package-bin-filename command. This command triggers the upgrade process on all the nodes in the cluster. The upgrade debug logs are saved to the upgrade.log and install.log files in the /var/log/ecp directory.
  4. After the upgrade process completes, services start automatically on all the nodes. If the upgrade fails, the system automatically rolls back to the previous software image running on all the nodes.
  5. To check that the services are running, issue the vsh status command:
admin@concerto-1:~$ vsh status
postgresql            is Running
zookeeper             is Running
kafka                 is Running
solr                  is Running
glances               is Running
mgmt-service          is Running
web-service           is Running
cache-service         is Running
core-service          is Running
monitoring-service    is Running
traefik               is Running
  6. The docker service ls command also shows the status of the services.
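
Added example (not from the Versa documentation): a post-upgrade check that parses vsh status output in the format shown in step 5 and reports every expected service that is missing or not Running. The function names, the expected-service list (copied from the sample output above), and the Stopped state in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: post-upgrade health check for a Concerto node.
# Assumes `vsh status` prints one "<service> is <State>" line per service,
# as in the sample output in step 5. Function names are hypothetical.

# Services that appear in the sample output on this page.
EXPECTED_SERVICES="postgresql zookeeper kafka solr glances mgmt-service web-service cache-service core-service monitoring-service traefik"

# Read `vsh status` text on stdin. Print one line for each expected service
# that is absent from the output or reported in a state other than Running.
concerto_unhealthy() {
    awk -v expected="$EXPECTED_SERVICES" '
        # Only "<name> is <state...>" lines count; the shell prompt is skipped.
        NF >= 3 && $2 == "is" {
            s = $3
            for (i = 4; i <= NF; i++) s = s " " $i
            state[$1] = s
        }
        END {
            n = split(expected, svc, " ")
            for (i = 1; i <= n; i++) {
                if (!(svc[i] in state))
                    print svc[i] " missing"
                else if (state[svc[i]] != "Running")
                    print svc[i] " " state[svc[i]]
            }
        }'
}

# Return 0 only when every expected service is reported as Running.
concerto_status_ok() {
    [ -z "$(concerto_unhealthy)" ]
}

# Sample input: the output shown in step 5.
SAMPLE_HEALTHY='admin@concerto-1:~$ vsh status
postgresql            is Running
zookeeper             is Running
kafka                 is Running
solr                  is Running
glances               is Running
mgmt-service          is Running
web-service           is Running
cache-service         is Running
core-service          is Running
monitoring-service    is Running
traefik               is Running'

# Constructed sample: solr in an assumed "Stopped" state, traefik line absent.
SAMPLE_DEGRADED=$(printf '%s\n' "$SAMPLE_HEALTHY" |
    sed -e 's/^\(solr  *is\) Running/\1 Stopped/' -e '/^traefik /d')

# On a node, run after the upgrade completes:
#   vsh status | concerto_unhealthy
#   vsh status | concerto_status_ok || echo "upgrade check failed"
```

Run the check on every node in the cluster, because the upgrade command acts on all nodes while vsh status reports only the node it runs on.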

Concerto 11.4.1 New Features and Enhancements

The following table lists the new features and enhancements in Concerto Release 11.4.1.

ID Service Description
90625 SSE Add support for policy rules to authenticate users behind branch devices. You can configure authentication policy rules to authenticate users connecting to SSE gateways from SD-WAN devices or site-to-site tunnels. To configure the user and device authentication rules, select User and Device Authentication > Rule. See Configure User and Device Authentication.
86471 SSE You can modify parameters of a predefined IPS profile by creating an IPS override profile and then associating it with internet or private application protection rules when you select a predefined IPS profile. To configure IPS override profiles, select Real-Time Protection > Profiles > IPS Override. See Configure IPS Override.
94654 SSE You can configure advanced threat protection (ATP) or sandboxing profiles from Real-Time Protection > Profiles. You can configure ATP profiles only if the tenant subscription is Bundle/VSA elite or professional tier with add-on ATP service. See Configure Advanced Threat Protection.
94893 SSE You can configure user-defined security actions from Settings > User Defined Objects > Security Actions. See Configure SASE User-Defined Objects.
93836 SSE You can configure user-defined URL categories from Settings > User Defined Objects > URL Categories. See Configure SASE User-Defined Objects.
89168 SSE You can configure exact data match (EDM) and document fingerprinting rule types in DLP profiles. See Configure Data Loss Prevention in Concerto.
92699 SSE You can configure Versa SASE client source obfuscation and private application obfuscation from Real-Time Protection > Network Obfuscation. See Configure Network Obfuscation.
91038 SSE You can configure policy-based site-to-site IPsec tunnels. Releases 11.3.2 and earlier support only route-based site-to-site tunnels. See Configure SASE Site-to-Site Tunnels.
93558 SSE Add support for RADIUS-based user authentication in SSE authentication profiles. See Configure User and Device Authentication.
96234 SD-WAN, SSE Improve the UI for audit logs. See Manage Users.
94302 SSE Add support for the SSE Elite subscription in the Create Tenant window. See Configure SASE Tenants.
94305 SSE You can configure a tenant shaper on SSE gateways based on provisioned bandwidth for the tenant in the tenant onboarding flow. See Configure SASE Tenants.
80367 SD-WAN, SSE The Concerto system administrator can configure maintenance windows and other notifications that impact each tenant, selected tenants, or devices. A notification popup window displays for selected users. The user can acknowledge the notification to disable the popup for subsequent logins. See Configure Scheduled Notifications for Concerto and Concerto Home Screen Overview.
84911 SSE Add support for gateway-assisted trusted network detection per routing instance (VPN) of tenants. See Configure Trusted Network Detection for a SASE Gateway.
85201 SSE You can view the configuration differences before publishing updated configurations to SSE gateways. See Publish SASE Gateways.
87327 SD-WAN Add support for PPPoE WAN interfaces. To configure a PPPoE interface, choose the subcategory PPPoE in the WAN category. See Configure PPPoE Interfaces in Concerto.
92762 SD-WAN You can configure Layer 2 interfaces in trunk mode. In Releases 11.3.2 and earlier, you can only configure Layer 2 interfaces in access mode. See Configure Access and Trunk Interfaces in Concerto.
95324 SD-WAN, SSE Add support for match criteria based on remote SD-WAN sites and appliance names in real-time protection rules. See Configure SASE Internet Protection Rules and Configure SASE Private Application Protection Rules.
87705 SD-WAN Redesign Application Forwarding Profiles configuration screens with advanced functionality to support SaaS application monitoring and direct internet access. See Configure Profiles.
95310 SD-WAN You can define SaaS application monitors and use them in forwarding profiles. See Configure SaaS Application Monitors.
94564 SD-WAN You can create sites or appliances in bulk by importing CSV files on the Deploy Lifecycle window. See Create a New Site.
94869 SD-WAN Redesign Access Control Rules and Policies UI screens in secure SD-WAN configurations. See Configure SASE Secure Client Access Profiles and Configure SASE Secure Client Access Rules.
93682 SD-WAN Redesign predefined and user-defined services UI screens in secure SD-WAN configurations. See Configure SASE Secure Client Access Profiles and Configure SASE Secure Client Access Rules.
95585 SD-WAN Add support for service groups. A service group can have collections of multiple user-defined and predefined services. See Configure SASE Secure Client Access Profiles and Configure SASE Secure Client Access Rules.
SD-WAN Enhance the View lifecycle, including dashboards for Rules, SLA Metrics, SLA Violation, and QoS. See Concerto Deploy Lifecycle Overview.
95240 SD-WAN, SSE Add support for an Analytics aggregator to display aggregated information from multiple Analytics clusters where the tenant is present. See Install Concerto.
95005 SD-WAN Add the Download button on the Global publish window to download the status of all appliances in CSV format. The following screenshot shows a sample CSV file that displays appliances in various states. See Download the Global Publishing Status. [Screenshot: global-publish-download-csv.png]
90928 SD-WAN Add support for multitenant hub–controller (HCN) devices. See Configure Appliances, Hubs, and Hub–Controllers.
95362 SD-WAN Enhance multitenant master profiles to allow you to create subtenant-specific CGNAT rules by tenant name when you are creating a rule. See Configure Profiles.
95824 SD-WAN, SSE Enhance user-defined applications to allow you to configure risk, productivity, family, and subfamily attributes. See Configure Profiles.
96576 SSE Add support for SaaS tenant control. See Configure SaaS Tenant Control Profiles.
84314 SD-WAN, SSE Add support for user login and password-requirements settings at the global level. These settings apply to all system and tenant users. See Manage Users.
95060 SD-WAN You can create TVI-based WAN interfaces with associated multiple VNI interfaces for redundancy. To configure a TVI WAN interface, select the TVI subcategory. To configure an associated VNI for TVI, select the VNI for WAN TVI category. See Configure TVI-Based WAN Interfaces.
93593 SSE You can configure a preferred Versa SASE client version to automatically upgrade clients on the supported operating systems, macOS and Windows. See Configure SASE Secure Client Access Rules.
87257 SSE You can customize captive portal pages. You can change the default captive portal certificate from the Captive Portal Settings section on the Customize User Intercept (Captive Portal) window. See Configure Captive Portal.
95448 SD-WAN You can select the list of controllers and hub–controllers serving the site when you are creating a site in the Deploy Lifecycle. If only one or two Controller nodes are associated with the selected Director node, they are automatically selected on the Create Site window. See Create a New Site.
88060 SD-WAN You can set the license period while creating an SD-WAN appliance. This information is propagated to the Director node when the appliance is published. See Configure Appliances, Hubs, and Hub–Controllers.

Fixed Bugs and Minor Enhancements in Concerto Release 11.4.1

The following table lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.1.

Bug ID Description
100631 Concerto does not update the latest alarms and shows old creation dates.
100555 Branch-to-branch IPsec tunnel settings do not apply to subtenant configuration in a multitenant hub configuration.
100553 Concerto SD-WAN Overview does not list all devices.
100539 Custom application using host patterns shows TCP as protocol.
100516 SD-WAN Onboarded Devices Inventory is missing under Inventory tab.
100498 Concerto Release 11.3.2 MDM configuration pushed from Concerto is not reflected in the configuration.
100497 From customer tenant, a tenant user can upgrade the SPack and software on multitenant SSE and SD-WAN devices.
100398 BGP term to handle unused hubs is missing in LAN VRF's Export-To-LAN-Policy {}.
100294 Remove RMA Serial Number field from Concerto UI when creating a new device.
100240 URLF default action changes are not reflected in Director nodes and gateways.
99941 Prompt the user if there are any unsaved bind data values when the user mistakenly closes the window without saving.
99939 In the Deploy page, the 3-dots icon has no function. Also, there is extra space at the end of the Site Summary box.
99935 The +1 More button in the Director Name column of the tenant list page does not expand the Director names. Instead, it opens the tenant configuration page.
99934 Clicking anywhere in the tenant row should not open the tenant page.
99746 Enhancement to add service list instead of application in Implicit_Drop_Quic FW access policy.
99715 When a user-defined security profile folder is hidden from the user, hide the corresponding card in forward rule also.
99509 OS SPack upgrade fails from Inventory page.
99429 Ellipses of sites is not accessible under Deploy lifecycle to set profile or publish.
98644 Add support to enable autodisconnect in secure client access rule.
98620 MAC client does not process the secure client access profile information on IPsec tunnel configuration.
98331 Clone or deletion of Internet applications causes a CSRPF error.
98185 When you modify the order of rules in the Configure > SASE > Real-Time Protection > Internet Protection Rule screen, a reorder issue occurs with Release 11.3.2 images.
97941 Service template order is not retained between primary and secondary, and when copying from master profile.
97636 Concerto should prevent certificate upload for filenames that contain a space.
97456 Tag community 8009:8009 for hub routes received.
97438 Add new search bar in the Master Profile page to search profiles by name.
97412 Add support for CSG5000 models when adding appliances in Concerto.
97096 Decommissioned tenant custom user roles have not been removed from the Concerto database.
96503 Add ability to search for site/appliance/profile name in the Profile Assignment and Appliance Status zoom in pages.
96350 Publish fails after deleting existing service template attached to an appliance.
96306 Configure security service as stateful firewall with solution tier Prime-SD-WAN.
96296 Group filter value is missing in Concerto-generated configuration for IAM.
96249 Reverse role mapping when user is created using Concerto for the Director custom role is not working.
96210 Appliance-level bind variable value is overwritten with default values from master profile when applying new version of master profile to the appliance.
96053 WAN link down notification is not updated on the View lifecycle.
95945 Propagated user roles should be read-only in the subtenants.
95938 Unable to delete multitenant device of HA pair in Concerto that is created using URL ZTP.
95759 When you delete a parent tenant user role, the associated child tenant users cannot log in or have issues during sessions.
95362 Add DNAT support for multitenant CPE in Concerto.
95302 Remove references to version in Elements, because versioning is not used here.
94870 Increase the allowed portal lifetime value.
94812 Existing Internet Protection/PAP Rules display site-to-site source zones even when tunnel user permission is hidden.
94784 Profile must automatically assign different VRRP priority for redundant devices.
94765 Need GUI option to set Appliance ID (similar to Director), manually overwriting autogenerated ID during appliance creation from Concerto > Deploy lifecycle.
94632 Cannot see the default IPsec parameters for existing configured site-to-site IPsec tunnels after upgrading.
94536 Group ID field should accept non-ASCII characters in SAML user group ID.
94276 Add implicit deny rule in portal/gateway secure access policy rules.
94238 VOS Bionic OS SPack update from Concerto may fail.
94234 In the View tab of an SD-WAN appliance, display whether a WAN interface is attached to the current appliance or to a redundant pair of appliances.
94082 Blank screen while creating a profile under Subprofile > Security.
94286 Generated TVI interface numbers for split tunnels are out of range if the VRF ID of LAN routing instance is a greater number.
93411 Add Precedence field in the custom application object for both SSE and SD-WAN.
92946 IPv6 validation required for Track Route - Prefix field under VRRP.
92513 Multitenant scope master profile is propagated in both parent and child tenant using Concerto 11.3.1.
92205 Concerto overwrites changes to To_ST_DIA policy done in Director pushing Reject_All term to the top.
91953 Allow Concerto to create loopback TVI Interfaces and associate with any VRF.
91794 Allow SASE gateway to publish without configuring any authentication profiles and site-to-site tunnels to support SD-WAN devices only connected to the SSE gateways.
91588 Concerto pushes certificate only to the default Director node.
90577 Save and Schedule is not sending report in email when requested from Concerto. It is working from standalone Analytics nodes or from Director nodes.
90373 Option to apply service template to specific appliance in HA pair for subtenants.
90370 Remove hardware image in the View tab for unsupported appliance model numbers.
90366 Ability to hide Monitor tab without impacting the View tab in Concerto.
90315 Add option to download the report from the View tab.

Fixed Bugs and Minor Enhancements in Concerto 11.4.2

The following table lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.2.

Bug ID Description
93970 Interface IP address with mask length /31 is not allowed. This limitation is now removed.
96631 Fix issues with migrating forwarding profiles data from existing profiles.
98751 Allow non–RFC 1918 subnets to be configured on the Secure Access Client Policy if the tenant is subscribed to the VSIA service.
100930 Remove-Label DLP profile configuration is not pushed to the VOS device.
101183 Do not allow the Delete IPS Override Profile if it is attached to or referenced in a real-time protection rule.
101207 Error occurs when accessing DLP rules page.
101419 Fix memory leak in Solr service.
101543 Fix /actuator URL vulnerabilities.
101748 Fix configuration issue with Network obfuscation.
101777 Fix incorrect application logos under internet protection rule.
101800 BGP neighbor policies applied on the secondary device WAN circuits should not be configured on the corresponding cross-connect link.
101806 Transaction failure error when propagating configuration changes to a large number of SD-WAN configuration objects.
101807 Solr service terminates with memory limitation. This issue has been fixed by removing memory limitation for the Solr service.
102114 Enable server-side REST response payload compression to improve application performance.
102203 Fix base64 decode during certificate validation.
102243 Fix script issues with adding and removing nodes in the Concerto cluster.
103001 Add bind and search timeout configuration options in LDAP profiles.
103099 SASE Versa Directory username creation with uppercase is failing.
103106 Invalid FQDN name in the user-received email address from the Versa Directory service if the tenant’s name contains a _.
103361 URL reputation displays wrong order for the reputation Suspicious.
103735 Allow wildcard domain names in custom client native applications.
104228 Publish fails when a custom application contains host patterns that have special characters.
104550 Allow smaller client address pools on SSE gateways (up to /28 prefix lengths) in the tenant onboarding page.
104639 Subtenant publish shows as Failed in the Task bar in the honeycomb view, but the configuration is pushed to the device successfully.
104716 Allow selection of site-to-site tunnel source zones in private application protection rules if the tenant is subscribed to the VSPA Professional Only service.

Fixed Bugs and Minor Enhancements in Concerto 11.4.3

The following table lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.3.

Bug ID Service Description
85299 SD-WAN Generate WAN interface adaptive shaping configuration automatically if downlink bandwidth is configured on the interface.
99955 SD-WAN, SSE A user-defined application cannot be deleted in a tenant if another tenant has its own user-defined application with the same name and it is referenced in its rule or application group.
101221 SD-WAN Incorrect values and units shown for WAN interface upstream and downstream bandwidth in View Lifecycle of SD-WAN appliance. Bandwidth now displays in the correct units.
101259 SD-WAN Service Templates attached with scope Primary on subtenant devices are not attached to the device group on the Director correctly. As a result, the service template configuration is not applied to the primary appliance in HA pair.
101337 SD-WAN When a transport connection name is parameterized for IPsec, GRE, or EOGRE, the connection name values do not display in the variable values.
102865 SSE Add support for trusted and exclude routes in Secure Client Access rules.
103357 SD-WAN, SSE Allow mapping of the Director-level RBAC user role to multiple Concerto user roles.
103434 SD-WAN QoS peer classification is not working in active–active spokes (HA pair) when the VPN topology is not full mesh.
103691 SD-WAN URL-based ZTP fails with the error “No interface configured with the same transport domain for URL based ZTP with vpn profile.”
105301 SSE In site-to-site tunnel view, a maximum of 25 received and sent prefixes is shown in View Lifecycle.
105354 SD-WAN Tenant user cannot configure shared SSE VCGs in the exit location list for SD-WAN forwarding profiles.
105476 SD-WAN Support source and destination address negate option in SD-WAN policy rules.
106042 SD-WAN Overlay TVI IP address overlaps with DIA split tunnel paired TVI interface when the Tenant ID is greater than 300. Split tunnel TVI interfaces now have the format tvi-1/x.
106109 SD-WAN, SSE Enable Analytics logging (LEF) for site-to-site tunnels implicitly.
106129 SD-WAN Global inventory page displays an out-of-memory error when there are a large number of tenants.
107058 SD-WAN, SSE Add option to select both application and URL category/reputation in policy rule match criteria.
107155 SD-WAN User-defined service object does not accept multiple comma-separated source and destination ports and port ranges.
107417 SSE Tenant with _ in its name generates an incorrect LDAP server configuration for a Versa Director authentication profile.
107430 SSE When a tenant name is long, enabling the trusted network detection fails, because an implicit security rule generated for trusted network detection exceeds 63 characters. This issue has been fixed by generating a shorter firewall (ACL) rule.
107442 SD-WAN, SSE Enforce minimum password strength requirements when creating a user on the Concerto portal.
107483 SSE Tenant with _ in its name generates an incorrect SAML hostname configuration for an SSO authentication profile.
107502 SD-WAN Incorrect VLAN ID values validation on Layer 2 interfaces.
107513 SD-WAN, SSE Authentication bypass vulnerability occurred with an API URL that contains ///. This issue has been fixed.
107768 SD-WAN, SSE Allow both a host pattern and an IP prefix when creating user-defined applications.
108069 SSE Detailed view of the BGP sent and received prefixes for site-to-site tunnels does not display more than 100 prefixes.
108199 SD-WAN Master profile change propagation to a large number of appliances creates duplicate profiles in the database, and they cannot be deleted from portal GUI.

Fixed Bugs and Minor Enhancements in Concerto 11.4.4

The following table lists the critical and major defects that were fixed and minor enhancements that were added in Release 11.4.4.

Bug ID Service Description
94688 SD-WAN & SSE Improve the View tab landing screens load speed.
99909 SD-WAN Add the precedence option in CGNAT rules.
101514 SSE A Concerto-generated implicit IP cache rule intercepts internal DNS requests.
102709 SD-WAN & SSE Print a proper error message when SSO is not enabled for a tenant and a user tries to log in using the SSO option.
104910 SD-WAN Not able to view and select file types in a malware protection profile under the Secure SD-WAN configuration.
105057 SD-WAN & SSE Allow pinging from the Concerto shell for a non-root user.
106743 SD-WAN & SSE SSO login for a user with a custom role is not working on Concerto.
108107 SSE The default action pushed to the appliance and Director is “Alert” regardless of which action (Alert, Allow, Block, Drop Packet, Drop Session, Reject) is configured as the default in Concerto.
108431 SSE The site-to-site tunnel Last Modified time is updated even when the profile is only read and the configuration window is closed.
108554 SD-WAN Unable to dismiss all alarms at the site level. API throws an error.
108629 SD-WAN ICMP packets from reachability monitor IP address used in forwarding profile should be allowed if ICMP is blocked on WAN.
108635 SD-WAN Unable to connect to the appliance shell from Concerto monitor using Shell-in-a-Box.
108750 SD-WAN Unable to create traffic steering rule when destination IP is Customized.
108946 SD-WAN Secondary device activation fails for spoke HA devices because the community has an unresolved variable.
108965 SSE Display URL reputations order by risk level in URL Filtering profile.
109084 SD-WAN & SSE SMTP Auth failure occurs even if Auth is set to False in Concerto system level SMTP configuration.
109202 SSE Policy-based IPSec Tunnel—Policy configurations are not allowed to match the prefix 0.0.0.0/0.
109336 SD-WAN Unable to delete an appliance to migrate from one Director to another Director.
109374 SD-WAN Propagation failed on Concerto "Unable to commit against JDBC Connection."
109433 SSE Portal FQDN displays underscores from the tenant’s name. Underscores in tenant name should be converted to a dash (-) when converting to FQDN.
109506 SD-WAN Automatically trim white spaces in appliance serial numbers before saving.
109709 SSE Mandatory source/destination port validation needs to be removed from policy-based IPsec site-to-site tunnel.
109741 SD-WAN & SSE Update to version 5.4.0.182.
109850 SSE When deleting Versa Directory Profile, Concerto does not trigger IAM sync operation.
109855 SD-WAN & SSE Concerto authentication fails when the primary Director's services are down. Authentication requests are not sent to the new active node.
110088 SD-WAN Application classification is accepting all special characters in the name.
110245 SSE The user-defined EIP agent for custom category does not support spaces in file path.
110259 SSE Create default TCP optimization policy and profile on SSE GWs to match SMB protocol traffic.
110349 SD-WAN Allow the ability to change a device model number before the appliance onboarding (ZTP) is completed.
110600 SD-WAN Make the WAN connection name optional when creating a DIA forwarding profile. This will help to redirect internet-bound traffic to a site-to-site tunnel.
110795 SD-WAN & SSE Director discovery adds all the controllers from the Director to all the existing tenants even though those tenants are deployed with a subset of controllers.
110800 SD-WAN & SSE Load Google fonts locally instead of loading from the internet.
111013 SSE Internet Protection and Private App Protection rules are cached incorrectly across tenants on the UI.
111124 SSE Concerto UI does not display LDAP users/groups in an Internet Protection rule if the tenant is deployed on multiple Directors and one of the Directors does not provide a users/groups list.
111254 SD-WAN & SSE SSO user login fails if the same external role mapping is present in two different tenants.
111427 SD-WAN Add the Tenant Health card to View of Secure SD-WAN.
111688 SD-WAN In SD-WAN summary View, the Asset Summary counts do not add up with the total appliances count.
111714 SD-WAN Allow a VPN name to be selected as the exit routing-instance in a SaaS application monitor.
112098 SD-WAN Redistribute to BGP6 if any interface in a LAN VRF is configured with an IPv6 address, even when BGP is not enabled on the interface.
112267 SSE Destination zone “Internet” in Internet Protection rule gets converted to split-tunnel zones “L-ST…” when View Diff is invoked in the gateway's publishing page.
112274 SD-WAN Cloning an interface with VRRP throws a null pointer exception.
112304 SSE Add secure-access Portal FQDN to the Trusted Network Detection related DNS redirection policy rule.

Known Limitations in Concerto Release 11.4.1

The following are the limitations and behavior changes in Release 11.4.1:

  • Authentication Profiles is now under the menu User and Device Authentication, along with Authentication Rules, which is new.

  • If you enable BGP on a WAN or LAN interface, BGP alarms are automatically enabled in the corresponding routing instance.
  • On a multitenant SD-WAN appliance, service templates attached with the scope set to Primary at subtenant level are not reflected on the device. The scope should be set to Both for the service template to be applicable on the primary appliance. Note that this limitation is only on the subtenant-level attached service templates on a multitenant appliance.
  • Multitenant appliances, hubs, and hub–controllers are not accounted for in Up/Down counts in the Asset Summary card. Clicking on a count shows a list of multitenant devices.

  • On a hub–controller device, changing the staging pool prefix size after initially publishing the appliance does not take effect on the Director node. As a workaround, clear the bind variable values for the staging prefixes on the Director node in the device workflow and then republish the appliance from Concerto.
  • The wrong values and units are shown for the WAN Interface Upstream and Downstream Bandwidth in the View lifecycle of an SD-WAN appliance.

Concerto 11.4.1 REST API Updates

The attached files list the REST API changes for Concerto Release 11.4.1:

Concerto 11.4.3 REST API Updates

The attached files list the REST API changes for Concerto Release 11.4.3:

Concerto Release 11.4.1 Director Version Compatibility

Concerto 11.4.1 is compatible with Director Releases 21.2.2, 21.2.3, and 22.1.2 for SD-WAN services.

Concerto Release 11.4.2 Director Version Compatibility

Concerto 11.4.2 is compatible with Director Releases 21.2.2, 21.2.3, 22.1.2, and 22.1.3 for SD-WAN services, and with Director and VOS Release 22.1.3 for SSE services.

Concerto Release 11.4.3 Director Version Compatibility

Concerto 11.4.3 is compatible with Director Releases 21.2.2, 21.2.3, 22.1.2, and 22.1.3 for SD-WAN services, and with Director and VOS Release 22.1.3 for SSE services.

Concerto Release 11.4.4 Director Version Compatibility

Concerto 11.4.4 is compatible with Director Releases 21.2.2, 21.2.3, 22.1.2, 22.1.3, and 22.1.4 for SD-WAN services, and with Director and VOS Releases 22.1.3 and 22.1.4 for SSE services. 

Request Technical Support

To request technical support, visit http://support.versa-networks.com. If you are contacting support for the first time, register and create an account. You can also send email to support@versa-networks.com or contact your Versa Networks sales account team.

Revision History

Revision 1—Release 11.4.1, September 25, 2023
Revision 2—Release 11.4.2, January 18, 2024
Revision 3—Release 11.4.3, March 28, 2024
Revision 4—Release 11.4.4, July 12, 2024
