TNSR 21.03 Release Notes

About This Release

This is a regularly scheduled TNSR release including new features and bug fixes.

General

This release introduces significant changes in NAT behavior. Most NAT configuration commands have changed syntax or behavior. For example, default NAT behaviors have changed, and the procedure to change global configuration options for NAT is different. Review the NAT documentation in detail.

Warning

The deterministic NAT feature, which was deprecated in previous releases, has now been completely removed.

Changes

ACLs

  • Fixed: Output ACLs do not work with directly connected IP addresses [2057]

CLI

  • Added: Option to show configuration contents as a set of CLI commands [3655]

  • Changed: Remove redundant shell command to allow show commands to be abbreviated as sh [5269]

  • Fixed: TNSR CLI stores less lines in command history than configured [5270]

  • Fixed: Clixon crashes on executing various commands with ampersand symbol [5363]

  • Fixed: CLI errors when configuring some OSPF6 options [5656]

DHCP Server

  • Fixed: CLI incorrectly offers option to delete mac-address from DHCP host reservations [5203]

  • Fixed: Prevent using the same MAC address on more than one DHCP host reservation in the same subnet [5205]

DNS

  • Fixed: Previous DNS resolver settings remain active after resetting TNSR configuration [5398]

  • Fixed: DNS resolver only uses the last search domain [5400]

  • Fixed: Cannot configure local static zone with empty name using the CLI [5459]

Dataplane

  • Fixed: VPP service crashes on attempt to connect to Azure TNSR VM or perform a REST request [3850]

  • Added: Whitelist/configure individual VMbus/NetVSC devices in VPP [5095]

  • Changed: Set default MTU to 1500 [5136]

  • Added: VPP startup configuration to enable DPDK telemetry thread [5143]

  • Changed: Increase default buffers-per-numa startup setting for dataplane [5246]

  • Changed: Update VPP from upstream [5258]

General

  • Added: Include more output in diagnostic tool [4676]

  • Added: Configuration candidate load/save command support for saved configuration *_db files [4766]

  • Fixed: Unable to specify TNSR interface as a source in ping and traceroute commands via CLI [5262]

  • Fixed: Ping and traceroute commands do not respect TTL value [5263]

  • Fixed: Traceroute command does not respect timeout value [5271]

Host Netfilter

  • Fixed: Sequence numbers displayed in state data for host ACLs do not match the configuration database [4789]

IPsec

  • Changed: Enable asynchronous cryptography infrastructure in VPP [5093]

Interfaces

  • Fixed: Unable to create multiple QinQ subinterfaces with the same outer VLAN tag [2659]

  • Fixed: Jumbo frames do not pass on VMXNET3 adapters [4891]

  • Fixed: Conflicting IP addresses remain on interfaces after VRF deletion [5035]

NAT

  • Fixed: NAT interfaces drop packets that do not match existing NAT sessions or static NAT mappings [1979]

  • Fixed: VPP service fails when receiving a packet if NAT simple mode is configured with static-mapping-only option [4610]

  • Fixed: Ping to outside NAT interface produces a NAT session when forwarding is disabled [4960]

  • Changed: Deprecate support for deterministic NAT [5533]

RESTCONF

  • Fixed: Unable to ping remote host using hostname via REST [5492]

Routing

  • Fixed: Large burst of BGP routes can overload netlink socket buffer, leading to routes missing from FIB [5229]

  • Fixed: Unable to verify RIP information when RIP is configured for a VRF [5255]

  • Fixed: VPP crashes when passing certain UDP packets via IPsec tunnel on Azure [5560]

  • Fixed: Custom VRFs do not pass traffic as expected [5601]

SNMP / IPFIX / Prometheus

  • Fixed: RESTCONF returns an incorrect response code when removing IPFIX destinationIPAddress [5045]

  • Added: Allow Prometheus port in default Host ACLs [5356]

VRRP

  • Fixed: VRRP remains in dual master state on bare metal and VMWare/Virtualization platforms using Intel XL710 and X710 network interfaces [5713]

httpd

  • Fixed: HTTP server retains previous configuration when restarting without saving [2453]

Known Issues

ACLs

  • DHCP responses blocked by TNSR input ACLs since reflect on output ACLs does not work for DHCP requests [3570]

BFD

  • Unable to setup “delayed” option for an existing BFD session via REST [2709]

  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • Bidirectional Forwarding Detection sessions spontaneously vanish [5313]

Bridge

  • Bridge domain ARP entries not displayed via CLI [2378]

  • Bridge domain ARP entry cannot be removed via CLI [2380]

  • Bridge domain mac-age cannot be removed via CLI [2381]

  • Bridge domains and split-horizon groups not functioning properly [5500]

CLI

  • CLI does not always return from a shell prompt [2651]

  • Deleting the startup_db does not fully remove the active configuration [3723]

  • Specifying Interface to traceroute requires root privileges [5376]

  • Fix unbound ‘message cache slabs’ CLI weirdness [5472]

  • Wrong CLI command generated for ACL MACIP config [5815]

  • CLI auto-completion prints extremely long lines on serial console session [5816]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 kea config-file output shows “vpp” TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to set up a custom DHCP option with certain data types in the record [5299]

  • Default kea settings allow lease file to grow without bounds [5414]

  • DHCP/kea stops issuing leases after dataplane restart [5426]

  • DHCP/kea coredump isn’t generated [5583]

DNS

  • show system output does not contain DNS resolver parameters [5397]

Dataplane

  • RESTCONF query fails to TNSR interface with >1 worker thread when NAT is active [2031]

  • Binary API times out in some dual NUMA environments [2383]

  • Link state is always up when using e1000 network drivers [2831]

  • VPP service does not start if an interface name uses a reserved keyword [3234]

  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • DPDK does not work with Mellanox ConnectX-3 drivers [3781]

  • Using interface routes appears to breaks dataplane ARP [5259]

  • VPP crashes with SIGSEGV at faulting address 0x0 or 0x1c [5695]

  • VPP crashes in AWS if main heap size is set in VPP config [5754]

General

  • Non-root users cannot access the FRR log file [4826]

  • Unable to configure packet trace [5261]

  • VRF isn’t removed after loading and committing of candidate configuration [5507]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Commit failed error when setting values for IP reassembly options [5683]

Host

  • Cannot remove an IP address assigned to a host interface during the installation process via TNSR CLI [3013]

  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

IPsec

  • IPsec tunnels take much longer than expected to be marked down when connectivity to the peer is interrupted [3533]

  • Packets exceeding 2020 bytes cannot be received on IPsec interface [5224]

Installation

  • When installing TNSR via iDRAC virtual media redirector the text installer screensaver starts in before the installation can complete [3182]

  • Software selection in the installer changes after network configuration [3834]

  • Installer python exception [5556]

Interfaces

  • Packets do not pass through VLAN subinterface after subinterface configuration has been modified [1612]

  • VLAN subinterfaces do not work with virtio network drivers on KVM [2189]

  • Unable to set IPv6 link-local address on an interface [2394]

  • Configuration of host OS interface clears TNSR TAP interface configuration [2640]

  • Unable to create subinterface with dot1q “any” tag [2652]

  • Subinterface settings aren’t applied on change without restarting dataplane [2696]

  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • TX queues utilized based off RX queue count [3624]

  • Unable to set a TAP object as part of a host bridge [4427]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • RESTCONF interfaces-state response contains “host-namespace”: “(nil)” value in tap-table, when the namespace is specified as “host” [4867]

  • Interface subnet routes are left within VRF route table after detaching interface from that VRF [4949]

  • Interface subnet IPv6 route is left within default route table after attaching interface to a custom VRF [4950]

  • Restoring a configuration database with named interfaces requires loading, restarting the dataplane, then loading again [5144]

  • XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Cannot set bridge BVI option on an interface after initial setup [5628]

Memif

  • Unable to connect to memif interface using default socket [4448]

NAT

  • Twice-NAT does not work [1023]

  • 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

  • VPP fails on DS-Lite AFTR router when packets from B4 are being received before pool is configured [3024]

  • Clixon service fails when deleting dslite-ce role [3030]

  • Reassembly timeout isn’t working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T: bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • Deterministic NAT mode prevents local clients from communicating with local services on TNSR [4356]

  • Deterministic NAT mappings in the configuration database prevent the dataplane from starting when switching to endpoint-dependent mode [4371]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on “any” port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Deterministic NAT users experience sluggish performance and lag on video calls [4492]

  • Unable to verify NAT sessions in deterministic mode [4562]

  • Default NAT session timeouts do not work in endpoint-dependent mode [4600]

  • NAT forwarding does not work in deterministic and simple modes [4604]

  • Packets that aren’t destined to NAT pool are dropped when NAT simple mode with out2in-dpo option is configured [4927]

  • NAT hairpinning results in VPP crash due to SEGV [5302]

  • NAT forwarding option does not work with multiple worker threads [5327]

  • Default NAT translation limits may be undersized [5464]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

NTP

  • NTP does not properly handle IPv6 restrictions [4626]

  • NTP should allow ‘iburst’ on “pool” entries [5796]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]

RESTCONF

  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

Routing

  • Changing default metric for OSPF server does not result in update on other routers [2586]

  • CLI shows that only IPv4 prefix is available within prefix-list sequence configuration [2689]

  • OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • RIP “timeout” timer does not work [2796]

  • ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • BGP session soft reset option does not work for IPv6 peers [2833]

  • extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]

  • Unable to verify received prefix-list entries via CLI when using ORF capability [2864]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • BGP listen range option disappears from active FRR configuration after restarting BGP [3043]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • Error occurs when using “match ipv6 address <acl_name>” in route-map configuration [3619]

  • Change made to a prefix-list used in a OSPF3 route-map doesn’t affect redistributed routes [3644]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • Cannot disable IPv4 in BGP [4399]

  • FRR prefix list synchronization lost after dataplane restart [4456]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Unable to set a custom path for the FRR log file [4825]

  • Unable to verify BGP session information when BGP is configured for the non-default VRF [4966]

  • Reevaluate the FRR logging settings [4971]

  • Static routes in custom VRFs are not available to FRR [4975]

  • Invalid IPv6 routes are shown when searching by prefix [5033]

  • CLI description in prefix-list definition misleading [5065]

  • TNSR responds to IPv6 Router Solicitation messages with default Router Advertisement when not configured to do so [5097]

  • TNSR resolves output interface via default routing table when VRF static route is configured without interface name [5134]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • BGP routes remain in route table after BGP session drops, even when TNSR interface is marked down [5325]

  • Neighbors do not exchange routes when using OSPF over VRF-lite [5338]

SNMP / IPFIX / Prometheus

  • SNMP does not accept changes made using a write community [2567]

  • Restarting SNMP daemon causes NMS software to report a device reboot [3901]

  • SNMP results are returned at approximately 3 per second [4670]

  • Configuring IPFIX collector address to directly connected host in Azure causes continuous VPP crash [5117]

  • Octet Counter64 OIDs missing from SNMP [5272]

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • Interface name-to-index mappings not available in prometheus exporter output [5618]

  • SNMP subagent startup takes a long time [5696]

Static Routes

  • Static route next-hop options stack when updated, but only one works [5326]

  • Static route description is not showing up in show commands or REST state data [5478]

Tunnel Protocols

  • Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]

  • Unable to modify GRE tunnel settings [2698]

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

Updates

  • Update scripts may fail on some systems [5342]

VRRP

  • VRRP cannot change the MAC address on ixgbevf interfaces [4551]

YANG

  • Fix dataplane YANG [5412]

  • Fix interface YANG [5424]

  • Fix lldp YANG issues [5428]

  • Fix macip YANG issues [5430]

  • Fix nat map-e/t YANG issues [5431]

  • Fix route-table YANG issues [5450]

  • Fix prometheus YANG issues [5451]

  • Fix vxlan YANG issues [5456]

  • Fix unbound YANG issues [5473]

  • Fix host/system YANG issues [5474]

  • Fix NTP YANG issues [5501]

  • Fix SNMP YANG issues [5515]

  • Fix ipsec YANG issues [5516]

  • Fix Kea DHCP4 YANG issues [5523]

  • Fix FRR YANG issues in netgate-frr.yang [5537]

  • Fix BGP YANG issues [5566]

  • Fix OSPF YANG issues [5567]

  • Fix OSPF6 YANG issues [5568]

clixon

  • Clixon allows invalid prefix lists [3603]

  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • TNSR CLI treats “#” character as comment delimiter, ignores input after [5237]

  • TNSR does not validate username when creating a user [5238]

httpd

  • Clients receive an SSL certificate error when querying the HTTPS server if it uses a certificate with an MD5 digest [2403]