This is the documentation for the 20.02 version. Looking for the documentation of the latest version? Have a look here.

TNSR 19.08 Release Notes

About This Release


TNSR 19.08.1 installation images are identical to 19.08 except that they have the most recent (as of the time it was built) set of updates from CentOS applied instead of the base release version of CentOS 7.6.1810.

There is no need to reinstall 19.08 to reach 19.08.1 using these images as running an update from 19.08 will result in the same, or even newer, CentOS packages.


  • Fixed removal of SSH authorized-keys entries from user entries in the OS when they are removed from TNSR users [1162]

  • Cleaned up extraneous logging messages from the configuration backend [2230]


  • Fixed manual selection of ACL protocol value 0, and renamed it to any [2134]

  • Fixed setting type and code values for ICMP ACLs [2325, 2426]

  • Fixed issues with removing the protocol value from an ACL rule [2252, 2307]

  • Expanded TNSR ACL rule protocol choices to any protocol, specified by number [2224]

  • Improved performance and display of large ACL rulesets (e.g. 10,000+ ACLs) [2139]


  • Fixed editing unused BFD keys [1891]

  • Fixed the BFD delayed option [1885]

  • Added validation to prevent changing the BFD interface, local address, or peer address since this is not allowed by the dataplane. [1549]

  • Fixed administratively disabling BFD via CLI [1883]


  • Improved handling of resizing terminal dimensions [2214]

  • Added options to enable and disable command history as well as to set the history size to a given value [2011]


  • Added verbose counter information to show interface [<if-name>] counters output [2413]

  • Removed redundant show counters command [2377]


  • Improved memory handling with large ACL rulesets [2442]

  • Added dataplane configuration option for num-crypto-mbufs [2160]

  • Added dataplane configuration options for buffer parameters [2399]

  • Fixed service dataplane restart potentially causing clixon_backend to lose its configuration [1383]


  • Removed invalid * DHCP logging category [1307]

  • Fixed DHCP reservation required value validation so entries cannot be created without a MAC address [1530]


  • Removed invalid allow_setrd value from Unbound access-control command [1747]

  • Fixed handling of local zone hostname and domain when forming A/AAAA and PTR entries [1384]

  • Added outgoing-interface command to config-unbound mode to control how TNSR will originate DNS requests to upstream DNS servers [1884]


  • Fixed routing IPv6 inner traffic over IPv4 outer GRE tunnel [2424]

Host ACLs

  • Expanded Host ACL rule protocol choices to any protocol, specified by number [2227]

  • Fixed host ACL ICMP rule matching [2217, 2226]

  • Fixed duplication of rules in the nftables ruleset when the dataplane restarts [2207]


  • Fixed handling of the HTTP daemon configuration file when the service is not enabled in TNSR [1153]

  • Added new default index and error pages to the HTTP daemon [1531]


  • Fixed loopback interfaces responding to ICMP echo requests when in the down state [850]

  • Added commands to enable and configure IP reassembly [1302, 1277]

  • Changed show interface subcommands to be more consistent with other areas of the CLI [2376]


    Only one output-limiting keyword may now be specified, and several keywords were renamed to match their corresponding configuration parameters.

  • Added the ability to remove a MAC address from an interface, which will return the MAC address back to the native address after a dataplane restart [2310]

  • Fixed a clixon crash while executing show interface lacp [2438]

  • Fixed MAC address change propagation from dataplane to host tap interfaces [1502]

  • Fixed QinQ VLAN termination [1550]

  • Added no mtu interface command to remove the MTU setting and revert to the default value [2021]


  • Fixed IPv6 traffic traversing an IPv4 IKEv2 IPsec tunnel [2422]

  • Fixed IPsec Child SA failures with AES-GCM combined with DPDK cryptodevs (QAT or aesni vdev) [2309]

  • Fixed IPsec tunnels with a Child SA using MD5 integrity failing to establish [2505]

  • Fixed IPsec tunnels with a Child SA using 3DES encryption failing to establish [2476]

  • Added elliptic curve DH group 31 (curve25519, 256 bit) to IPsec proposal choices [2179]


  • Added input validation to enforce MAP ip6-src-prefix values [2087]


  • Added improved error messages showing failed paths when access is denied by NACM [2443]

  • Changes to interface-related validation now require that users with access to configure interface-related items must also be able to get /interfaces-state/interface to read the interface list [2443]


  • Added commands to manage NAT session timeout values [2232]

  • Fixed issues with static NAT mappings with defined ports occasionally leading to a clixon-backend crash when restarting [1103]

  • Added input validation to prevent deterministic NAT crashes in the dataplane due to incorrect user configuration [1856]


  • Fixed NTP configuration generated for restrict lists [1705]


  • Improved information returned in queries for netgate-system:system-state [2324]

  • Fixed malformed requests causing the API to return unexpected errors for a few seconds while it restarts [2079]


  • Improved handling of route table display with large route tables [506]

  • Improved output of show route table [2229]

  • Fixed handling and display of IPv6 static neighbors [2005]

  • Fixed FIB lookup option for static routes [1280]

  • Fixed creating static routes with the same next-hop ID in multiple routing tables [2510]

Dynamic Routing


Commands for BGP and related dynamic routing functionality have been restructured so everything is under route dynamic. Changes are extensive and the documentation has been updated to reflect the new commands.

  • Added support for OSPF [1895]

  • Length of BGP neighbor passwords is now limited to 63 characters [1454]

  • Fixed removal of IPv6 next-hop peer address from a route map [2304]

  • Fixed BGP advertisement of connected routes after interface status changes [746, 2409]

  • Changed BGP status commands for summary, neighbors, and network to require an address family [2367]

  • Fixed handling of BGP debug commands [2385]

  • Fixed handling of BGP maximum-prefix configuration parameter [859]

  • Fixed session handling when maximum-prefix-limit is exceeded [858]

  • Fixed handling of IPv6 static routes in the dynamic routing manager (zebra) [2279]

  • Cleaned up commands for unsupported dynamic routing features [2312]

  • Fixed handling of BGP import-check [781]

  • Fixed handling of routes from aggregate-address via next-hop [832]

  • Eliminated unnecessary restarts of the dynamic routing daemons when making changes [1758]

  • Fixed positive relative metric adjustments in route-maps [2493]

  • Fixed displaying specific IPv6 BGP networks by address [2479]

  • Fixed configuring a BGP IPv6 aggregate address with summary-only option [2509]



  • Fixed handling of igb_uio module during an upgrade which also updates the kernel [2216]



  • Fixed configuration of alternate VXLAN encapsulation routing tables [1872]

Known Limitations


  • The UIO drivers may not be present in the correct directory after a kernel upgrade. Since the UIO drivers are kernel-specific, they must be rebuilt after any change in the kernel [2216].

    To work around this issue, force a reinstall of the DPDK package which will rebuild the UIO drivers and place them in the appropriate location for the updated kernel:

    $ sudo yum -y reinstall dpdk

    This procedure will not be necessary when upgrading to future releases from 19.08.


  • ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]


  • BFD does not integrate with BGP [2106]


  • Changing update-source from an IP address to loop1 allows a session to establish but remote prefixes do not appear in the FIB until reboot [1104]


  • At first boot, interface counter data may be invalid. [2572]

    Workaround: Restart the dataplane to correct this problem until next reboot.


  • Systems with multiple CPU sockets using NUMA may experience dataplane issues at startup or when the dataplane is restarted manually [2383]


  • HTTP server retains old configuration after TNSR services restart [2453]

  • SSL certificate error when the HTTP server is configured with a certificate that uses md5 digest [2403]


  • Non-LACP bond interfaces may experience packet drops when a bond member interface is down [1603]

  • Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]

  • Chelsio interfaces crash the dataplane [1896]

  • VLAN subinterfaces may not work under KVM using virtio drivers [2189]

  • An IPv6 link-local address cannot manually be configured on an interface [2394]

  • IPv6 addresses on IPsec or GRE interfaces may not be displayed in show command output [2425]

  • Bridge domain ARP entries are not displayed in the CLI [2378]

  • Bridge domain ARP entries cannot be removed from the CLI [2380]

  • Bridge domain MAC age cannot be removed from the CLI [2381]


  • An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]

  • An SA ordering issue may prevent IPsec traffic from passing if both endpoints attempt to establish a tunnel at the same time [2391]


  • MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]

  • MAP behavior cannot be changed from translate to encapsulate without restarting the dataplane [1779]

  • TCP MSS value is not applied to encapsulated packets when MAP-E mode is used [1816]

  • Fragmentation of IPv4 packets is performed regardless of configured MAP fragmentation behavior when MAT-T mode is used [1826]

  • MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]

  • Pre-resolve does not work when MAP-T mode is used [1871]

  • MAP BR encapsulates/translates only last fragment when receiving fragmented packets from IPv4 network [1887]


  • Default parameters rule for NACM node access-operation and module does not work without explicit settings [2514]


  • twice-nat does not work [1023]

  • NAT forwarding is not working for in2out direction [1039]

  • DS-Lite is not functional; B4 router sends encapsulated IPv4-in-IPv6 packets, but AFTR replies with an error [1626]

  • NAT forwarding fails with more than one worker thread [2031]

    Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.

  • Connections to and from the TNSR host are included in NAT sessions when connecting through an interface with ip nat outside [1892] [1979]

  • NAT and ACL permit+reflect rules do not work together [2262]


  • Deleting a non-empty route table fails with an error and the table remains in the configuration, but it cannot be changed afterward [1241]

    Workaround: Remove all routes from the table before deleting. Alternately, copy the running configuration to startup and restart TNSR, which will make the route table appear again so the routes and then the table can be removed.

  • Cannot add multiple routes to the same destination using different next hops [2407]

Dynamic Routing

  • An IPv6 BGP session cannot be established over IPsec or GRE [2429]

  • iBGP router advertises redistributed static IPv6 routes with next-hop value set to link-local address [2478]

  • OSPF default-information originate does not work with static route as default route [2477]

  • Changing redistributed kernel routes does not trigger addition/removal of corresponding OSPF Type-5 LSAs [2389]

  • Routing information in the forwarding table is not updated correctly when removing a static route which overlaps a route received via OSPF [2320]


  • VRRP does not function on an outside NAT interface [2419]


  • Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]

  • VXLAN and OSPF may not work properly if OSPF is configured after VXLAN in the dataplane [2511]

Reporting Issues

For issues, please contact the Netgate Support staff.