Tip
This is the documentation for the 22.06 version. Looking for the documentation of the latest version? Have a look here.
TNSR 18.08 Release Notes
About This Release
Authentication & Access Control
Added support for NETCONF Access Control Model (NACM) management.
NACM provides group-based controls to selectively allow command access for users. Users are authenticated by other means (e.g. RESTCONF certificates or users, CLI user) and then mapped to groups based on username.
Added default configurations for NACM for different platforms [891]
These default rules allow members of group `admin` to have unlimited access and set the default values to `deny`. The configuration includes the users `tnsr` and `root` in the group `admin`.
Warning: TNSR does not prevent a user from changing the rules in a way that would cut off all access.
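To make the group-based model concrete, the following is an added Python illustration of how RFC 8341-style NACM evaluation behaves under the shipped defaults. It is not TNSR code and does not use TNSR's configuration schema: an authenticated username (from a CLI login or, for RESTCONF, the certificate CN) is mapped to groups, the first matching rule decides, and anything unmatched falls to the default of `deny`. It also includes the pre-commit lockout check that the warning above implies an operator must do for themselves. The `operators` group, the user `alice` and the function names are constructed for the example.

```python
"""Simplified model of NETCONF Access Control Model (NACM, RFC 8341)
group-based authorization.  Added illustration only: this is not TNSR
code and does not use TNSR's configuration schema.  The policy values
(group 'admin' unlimited, defaults 'deny', users 'tnsr' and 'root' in
'admin') follow the release notes; every other name is constructed."""

from dataclasses import dataclass, field

OPERATIONS = ("read", "create", "update", "delete", "exec")


@dataclass(frozen=True)
class Rule:
    """One rule: applies to members of `group`, and permits or denies the
    listed operations ('*' stands for every operation)."""
    group: str
    operations: frozenset
    action: str  # "permit" or "deny"

    def covers(self, op):
        return "*" in self.operations or op in self.operations


@dataclass
class Nacm:
    """Group membership keyed by username, an ordered rule list, and the
    global defaults that apply when no rule matches."""
    groups: dict = field(default_factory=dict)   # group -> set of usernames
    rules: list = field(default_factory=list)    # evaluated in order
    read_default: str = "deny"
    write_default: str = "deny"
    exec_default: str = "deny"

    def groups_for(self, username):
        """Map an authenticated username (CLI login or RESTCONF client
        certificate CN) to the groups that contain it."""
        return {g for g, members in self.groups.items() if username in members}

    def decide(self, username, op):
        """The first rule whose group contains the user and covers `op`
        wins; otherwise the per-class default applies."""
        if op not in OPERATIONS:
            raise ValueError(f"unknown operation {op!r}")
        user_groups = self.groups_for(username)
        for rule in self.rules:
            if rule.group in user_groups and rule.covers(op):
                return rule.action
        if op == "read":
            return self.read_default
        if op == "exec":
            return self.exec_default
        return self.write_default


def default_policy():
    """The shipped defaults described in the notes: members of 'admin'
    have unlimited access, everyone else is denied."""
    return Nacm(
        groups={"admin": {"tnsr", "root"}},
        rules=[Rule("admin", frozenset({"*"}), "permit")],
    )


def lockout_risk(nacm):
    """Usernames that can still modify configuration under `nacm`.  An
    empty list means the proposed rules cut off all management access,
    which TNSR itself will not refuse to commit."""
    users = set().union(*nacm.groups.values())
    return sorted(u for u in users if nacm.decide(u, "update") == "permit")


if __name__ == "__main__":
    policy = default_policy()
    print("tnsr exec:", policy.decide("tnsr", "exec"))     # permit
    print("guest read:", policy.decide("guest", "read"))   # deny
    # A careless edit: flip the admin rule to deny, then check before committing.
    policy.rules = [Rule("admin", frozenset({"*"}), "deny")]
    if not lockout_risk(policy):
        print("refusing to commit: no user would retain write access")
```

The check in `lockout_risk` is the kind of guard to run against a candidate rule set before committing it: if no remaining user is permitted an `update`, the change would lock every operator out of configuration, including the one making the change.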
Changed password management to allow changing passwords for users in the host OS as well as for TNSR users [1091]
BGP
Added explicit sequence numbering to BGP AS Path statements to support multiple patterns in a single AS Path [898]
Added `show bgp network A.B.C.D` command to display detailed information about BGP routes [922]
CLI
Added `enable` and `disable` commands to be used in favor of `no shutdown` / `shutdown` [938]
Fixed CLI issues with data encoding that could lead to XML parsing errors [887]
DHCP
Improved support and control for DHCP server (Kea) management [490, 738, 1037, 1045]
Added explicit `enable` / `disable` for the DHCP Server daemon [1053]
Added logging support to the DHCP Server [907]
DNS Resolver
Added support for management of a DNS Resolver (Unbound) [492, 1072, 1093, 1094]
Hardware & Installation
Added support for installation on Xeon D, C3000 SoCs [961]
Added configuration packages for Netgate hardware that can run TNSR [1056]
Fixed a Layer 2 connectivity issue with certain Intel 10G fiber configurations due to a timeout waiting for link [509]
IPsec
Added QAT cryptographic acceleration for IPsec [912, 940]
This acceleration works with QAT CPIC cards as well as C62X, C3XXX, and D15XX QAT devices.
Fixed an issue where an IPsec Child SA would disappear after an IKEv1 Security Association re-authenticates [628]
NAT
Fixed creating a NAT pool for custom route tables in the CLI [1055]
Fixed handling of the NAT reassembly timeout value [1000]
Added support for `output feature` NAT [867, 897]
Fixed an error when changing static NAT command boolean properties [703]
Addressed NAT issues which prevent the TNSR host OS network services from working on `nat outside` interfaces [616]
This can only work in `endpoint-dependent` NAT mode, which can be enabled as follows:
    dataplane nat endpoint-dependent
    service dataplane restart
This may become the default NAT mode in future TNSR releases [1079]
NTP
Added support for NTP server (ntp.org) management [847, 939, 948, 952]
PKI (Certificates)
Added support to the PKI CLI for managing certificate authority (CA) entries as well as certificate signing [930]
RESTCONF
Added commands for RESTCONF management and authentication (HTTP server, nginx) [933]
Added support to RESTCONF for certificate-based authentication [937]
When using certificates to authenticate, the common name (CN) part of the subject is used as the username.
Added PAM support for HTTP authentication to the HTTP server [934]
Known Limitations
Authentication & Access Control
Unable to delete a user from the CLI after TNSR services restart [1067]
BGP
TNSR does not send BGP updates without restarting the service when the `redistribute from connected` option is used [746]
Route with `aggregate-address` via next-hop `0.0.0.0` does not appear in the TNSR route table [832]
BGP sessions may fail to establish or rapidly reconnect when receiving more prefixes than defined by `maximum-prefix limit` [858]
The `maximum-prefix restart` command does not work [859]
TNSR installs multiple paths for received routes even though support for multiple paths is not enabled [885]
Unable to restart BGP service more than three times in a row [902]
Workaround: Run `systemctl reset-failed frr` from the shell to clear the error, which will allow the BGP service to start again.
Changing `update-source` from an IP address to `loop1` allows a session to establish, but remote prefixes do not appear in the FIB until reboot [1104]
Bridge
TNSR CLI allows multiple bridge interfaces to have `bvi` set [984]
Only the first interface set with `bvi` will work properly.
Workaround: Only set `bvi` on a single interface.
CLI
Applied `dataplane` commands are not immediately present in the running configuration database until another change is made [1099]
The candidate configuration database cannot be emptied with the `clear` command [1066]
`show route table` causes the backend to die with large numbers of routes in the table [506]
For example, this crash happens with a full BGP feed.
RESTCONF
`nginx` does not behave as expected with `authentication type none` [1086]
This mode is primarily for testing and not production use.
Workaround: Use password or certificate-based authentication for RESTCONF.
Interfaces
Interface link speed displayed incorrectly in CLI and RESTCONF [672]
Loopback interface responds to ICMP echo from an outside host even when in a Down state [850]
NAT
Unable to create a `twice-nat` pool [972] or `twice-nat` not working [1023]
`twice-nat` can only work in `endpoint-dependent` NAT mode, which can be enabled as follows:
    dataplane nat endpoint-dependent
    service dataplane restart
Unable to create `out-to-in-only` static mapping [976]
`out-to-in-only` can only work in `endpoint-dependent` NAT mode, which can be enabled as follows:
    dataplane nat endpoint-dependent
    service dataplane restart
NAT Reassembly is not working for ICMP packets [990]
Fragment limitation for NAT reassembly is not working [1065]
NAT mode is not deleted from VPP startup configuration after TNSR services restart [1017]
NAT forwarding is not working for the `in2out` direction [1039]
NAT static mappings are not added as expected when only the `port-local` value differs [1100]
NAT static mapping with defined ports leads to a `clixon-backend` crash after restart [1103]
VLAN/Subinterfaces
Daemons such as Kea and ntpd do not correctly form configuration file references to subinterface names [1150]
A VPP issue is preventing clients on subinterface networks from receiving return traffic that passes through TNSR [1152]
These clients can communicate to TNSR, but not to hosts on other interfaces or subinterfaces.
Other interface types work properly.
Reporting Issues
For issues, please contact the Netgate Support staff.
Send email to support@netgate.com
Phone: 512.646.4100 (Support is Option 2)