TNSR 22.06 Release Notes¶
About the TNSR 22.06 Release¶
This is a regularly scheduled TNSR software release including new features and bug fixes.
Upgrade Notes¶
For the update to work properly, the owner of the TNSR update certificate may
need to be manually changed to the _apt
user.
See Certificate File Permissions for details.
General¶
Warning
Any interface that will contain an IPv6 address must have an MTU of
1280
or higher. This includes both the default MTU and MTU values set on
interfaces directly. Currently input validation does not prevent the user
from configuring a smaller MTU, but doing so will cause IPv6 to fail.
Added support for WireGuard VPN tunnel interfaces.
Note
At this time WireGuard only supports static address configurations with a single peer per tunnel. This limits it to primarily typical site-to-site connections and not mobile/remote access style use cases.
Added IPFIX flow reporting support, which allows monitoring general traffic flows. Previously IPFIX could only monitor NAT translations.
TNSR software no longer automatically whitelists interfaces in the dataplane.
Warning
All interfaces must now manually be defined using
dataplane dpdk dev <id> network
as described in Setup NICs in Dataplane.The
show route
CLI output has been optimized in several ways in this release, including:The output is now sorted numerically by address instead of using a string comparison. This differs from previous releases but results in a more logical ordering of entries. For example, in previous versions route address components would be ordered “14, 17, 2, 25” where now they are “2, 14, 17, 25”.
Rather than gathering all route content and paginating the output, the function now only fetches a page worth of data at a time. This greatly increases the speed of displaying route data when the route table contains a large volume of routes.
The cached route data for display is updated for the first page, but not for later pages to ensure the data is consistent for route tables managed by dynamic routing functions.
IPsec tunnels can now be enabled or disabled explicitly without removing the other IPsec configuration. Existing tunnels are automatically enabled during the upgrade process, but new tunnels are disabled by default.
See Enable/Disable IPsec Tunnels for details.
Changes¶
Changes in TNSR software version 22.06
CLI¶
Added: Use paged version of
show route
by default [7535]Fixed: CLI command for disabled configuration history is not generated [7554]
Fixed: Output of
show route
does not account for wrapped lines when paginating based on display size [7593]Fixed: CLI route table mode only offers IPv4 prefix choices in a new table [7924]
DHCP Server¶
Changed: Update kea from upstream [7057]
Fixed: Cannot show
keactrl
configuration file from TNSR [8064]
DNS¶
Added: Support multiple address entries for a hostname in DNS local zone configuration [1385]
Fixed: Multiple boolean attributes in Unbound cannot be disabled, use inconsistent CLI command forms [7749]
Dataplane¶
Changed: Update VPP from upstream [7545]
Changed: Remove automatic whitelisting of interface devices in dataplane
startup.conf
[7588]Changed: Remove support for deprecated DPDK settings [7629]
Fixed: Memory leak in IPFIX leads to VPP crash dump
SIGSEGV
thenABRT
[7810]Added: Allow dataplane to use all available system cores [7822]
Fixed: Cannot start VPP with more than four workers [8210]
General¶
Changed: Add package logs to
tnsr-diag
archive [7667]
Host¶
Added: A
dp-exec
equivalent to reach the host namespace from the dataplane namespace [5024]Fixed: User
dns-resolver
configuration values for host namespace inresolv.conf
are overwritten bysystemd-resolved
on Ubuntu [7517]
IPsec¶
Fixed: IPsec tunnels take much longer than expected to be marked down when connectivity to the peer is interrupted [3533]
Added: Enable/Disable option for IPsec tunnels [3720]
Fixed: Packets exceeding
2020
bytes cannot be received on IPsec interface [5224]Changed: davici: Update to 1.4 [7577]
Changed: Update strongswan to 5.9.5 [7701]
Interfaces¶
Fixed: Most SNMP interface counters for received traffic return zero on LACP bonds [7407]
Fixed: Duplex is not reported correctly in TNSR 22.02 [7819]
NAT¶
Fixed: CLI
show nat sessions
command displays no output in some cases [7685]Fixed: VPP crashes during NAT handoff between worker threads [8150]
Operating System¶
Changed: Update to Ubuntu 20.04.4 LTS [7591]
Changed: Install HWE kernel to KVM, VMware images [7710]
Added: Allow coredumps larger than 2GB by default [7959]
PKI¶
Fixed: Deprecate support for generating certificates with insecure MD5 and SHA1 hashes [2403]
Added: Add support for Subject Alternative Name (SAN) entries in PKI signing requests [4748]
Fixed: PKI certificate and key entry fails if content has leading whitespace [6800]
Routing¶
Added: Order IP routes by the numeric value of the prefix address rather than the string representation [4340]
Added: Include route table description in
show route
output [4731]Fixed: Invalid IPv6 routes are shown when searching by prefix [5033]
Fixed: TNSR responds to IPv6 Router Solicitation messages with default Router Advertisement when not configured to do so [5097]
Fixed: Unable to establish eBGP connection via NAT outside interface in endpoint-independent mode [7268]
Added: Display a flag to indicate that a route path link is down in
show route
output [7534]
SNMP / IPFIX / Prometheus¶
Fixed: Prometheus exporter crashes with SIGABRT when the FIB contains a large number of routes [6973]
Added: IPfix flow reporting [7683]
Static Routes¶
Fixed: Static routes resolved via subinterfaces do not re-appear after disabling/enabling related main interface [7604]
Updates¶
Fixed:
netgate-dpdk-kmods
package for interface driver modules may require manual reinstall after kernel upgrade [5353]
clixon¶
Fixed: Cannot interrupt applications running under dataplane/host shell in CLI [7729]
Fixed: Error when re-entering
rest
description expansions with multiple words [7751]Fixed: Problem processing xpath with multiple
="%s"
clauses [7784]Fixed: Using
unique
in YANG validation is not working properly [7786]
Known Issues¶
Known Issues in TNSR software version 22.06
ACLs¶
DHCP responses blocked by TNSR input ACLs since reflect on output ACLs does not work for DHCP requests [3570]
BFD¶
Unable to setup
delayed
option for an existing BFD session via REST [2709]IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]
TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]
Bridge¶
Bridge domain ARP entries cannot be displayed via CLI [2378]
Bridge domain ARP entries cannot be removed via CLI [2380]
Bridge domain
mac-age
value cannot be removed via CLI [2381]Bridge domains and split-horizon groups are not functioning properly [5500]
CLI¶
CLI does not always return from a shell prompt [2651]
Deleting the startup configuration database does not fully remove the active configuration [3723]
Specifying interface to traceroute requires root privileges [5376]
Input validation of unbound
message cache slabs
value does not work as expected [5472]CLI and RESTCONF behavior are different for
no bgp default ipv4-unicast
[6303]RIP information does not contain a legend for kernel routes [7230]
Value of “Last Used” field in output of
show nat sessions verbose
is expressed in seconds since VPP startup [8277]
DHCP Client¶
Default gateway received via DHCP is not placed to the routing table when the interface uses a custom VRF [7254]
DHCP Server¶
CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]
DHCP4 Kea
config-file
output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]Unable to setup a custom DHCP option with certain data types in the record [5299]
DHCP daemon does not generate coredumps [5583]
DNS¶
show system
output does not contain DNS resolver parameters [5397]
Dataplane¶
Binary API times out in some dual NUMA environments [2383]
Link state is always up when using e1000 network drivers [2831]
Cannot create
rx-queues
for interfaces on KVM and VirtualBox [3674]Static routes with an interface as the next hop using
resolve-via-attached
appear to break dataplane ARP [5259]TNSR on AWS does not pass traffic when using the
uio_pci_generic
driver [7015]Multiple large routing table insertions crash VPP [8286]
General¶
Non-root users cannot access the FRR log file [4826]
Unable to specify TNSR interface as a source in
ping
andtraceroute
commands via REST [5605]Startup entry is not created in configuration history log [7400]
Cannot commit a candidate configuration database if a
tap
interface is present [7458]
Host¶
Cannot remove an IP address assigned to a host interface during the installation process via TNSR CLI [3013]
Cannot configure the default gateway for host namespace via TNSR CLI [3702]
VRF interface for a custom route table persists in the operating system after restarting services [4866]
dns-resolver
configured for host namespace remains in system after removing from TNSR [7830]dns-resolver
configuration values forhost
namespace remain inresolv.conf
after restarting TNSR [7975]
IPsec¶
Buffer exhaustion with TCP/UDP when using
c62x
QAT device prevents traffic from passing [6711]CLI requires setting integrity algorithm on IPsec tunnel using AES-GCM when a PRF should be sufficient [6926]
IPsec daemon does not support using non-default VRF entries [7266]
Cannot disable IPsec
dpd-interval
option [8012]
Installation¶
When installing TNSR via iDRAC virtual media redirector the text installer screensaver starts before the installation can complete [3182]
TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]
Interfaces¶
Packets do not pass through VLAN subinterface after subinterface configuration has been modified [1612]
VLAN subinterfaces do not work with virtio network drivers on KVM [2189]
Unable to set IPv6 link-local address on an interface [2394]
Unable to create subinterface with dot1q
any
tag [2652]Subinterface settings aren’t applied on change without restarting dataplane [2696]
Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]
Reassembly timeout is not working when full IP reassembly is configured [3269]
Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]
Second fragment of a packet is not virtually reassembled when
max-reassemblies
is set to1
[3384]Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]
XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]
Errors indicate TNSR is attempting to assign a MAC address to IPsec
ipipX
interfaces [6285]Link state in X553 1GbE card does not change to down when disabling interface in TNSR [6849]
Interfaces using KVM
virtio
drivers use names which do not match link speed [6909]L3 packets can be sent from bridged interfaces [6975]
Unable to setup DPDK
uio_pci_generic
driver on XG-1541 [6981]Unable to setup DPDK
vfio-pci
driver on XG-1537 [6985]Unable to setup DPDK
vfio-pci
driver on various environments [6989]TAP instance
tcpdump
method only captures received packets [7137]Unable to delete a non-existent multicast-interface from VXLAN tunnel configuration [7278]
Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]
Interface IP address is shown in IPv4 route table instead of associated subnet [7511]
Setting a new MTU value does not affect the MRU for IPv6 packets [8245]
Validation does not prevent setting interface MTU below
1280
when an IPv6 address is configured [8246]
Memif¶
Unable to connect to
memif
interface using default socket [4448]
NAT¶
Twice-NAT does not work [1023]
1:1 NAT drops packets with
ttl=2
from inbound interface [2849]Full IP reassembly does not work with MAP [3386]
MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]
NAT pool route table option only available when specifying a range [3628]
Packets larger than
2034
bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]
TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]
MAP does not relay IPv6 ICMP error messages to IPv4 [3809]
NAT static mappings for ICMP do not work [4373]
NAT static mappings for TCP/UDP protocol on
any
port result in translation for port0
instead [4384]NAT static mappings assume external port
0
when port is omitted [4432]Packets not destined to a NAT pool are dropped when NAT simple mode is configured with
out2in-dpo
option [4927]Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]
Cannot increase NAT Sessions per thread past ~1e6 [6550]
Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]
Expired NAT sessions become active again when increasing the timeout value [7090]
NAT sessions do not expire in endpoint-independent mode [7098]
Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]
Unable to establish NAT hairpin connection [8014]
NAT in endpoint-dependent mode drops packets when it cannot identify the correct worker thread [8262]
NTP¶
NTP does not properly handle IPv6 restrictions [4626]
Delay in CLI display of NTP configuration when NTP has
noquery
set [6818]Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]
Neighbor / ARP / NDP¶
Packet loss during ARP transactions [2868]
The MAC address of a static IPv6 neighbor cannot be changed [4454]
RESTCONF¶
Adding a user via RESTCONF requires a password even when providing an ssh key [2875]
RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]
OSPF interfaces are not validated when configured via RESTCONF [3528]
Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]
Response of
/restconf/data/
and/restconf/data/netgate-interface:interfaces-state/
does not include any of*-table
[5399]RESTCONF allows configuring dataplane options for non-existent devices [5748]
RESTCONF
route-state
response does not contain actual state data [7115]RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]
History version count does not match the count of REST configuration requests if they are sent without a delay [7440]
Routing¶
Changing default metric for OSPF server does not result in update on other routers [2586]
OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]
BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]
RIP “timeout” timer does not work [2796]
ttl-security hops value can be set when ebgp-multihop is already configured [2832]
BGP session soft reset option does not work for IPv6 peers [2833]
extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]
Unable to verify received prefix-list entries via CLI when using ORF capability [2864]
BGP network backdoor feature isn’t working without service restart [2873]
BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]
Unable to verify dynamic BGP peer information from TNSR CLI [3044]
Unable to delete OSPF3 config for an interface [3481]
Change made to a prefix-list used in a OSPF3 route-map doesn’t affect redistributed routes [3644]
TNSR does not prevent creating static routes for directly connected networks [3813]
OSPF conditional default route injection does not work [3846]
Unable to verify received routes when high number of routes received via BGP [3918]
TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]
Unable to set a custom path for the FRR log file [4825]
Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]
RIP
route-map-filter
option does not filter routes [5910]Output of
show route
takes about a minute to begin displaying very large route tables (~1,000,000 routes) [6380]Unable to disable IPv4 AF without BGP service restart [6393]
BGP failover logs “Failed to delete neighbor” error from
linux-cp
[6400]OSPF virtual-link authentication does not work [6601]
Unable to remove OSPF
virtual-link
configuration [6962]OSPF can announce interfaces from other VRFs on initial configuration [7002]
Cannot add a static recursive route [7010]
VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]
Creating
route-map
,prefix-list
, oraccess-list
entries takes longer than expected [7068]Cannot disable logging of adjacency changes for OSPF6 if
detail
option is set [7097]Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]
OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]
Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]
Interfaces in TNSR
route-map
entries are not validated when generating the FRR daemon configurations [7156]Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]
Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]
Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]
OSPF logging for some options does not work if logging level is set explicitly [7411]
BGP debug option
updates in <peer>
does not filter messages for selected peer [7476]BGP session does not become active after interface goes down and recovers [7501]
OSPF6 continues to redistribute connected/kernel routes resolved via interface with linkdown status [7624]
BGP address family neighbor option
maximum-prefix restart
does not work correctly [7709]Malfunction of BGP process after entering
maximum-prefix restart
without the basicmaximum-prefix limit
command [7748]OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]
Cannot set BGP
unsuppress-map
option for IPv6 neighbor [7760]Extended BGP community lists do not work as expected [7772]
Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]
OSPF stops working after configuring
mtu-ignore
option on an interface [8085]RPC error message when using
exact
prefix match inshow route table
command for non-existent route [8088]Routes do not match by
route-map
if match criteria is set toip next-hop ...
[8148]
SNMP / IPFIX / Prometheus¶
Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]
Prometheus filters containing spaces cannot be removed [5470]
SNMP does not work on interfaces in a non-default VRF [7261]
SPAN¶
Span config disappears/appears when repeatedly restarting dataplane [6526]
Incorrect error message when requesting SPAN info from a missing interface [7209]
SPAN mirroring can not be disabled [7560]
SPAN does not work correctly for outbound packets on VLAN subinterface [7801]
Static Routes¶
Static route description is not showing up in show commands or REST state data [5478]
Static route overwrites kernel route in the operating system routing table [7215]
Transit traffic goes to an interface with inactive link when there is another (active) path [8041]
Tunnel Protocols¶
Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]
TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]
VxLAN with multicast destination does not pass traffic [6491]
GRE interface configuration remains in running config after changing GRE tunnel ID [7050]
Configuring option
route-table
in a WireGuard peer does not affectnext-hop
lookup of the endpoint address [8070]Only the first peer in a WireGuard instance functions properly [8106]
VPP processes packets received on disabled tunnel interfaces [8111]
Incorrect UDP checksum of IPv6 WireGuard packets [8163]
WireGuard tunnel interfaces with incorrect tunnel next-hops ping each other [8256]
clixon¶
log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]
clixon_backend exhausts memory while displaying high amount of routes [5226]
Configuration upgrade does not run when loading configuration via history [6968]
Unable to set up a password that starts and finishes with a double quotation mark [7571]
Unable to set up a password that contains a backslash symbol [7572]