TNSR 22.06 Release Notes

About the TNSR 22.06 Release

This is a regularly scheduled TNSR software release including new features and bug fixes.

Upgrade Notes

For the update to work properly, the owner of the TNSR update certificate may need to be manually changed to the _apt user.

See Certificate File Permissions for details.



Any interface that will contain an IPv6 address must have an MTU of 1280 or higher. This includes both the default MTU and MTU values set on interfaces directly. Currently input validation does not prevent the user from configuring a smaller MTU, but doing so will cause IPv6 to fail.

  • Added support for WireGuard VPN tunnel interfaces.


    At this time WireGuard only supports static address configurations with a single peer per tunnel. This limits it to primarily typical site-to-site connections and not mobile/remote access style use cases.

  • Added IPFIX flow reporting support, which allows monitoring general traffic flows. Previously IPFIX could only monitor NAT translations.

  • TNSR software no longer automatically whitelists interfaces in the dataplane.


    All interfaces must now manually be defined using dataplane dpdk dev <id> network as described in Setup NICs in Dataplane.

  • The show route CLI output has been optimized in several ways in this release, including:

    • The output is now sorted numerically by address instead of using a string comparison. This differs from previous releases but results in a more logical ordering of entries. For example, in previous versions route address components would be ordered “14, 17, 2, 25” where now they are “2, 14, 17, 25”.

    • Rather than gathering all route content and paginating the output, the function now only fetches a page worth of data at a time. This greatly increases the speed of displaying route data when the route table contains a large volume of routes.

    • The cached route data for display is updated for the first page, but not for later pages to ensure the data is consistent for route tables managed by dynamic routing functions.

  • IPsec tunnels can now be enabled or disabled explicitly without removing the other IPsec configuration. Existing tunnels are automatically enabled during the upgrade process, but new tunnels are disabled by default.

    See Enable/Disable IPsec Tunnels for details.


Changes in TNSR software version 22.06


  • Added: Use paged version of show route by default [7535]

  • Fixed: CLI command for disabled configuration history is not generated [7554]

  • Fixed: Output of show route does not account for wrapped lines when paginating based on display size [7593]

  • Fixed: CLI route table mode only offers IPv4 prefix choices in a new table [7924]

DHCP Server

  • Changed: Update kea from upstream [7057]

  • Fixed: Cannot show keactrl configuration file from TNSR [8064]


  • Added: Support multiple address entries for a hostname in DNS local zone configuration [1385]

  • Fixed: Multiple boolean attributes in Unbound cannot be disabled, use inconsistent CLI command forms [7749]


  • Changed: Update VPP from upstream [7545]

  • Changed: Remove automatic whitelisting of interface devices in dataplane startup.conf [7588]

  • Changed: Remove support for deprecated DPDK settings [7629]

  • Fixed: Memory leak in IPFIX leads to VPP crash dump SIGSEGV then ABRT [7810]

  • Added: Allow dataplane to use all available system cores [7822]

  • Fixed: Cannot start VPP with more than four workers [8210]


  • Changed: Add package logs to tnsr-diag archive [7667]


  • Added: A dp-exec equivalent to reach the host namespace from the dataplane namespace [5024]

  • Fixed: User dns-resolver configuration values for host namespace in resolv.conf are overwritten by systemd-resolved on Ubuntu [7517]


  • Fixed: IPsec tunnels take much longer than expected to be marked down when connectivity to the peer is interrupted [3533]

  • Added: Enable/Disable option for IPsec tunnels [3720]

  • Fixed: Packets exceeding 2020 bytes cannot be received on IPsec interface [5224]

  • Changed: davici: Update to 1.4 [7577]

  • Changed: Update strongswan to 5.9.5 [7701]


  • Fixed: Most SNMP interface counters for received traffic return zero on LACP bonds [7407]

  • Fixed: Duplex is not reported correctly in TNSR 22.02 [7819]


  • Fixed: CLI show nat sessions command displays no output in some cases [7685]

  • Fixed: VPP crashes during NAT handoff between worker threads [8150]

Operating System

  • Changed: Update to Ubuntu 20.04.4 LTS [7591]

  • Changed: Install HWE kernel to KVM, VMware images [7710]

  • Added: Allow coredumps larger than 2GB by default [7959]


  • Fixed: Deprecate support for generating certificates with insecure MD5 and SHA1 hashes [2403]

  • Added: Add support for Subject Alternative Name (SAN) entries in PKI signing requests [4748]

  • Fixed: PKI certificate and key entry fails if content has leading whitespace [6800]


  • Added: Order IP routes by the numeric value of the prefix address rather than the string representation [4340]

  • Added: Include route table description in show route output [4731]

  • Fixed: Invalid IPv6 routes are shown when searching by prefix [5033]

  • Fixed: TNSR responds to IPv6 Router Solicitation messages with default Router Advertisement when not configured to do so [5097]

  • Fixed: Unable to establish eBGP connection via NAT outside interface in endpoint-independent mode [7268]

  • Added: Display a flag to indicate that a route path link is down in show route output [7534]

SNMP / IPFIX / Prometheus

  • Fixed: Prometheus exporter crashes with SIGABRT when the FIB contains a large number of routes [6973]

  • Added: IPfix flow reporting [7683]

Static Routes

  • Fixed: Static routes resolved via subinterfaces do not re-appear after disabling/enabling related main interface [7604]


  • Fixed: netgate-dpdk-kmods package for interface driver modules may require manual reinstall after kernel upgrade [5353]


  • Fixed: Cannot interrupt applications running under dataplane/host shell in CLI [7729]

  • Fixed: Error when re-entering rest description expansions with multiple words [7751]

  • Fixed: Problem processing xpath with multiple ="%s" clauses [7784]

  • Fixed: Using unique in YANG validation is not working properly [7786]

Known Issues

Known Issues in TNSR software version 22.06


  • DHCP responses blocked by TNSR input ACLs since reflect on output ACLs does not work for DHCP requests [3570]


  • Unable to setup delayed option for an existing BFD session via REST [2709]

  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]


  • Bridge domain ARP entries cannot be displayed via CLI [2378]

  • Bridge domain ARP entries cannot be removed via CLI [2380]

  • Bridge domain mac-age value cannot be removed via CLI [2381]

  • Bridge domains and split-horizon groups are not functioning properly [5500]


  • CLI does not always return from a shell prompt [2651]

  • Deleting the startup configuration database does not fully remove the active configuration [3723]

  • Specifying interface to traceroute requires root privileges [5376]

  • Input validation of unbound message cache slabs value does not work as expected [5472]

  • CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]

  • RIP information does not contain a legend for kernel routes [7230]

  • Value of “Last Used” field in output of show nat sessions verbose is expressed in seconds since VPP startup [8277]

DHCP Client

  • Default gateway received via DHCP is not placed to the routing table when the interface uses a custom VRF [7254]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to setup a custom DHCP option with certain data types in the record [5299]

  • DHCP daemon does not generate coredumps [5583]


  • show system output does not contain DNS resolver parameters [5397]


  • Binary API times out in some dual NUMA environments [2383]

  • Link state is always up when using e1000 network drivers [2831]

  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • Static routes with an interface as the next hop using resolve-via-attached appear to break dataplane ARP [5259]

  • TNSR on AWS does not pass traffic when using the uio_pci_generic driver [7015]

  • Multiple large routing table insertions crash VPP [8286]


  • Non-root users cannot access the FRR log file [4826]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Startup entry is not created in configuration history log [7400]

  • Cannot commit a candidate configuration database if a tap interface is present [7458]


  • Cannot remove an IP address assigned to a host interface during the installation process via TNSR CLI [3013]

  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

  • dns-resolver configured for host namespace remains in system after removing from TNSR [7830]

  • dns-resolver configuration values for host namespace remain in resolv.conf after restarting TNSR [7975]


  • Buffer exhaustion with TCP/UDP when using c62x QAT device prevents traffic from passing [6711]

  • CLI requires setting integrity algorithm on IPsec tunnel using AES-GCM when a PRF should be sufficient [6926]

  • IPsec daemon does not support using non-default VRF entries [7266]

  • Cannot disable IPsec dpd-interval option [8012]


  • When installing TNSR via iDRAC virtual media redirector the text installer screensaver starts before the installation can complete [3182]

  • TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]


  • Packets do not pass through VLAN subinterface after subinterface configuration has been modified [1612]

  • VLAN subinterfaces do not work with virtio network drivers on KVM [2189]

  • Unable to set IPv6 link-local address on an interface [2394]

  • Unable to create subinterface with dot1q any tag [2652]

  • Subinterface settings aren’t applied on change without restarting dataplane [2696]

  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • Reassembly timeout is not working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]

  • Link state in X553 1GbE card does not change to down when disabling interface in TNSR [6849]

  • Interfaces using KVM virtio drivers use names which do not match link speed [6909]

  • L3 packets can be sent from bridged interfaces [6975]

  • Unable to setup DPDK uio_pci_generic driver on XG-1541 [6981]

  • Unable to setup DPDK vfio-pci driver on XG-1537 [6985]

  • Unable to setup DPDK vfio-pci driver on various environments [6989]

  • TAP instance tcpdump method only captures received packets [7137]

  • Unable to delete a non-existent multicast-interface from VXLAN tunnel configuration [7278]

  • Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]

  • Interface IP address is shown in IPv4 route table instead of associated subnet [7511]

  • Setting a new MTU value does not affect the MRU for IPv6 packets [8245]

  • Validation does not prevent setting interface MTU below 1280 when an IPv6 address is configured [8246]


  • Unable to connect to memif interface using default socket [4448]


  • Twice-NAT does not work [1023]

  • 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on any port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Packets not destined to a NAT pool are dropped when NAT simple mode is configured with out2in-dpo option [4927]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

  • Cannot increase NAT Sessions per thread past ~1e6 [6550]

  • Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]

  • Expired NAT sessions become active again when increasing the timeout value [7090]

  • NAT sessions do not expire in endpoint-independent mode [7098]

  • Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]

  • Unable to establish NAT hairpin connection [8014]

  • NAT in endpoint-dependent mode drops packets when it cannot identify the correct worker thread [8262]


  • NTP does not properly handle IPv6 restrictions [4626]

  • Delay in CLI display of NTP configuration when NTP has noquery set [6818]

  • Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]


  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

  • RESTCONF route-state response does not contain actual state data [7115]

  • RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]

  • History version count does not match the count of REST configuration requests if they are sent without a delay [7440]


  • Changing default metric for OSPF server does not result in update on other routers [2586]

  • OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • RIP “timeout” timer does not work [2796]

  • ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • BGP session soft reset option does not work for IPv6 peers [2833]

  • extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]

  • Unable to verify received prefix-list entries via CLI when using ORF capability [2864]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • Change made to a prefix-list used in a OSPF3 route-map doesn’t affect redistributed routes [3644]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Unable to set a custom path for the FRR log file [4825]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • RIP route-map-filter option does not filter routes [5910]

  • Output of show route takes about a minute to begin displaying very large route tables (~1,000,000 routes) [6380]

  • Unable to disable IPv4 AF without BGP service restart [6393]

  • BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]

  • OSPF virtual-link authentication does not work [6601]

  • Unable to remove OSPF virtual-link configuration [6962]

  • OSPF can announce interfaces from other VRFs on initial configuration [7002]

  • Cannot add a static recursive route [7010]

  • VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]

  • Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]

  • Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]

  • Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]

  • OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]

  • Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]

  • Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]

  • Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]

  • Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]

  • Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]

  • OSPF logging for some options does not work if logging level is set explicitly [7411]

  • BGP debug option updates in <peer> does not filter messages for selected peer [7476]

  • BGP session does not become active after interface goes down and recovers [7501]

  • OSPF6 continues to redistribute connected/kernel routes resolved via interface with linkdown status [7624]

  • BGP address family neighbor option maximum-prefix restart does not work correctly [7709]

  • Malfunction of BGP process after entering maximum-prefix restart without the basic maximum-prefix limit command [7748]

  • OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]

  • Cannot set BGP unsuppress-map option for IPv6 neighbor [7760]

  • Extended BGP community lists do not work as expected [7772]

  • Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]

  • OSPF stops working after configuring mtu-ignore option on an interface [8085]

  • RPC error message when using exact prefix match in show route table command for non-existent route [8088]

  • Routes do not match by route-map if match criteria is set to ip next-hop ... [8148]

SNMP / IPFIX / Prometheus

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • SNMP does not work on interfaces in a non-default VRF [7261]


  • Span config disappears/appears when repeatedly restarting dataplane [6526]

  • Incorrect error message when requesting SPAN info from a missing interface [7209]

  • SPAN mirroring can not be disabled [7560]

  • SPAN does not work correctly for outbound packets on VLAN subinterface [7801]

Static Routes

  • Static route description is not showing up in show commands or REST state data [5478]

  • Static route overwrites kernel route in the operating system routing table [7215]

  • Transit traffic goes to an interface with inactive link when there is another (active) path [8041]

Tunnel Protocols

  • Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

  • VxLAN with multicast destination does not pass traffic [6491]

  • GRE interface configuration remains in running config after changing GRE tunnel ID [7050]

  • Configuring option route-table in a WireGuard peer does not affect next-hop lookup of the endpoint address [8070]

  • Only the first peer in a WireGuard instance functions properly [8106]

  • VPP processes packets received on disabled tunnel interfaces [8111]

  • Incorrect UDP checksum of IPv6 WireGuard packets [8163]

  • WireGuard tunnel interfaces with incorrect tunnel next-hops ping each other [8256]


  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • Configuration upgrade does not run when loading configuration via history [6968]

  • Unable to set up a password that starts and finishes with a double quotation mark [7571]

  • Unable to set up a password that contains a backslash symbol [7572]