TNSR 19.12 Release Notes

About This Release

General

  • Updated to CentOS 7.7 [2638]

ACL

  • Fixed a backend crash when requesting a non-existent ACL via RESTCONF [2613]

  • Fixed a backend crash when displaying an ACL with a description in the CLI [2606]

BFD

  • Integrated BFD implementation with dynamic routing protocol daemons [2106, 2131]

  • Removed redundant BFD configuration parameters from routing daemon configuration, configure options directly in BFD instead [2578]

Counters

  • Fixed an issue with invalid interface counter data at first boot. [2572]

  • Fixed an issue with multicast counter output containing unicast counter data [2526]

Dataplane

  • Fixed error message displayed when attempting to assign more than the available number of CPU cores [2625]

  • Enhanced the CPU corelist-workers command to accept ranges of cores [1943]

  • Fixed an issue where the value of ip reassembly max-reassemblies was ignored if ip reassembly expire-walk-interval was also set [2561]

  • Added commands to configure dataplane network device receive and transmit descriptors [2020]

DHCP

  • Added commands to define custom DHCP options [2774]

  • Fixed an error when running service dhcp reload [2666]

Host ACLs

  • Changed default host ACL ruleset to allow IPv6 traceroute [2627]

Interfaces

  • Fixed display of tag rewriting configuration in show interface output [2807]

  • Fixed IPv6 addresses not being reapplied to an interface when it was disabled and later re-enabled [2648]

  • Fixed use of renamed interfaces with bonding [2740]

  • Fixed adding interfaces to a bond when they previously had been configured with an IP address [2654]

  • Fixed an issue where data may fail to pass through a bond interface after changing its settings [1603]

IPsec

  • Fixed an issue with RESTCONF IPsec status data returning every value as a string type [2642]

  • Improved IPsec to be thread-safe with multiple workers [1334, 2084]

MAP

  • Fixed an issue where IPv6 packets were not translated to IPv4 for MAP domain rules where PSID offset and length are specified [2808]

  • Fixed an issue where changing MAP behavior from translate to encapsulate required restarting the dataplane [1779]

  • Fixed TCP MSS value not being applied to encapsulated packets in MAP-E mode [1816]

NAT

  • Fixed an issue with show nat deterministic-mappings returning IPv6 data instead of IPv4 [2887]

  • Fixed issues with show nat sessions not returning results via RESTCONF or the CLI [2746, 2251]

  • Added commands to adjust values of NAT hash buckets and memory [1762, 2611]

  • Increased the maximum value of max-translations-per-user to 262144 [2612]

  • Fixed NAT and ACL permit+reflect rules not working when configured together [2262]

Routing

  • Fixed an issue with adding routes to the same destination via different next-hop routers [2407]

Dynamic Routing

  • Fixed an issue preventing OS-level interface events/status from being recognized by FRR daemons [2755]

  • Fixed an issue with creating access-list entries for IPv6 prefixes using the CLI [2624]

  • Fixed an issue with creating route map match peer entries for IPv6 addresses using the CLI [2623]

BGP

  • Fixed setting the solo option for BGP neighbors [2826]

  • Fixed setting the maximum-paths BGP option via CLI [2822]

  • Fixed setting the table-map filter BGP option via CLI [2821]

  • Fixed setting the route-map option for BGP network entries via CLI [2820]

  • Fixed setting the backdoor option for BGP network entries via CLI [2819]

  • Fixed the show route dynamic bgp ipv4 network command so it does not require a full prefix with mask length [2773]

  • Fixed an issue where setting a new BGP update-delay timer did not override the previous peer-wait value [2772]

  • Fixed input validation of the BGP update-delay value so it cannot be set larger than peer-wait [2771]

  • Fixed an issue where BGP would fail to install a received IPv6 route into the routing table [2650]

OSPF

  • Added detail modifier to show route dynamic ospf neighbor which displays more detailed OSPF neighbor information [2742]

  • Fixed an issue where an OSPF LSA was not added to the LSDB if there was a dead LSA for same route present [2626]

  • Fixed an issue where OSPF did not send LSA-5 messages to a backbone area if an NSSA area session was already established [2559]

  • Fixed setting the timer throttle lsa value for OSPF in the CLI [2555]

OSPF6

  • Added support for OSPFv3 (Also known as OSPF6) to handle OSPF for IPv6 [2517]

    • OSPF6 is now also allowed in the default host ACL ruleset [2668]

RIP

  • Added support for RIP (v2 and v1) [2498]

    • RIP is now also allowed in the default host ACL ruleset (UDP port 520) [2657]

SNMP

  • Fixed ifOutUcastPkts returning value of rx-bytes instead of tx- bytes [2584]

VRRP

  • Added commands to configure interface tracking for VRRP and display its status [2521]

  • Fixed an issue where multiple VRs with the same VR ID on a hardware interface (via subinterfaces) could interfere with each other [2865]

  • Fixed an issue where a VRRP VR only removes the virtual MAC from an interface when transitioning from master to backup [2842]

  • Fixed an issue with using VRRP on bond interfaces [2829]

  • Fixed an issue with incorrect VRRP VR behavior with priority 255 and accept mode enabled [2816]

  • Added input validation to prevent conflicting VRRP and NAT configurations [2799]

  • Fixed an issue where VRRP may fail to add a virtual IP address [2706]

Configuration Changes

Several areas of the configuration were changed. These changes must either be made manually or see Updating the Configuration Database for information on how to automatically update the configuration using a script included in this update.

  • netgate-bgp

    • Configuration under /route-config/dynamic/bgp/routers/router:

      • update-delay-peer-wait had a constraint added. Its value must be less than or equal to ../update-delay-updates

      • address-families/ipv4/unicast/mutliple-path-maximums was renamed to multiple-path-maximums to correct a spelling error

      • address-families/ipv6/unicast/mutliple-path-maximums was renamed to multiple-path-maximums to correct a spelling error

      • neighbors/neighbor/bidirectional-forwarding-detection did not have any effect on BGP so it was removed.

  • netgate-ospf

    • Type definitions

      • Enumerated type ospf-route-out had several values removed which are not supported. This type was used in /route-config/dynamic/ospf/routers/router/distribute-list/out/route-out

  • netgate-snmp

    • Type definitions

      • Enumerated type snmp-security-level had several values removed which are not supported. This type is used in /snmp-config/snmp-access-control/access/access-entry/security-level

      • Enumerated type snmp-security-model had several values removed which are not supported. This type is used in /snmp-config/snmp-access-control/access/access-entry/security-model and /snmp-config/snmp-access-control/group/group-entry/security-model

      • Enumerated type snmp-context-match had several values removed which are not supported. This type is used in /snmp-config/snmp-access-control/access/access-entry/prefix

  • netgate-ip

    • Renamed /ip to ip-config – This only contains IP reassembly settings.

Known Limitations

Upgrade Issues

Warning

Due to a build dependency issue with librtnl in TNSR 19.12, installations of TNSR 19.08 upgraded to TNSR 19.12 will not end up with a functional copy of librtnl. This library must be linked against the current version of VPP. Since VPP had a version change between 19.08 and 19.12, but the version number of librtnl did not change, it is not reinstalled on upgrade with an appropriately relinked copy.

To resolve this problem, manually reinstall the librtnl package using a shell prompt:

$ sudo yum reinstall librtnl

This may also be run from within TNSR by using the shell command, for example:

tnsr# shell sudo yum reinstall librtnl

This problem has been fixed so it will not recur for TNSR 20.02 or later releases which will carry the TNSR version on these packages to ensure they match appropriately. Installations of TNSR versions prior to 19.08 can safely upgrade to 19.12 without encountering this issue as there was a version change in librtnl after that time.

Symptoms of this problem include:

  • Sporadic VPP and configuration backend crashes.

  • VPP failing to forward packets as expected.

  • Configured services (e.g. BGP, IPsec, DNS) not functioning correctly due to host stack connectivity being impaired.

Azure

Warning

The TNSR 19.12 release is not compatible with Azure. Instances of TNSR 19.08 running on Azure should not be upgraded until the next release (TNSR 20.02).

ACLs

  • ACLs used with access-list output do not work on traffic sent to directly connected hosts [2057]

  • Accessing very large (100K rules) ACLs repeatedly results in a Clixon crash [2558]

BFD

  • Unable to set delayed option on an existing BFD session [2709]

CLI

  • CLI does not return from shell in certain situations [2651]

Dataplane

  • Dataplane auto pinning of worker threads to cores does not follow expected convention [2846]

  • Dataplane reports incorrect physical core ID for main thread [2845]

  • Systems with multiple CPU sockets using NUMA may experience dataplane issues at startup or when the dataplane is restarted manually [2383]

DHCP

  • Unable to delete all DHCP server options at once from CLI [2667]

GRE

  • Unable to modify GRE tunnel settings [2698]

HTTP Server / RESTCONF

  • HTTP server retains old configuration after TNSR services restart [2453]

  • SSL certificate error when the HTTP server is configured with a certificate that uses md5 digest [2403]

Interfaces

  • Packets do not pass through a subinterface after the subinterface configuration has been modified [1612]

  • Chelsio interfaces crash the dataplane [1896]

  • VLAN subinterfaces may not work under KVM using virtio drivers [2189]

  • An IPv6 link-local address cannot manually be configured on an interface [2394]

  • IPv6 addresses on IPsec or GRE interfaces may not be displayed in show command output [2425]

  • Bridge domain ARP entries are not displayed in the CLI [2378]

  • Bridge domain ARP entries cannot be removed from the CLI [2380]

  • Bridge domain MAC age cannot be removed from the CLI [2381]

  • Link state always reported as “up” when using e1000 network drivers [2831]

  • vmxnet3 RSS fails to initialize, cannot pass packets [2576]

    Workaround: Set dataplane dpdk dev <device id> network num-rx-queues 2 in the TNSR CLI and restart the dataplane.

  • Cannot add a DHCP client hostname to an existing DHCP client [2557]

    Workaround: Remove the dhcp client from the interface and then re-add it with the hostname.

  • Re-enabling loopback interface breaks packet forwarding until the dataplane is restarted [2828]

  • Subinterface settings are not applied on change without restarting dataplane [2696]

  • Unable to create multiple IP QinQ subinterfaces with the same outer vlan tag [2659]

  • Configuration of host OS interface clears TNSR TAP interface configuration [2640]

    Workaround: Remove and reconfigure the TAP interface.

  • On the XG-1537 and other systems with X552 NICs, if one of the SFP+ (not copper) interfaces does not have an active link when the dataplane is restarted, and presumably during startup, the interface remains down when the link is reconnected. The link lights come on as though the interface is working and the opposing interface shows the correct link state and speed. This has been confirmed with LR and SR SFP+ modules.

    If an affected interface has an active link when the dataplane is started, the link can later change to be down/up or removed/reconnected without issue.

    Workaround: Restart the dataplane once the links are active.

IPsec

  • An IPsec tunnel which was removed and then added back in may take longer than expected to establish [1313]

  • An SA ordering issue may prevent IPsec traffic from passing if both endpoints attempt to establish a tunnel at the same time [2391]

  • Large packets over IPSec crash VPP and clixon-backend [2902]

    Workaround: Increase the default-data-size buffer size to 16384 and restart the dataplane.

    tnsr(config)# dataplane buffers default-data-size 16384
    tnsr(config)# service dataplane restart
    

MAP

  • MAP-T BR cannot translate IPv4 ICMP echo reply to IPv6 [1749]

  • Fragmentation of IPv4 packets is performed regardless of configured MAP fragmentation behavior when MAT-T mode is used [1826]

  • MAP BR does not send ICMPv6 unreachable messages when a packet fails to match a MAP domain [1869]

  • Pre-resolve does not work when MAP-T mode is used [1871]

  • MAP BR encapsulates/translates only last fragment when receiving fragmented packets from IPv4 network [1887]

NACM

  • Default parameters rule for NACM node access-operation and module does not work without explicit settings [2514]

NAT

  • twice-nat does not work [1023]

  • NAT forwarding is not working for in2out direction [1039]

  • DS-Lite is not functional; B4 router sends encapsulated IPv4-in-IPv6 packets, but AFTR replies with an error [1626]

  • NAT forwarding fails with more than one worker thread [2031]

    Note: This also affects connectivity to services on TNSR, such as RESTCONF, when the client is not on a directly connected network.

  • Router with 1:1 NAT will drop packets with ttl=2 from input interface [2849]

  • VPP service fails if NAT concurrent-reassemblies is set to 1 and several fragments arriving to the NAT outside interface [2739]

  • ICMP fragments arriving to NAT Inside interface aren’t being reassembled by NAT reassembly function [2733]

Neighbor / ARP / NDP

  • Packet loss during ARP transaction immediately after Dataplane restart or interface disable/enable [2868]

RESTCONF

  • Incorrect BGP configuration is generated when IPv6 address family is configured via REST [2915]

  • Adding a user via RESTCONF requires a password even when key is provided [2875]

  • Adding MACIP rule via RESTCONF fails [2844]

  • Cannot rename an ACL via RESTCONF [2843]

  • Deleting ACL rule via RESTCONF crashes Clixon [2841]

Routing

  • IPv6 packet loss may be observed between TNSR instances [2382]

Dynamic Routing

  • CLI shows that only IPv4 prefix is available within prefix-list sequence configuration [2689]

  • route-map with sequence number 0 can be configured in the CLI but cannot be used [2876]

BGP

  • An IPv6 BGP session cannot be established over IPsec or GRE [2429]

  • BGP maximum-path option for eBGP and iBGP can not be configured simultaneously [2879]

  • BGP network backdoor feature does not work without service restart [2873]

  • Unable to configure BGP distance values via CLI [2869]

  • Unable to verify received prefix-list entries via CLI when ORF capability is used [2864]

  • extended-nexthop capability is not being negotiated between IPv6 BGP peers [2850]

  • BGP session soft reset option does not work for IPv6 peers [2833]

    Workaround: Reset the connection without soft option.

  • ttl-security hops value can be set when ebgp-multihop is already configured (the options are mutually exclusive) [2832]

  • clixon-backend fails when loading BGP config with 150k advertised prefixes [2784]

  • Displaying a large amount of received or advertised BGP prefixes takes a long time [2778]

  • BGP updates for new prefixes are sent every 60 seconds despite configured advertisement-interval value [2757]

  • TNSR installs additional duplicated next-hop entries for multipath routes received via BGP [2935]

OSPF

  • OSPF default-information originate does not work with static route 0.0.0.0/0 as default route [2477]

  • Changing redistributed kernel routes does not trigger addition/removal of corresponding OSPF Type-5 LSAs [2389]

  • Routing information in the forwarding table is not updated correctly when removing a static route which overlaps a route received via OSPF [2320]

  • The OSPF RIB is not updated when the ABR type changes from standard to shortcut, and vice versa [2699]

  • Changing the default metric for OSPF server does not result in update on other routers [2586]

OSPF6

  • IPv6 routes in the OSPF6 database may not appear in the OSPF RIB until the service is restarted [2891]

RIP

  • key-chain string is not applied in the routing daemon if configured after RIP is enabled [2878]

    Workaround: Disable and enable RIP after making the change.

SNMP

  • SNMP configuration change requires a service restart [2568]

  • There are no changes when using “write” community [2567]

VRRP

  • VRRP does not function on an outside NAT interface with a priority of 255 [2419]

    Workaround: Set the priority of the VR address on the primary router to a value less than 255 yet higher than that of other routers. Enable Accept Mode on the VR address if the VR address will be used by services on TNSR.

VXLAN

  • Changes to a VXLAN interface do not apply until the dataplane is restarted [1778]

  • VXLAN and OSPF may not work properly if OSPF is configured after VXLAN in the dataplane [2511]

Reporting Issues

For issues, please contact the Netgate Support staff.