TNSR 18.11 Release Notes
About This Release
Access Lists (ACLs)
Added a description field to ACL rule entries 
Fixed issues with numerical sorting of ACL entries in
Fixed issues with order of installed ACL rules in the dataplane with large sequence numbers 
Authentication & Access Control
Removed users from the TNSR configuration so they are stored/managed directly in the host operating system, which eliminates any chance to be out of sync 
Fixed issues with deleting NACM rule lists 
Fixed an issue where the BGP service could not restart more than three times in a row 
bgp clear command to clear active BGP sessions 
Fixed a problem where the TNSR CLI incorrectly allowed multiple bridge interfaces to have
Fixed a problem where applied dataplane commands were not immediately present in the running configuration database until another change was made 
Fixed a problem where the candidate configuration database could not be emptied with the
Hardware & Installation
Added an ISO image to install TNSR on supported hardware 
Added support for VMware installations 
Added support for Mellanox network adapters 
Fixed interface link speed displaying incorrectly in CLI and RESTCONF 
Fixed issues with duplicate entries being generated in the dataplane interface configuration 
Added the ability to configure host OS management interfaces in the CLI [260, 261, 262]
Fixed issues with ping command parameter parsing 
Fixed issues specifying a source address with
Fixed issues with IPsec tunnels failing to establish after a dataplane restart 
Changed the default NAT mode to
Fixed creating a
out-to-in-only static mappings 
Fixed NAT reassembly for ICMP packets 
Fixed fragment limitations for NAT reassembly 
Added support for deterministic NAT 
Fixed issues with the ntp restrict command 
Fixed validation when submitting invalid MAC addresses via RESTCONF 
Fixed validation when submitting invalid IP addresses via RESTCONF 
Fixed issues where daemons such as Kea and ntpd did not correctly form configuration file references to subinterface names 
Fixed issues preventing clients on subinterface networks from receiving return traffic that passes through TNSR 
The upstream VPP issue causing this has been fixed, but an additional source of problems in this area is that the dot1q setting for a subinterface must use exact-match to communicate properly with hosts on the VLAN. Ensure subinterfaces are configured to use this property.
Authentication & Access Control
TNSR does not send BGP updates without restarting service with redistribute from connected option 
0.0.0.0 does not appear in TNSR route table 
BGP sessions may fail to establish or rapidly reconnect when receiving more prefixes than defined by
maximum-prefix restart command does not work 
TNSR installs multiple paths for received routes even though support for multiple paths is not enabled 
systemctl reset-failed frr from the shell to clear the error which will allow the BGP service to start again.
update-source from an IP address to loop1 allows a session to establish but remote prefixes do not appear in the FIB until reboot 
IPv6 BGP neighbors get entered as
remote-as does not get into FRR
show route table causes the backend to die with large numbers of routes in the table 
For example, this crash happens with a full BGP feed.
A single IP address can be set in a pool range, but the DHCP daemon requires a start/end IP address or a prefix 
Workaround: Configure a pool with a start and end address or prefix.
DHCP server uses default VPP interface IP address (169.254.0.x) as a source address for DHCP packets and as a DHCP Server Identifier 
Unable to delete DHCPv4 options specified within the pool configuration 
HTTP Server / RESTCONF
nginx does not behave as expected with authentication type none and TLS 
This mode is primarily for testing and not production use.
Workaround: Use password or certificate-based authentication for RESTCONF.
HTTP server runs even though it’s not configured to run after TNSR services restart 
Workaround: Manually stop the
Loopback interface responds to ICMP echo from an outside host even when in a Down state 
Unable to delete an interface if it has had an ACL or MACIP applied [1177, 1178]
Workaround: Remove the entire ACL or MACIP entry. Then, the interface may be removed.
MACIP ACL remains in the interface configuration after being removed 
twice-nat does not work 
NAT mode is not deleted from VPP startup configuration after TNSR services restart 
NAT forwarding is not working for
NAT static mappings are not added as expected when only the port-local value differs 
NAT static mapping with defined ports leads to clixon-backend crash after restart 
PAT dynamic sessions limited to 100 entries per address 
This is the default limit per user in VPP and will be configurable in the next release.
Deleting a non-empty route table fails with an error and the table remains in the configuration, but it cannot be changed afterward 
Workaround: Remove all routes from the table before deleting. Alternately, copy the running configuration to startup and restart TNSR, which will make the route table appear again so the routes and then the table can be removed.
When deleting a user key from the running configuration it is not removed from the user’s
Workaround: Manually edit the authorized_keys file for the user and remove the key.
For issues, please contact the Netgate Support staff.
Send email to email@example.com
Phone: 512.646.4100 (Support is Option 2)