This is the documentation for the 21.07 version. Looking for the documentation of the latest version? Have a look here.

TNSR 18.11 Release Notes

About This Release

Access Lists (ACLs)

  • Added a description field to ACL rule entries [1195]

  • Fixed issues with numerical sorting of ACL entries in show output [1255]

  • Fixed issues with order of installed ACL rules in the dataplane with large sequence numbers [1270]

Authentication & Access Control

  • Removed users from the TNSR configuration so they are stored/managed directly in the host operating system, which eliminates any chance to be out of sync [1067]

  • Fixed issues with deleting NACM rule lists [1137]


  • Fixed an issue where the BGP service could not restart more that three times in a row [902]

  • Added bgp clear command to clear active BGP sessions [923]


  • Fixed a problem where the TNSR CLI incorrectly allowed multiple bridge interfaces to have bvi set [984]


  • Fixed a problem where applied dataplane commands were not immediately present in the running configuration database until another change was made [1099]

  • Fixed a problem where the candidate configuration database could not be emptied with the clear command [1066]

Hardware & Installation

  • Added an ISO image to install TNSR on supported hardware [1364]

  • Added support for VMware installations [1026]

  • Added support for Mellanox network adapters [1268]


  • Fixed interface link speed displaying incorrectly in CLI and RESTCONF [672]

  • Fixed issues with duplicate entries being generated in the dataplane interface configuration [1243]


  • Added the ability to configure host OS management interfaces in the CLI [260, 261, 262]

  • Fixed issues with ping command parameter parsing [1133]

  • Fixed issues specifying a source address with ping [1134]


  • Fixed issues with IPsec tunnels failing to establish after a dataplane restart [1138]


  • Changed the default NAT mode to endpoint-dependent [1079]

  • Fixed creating a twice-nat pool [972]

  • Fixed creating out-to-in-only static mappings [976]

  • Fixed NAT reassembly for ICMP packets [990]

  • Fixed fragment limitations for NAT reassembly [1065]

  • Added support for deterministic NAT [360]


  • Fixed issues with the ntp restrict command [1163]


  • Fixed validation when submitting invalid MAC addresses via RESTCONF [1197]

  • Fixed validation when submitting invalid IP addresses via RESTCONF [1199]


  • Fixed issues where daemons such as Kea and ntpd did not correctly form configuration file references to subinterface names [1150]

  • Fixed issues with clients on subinterface networks from receiving return traffic that passes through TNSR [1152]

    The upstream VPP issue causing this has been fixed, but an additional source of problems in this area is that the dot1q setting for a subinterface must use exact-match to communicate properly with hosts on the VLAN. Ensure subinterfaces are configured to use this property.

Known Limitations

Authentication & Access Control


  • TNSR does not send BGP updates without restarting service with redistribute from connected option [746]

  • Route with aggregate-address via next-hop does not appear in TNSR route table [832]

  • BGP sessions may fail to establish or rapidly reconnect when receiving more prefixes than defined by maximum-prefix limit [858]

  • The maximum-prefix restart command does not work [859]

  • TNSR installs multiple paths for received routes even though support for multiple paths is not enabled [885]

    Workaround: Run systemctl reset-failed frr from the shell to clear the error which will allow the BGP service to start again.

  • Changing update-source from an IP address to loop1 allows a session to establish but remote prefixes do not appear in the FIB until reboot [1104]

  • IPv6 BGP neighbors get entered as peer-groups only in bgpd.conf [1190]

  • peer-group attribute remote-as does not get into FRR bgpd.conf [1272]


  • show route table causes the backend to die with large numbers of routes in the table [506]

    For example, this crash happens with a full BGP feed.


  • A single IP address can be set in a pool range, but the DHCP daemon requires a start/end IP address or a prefix [1208]

    Workaround: Configure a pool with a start and end address or prefix.

  • DHCP server uses default VPP interface IP address (169.254.0.x) as a source address for DHCP packets and as a DHCP Server Identifier [1222]

  • Unable to delete DHCPv4 options specified within the pool configuration [1267]


  • nginx does not behave as expected with authentication type none and TLS [1086]

    This mode is primarily for testing and not production use.

    Workaround: Use password or certificate-based authentication for RESTCONF.

  • HTTP server runs even though it’s not configured to run after TNSR services restart [1153]

    Workaround: Manually stop the nginx service using systemctl.


  • Loopback interface responds to ICMP echo from an outside host even when in a Down state [850]

  • Unable to delete an interface if has had an ACL or MACIP applied [1177, 1178]

    Workaround: Remove the entire ACL or MACIP entry. Then, the interface may be removed.

  • MACIP ACL remains in the interface configuration after being removed [1179]


  • twice-nat does not work [1023]

  • NAT mode is not deleted from VPP startup configuration after TNSR services restart [1017]

  • NAT forwarding is not working for in2out direction [1039]

  • NAT static mappings are not added as expected when only the port-local value differs [1100]

  • NAT static mapping with defined ports leads to clixon-backend crash after restart [1103]

  • PAT dynamic sessions limited to 100 entries per address [1303]

    This is the default limit per user in VPP and will be configurable in the next release.


  • Deleting a non-empty route table fails with an error and the table remains in the configuration, but it cannot be changed afterward [1241]

    Workaround: Remove all routes from the table before deleting. Alternately, copy the running configuration to startup and restart TNSR, which will make the route table appear again so the routes and then the table can be removed.

User Management

  • When deleting a user key from the running configuration it is not removed from the user’s authorized_keys file [1162]

    Workaround: Manually edit the authorized_keys file for the user and remove the key.

Reporting Issues

For issues, please contact the Netgate Support staff.