TNSR 22.02 Release Notes

About The TNSR 22.02 Release

This is a regularly scheduled TNSR release including new features and bug fixes.

Operating System Change

Due to major changes in the development, support, and licensing models of CentOS 8 and RHEL 8, TNSR 22.02 has been re-engineered to run under an Ubuntu Linux LTS release. Currently this is Ubuntu Server 20.04.

TNSR only supports Ubuntu as of TNSR 22.02.

Migrating from TNSR on CentOS to TNSR on Ubuntu requires backing up the TNSR configuration, reinstalling using Ubuntu-based installation media, and then restoring the configuration and related files. In most cases the TNSR configuration will work as-is without adjustments when moving from one base to the other.


Ubuntu 20.04 uses a Linux 5.x kernel by default where CentOS used a 3.x or 4.x kernel depending on the version. As such, virtual environments such as KVM, ESXi, Proxmox, and so on may require adjusting guest OS parameters to reflect the change in base OS type and/or kernel version.

I40E VRRP Source Pruning Requirement

Devices participating in VRRP on TNSR which use the I40E poll mode driver must have source pruning manually disabled. These interfaces include members of the Intel X710/XL710 Family. On previous versions of TNSR this was handled automatically, however, the upstream dataplane behavior changed since the previous release.

The commands to disable source pruning are not present until the router is running TNSR software version 22.02. Thus, the configuration changes must be performed after an upgrade to, or fresh installation of, TNSR software version 22.02.

For details on how to disable source pruning, see Disable Source Pruning.


  • This version adds new validation on DHCP server option definition record types and data. During the upgrade process TNSR attempts to make existing invalid entries conform to the new constraints, but certain combinations of existing invalid options may require manual intervention.

    To avoid potential problems with upgrading DHCP option type definition lists, ensure they are less than 63 characters in length before upgrading. Alternately, consider removing DHCP option type definitions and data before upgrade and then add them back after completing the upgrade.

    If the DHCP server process is not running after upgrading to TNSR software version 22.02, manually inspect the DHCP option definitions and correct any remaining inconsistencies in record types and data.



  • Fixed: ACLs applied to a bridged loopback interface do not block traffic [6248]


  • Fixed: Bidirectional Forwarding Detection sessions spontaneously vanish [5313]

  • Fixed: BFD desired-min-tx option does not work until the dataplane is restarted [6953]

  • Fixed: BFD detect-multiplier is reset after setting other options on a running session [6955]

  • Fixed: BFD key change requires dataplane restart to activate [7007]


  • Fixed: Bridge domain configuration rewrite parameter does not work [6613]

  • Fixed: Generated CLI commands contain nacm enable command at the beginning [6785]

  • Changed: Fix typo in NACM CLISPEC command [6824]

  • Fixed: Interrupt after running ping causes CLI to exit [6882]

  • Fixed: Wrong CLI commands generated for NACM access-operations [6967]

  • Changed: Change CLI from using CDATA tags to standard XML escaping [7089]

  • Added: Display local routes for interface addresses in show route output [7282]

DHCP Server

  • Changed: Unable to show Kea leases when the DHCP lease database is large [6870]

  • Fixed: Make leaf “severity” mandatory in Kea logging YANG [6896]

  • Fixed: Kea DHCP4 daemon opens stderr and leaves it open [6897]

  • Changed: Refactor DHCP tests slightly [6917]

  • Fixed: Unable to apply just created a custom DHCP option without exiting from DHCP server configuration context [6923]

  • Fixed: Can change DHCP custom option type to one incompatible with the configured value [6941]

  • Fixed: Can delete DHCP custom option definition without deletion of configured its option data [6942]

  • Fixed: CLI reject attempts to apply DHCP option with empty data [6944]

  • Fixed: Unable to redefine DHCP server options with a single CLI transaction [6945]

  • Fixed: Kea fails to validate option-data inside of subnet4 and subnet4/pools [6948]

  • Fixed: DHCP Server sometimes can’t bind to a properly configured interface [6958]

  • Fixed: Crash in clixon-backend when DHCP option configuration contains invalid data [6969]

  • Fixed: DHCP server sends incorrect data for options defined as tuple type [6970]

  • Fixed: DHCP options can be deleted when used by subnet/pool if there are multiple subnets/pools [7027]


  • Fixed: VPP service does not start if an interface name uses a reserved keyword [3234]

  • Changed: Resynchronize VPP linux-nl with kernel after netlink socket overflow [6630]

  • Changed: TNSR 22.02 VPP update [6784]

  • Added: Add support for DPDK per-device devargs in VPP startup.conf [7032]

  • Fixed: Remove dataplane scheduler policy and priority commands as they are not compatible with the Ubuntu kernel [7298]


  • Added: Configuration rollback timer to automatically revert potentially disruptive changes [2161]

  • Added: Configuration database history additional features [6608]

  • Changed: Improve core dump handling [6786]

  • Added: Enable configuration history by default [7142]

  • Fixed: Cannot commit a candidate database that removes a subinterface with an ACL rule [7311]


  • Changed: Remove base64 encoding from package management RPC reply data [7382]


  • Fixed: Configuration of host interface address clears TNSR TAP interface configuration [2640]

  • Fixed: Unable to set a TAP object as part of a host bridge [4427]

  • Fixed: RESTCONF interfaces-state response contains "host-namespace": "(nil)" value in tap-table, when the namespace is specified as host [4867]

  • Fixed: VLAN interfaces do not show VLAN ID in output of show interface [6326]

  • Fixed: Missing interface prevents configuration backend daemon from starting [6874]

  • Fixed: Memory leaks while applying ACLs to an interface [6995]

  • Fixed: Subinterface does not come back up after dataplane restart [7045]

  • Fixed: Cannot create a TAP interface with certain index values [7083]

  • Fixed: TNSR fails to start when the configuration contains a static route with an implicit interface that is not available [7134]

  • Fixed: VLAN subinterface cannot be deleted if bonded parent interface is deleted [7322]

  • Fixed: 2.5 Gbit/s interfaces such as igc show as 2 Gbit/s in interface properties [7403]


  • Fixed: Default NAT session timeouts do not work in endpoint-dependent mode [4600]

  • Fixed: Default NAT translation limits may be undersized [5464]

  • Fixed: Packet forwarding over an IPsec tunnel fails after enabling UDP encapsulation in IKEv1 mode [6490]

  • Fixed: Cannot disable NAT if an inside/outside NAT role was removed from an interface [6553]

  • Fixed: Crash in clixon-backend when a VRF is removed and re-added for NAT static translation [6554]

  • Fixed: Cannot apply a VRF to an interface if the VRF was removed by applying clean candidate database [6561]

  • Fixed: Unable to remove NAT static mappings from the running configuration if the interface on the mapping does not exist [7148]


  • Changed: Remove the “present” hack in the NTP YANG data model. [4360]

Operating System

  • Changed: Stop logging failures to read files under /proc [6748]

  • Fixed: tnsr-diag only captures one day of system log content [7301]


  • Fixed: BGP listen range option disappears from active FRR configuration after restarting BGP [3043]

  • Fixed: CLI allows creation of invalid prefix lists [3603]

  • Added: Unable to configure metric type for OSPFv3 external routes via TNSR CLI [3775]

  • Changed: Update libvppmgmt FIB path structures [4330]

  • Fixed: FRR prefix list synchronization lost after dataplane restart [4456]

  • Fixed: Unable to verify BGP session information when BGP is configured for the non-default VRF [4966]

  • Fixed: Neighbor events not logged as expected by FRR [4971]

  • Fixed: Static routes in custom VRFs are not available to FRR [4975]

  • Fixed: TNSR resolves output interface via default routing table when VRF static route is configured without interface name [5134]

  • Fixed: BGP routes remain in route table after BGP session drops, even when TNSR interface is marked down [5325]

  • Fixed: Neighbors do not exchange routes when using OSPF over VRF-lite [5338]

  • Fixed: BGP command to show routes from neighbors returns an error instead of expected data [5835]

  • Fixed: BGP shows its capabilities as advertised when configured with the dont-capability-negotiate option [6035]

  • Fixed: VRF is not removed after loading and committing candidate configuration [6449]

  • Fixed: Setting an OSPF virtual-link parameter removes all other configured parameters [6595]

  • Fixed: Unable to set a value less than 3s for the OSPF retransmit interval [6833]

  • Fixed: Unable to set a transmit delay for the OSPF6 interface [6834]

  • Added: BGP option for log-neighbor-changes [6883]

  • Fixed: OSPF status commands do not work for custom VRFs [7001]

  • Fixed: Static routes without an interface in the next hop are not added back to the operating system routing table after disable/enable of an interface [7091]

  • Fixed: Unable to apply BGP updates prefix debug option using CLI [7212]

  • Added: Implement IPv4 prefix for the BGP debug bestpath option [7263]

  • Fixed: Cannot create multiple BGP debug updates options using CLI [7269]

  • Fixed: Loopback interfaces do not get assigned to the correct VRF in OSPF route table [7288]

  • Fixed: VRF is not removed from VPP if it contains a static route [7302]

  • Fixed: Deleted static routes are not removed from a VRF if an interface is attached to the VRF after the route was created [7309]

  • Fixed: BGP no option debug keepalive command removes all configured debug options [7416]

  • Fixed: BGP no option debug bestpath command does not work as expected [7417]

SNMP / IPFIX / Prometheus

  • Fixed: Interface name-to-index mappings are not available in Prometheus exporter output [5618]

  • Fixed: SNMP query for ifDescr returns unexpected Hex-STRING type data or incorrect STRING contents [6403]

  • Fixed: SNMP does not work on IPv6 [6589]

  • Fixed: SNMP services start at system boot when SNMP is not configured [6841]

  • Fixed: TNSR fails to respond to SNMP requests after dataplane restart [7213]

Static Routes

  • Fixed: Cannot remove a static route from the CLI if its interface is missing [7154]

  • Fixed: A route with implicitly defined interface remains in a VRF after removal of the interface from that VRF [7272]

Tunnel Protocols

  • Fixed: Unable to modify multiple GRE tunnel settings in a single operation [2698]


  • Changed: Deprecate tnsr-db-update script [7374]


  • Fixed: Lower-priority VRRP interface flaps with “ip nat outside” enabled [6807]

  • Fixed: VRRP advertisements dropped on a subinterface in a non-default VRF [7169]

  • Fixed: Spurious VRRP state transitions can occur with worker threads [7402]


  • Fixed: TNSR CLI treats “#” character as comment delimiter, ignores input after [5237]

  • Fixed: TNSR does not validate username when creating a user [5238]

  • Fixed: Crash with SEGFAULT in clixon_backend when it cannot parse XML from config_db [6627]

  • Fixed: Upgrade code does not validate DHCP data in older configurations [7151]

  • Fixed: Inconsistent presence of namespaces in TNSR RPC replies [7275]

  • Fixed: clixon does not validate implicit choice cases in an RPC input parameter [7461]

Known Issues


  • DHCP responses blocked by TNSR input ACLs since reflect on output ACLs does not work for DHCP requests [3570]


  • Unable to setup delayed option for an existing BFD session via REST [2709]

  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]


  • Bridge domain ARP entries cannot be displayed via CLI [2378]

  • Bridge domain ARP entries cannot be removed via CLI [2380]

  • Bridge domain mac-age value cannot be removed via CLI [2381]

  • Bridge domains and split-horizon groups are not functioning properly [5500]


  • CLI does not always return from a shell prompt [2651]

  • Deleting the startup configuration database does not fully remove the active configuration [3723]

  • Specifying interface to traceroute requires root privileges [5376]

  • Input validation of unbound message cache slabs value does not work as expected [5472]

  • CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]

  • RIP information does not contain a legend for kernel routes [7230]

  • CLI command for disabled configuration history is not generated [7554]

DHCP Client

  • Default gateway received via DHCP is not placed to the routing table when the interface uses a custom VRF [7254]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to setup a custom DHCP option with certain data types in the record [5299]

  • DHCP daemon does not generate coredumps [5583]


  • show system output does not contain DNS resolver parameters [5397]


  • RESTCONF query fails to TNSR interface with >1 worker thread when NAT is active [2031]

  • Binary API times out in some dual NUMA environments [2383]

  • Link state is always up when using e1000 network drivers [2831]

  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • DPDK does not work with Mellanox ConnectX-3 drivers [3781]

  • Static routes with an interface as the next hop using resolve-via-attached appear to break dataplane ARP [5259]

  • VPP crashes on Azure when configured with option default-data-size 1024 [6007]

  • TNSR on AWS does not pass traffic when using the uio_pci_generic driver [7015]


  • Non-root users cannot access the FRR log file [4826]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Startup entry is not created in configuration history log [7400]

  • Cannot commit a candidate configuration database if a tap interface is present [7458]


  • Cannot remove an IP address assigned to a host interface during the installation process via TNSR CLI [3013]

  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

  • TNSR CLI host interface configuration does not update pre-existing OS interface configuration [6728]

  • User-defined log files need rotation or other size limit mechanism [6977]

  • User dns-resolver configuration values for host namespace in resolv.conf are overwritten by systemd-resolved on Ubuntu [7517]


  • IPsec tunnels take much longer than expected to be marked down when connectivity to the peer is interrupted [3533]

  • Packets exceeding 2020 bytes cannot be received on IPsec interface [5224]

  • Buffer exhaustion with TCP/UDP when using c62x QAT device prevents traffic from passing [6711]

  • CLI requires setting integrity algorithm on IPsec tunnel using AES-GCM when a PRF should be sufficient [6926]

  • IPsec tunnel cannot be established in a non-default VRF [7266]


  • When installing TNSR via iDRAC virtual media redirector the text installer screensaver starts in before the installation can complete [3182]


  • Packets do not pass through VLAN subinterface after subinterface configuration has been modified [1612]

  • VLAN subinterfaces do not work with virtio network drivers on KVM [2189]

  • Unable to set IPv6 link-local address on an interface [2394]

  • Unable to create subinterface with dot1q “any” tag [2652]

  • Subinterface settings aren’t applied on change without restarting dataplane [2696]

  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • Reassembly timeout is not working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • TX queues utilized based off RX queue count [3624]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • Restoring a configuration database with named interfaces requires loading, restarting the dataplane, then loading again [5144]

  • XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]

  • Link state in X553 1GbE card does not change to down when disabling interface in TNSR [6849]

  • Interfaces using KVM virtio drivers use names which do not match link speed [6909]

  • L3 packets can be sent from bridged interfaces [6975]

  • Unable to setup DPDK uio_pci_generic driver on XG-1541 [6981]

  • Unable to setup DPDK vfio-pci driver on XG-1537 [6985]

  • Unable to setup DPDK vfio-pci driver on various environments [6989]

  • TAP instance tcpdump method only captures received packets [7137]

  • Unable to delete a non-existent multicast-interface from VXLAN tunnel configuration [7278]

  • Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]


  • Unable to connect to memif interface using default socket [4448]


  • Twice-NAT does not work [1023]

  • 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on “any” port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Packets that aren’t destined to NAT pool are dropped when NAT simple mode with out2in-dpo option is configured [4927]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

  • Cannot increase NAT Sessions per thread past ~1e6 [6550]

  • Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]

  • Expired NAT sessions become active again when increasing the timeout value [7090]

  • NAT sessions do not expire in endpoint-independent mode [7098]

  • Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]


  • NTP does not properly handle IPv6 restrictions [4626]

  • Delay in CLI display of NTP configuration when NTP has noquery set [6818]

  • Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]


  • PKI certificate and key entry fails if content has leading whitespace [6800]


  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

  • RESTCONF route-state response does not contain actual state data [7115]

  • RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]

  • History version count does not match the count of REST configuration requests if they are sent without a delay [7440]


  • Changing default metric for OSPF server does not result in update on other routers [2586]

  • OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • RIP “timeout” timer does not work [2796]

  • ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • BGP session soft reset option does not work for IPv6 peers [2833]

  • extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]

  • Unable to verify received prefix-list entries via CLI when using ORF capability [2864]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • Change made to a prefix-list used in a OSPF3 route-map doesn’t affect redistributed routes [3644]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Unable to set a custom path for the FRR log file [4825]

  • Invalid IPv6 routes are shown when searching by prefix [5033]

  • TNSR responds to IPv6 Router Solicitation messages with default Router Advertisement when not configured to do so [5097]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • RIP route-map-filter option does not filter routes [5910]

  • Output of show route takes about a minute to begin displaying very large route tables (~1,000,000 routes) [6380]

  • Unable to disable IPv4 AF without BGP service restart [6393]

  • BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]

  • OSPF virtual-link authentication does not work [6601]

  • Unable to remove OSPF virtual-link configuration [6962]

  • OSPF can announce interfaces from other VRFs on initial configuration [7002]

  • Cannot add a static recursive route [7010]

  • VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]

  • Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]

  • Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]

  • Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]

  • OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]

  • Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]

  • Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]

  • Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]

  • Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]

  • Router services do not work properly on interfaces in a non-default VRF [7229]

  • Unable to establish eBGP connection via NAT outside interface in endpoint-independent mode [7268]

  • Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]

  • OSPF logging for some options does not work if logging level is set explicitly [7411]

  • BGP debug option updates in <peer> does not filter messages for selected peer [7476]

  • BGP session does not become active after interface goes down and recovers [7501]

SNMP / IPFIX / Prometheus

  • SNMP does not accept changes made using a write community [2567]

  • Restarting SNMP daemon causes NMS software to report a device reboot [3901]

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • Prometheus exporter crashes with SIGABRT when the FIB contains a large number of routes [6973]

  • SNMP does not work on interfaces in a non-default VRF [7261]

  • Most SNMP interface counters for received traffic return zero on LACP bonds [7407]


  • Span config disappears/appears when repeatedly restarting dataplane [6526]

  • Incorrect error message when requesting SPAN info from a missing interface [7209]

  • SPAN mirroring can not be disabled [7560]

Static Routes

  • Static route description is not showing up in show commands or REST state data [5478]

  • Static route overwrites kernel route in the operating system routing table [7215]

Tunnel Protocols

  • Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

  • VxLAN with multicast destination does not pass traffic [6491]

  • GRE interface configuration remains in running config after changing GRE tunnel ID [7050]


  • Update scripts may fail on some systems [5342]

  • netgate-dpdk-kmods package for interface driver modules may require manual reinstall after kernel upgrade [5353]


  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • CLI closes when performing commands after restarting TNSR [5974]

  • Duplicate attribute created when upgrading TNSR 20.10 NAT configuration to 21.03.1-1 from CLI [6531]

  • Configuration upgrade does not run when loading configuration via history [6968]

  • Unable to set up a password that starts and finishes with a double quotation mark [7571]

  • Unable to set up a password that contains a backslash symbol [7572]


  • Clients receive an SSL certificate error when querying the HTTPS server if it uses a certificate with an MD5 digest [2403]