Tip
This is the documentation for the 19.12 version.
TNSR 19.12 Release Notes
About This Release
General
Updated to CentOS 7.7 [2638]
ACL
Fixed a backend crash when requesting a non-existent ACL via RESTCONF [2613]
Fixed a backend crash when displaying an ACL with a description in the CLI [2606]
BFD
Integrated BFD implementation with dynamic routing protocol daemons [2106, 2131]
Removed redundant BFD configuration parameters from routing daemon configuration; configure these options directly in BFD instead [2578]
Counters
Fixed an issue with invalid interface counter data at first boot [2572]
Fixed an issue with multicast counter output containing unicast counter data [2526]
Dataplane
Fixed error message displayed when attempting to assign more than the available number of CPU cores [2625]
Enhanced the CPU corelist-workers command to accept ranges of cores [1943]
Fixed an issue where the value of ip reassembly max-reassemblies was ignored if ip reassembly expire-walk-interval was also set [2561]
Added commands to configure dataplane network device receive and transmit descriptors [2020]
DHCP
Added commands to define custom DHCP options [2774]
Fixed an error when running service dhcp reload [2666]
Host ACLs
Changed default host ACL ruleset to allow IPv6 traceroute [2627]
Interfaces
Fixed display of tag rewriting configuration in show interface output [2807]
Fixed IPv6 addresses not being reapplied to an interface when it was disabled and later re-enabled [2648]
Fixed use of renamed interfaces with bonding [2740]
Fixed adding interfaces to a bond when they previously had been configured with an IP address [2654]
Fixed an issue where data may fail to pass through a bond interface after changing its settings [1603]
IPsec
Fixed an issue with RESTCONF IPsec status data returning every value as a string type [2642]
Improved IPsec to be thread-safe with multiple workers [1334, 2084]
MAP
Fixed an issue where IPv6 packets were not translated to IPv4 for MAP domain rules where PSID offset and length are specified [2808]
Fixed an issue where changing MAP behavior from translate to encapsulate required restarting the dataplane [1779]
Fixed TCP MSS value not being applied to encapsulated packets in MAP-E mode [1816]
NAT
Fixed an issue with show nat deterministic-mappings returning IPv6 data instead of IPv4 [2887]
Fixed issues with show nat sessions not returning results via RESTCONF or the CLI [2746, 2251]
Added commands to adjust values of NAT hash buckets and memory [1762, 2611]
Increased the maximum value of max-translations-per-user to 262144 [2612]
Fixed NAT and ACL permit+reflect rules not working when configured together [2262]
Routing
Fixed an issue with adding routes to the same destination via different next-hop routers [2407]
Dynamic Routing
Fixed an issue preventing OS-level interface events/status from being recognized by FRR daemons [2755]
Fixed an issue with creating access-list entries for IPv6 prefixes using the CLI [2624]
Fixed an issue with creating route map match peer entries for IPv6 addresses using the CLI [2623]
BGP
Fixed setting the solo option for BGP neighbors [2826]
Fixed setting the maximum-paths BGP option via CLI [2822]
Fixed setting the table-map filter BGP option via CLI [2821]
Fixed setting the route-map option for BGP network entries via CLI [2820]
Fixed setting the backdoor option for BGP network entries via CLI [2819]
Fixed the show route dynamic bgp ipv4 network command so it does not require a full prefix with mask length [2773]
Fixed an issue where setting a new BGP update-delay timer did not override the previous peer-wait value [2772]
Fixed input validation of the BGP update-delay value so it cannot be set larger than peer-wait [2771]
Fixed an issue where BGP would fail to install a received IPv6 route into the routing table [2650]
OSPF
Added detail modifier to show route dynamic ospf neighbor which displays more detailed OSPF neighbor information [2742]
Fixed an issue where an OSPF LSA was not added to the LSDB if there was a dead LSA for the same route present [2626]
Fixed an issue where OSPF did not send LSA-5 messages to a backbone area if an NSSA area session was already established [2559]
Fixed setting the timer throttle lsa value for OSPF in the CLI [2555]
OSPF6
Added support for OSPFv3 (also known as OSPF6) to handle OSPF for IPv6 [2517]
OSPF6 is now also allowed in the default host ACL ruleset [2668]
RIP
Added support for RIP (v2 and v1) [2498]
RIP is now also allowed in the default host ACL ruleset (UDP port 520) [2657]
SNMP
Fixed ifOutUcastPkts returning value of rx-bytes instead of tx-bytes [2584]
VRRP
Added commands to configure interface tracking for VRRP and display its status [2521]
Fixed an issue where multiple VRs with the same VR ID on a hardware interface (via subinterfaces) could interfere with each other [2865]
Fixed an issue where a VRRP VR only removes the virtual MAC from an interface when transitioning from master to backup [2842]
Fixed an issue with using VRRP on bond interfaces [2829]
Fixed an issue with incorrect VRRP VR behavior with priority 255 and accept mode enabled [2816]
Added input validation to prevent conflicting VRRP and NAT configurations [2799]
Fixed an issue where VRRP may fail to add a virtual IP address [2706]
Configuration Changes
Several areas of the configuration were changed. These changes must either be made manually or applied automatically using a script included in this update; see Updating the Configuration Database for information on the script.
netgate-bgp
Configuration under /route-config/dynamic/bgp/routers/router:
update-delay-peer-wait had a constraint added. Its value must be less than or equal to ../update-delay-updates
address-families/ipv4/unicast/mutliple-path-maximums was renamed to multiple-path-maximums to correct a spelling error
address-families/ipv6/unicast/mutliple-path-maximums was renamed to multiple-path-maximums to correct a spelling error
neighbors/neighbor/bidirectional-forwarding-detection did not have any effect on BGP so it was removed.
netgate-ospf
Type definitions
Enumerated type ospf-route-out had several values removed which are not supported. This type was used in /route-config/dynamic/ospf/routers/router/distribute-list/out/route-out
netgate-snmp
Type definitions
Enumerated type snmp-security-level had several values removed which are not supported. This type is used in /snmp-config/snmp-access-control/access/access-entry/security-level
Enumerated type snmp-security-model had several values removed which are not supported. This type is used in /snmp-config/snmp-access-control/access/access-entry/security-model and /snmp-config/snmp-access-control/group/group-entry/security-model
Enumerated type snmp-context-match had several values removed which are not supported. This type is used in /snmp-config/snmp-access-control/access/access-entry/prefix
netgate-ip
Renamed /ip to ip-config – This only contains IP reassembly settings.
Known Limitations
Upgrade Issues
Warning
Due to a build dependency issue with librtnl in TNSR 19.12, installations of TNSR 19.08 upgraded to TNSR 19.12 will not end up with a functional copy of librtnl. This library must be linked against the current version of VPP. Since VPP had a version change between 19.08 and 19.12, but the version number of librtnl did not change, it is not reinstalled on upgrade with an appropriately relinked copy.
To resolve this problem, manually reinstall the librtnl package using a shell prompt:
$ sudo yum reinstall librtnl
This may also be run from within TNSR by using the shell command, for example:
tnsr# shell sudo yum reinstall librtnl
This problem has been fixed so it will not recur for TNSR 20.02 or later releases, which will carry the TNSR version on these packages to ensure they match appropriately. Installations of TNSR versions prior to 19.08 can safely upgrade to 19.12 without encountering this issue as there was a version change in librtnl after that time.
Symptoms of this problem include:
Sporadic VPP and configuration backend crashes.
VPP failing to forward packets as expected.
Configured services (e.g. BGP, IPsec, DNS) not functioning correctly due to host stack connectivity being impaired.
Azure
Warning
The TNSR 19.12 release is not compatible with Azure. Instances of TNSR 19.08 running on Azure should not be upgraded until the next release (TNSR 20.02).
ACLs
ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]
Accessing very large (100K rules) ACLs repeatedly results in a Clixon crash [2558]
BFD
Unable to set delayed option on an existing BFD session [2709]
CLI
CLI does not return from shell in certain situations [2651]
Dataplane
Dataplane auto pinning of worker threads to cores does not follow expected convention [2846]
Dataplane reports incorrect physical core ID for main thread [2845]
Systems with multiple CPU sockets using NUMA may experience dataplane issues at startup or when the dataplane is restarted manually [2383]
DHCP
Unable to delete all DHCP server options at once from CLI [2667]
GRE
Unable to modify GRE tunnel settings [2698]
HTTP Server / RESTCONF
HTTP server retains old configuration after TNSR services restart [2453]
SSL certificate error when the HTTP server is configured with a certificate that uses md5 digest [2403]
Interfaces
Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]
Chelsio interfaces crash the dataplane [1896]
VLAN subinterfaces may not work under KVM using virtio drivers [2189]
An IPv6 link-local address cannot manually be configured on an interface [2394]
IPv6 addresses on IPsec or GRE interfaces may not be displayed in show command output [2425]
Bridge domain ARP entries are not displayed in the CLI [2378]
Bridge domain ARP entries cannot be removed from the CLI [2380]
Bridge domain MAC age cannot be removed from the CLI [2381]
Link state always reported as “up” when using e1000 network drivers [2831]
vmxnet3 RSS fails to initialize, cannot pass packets [2576]
Workaround: Set dataplane dpdk dev <device id> network num-rx-queues 2 in the TNSR CLI and restart the dataplane.
Cannot add a DHCP client hostname to an existing DHCP client [2557]
Workaround: Remove the DHCP client from the interface and then re-add it with the hostname.
Re-enabling loopback interface breaks packet forwarding until the dataplane is restarted [2828]
Subinterface settings are not applied on change without restarting dataplane [2696]
Unable to create multiple IP QinQ subinterfaces with the same outer vlan tag [2659]
Configuration of host OS interface clears TNSR TAP interface configuration [2640]
Workaround: Remove and reconfigure the TAP interface.
On the XG-1537 and other systems with X552 NICs, if one of the SFP+ (not copper) interfaces does not have an active link when the dataplane is restarted, and presumably during startup, the interface remains down when the link is reconnected. The link lights come on as though the interface is working and the opposing interface shows the correct link state and speed. This has been confirmed with LR and SR SFP+ modules.
If an affected interface has an active link when the dataplane is started, the link can later change to be down/up or removed/reconnected without issue.
Workaround: Restart the dataplane once the links are active.
IPsec
An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]
An SA ordering issue may prevent IPsec traffic from passing if both endpoints attempt to establish a tunnel at the same time [2391]
Large packets over IPsec crash VPP and clixon-backend [2902]
MAP
MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]
Fragmentation of IPv4 packets is performed regardless of configured MAP fragmentation behavior when MAP-T mode is used [1826]
MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]
Pre-resolve does not work when MAP-T mode is used [1871]
MAP BR encapsulates/translates only last fragment when receiving fragmented packets from IPv4 network [1887]
NACM
Default parameters rule for NACM node access-operation and module does not work without explicit settings [2514]
NAT
twice-nat does not work [1023]
NAT forwarding is not working for in2out direction [1039]
DS-Lite is not functional; B4 router sends encapsulated IPv4-in-IPv6 packets, but AFTR replies with an error [1626]
NAT forwarding fails with more than one worker thread [2031]
Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.
Router with 1:1 NAT will drop packets with ttl=2 from input interface [2849]
VPP service fails if NAT concurrent-reassemblies is set to 1 and several fragments arrive at the NAT outside interface [2739]
ICMP fragments arriving at the NAT inside interface aren’t being reassembled by the NAT reassembly function [2733]
Neighbor / ARP / NDP
Packet loss during ARP transaction immediately after Dataplane restart or interface disable/enable [2868]
RESTCONF
Incorrect BGP configuration is generated when IPv6 address family is configured via REST [2915]
Adding a user via RESTCONF requires a password even when key is provided [2875]
Adding MACIP rule via RESTCONF fails [2844]
Cannot rename an ACL via RESTCONF [2843]
Deleting ACL rule via RESTCONF crashes Clixon [2841]
Routing
IPv6 packet loss may be observed between TNSR instances [2382]
Dynamic Routing
CLI shows that only IPv4 prefix is available within prefix-list sequence configuration [2689]
route-map with sequence number 0 can be configured in the CLI but cannot be used [2876]
BGP
An IPv6 BGP session cannot be established over IPsec or GRE [2429]
BGP maximum-path option for eBGP and iBGP cannot be configured simultaneously [2879]
BGP network backdoor feature does not work without service restart [2873]
Unable to configure BGP distance values via CLI [2869]
Unable to verify received prefix-list entries via CLI when ORF capability is used [2864]
extended-nexthop capability is not being negotiated between IPv6 BGP peers [2850]
BGP session soft reset option does not work for IPv6 peers [2833]
Workaround: Reset the connection without soft option.
ttl-security hops value can be set when ebgp-multihop is already configured (the options are mutually exclusive) [2832]
clixon-backend fails when loading BGP config with 150k advertised prefixes [2784]
Displaying a large amount of received or advertised BGP prefixes takes a long time [2778]
BGP updates for new prefixes are sent every 60 seconds despite configured advertisement-interval value [2757]
TNSR installs additional duplicated next-hop entries for multipath routes received via BGP [2935]
OSPF
OSPF default-information originate does not work with static route 0.0.0.0/0 as default route [2477]
Changing redistributed kernel routes does not trigger addition/removal of corresponding OSPF Type-5 LSAs [2389]
Routing information in the forwarding table is not updated correctly when removing a static route which overlaps a route received via OSPF [2320]
The OSPF RIB is not updated when the ABR type changes from standard to shortcut, and vice versa [2699]
Changing the default metric for OSPF server does not result in update on other routers [2586]
OSPF6
IPv6 routes in the OSPF6 database may not appear in the OSPF RIB until the service is restarted [2891]
RIP
key-chain string is not applied in the routing daemon if configured after RIP is enabled [2878]
Workaround: Disable and enable RIP after making the change.
SNMP
SNMP configuration change requires a service restart [2568]
There are no changes when using “write” community [2567]
VRRP
VRRP does not function on an outside NAT interface with a priority of 255 [2419]
Workaround: Set the priority of the VR address on the primary router to a value less than 255 yet higher than that of other routers. Enable Accept Mode on the VR address if the VR address will be used by services on TNSR.
VXLAN
Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]
VXLAN and OSPF may not work properly if OSPF is configured after VXLAN in the dataplane [2511]
Reporting Issues
For issues, please contact the Netgate Support staff.
Send email to support@netgate.com
Phone: 512.646.4100 (Support is Option 2)