TNSR 20.02 Release Notes
About This Release
This is a regularly scheduled TNSR release including new features and bug fixes.
Warning
TNSR 20.02.1 contains additional fixes for problems found in TNSR 20.02 and users should upgrade to that version instead.
The TNSR 20.02.2 release corrects problems specific to Azure and is only available on that platform.
General
Updated DPDK to 19.11 [2968]
Updated VPP to 20.01 [2970]
Updated strongswan to 5.8.2 [2964]
Updated clixon to 4.3.2 [2570]
Yang module version data is now stored in the configuration database [3022]
Added support for Shallow Virtual Reassembly [2954]
This replaces manual reassembly configuration for NAT and MAP with global reassembly configuration parameters.
The old reassembly options under NAT and MAP must be removed from the configuration database. This change can be made automatically by the configuration database update script [3019, 3021].
Added a diagnostic information utility for use when submitting support requests [2769]
Configuration Changes
Several areas of the configuration were changed. These changes must be made either manually or automatically; see Updating the Configuration Database for information on how to automatically update the configuration using a script included in this update.
IPsec interfaces in the dataplane changed from ipsec<N> to ipip<N> and all references in the configuration must be updated to follow that change [2970]
This change can be made automatically by the configuration database update script [2972]
ACLs
Fixed issues with accessing very large ACLs (100K rules) repeatedly [2558]
Azure
Fixed network connectivity issues on Azure [2952]
Dataplane
Fixed dataplane auto pinning of worker threads to cores not following expected conventions [2846]
Fixed dataplane reporting incorrect physical core ID for main thread [2845]
Added QAT crypto Virtual Functions (VF) to VPP startup.conf when {corelist,coremask}-workers is set and a crypto Physical Function (PF) is white listed [3248]
Fixed potential situations where DPDK driver sections may not have been written to the dataplane startup configuration [3160]
Added dataplane DPDK iova-mode configuration options [3416]
The default dataplane UIO driver has been changed to igb_uio instead of using automatic driver selection [3414]
Fixed issues with loading the vfio-pci driver at boot time [2686]
DHCP
Added methods to view the current DHCP lease database via CLI and RESTCONF [2241]
Added the ability for the DHCP server to use new custom option definitions rather than only redefining existing options with custom values [2934]
Interfaces
Added options to assign per-interface RX queues to specific worker threads [2018]
Fixed issues on XG-1537 and other systems with X552 NICs where if one of the SFP+ (not copper) interfaces did not have an active link when the dataplane restarted, the interface would remain down when the link was reconnected. [2965]
SPAN interfaces may now utilize VXLAN interfaces as destinations. [1027]
IPsec
Fixed a dataplane and clixon crash due to large packets attempting to pass over IPsec. [2902]
Though the crash has been solved, packets larger than the default-data-size buffer value in the dataplane will fail to pass. To pass large IPsec packets, increase this buffer size. For example:
tnsr(config)# dataplane buffers default-data-size 16384
tnsr(config)# service dataplane restart
NAT
Fixed incompatibility with NAT outside interfaces with output feature enabled being configured as a DHCP client [2914]
Increased the default maximum NAT translations per user from 100 to 10240 [2752]
MAP
Improved dataplane MAP-T RFC compliance [2977]
Fixed MAP-T IPv4 to IPv6 echo request not being translated correctly [2978]
Fixed MAP-T IPv4 to IPv6 echo reply not being translated correctly [2979]
Fixed MAP-T IPv6 to IPv4 echo request not being translated correctly [2980]
Fixed MAP-T IPv4 to IPv6 MTU Exceeded, DF flag set being handled incorrectly [2982]
Fixed MAP-T IPv4 to IPv6 TTL Expires at BR being handled incorrectly [2983]
Fixed MAP-T handling of spoofed IPv4 source prefix IPv6 to IPv4 [3053]
Fixed an issue where MAP BR encapsulated/translated only the last fragment when it received fragmented packets from an IPv4 network [1887]
Fixed fragmentation of IPv4 packets being performed regardless of configured MAP fragmentation behavior in MAP-T mode [1826]
Neighbors
Fixed ARP responses for VPP outside interfaces responding incorrectly from the Host OS interface when both are connected to the same layer 2 [2266, 3314]
Fixed issues with ARP table contents not being expired over time [3200]
QAT
Added the capability to configure QAT VF entries passed to a virtual machine from the hypervisor [3250]
RESTCONF
Added support for PATCH method in RESTCONF for API [1109]
RESTCONF responses for leaf nodes with a value of an empty string ("") have changed, but still may not contain the expected encoded JSON output. [3450]
Previous versions of TNSR with clixon 4.0 or earlier returned the value as null, while clixon 4.3 now returns [null]. Per RFC 7951, the previous behavior was incorrect. While the new behavior is closer to that mentioned in RFC 7951 section 6.9, the behavior described there is for empty type nodes, not string type. The intended behavior for empty strings is not yet clearly defined in RFC 7951.
This behavior is likely to change in future releases as the specification is refined.
Dynamic Routing
Removed a redundant BGP command enforce-multihop which is identical to disable-connected-check.
Configuration database entries for enforce-multihop must be removed or changed to disable-connected-check. This change can be made automatically by the configuration database update script [3004]
Fixed configuration of distance values for BGP address families via CLI [2869]
Added validation to prevent configuring a route-map with a sequence number of 0 [2876]
Removed incorrect route-reflector-client BGP option for eBGP peer from CLI [2936]
Fixed setting multiple attribute-unchanged values via CLI [2941]
Fixed setting attribute-unchanged BGP option without specifying a value [2942]
Fixed setting route-map as a value for unsuppress-map via CLI [2944]
Fixed disabling send-community BGP option in the CLI [2945]
Fixed disabling client-to-client reflection BGP option in the CLI [2946]
Fixed issue with displaying a large amount of received or advertised BGP prefixes taking a long time [2778]
SNMP
Fixed SNMP configuration changes requiring a service restart [2568]
Known Limitations
General
TNSR instances on VMWare configured for VM Hardware Compatibility with ESX 6.7 (VM Version 14 or later) cannot initialize their VMXNET3 interfaces unless there are 2 or more RX queues due to an upstream DPDK issue [2576]
Workaround 1: Create the VM with VM version 13 (ESX 6.5) and do not upgrade its compatibility level until this issue is resolved.
Workaround 2: Configure a num-rx-queues value of at least 2 for each VMXNET3 interface in the DPDK settings for the device(s) (DPDK Configuration) and restart the dataplane.
ACLs
ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]
BFD
Unable to set delayed option on an existing BFD session [2709]
CLI
CLI does not return from shell in certain situations [2651]
Dataplane
Systems with multiple CPU sockets using NUMA may experience dataplane issues at startup or when the dataplane is restarted manually [2383]
CLI does not prevent the user from configuring a custom interface name which uses reserved keywords which may cause the dataplane to fail (e.g. span) [3234]
UIO driver changes are not reflected on interfaces which are already in use [3209]
Workaround: Reboot the TNSR device.
Setting dataplane stat segment heap size causes backend to crash [3598]
Deletion/change of custom interface names is not validated properly [3461]
DHCP
Unable to delete all DHCP server options at once from CLI [2667]
GRE
Unable to modify GRE tunnel settings [2698]
Host Interfaces
Configuration of host OS interface clears TNSR TAP interface configuration [2640]
Workaround: Remove and reconfigure the TAP interface.
DHCP on Host Interface stops trying DHCP if a response is not received in a timely manner (Service = Failed) [3015]
Workaround: Set PERSISTENT_DHCLIENT=1 in /etc/sysconfig/network-scripts/ifcfg-<name> for the affected host interface.
Cannot remove an IP address assigned to a host interface during the installation process from within the TNSR CLI [3013]
HTTP Server
HTTP server retains old configuration after TNSR services restart [2453]
SSL certificate error when the HTTP server is configured with a certificate that uses md5 digest [2403]
Installer
TNSR Install over OOB Management GUI may appear to fail due to the screen saver activating before installation is completed.
This affects installation using a console such as iDRAC Virtual Media redirector.
Workarounds: Press tab when the screensaver activates. Alternately, use vFlash instead of iDRAC for better performance.
Interfaces
Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]
Chelsio interfaces crash the dataplane [1896]
VLAN subinterfaces may not work under KVM using virtio drivers [2189]
An IPv6 link-local address cannot manually be configured on an interface [2394]
IPv6 addresses on IPsec or GRE interfaces may not be displayed in show command output [2425]
Bridge domain ARP entries are not displayed in the CLI [2378]
Bridge domain ARP entries cannot be removed from the CLI [2380]
Bridge domain MAC age cannot be removed from the CLI [2381]
Link state always reported as “up” when using e1000 network drivers [2831]
vmxnet3 RSS fails to initialize, cannot pass packets [2576]
Workaround: Set dataplane dpdk dev <device id> network num-rx-queues 2 in the TNSR CLI and restart the dataplane.
Cannot add a DHCP client hostname to an existing DHCP client [2557]
Workaround: Remove the dhcp client from the interface and then re-add it with the hostname.
Re-enabling loopback interface breaks packet forwarding until the dataplane is restarted [2828]
Subinterface settings are not applied on change without restarting dataplane [2696]
Unable to create multiple IP QinQ subinterfaces with the same outer vlan tag [2659]
Unable to create a subinterface with dot1q any [2652]
Full reassembly may not disable on an interface once enabled when using no ip reassembly enable [3360]
Workaround: Remove both the reassembly enable and type configuration on the interface:
tnsr(config-interface)# no ip reassembly enable
tnsr(config-interface)# no ip reassembly type
IPsec
An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]
An SA ordering issue may prevent IPsec traffic from passing if both endpoints attempt to establish a tunnel at the same time [2391]
Attempting to change IKE lifetime for an existing tunnel to a value lower than the lifetime of a child entry results in an unintuitive error message [3243]
Deletion of IPsec tunnel configuration is not validated properly [3456]
LACP
If a bond interface does not have a MAC address explicitly configured, the MAC address may become out of sync between the dataplane and host tap interfaces [2126]
Workaround: The MAC address will be synchronized when the interface status changes (up or down), so disable and enable the interface or restart the dataplane.
There may be a 10-15 second delay with ARP resolution after configuring an LACP bond [2867]
LLDP
All LLDP interface parameters must be configured at the same time. [3462]
When LLDP parameters change, TNSR requires a dataplane restart for the new settings to take effect. [3486]
LLDP parameter values are not validated by the CLI or RESTCONF and invalid values are rejected by the dataplane directly [3459]
MAP
MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]
MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]
Pre-resolve does not work when MAP-T mode is used [1871]
Full ip reassembly does not work with MAP [3386]
ICMP6 echo request packets are being dropped on MAP-T BR when MAP domain with non-zero PSID offset is used [3401]
Initial fragment of UDP and ICMP6 packets is dropped on MAP-T border router when it receives fragments from an IPv6 network [3412]
Ethernet padding is incorrectly copied from IPv4 to IPv6 frames when translated by MAP [3460]
NACM
Default parameters rule for NACM node access-operation and module does not work without explicit settings [2514]
NAT
twice-nat does not work [1023]
NAT forwarding is not working for in2out direction [1039]
NAT forwarding fails with more than one worker thread [2031]
Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.
Router with 1:1 NAT will drop packets with ttl=2 from input interface [2849]
VPP service fails if NAT concurrent-reassemblies is set to 1 and several fragments arrive at the NAT outside interface [2739]
ICMP fragments arriving at the NAT inside interface aren’t being reassembled by the NAT reassembly function [2733]
Dataplane fails on DS-Lite AFTR router when packets from B4 are received before pool is configured [3024]
Workaround: Configure the DS-Lite pool before the aftr endpoint.
DS-Lite CE configuration is not fully removed when deleted via CLI, which may leave TNSR with an invalid configuration database which cannot start [3030]
Deterministic nat option is not compatible with a pool of IP addresses [3257]
Reassembly timeout does not work when full IP reassembly is configured with NAT [3269]
Shallow Virtual Reassembly cannot be disabled when it is enabled implicitly by other features such as NAT and MAP [3361]
Shallow Virtual Reassembly may fail when configured explicitly after it is implicitly enabled by other features such as NAT and MAP [3362]
Re-enabling full IP reassembly on an interface which has implicit shallow virtual reassembly enabled breaks the packet flow [3379]
Setting reassembly type full and then enabling ip reassembly on an interface which has implicit shallow virtual reassembly enabled breaks packet flow [3380]
Second fragment of a packet is not being virtually reassembled when max-reassemblies counter for shallow virtual reassembly is set to 1 [3384]
Neighbor / ARP / NDP
Packet loss during ARP transaction immediately after Dataplane restart or interface disable/enable [2868]
NTP
NTP server default restriction list cannot be deleted in CLI [3413]
RESTCONF
RESTCONF responses for leaf nodes with a value of an empty string ("") may not contain the expected encoded JSON output. [3450]
See RESTCONF earlier in this document for more details.
RESTCONF responses containing certain IETF error types such as application errors may contain an extra JSON key, rpc-error, in the error list. RESTCONF users should accommodate this extra key, if present, when parsing IETF error messages. [3455]
Incorrect BGP configuration is generated when IPv6 address family is configured via REST [2915]
Adding a user via RESTCONF requires a password even when key is provided [2875]
Adding MACIP rule via RESTCONF fails [2844]
Cannot rename an ACL via RESTCONF [2843]
Deleting ACL rule via RESTCONF crashes Clixon [2841]
Static Routing
IPv6 packet loss may be observed between TNSR instances [2382]
TNSR drops packets when an output interface configured in the routing table is disabled, even when other usable paths are present to the same destination [3359]
Dynamic Routing
CLI shows that only IPv4 prefix is available within prefix-list sequence configuration [2689]
BGP
An IPv6 BGP session cannot be established over IPsec or GRE [2429]
BGP maximum-path option for eBGP and iBGP can not be configured simultaneously [2879]
BGP network backdoor feature does not work without service restart [2873]
Unable to verify received prefix-list entries via CLI when ORF capability is used [2864]
extended-nexthop capability is not being negotiated between IPv6 BGP peers [2850]
BGP session soft reset option does not work for IPv6 peers [2833]
Workaround: Reset the connection without soft option.
ttl-security hops value can be set when ebgp-multihop is already configured (the options are mutually exclusive) [2832]
clixon-backend fails when loading BGP config with 150k advertised prefixes [2784]
BGP updates for new prefixes are sent every 60 seconds despite configured advertisement-interval value [2757]
TNSR installs additional duplicated next-hop entries for multipath routes received via BGP [2935]
IPv4 BGP summary command returns results for both IPv4 and IPv6 [3270]
BGP next-hop attributes are not sent unmodified to an eBGP peer when route-server-client option is configured [2940]
show route dynamic bgp ipv6 summary command will not show any information if address family is not specified when configuring BGP for IPv6 [2967]
Workaround: Set the address family when configuring BGP. Alternately, due to [3270], IPv6 information is currently visible in show route dynamic bgp ipv4 summary, so use that command instead.
Unable to configure BGP IPv4/IPv6 multicast address family using CLI [3038]
Workaround: Configure this feature via RESTCONF
BGP listen range option disappears from the active dynamic routing daemon configuration after restarting BGP service [3043]
Unable to verify dynamic BGP peer information from TNSR CLI [3044]
Unable to configure BGP dampening values via TNSR CLI [3057]
Unable to configure BGP write-quanta value via TNSR CLI [3087]
Unable to configure BGP debug logging via TNSR CLI [3199]
Unable to configure BGP confederation identifier via TNSR CLI [3210]
Static routes may not be restored correctly after failing over to a BGP route [3543]
OSPF
OSPF default-information originate does not work with static route 0.0.0.0/0 as default route [2477]
Changing redistributed kernel routes does not trigger addition/removal of corresponding OSPF Type-5 LSAs [2389]
Routing information in the forwarding table is not updated correctly when removing a static route which overlaps a route received via OSPF [2320]
The OSPF RIB is not updated when the ABR type changes from standard to shortcut, and vice versa [2699]
Changing the default metric for OSPF server does not result in update on other routers [2586]
OSPF6
IPv6 routes in the OSPF6 database may not appear in the OSPF RIB until the service is restarted [2891]
When deleting an OSPF6 interface via RESTCONF, it may remain active in the OSPF6 daemon despite being removed from the TNSR configuration [3481]
RIP
key-chain string is not applied in the routing daemon if configured after RIP is enabled [2878]
Workaround: Disable and enable RIP after making the change.
RIP timeout value is not respected [2796]
SNMP
There are no changes when using “write” community [2567]
VRRP
VRRP does not function on an outside NAT interface with a priority of 255 [2419]
Workaround: Set the priority of the VR address on the primary router to a value less than 255 yet higher than that of other routers. Enable Accept Mode on the VR address if the VR address will be used by services on TNSR.
VXLAN
Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]
VXLAN and OSPF may not work properly if OSPF is configured after VXLAN in the dataplane [2511]
Reporting Issues
For issues, please contact the Netgate Support staff.
Send email to support@netgate.com
Phone: 512.646.4100 (Support is Option 2)