TNSR 20.02 Release Notes

About This Release

This is a regularly scheduled TNSR release including new features and bug fixes.

Warning

TNSR 20.02.1 contains additional fixes for problems found in TNSR 20.02 and users should upgrade to that version instead.

The TNSR 20.02.2 release corrects problems specific to Azure and is only available on that platform.

General

Configuration Changes

Several areas of the configuration were changed. These changes must either be made manually or see Updating the Configuration Database for information on how to automatically update the configuration using a script included in this update.

  • IPsec interfaces in the dataplane changed from ipsec<N> to ipip<N> and all references in the configuration must be updated to follow that change [2970]

    This change can be made automatically by the configuration database update script [2972]

ACLs

  • Fixed issues with accessing very large ACLs (100K rules) repeatedly [2558]

Azure

  • Fixed network connectivity issues on Azure [2952]

Dataplane

  • Fixed dataplane auto pinning of worker threads to cores not following expected conventions [2846]

  • Fixed dataplane reporting incorrect physical core ID for main thread [2845]

  • Added QAT crypto Virtual Functions (VF) to VPP startup.conf when {corelist,coremask}-workers is set and a crypto Physical Function (PF) is white listed [3248]

  • Fixed potential situations where DPDK driver sections may not have been written to the dataplane startup configuration [3160]

  • Added dataplane DPDK iova-mode configuration options [3416]

  • The default dataplane UIO driver has been changed to igb_uio instead of using automatic driver selection [3414]

  • Fixed issues with loading the vfio-pci driver at boot time [2686]

DHCP

  • Added methods to view the current DHCP lease database via CLI and RESTCONF [2241]

  • Added the ability for the DHCP server to use new custom option definitions rather than only redefining existing options with custom values [2934]

Interfaces

  • Added options to assign per-interface RX queues to specific worker threads [2018]

  • Fixed issues on XG-1537 and other systems with X552 NICs where if one of the SFP+ (not copper) interfaces did not have an active link when the dataplane restarted, the interface would remain down when the link was reconnected. [2965]

  • SPAN interfaces may now utilize VXLAN interfaces as destinations. [1027]

IPsec

  • Fixed a dataplane and clixon crash due to large packets attempting to pass over IPsec. [2902]

    Though the crash has been solved, packets larger than the default-data-size buffer value in the dataplane will fail to pass. To pass large IPsec packets, increase this buffer size. For example:

    tnsr(config)# dataplane buffers default-data-size 16384
    tnsr(config)# service dataplane restart
    

NAT

  • Fixed incompatibility with NAT outside interfaces with output feature enabled being configured as a DHCP client [2914]

  • Increased the default maximum NAT translations per user from 100 to 10240 [2752]

MAP

  • Improved dataplane MAP-T RFC compliance [2977]

    • Fixed MAP-T IPv4 to IPv6 echo request not being translated correctly [2978]

    • Fixed MAP-T IPv4 to IPv6 echo reply not being translated correctly [2979]

    • Fixed MAP-T IPv6 to IPv4 echo request not being translated correctly [2980]

    • Fixed MAP-T IPv4 to IPv6 MTU Exceeded, DF flag set being handled incorrectly [2982]

    • Fixed MAP-T IPv4 to IPv6 TTL Expires at BR being handled incorrectly [2983]

    • Fixed MAP-T handling of spoofed IPv4 source prefix IPv6 to IPv4 [3053]

  • Fixed an issue where MAP BR encapsulated/translated only the last fragment when it received fragmented packets from an IPv4 network [1887]

  • Fixed fragmentation of IPv4 packets being performed regardless of configured MAP fragmentation behavior in MAP-T mode [1826]

Neighbors

  • Fixed ARP responses for VPP outside interfaces responding incorrectly from the Host OS interface when both are connected to the same layer 2 [2266, 3314]

  • Fixed issues with ARP table contents not being expired over time [3200]

QAT

  • Added the capability to configure QAT VF entries passed to a virtual machine from the hypervisor [3250]

RESTCONF

  • Added support for PATCH method in RESTCONF for API [1109]

  • RESTCONF responses for leaf nodes with a value of an empty string ("") have changed, but still may not contain the expected encoded JSON output. [3450]

    Previous versions of TNSR with clixon 4.0 or earlier returned the value as null, while clixon 4.3 now returns [null]. Per RFC 7951, the previous behavior was incorrect. While the new behavior is closer to that mentioned in RFC 7951 section 6.9, the behavior described there is for empty type nodes, not string type. The intended behavior for empty strings is not yet clearly defined in RFC 7951.

    This behavior is likely to change in future releases as the specification is refined.

Dynamic Routing

  • Removed a redundant BGP command enforce-multihop which is identical to disable-connected-check.

  • Fixed configuration of distance values for BGP address families via CLI [2869]

  • Added validation to prevent configuring a route-map with a sequence number of 0 [2876]

  • Removed incorrect route-reflector-client BGP option for eBGP peer from CLI [2936]

  • Fixed setting multiple attribute-unchanged values via CLI [2941]

  • Fixed setting attribute-unchanged BGP option without specifying a value [2942]

  • Fixed setting route-map as a value for unsuppress-map via CLI [2944]

  • Fixed disabling send-community BGP option in the CLI [2945]

  • Fixed disabling client-to-client reflection BGP option in the CLI [2946]

  • Fixed issue with displaying a large amount of received or advertised BGP prefixes taking a long time [2778]

SNMP

  • Fixed SNMP configuration changes requiring a service restart [2568]

Known Limitations

General

  • TNSR instances on VMWare configured for VM Hardware Compatibility with ESX 6.7 (VM Version 14 or later) cannot initialize their VMXNET3 interfaces unless there are 2 or more RX queues due to an upstream DPDK issue [2576]

    • Workaround 1: Create the VM with VM version 13 (ESX 6.5) and do not upgrade its compatibility level until this issue is resolved.

    • Workaround 2: Configure a num-rx-queues value of at least 2 for each VMXNET3 interface in the DPDK settings for the device(s) (DPDK Configuration) and restart the dataplane.

ACLs

  • ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]

BFD

  • Unable to set delayed option on an existing BFD session [2709]

CLI

  • CLI does not return from shell in certain situations [2651]

Dataplane

  • Systems with multiple CPU sockets using NUMA may experience dataplane issues at startup or when the dataplane is restarted manually [2383]

  • CLI does not prevent the user from configuring a custom interface name which uses reserved keywords which may cause the dataplane to fail (e.g. span) [3234]

  • UIO driver changes are not reflected on interfaces which are already in use [3209]

    Workaround: Reboot the TNSR device.

  • Setting dataplane stat segment heap size causes backend to crash [3598]

  • Deletion/change of custom interface names is not validated properly [3461]

DHCP

  • Unable to delete all DHCP server options at once from CLI [2667]

GRE

  • Unable to modify GRE tunnel settings [2698]

Host Interfaces

  • Configuration of host OS interface clears TNSR TAP interface configuration [2640]

    Workaround: Remove and reconfigure the TAP interface.

  • DHCP on Host Interface stops trying DHCP if a response is not received in a timely manner (Service = Failed) [3015]

    Workaround: Set PERSISTENT_DHCLIENT=1 in /etc/sysconfig/network-scripts/ifcfg-<name> for the affected host interface.

  • Cannot remove an IP address assigned to a host interface during the installation process from within the TNSR CLI [3013]

HTTP Server

  • HTTP server retains old configuration after TNSR services restart [2453]

  • SSL certificate error when the HTTP server is configured with a certificate that uses md5 digest [2403]

Installer

  • TNSR Install over OOB Management GUI may appear to fail due to the screen saver activating before installation is completed.

    This affects installation using a console such as iDRAC Virtual Media redirector.

    Workarounds: Press tab when the screensaver activates. Alternately, use vFlash instead of iDRAC for better performance.

Interfaces

  • Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]

  • Chelsio interfaces crash the dataplane [1896]

  • VLAN subinterfaces may not work under KVM using virtio drivers [2189]

  • An IPv6 link-local address cannot manually be configured on an interface [2394]

  • IPv6 addresses on IPsec or GRE interfaces may not be displayed in show command output [2425]

  • Bridge domain ARP entries are not displayed in the CLI [2378]

  • Bridge domain ARP entries cannot be removed from the CLI [2380]

  • Bridge domain MAC age cannot be removed from the CLI [2381]

  • Link state always reported as “up” when using e1000 network drivers [2831]

  • vmxnet3 RSS fails to initialize, cannot pass packets [2576]

    Workaround: Set dataplane dpdk dev <device id> network num-rx-queues 2 in the TNSR CLI and restart the dataplane.

  • Cannot add a DHCP client hostname to an existing DHCP client [2557]

    Workaround: Remove the dhcp client from the interface and then re-add it with the hostname.

  • Re-enabling loopback interface breaks packet forwarding until the dataplane is restarted [2828]

  • Subinterface settings are not applied on change without restarting dataplane [2696]

  • Unable to create multiple IP QinQ subinterfaces with the same outer vlan tag [2659]

  • Unable to create a subinterface with dot1q any [2652]

  • Full reassembly may not disable on an interface once enabled when using no ip reassembly enable [3360]

    Workaround: Remove both the reassembly enable and type configuration on the interface:

    tnsr(config-interface)# no ip reassembly enable
    tnsr(config-interface)# no ip reassembly type
    

IPsec

  • An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]

  • An SA ordering issue may prevent IPsec traffic from passing if both endpoints attempt to establish a tunnel at the same time [2391]

  • Attempting to change IKE lifetime for an existing tunnel to a value lower than the lifetime of a child entry results in an unintuitive error message [3243]

  • Deletion of IPsec tunnel configuration is not validated properly [3456]

LACP

  • If a bond interface does not have a MAC address explicitly configured, the MAC address may become out of sync between the dataplane and host tap interfaces [2126]

    Workaround: The MAC address will be synchronized when the interface status changes (up or down), so disable and enable the interface or restart the dataplane.

  • There may be a 10-15 second delay with ARP resolution after configuring an LACP bond [2867]

LLDP

  • All LLDP interface parameters must be configured at the same time. [3462]

  • When LLDP parameters change, TNSR requires a dataplane restart for the new settings to take effect. [3486]

  • LLDP parameter values are not validated by the CLI or RESTCONF and invalid values are rejected by the dataplane directly [3459]

MAP

  • MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]

  • MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]

  • Pre-resolve does not work when MAP-T mode is used [1871]

  • Full ip reassembly does not work with MAP [3386]

  • ICMP6 echo request packets are being dropped on MAP-T BR when MAP domain with non-zero PSID offset is used [3401]

  • Initial fragment of UDP and ICMP6 packets is dropped on MAP-T border router when it receives fragments from an IPv6 network [3412]

  • Ethernet padding is incorrectly copied from IPv4 to IPv6 frames when translated by MAP [3460]

NACM

  • Default parameters rule for NACM node access-operation and module does not work without explicit settings [2514]

NAT

  • twice-nat does not work [1023]

  • NAT forwarding is not working for in2out direction [1039]

  • NAT forwarding fails with more than one worker thread [2031]

    Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.

  • Router with 1:1 NAT will drop packets with ttl=2 from input interface [2849]

  • VPP service fails if NAT concurrent-reassemblies is set to 1 and several fragments arriving to the NAT outside interface [2739]

  • ICMP fragments arriving to NAT Inside interface aren’t being reassembled by NAT reassembly function [2733]

  • Dataplane fails on DS-Lite AFTR router when packets from B4 are received before pool is configured [3024]

    Workaround: Configure the DS-Lite pool` **before** the ``aftr endpoint.

  • DS-Lite CE configuration is not fully removed when deleted via CLI, which may leave TNSR with an invalid configuration database which cannot start [3030]

  • Deterministic nat option is not compatible with a pool of IP addresses [3257]

  • Reassembly timeout does not work when full IP reassembly is configured with NAT [3269]

  • Shallow Virtual Reassembly cannot be disabled when it is enabled implicitly by other features such as NAT and MAP [3361]

  • Shallow Virtual Reassembly may fail when configured explicitly after it is implicitly enabled by other features such as NAT and MAP [3362]

  • Re-enabling full IP reassembly on an interface which has implicit shallow virtual reassembly enabled breaks the packet flow [3379]

  • Setting reassembly type full and then enabling ip reassembly on an interface which has implicit shallow virtual reassembly enabled breaks packet flow [3380]

  • Second fragment of a packet is not being virtually reassembled when max-reassemblies counter for shallow virtual reassembly is set to 1 [3384]

Neighbor / ARP / NDP

  • Packet loss during ARP transaction immediately after Dataplane restart or interface disable/enable [2868]

NTP

  • NTP server default restriction list cannot be deleted in CLI [3413]

RESTCONF

  • RESTCONF responses for leaf nodes with a value of an empty string ("") may not contain the expected encoded JSON output. [3450]

    See RESTCONF earlier in this document for more details.

  • RESTCONF responses containing certain IETF error types such as application errors may contain an extra JSON key, rpc-error, in the error list. RESTCONF users should accommodate this extra key, if present, when parsing IETF error messages. [3455]

  • Incorrect BGP configuration is generated when IPv6 address family is configured via REST [2915]

  • Adding a user via RESTCONF requires a password even when key is provided [2875]

  • Adding MACIP rule via RESTCONF fails [2844]

  • Cannot rename an ACL via RESTCONF [2843]

  • Deleting ACL rule via RESTCONF crashes Clixon [2841]

Static Routing

  • IPv6 packet loss may be observed between TNSR instances [2382]

  • TNSR drops packets when an output interface configured in the routing table is disabled, even when other usable paths are present to the same destination [3359]

Dynamic Routing

  • CLI shows that only IPv4 prefix is available within prefix-list sequence configuration [2689]

BGP

  • An IPv6 BGP session cannot be established over IPsec or GRE [2429]

  • BGP maximum-path option for eBGP and iBGP can not be configured simultaneously [2879]

  • BGP network backdoor feature does not work without service restart [2873]

  • Unable to verify received prefix-list entries via CLI when ORF capability is used [2864]

  • extended-nexthop capability is not being negotiated between IPv6 BGP peers [2850]

  • BGP session soft reset option does not work for IPv6 peers [2833]

    Workaround: Reset the connection without soft option.

  • ttl-security hops value can be set when ebgp-multihop is already configured (the options are mutually exclusive) [2832]

  • clixon-backend fails when loading BGP config with 150k advertised prefixes [2784]

  • BGP updates for new prefixes are sent every 60 seconds despite configured advertisement-interval value [2757]

  • TNSR installs additional duplicated next-hop entries for multipath routes received via BGP [2935]

  • IPv4 BGP summary command returns results for both IPv4 and IPv6 [3270]

  • BGP next-hop attributes are not sent unmodified to an eBGP peer when route-server-client option is configured [2940]

  • show route dynamic bgp ipv6 summary command will not show any information if address family is not specified when configuring BGP for IPv6 [2967]

    Workaround: Set the address family when configuring BGP. Alternately, due to [3270], IPv6 information is current visible in show route dynamic bgp ipv4 summary, so use that command instead.

  • Unable to configure BGP IPv4/IPv6 multicast address family using CLI [3038]

    Workaround: Configure this feature via RESTCONF

  • BGP listen range option disappears from the active dynamic routing daemon configuration after restarting BGP service [3043]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to configure BGP dampening values via TNSR CLI [3057]

  • Unable to configure BGP write-quanta value via TNSR CLI [3087]

  • Unable to configure BGP debug logging via TNSR CLI [3199]

  • Unable to configure BGP confederation identifier via TNSR CLI [3210]

  • Static routes may not be restored correctly after failing over to a BGP route [3543]

OSPF

  • OSPF default-information originate does not work with static route 0.0.0.0/0 as default route [2477]

  • Changing redistributed kernel routes does not trigger addition/removal of corresponding OSPF Type-5 LSAs [2389]

  • Routing information in the forwarding table is not updated correctly when removing a static route which overlaps a route received via OSPF [2320]

  • The OSPF RIB is not updated when the ABR type changes from standard to shortcut, and vice versa [2699]

  • Changing the default metric for OSPF server does not result in update on other routers [2586]

OSPF6

  • IPv6 routes in the OSPF6 database may not appear in the OSPF RIB until the service is restarted [2891]

  • When deleting an OSPF6 interface via RESTCONF, it may remain active in the OSPF6 daemon despite being removed from the TNSR configuration [3481]

RIP

  • key-chain string is not applied in the routing daemon if configured after RIP is enabled [2878]

    Workaround: Disable and enable RIP after making the change.

  • RIP timeout value is not respected [2796]

SNMP

  • There are no changes when using “write” community [2567]

VRRP

  • VRRP does not function on an outside NAT interface with a priority of 255 [2419]

    Workaround: Set the priority of the VR address on the primary router to a value less than 255 yet higher than that of other routers. Enable Accept Mode on the VR address if the VR address will be used by services on TNSR.

VXLAN

  • Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]

  • VXLAN and OSPF may not work properly if OSPF is configured after VXLAN in the dataplane [2511]

Reporting Issues

For issues, please contact the Netgate Support staff.