TNSR 23.02.1 Release Notes

About the TNSR 23.02.1 Release

This is a maintenance release for TNSR software version 23.02 with bug fixes.

General

Changes

Changes in TNSR software version 23.02.1

Dataplane

  • Fixed: IPv6 Neighbor Discovery starts to fail until Linux neighbor cache is cleared [9135]

  • Fixed: VPP crash from process node scheduling and expiration issues [9339]

  • Fixed: VPP hangs resulting in SNMP segfault [9665]

Known Issues

Known Issues in TNSR software version 23.02

BFD

  • Unable to setup delayed option for an existing BFD session via REST [2709]

  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]

  • BFD configuration inconsistently displayed [9425]

  • No ping response from peer when BFD session is down [9447]

  • IPv6 BFD sessions are intolerant of dataplane restart [9475]

Bridge

  • Bridge domain ARP entries cannot be displayed via CLI [2378]

  • Bridge domain ARP entries cannot be removed via CLI [2380]

  • Bridge domain mac-age value cannot be removed via CLI [2381]

  • Bridge domains and split-horizon groups are not functioning properly [5500]

  • Bridging fails with virtual interfaces as members [7762]

CLI

  • CLI does not always return from a shell prompt [2651]

  • Deleting the startup configuration database does not fully remove the active configuration [3723]

  • Specifying interface to traceroute requires root privileges [5376]

  • Input validation of unbound message cache slabs value does not work as expected [5472]

  • CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]

  • RIP information does not contain a legend for kernel routes [7230]

  • The cli autocompletion when launching BGP in several VRF’s suggests BGP neighbors not from their VRF [9316]

  • show host interface command allows repeated use of identical parameters [9969]

Counters

  • Contradictory output of detailed counters on bond interface in ‘broadcast’ mode [8351]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to setup a custom DHCP option with certain data types in the record [5299]

DNS

  • show system output does not contain DNS resolver parameters [5397]

Dataplane

  • Link state is always up when using e1000 network drivers [2831]

  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • Static routes with an interface as the next hop using resolve-via-attached appear to break dataplane ARP [5259]

  • TNSR on AWS does not pass traffic when using the igb_uio or uio_pci_generic driver [7015]

  • Interrupt rx-mode does not function on some hardware [9039]

  • IPv6 Neighbor Discovery starts to fail until Linux neighbor cache is cleared [9135]

  • SEGV in VPP [9312]

  • VPP crashes while initializing VMXNET3 interfaces using default configuration [10064]

General

  • Non-root users cannot access the FRR log file [4826]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Startup entry is not created in configuration history log [7400]

  • Cannot commit a candidate configuration database if a tap interface is present [7458]

  • Incorrect error message is shown when removing ABF policy attached to an interface [9530]

Host

  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

  • dns-resolver configured for host namespace remains in system after removing from TNSR [7830]

  • dns-resolver configuration values for host namespace remain in resolv.conf after restarting TNSR [7975]

  • Missing host interfaces are not handled properly by TNSR [10272]

IPsec

  • IPsec daemon does not support using non-default VRF entries [7266]

  • Cannot disable IPsec dpd-interval option [8012]

  • Cannot configure IPsec with manual key type [8396]

  • Error when creating IPsec tunnel via RESTCONF with tunnel-enable set [8432]

  • IPsec tunnel without a child SA does not appear in IPsec state data [8433]

Installation

  • TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]

Interfaces

  • VLAN subinterfaces do not work with virtio network drivers on KVM [2189]

  • Unable to set IPv6 link-local address on an interface [2394]

  • Unable to create subinterface with dot1q any tag [2652]

  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • Reassembly timeout is not working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]

  • L3 packets can be sent from bridged interfaces [6975]

  • Unable to setup DPDK uio_pci_generic driver on XG-1541 [6981]

  • TAP instance tcpdump method only captures received packets [7137]

  • Unable to delete a non-existent multicast-interface from VXLAN tunnel configuration [7278]

  • Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]

  • Interface IP address is shown in IPv4 route table instead of associated subnet [7511]

  • Setting a new MTU value does not affect the MRU for IPv6 packets [8245]

  • Unable to delete link MTU from an interface when default MTU is set less than 1280 [8837]

  • Evaluate presence of interface configuration items for loopback interfaces [9380]

  • Link state of a bond interface does not follow the link state of the underlying interfaces [10093]

  • Interfaces disappear at boot until dataplane is restarted with vfio-pci driver [10280]

Memif

  • Unable to connect to memif interface using default socket [4448]

NACM

  • It is possible to remove an NACM group used in a rule list [10115]

  • NACM rule paths created via RESTCONF are not validated and can lead to broken configuration databases [10116]

NAT

  • Twice-NAT does not work [1023]

  • 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on any port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Packets not destined to a NAT pool are dropped when NAT simple mode is configured with out2in-dpo option [4927]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

  • Cannot increase NAT Sessions per thread past ~1e6 [6550]

  • Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]

  • Expired NAT sessions become active again when increasing the timeout value [7090]

  • NAT sessions do not expire in endpoint-independent mode [7098]

  • Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]

  • Unable to establish NAT hairpin connection [8014]

  • NAT in endpoint-dependent mode drops packets when it cannot identify the correct worker thread [8262]

  • Routing through NAT in EI mode doesn’t work if NAT outside interface is IPSec tunnel [8333]

  • VPP can return incomplete session data for a user when NAT forwarding is enabled with multiple worker threads [9510]

  • Traffic from TNSR itself sourced from inside NAT interface does not get NAT applied when egressing via NAT outside interface [9706]

NTP

  • NTP does not properly handle IPv6 restrictions [4626]

  • Delay in CLI display of NTP configuration when NTP has noquery set [6818]

  • Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]

PKI

  • PKI certificate entries do not include Key Usage/Extended Key Usage properties and may be rejected for some purposes when SANs are present [10018]

RESTCONF

  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

  • RESTConf route-state response does not contain actual state data [7115]

  • RESTConf dataplane service does not work on interfaces in a non-default VRF [7265]

  • History version count does not match the count of REST configuration requests if they are sent without a delay [7440]

  • Unable to clear trace filters over RESTCONF [9476]

  • RESTCONF daemon exits when certain clients fail to validate the server certificate [10112]

Routing

  • Changing default metric for OSPF server does not result in update on other routers [2586]

  • OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • RIP “timeout” timer does not work [2796]

  • ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]

  • Unable to verify received prefix-list entries via CLI when using ORF capability [2864]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • RIP route-map-filter option does not filter routes [5910]

  • Unable to disable IPv4 AF without BGP service restart [6393]

  • BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]

  • OSPF virtual-link authentication does not work [6601]

  • Unable to remove OSPF virtual-link configuration [6962]

  • OSPF can announce interfaces from other VRFs on initial configuration [7002]

  • Cannot add a static recursive route [7010]

  • VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]

  • Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]

  • Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]

  • Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]

  • OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]

  • Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]

  • Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]

  • Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]

  • Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]

  • Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]

  • OSPF logging for some options does not work if logging level is set explicitly [7411]

  • BGP debug option updates in <peer> does not filter messages for selected peer [7476]

  • BGP session does not become active after interface goes down and recovers [7501]

  • OSPF6 continues to redistribute connected/kernel routes resolved via interface with linkdown status [7624]

  • BGP address family neighbor option maximum-prefix restart does not work correctly [7709]

  • Malfunction of BGP process after entering maximum-prefix restart without the basic maximum-prefix limit command [7748]

  • OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]

  • Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]

  • OSPF stops working after configuring mtu-ignore option on an interface [8085]

  • Routes do not match by route-map if match criteria is set to ip next-hop ... [8148]

  • Output of show conf differs for route-map [8375]

  • Route map source-protocol match condition matches routes from any source [8381]

  • redistribute table configuration in RIP/OSPF does not affect route redistribution [8390]

  • Cannot change distance for one BGP prefix [8690]

  • Forwarding address from OSPF6 LSA5 is not installed as the next hop for the route [8732]

  • BGP bestpath med missing-as-worst command does not function correctly [8805]

  • OSPFv3 repeatedly drops connection on AWS when redistribution is configured [8822]

  • Route Map with IPv6 Access List does not filter redistributed OSPF6 routes [8857]

  • Route-Map set src option does not function correctly [9045]

  • show route displays no routes for a VRF until it is placed on an interface [9073]

  • FRR cannot connect to RPKI cache server if a route to it does not exist in default VRF [9146]

  • The redistribute kernel and import vrf BGP options do not work at the same time if the static route is redistributed with an output interface in a third-party VRF [9147]

  • Applying a subsequent route map with import vrf cancels a previous applied route map [9156]

  • A route map applied to the import vrf option using a prefix list does not work correctly [9235]

  • Changing BGP as-number in default VRF leads to the termination of the import of routes to another VRF [9244]

  • Cannot change an interface to a new VRF when BGP is configured to import the current VRF [9259]

  • Changing an interface VRF does not stop importing routes from the previous VRF [9298]

  • RPKI expire-interval option does not get put into the FRR running configuration after restarting BGP/dataplane [9331]

  • Route maps with match rpki * conditions do not get re-applied when RPKI status of routes changes [9439]

  • TNSR does not prevent removing extended and large community lists referred by route maps [9499]

  • set community command disappears from FRR configuration without warning after setting an invalid community [9508]

  • Suppression of specific routes when applied to an aggregated route of a route map containing set aggregator as <asn> ip address <ipv4-address> command [9547]

  • Deprecation warning from FRR OSPF6 for interface area syntax [9783]

  • BGP soft-reconfiguration inbound option does not work for IPv6 peers [10086]

  • BGP selects incorrect path to a network when changing bestpath rules [10210]

  • zebra causes out-of-memory error on AWS when restarting TNSR after receiving 1.5-2 million prefixes via BGP [10273]

SNMP / IPFIX / Prometheus

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • SNMP does not work on interfaces in a non-default VRF [7261]

SPAN

  • Span config disappears/appears when repeatedly restarting dataplane [6526]

  • Incorrect error message when requesting SPAN info from a missing interface [7209]

  • SPAN mirroring can not be disabled [7560]

  • SPAN does not work correctly for outbound packets on VLAN subinterface [7801]

Static Routes

  • Static route description is not showing up in show commands or REST state data [5478]

  • Static route overwrites kernel route in the operating system routing table [7215]

  • Transit traffic goes to an interface with inactive link when there is another (active) path [8041]

Tunnel Protocols

  • Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

  • VxLAN with multicast destination does not pass traffic [6491]

  • GRE interface configuration remains in running config after changing GRE tunnel ID [7050]

  • Configuring option route-table in a WireGuard peer does not affect next-hop lookup of the endpoint address [8070]

  • VPP processes packets received on disabled tunnel interfaces [8111]

  • WireGuard tunnel interfaces still function with a tunnel next-hops entry having an incorrect next-hop-address [8256]

  • Tunnel next-hop entries do not function in non-default VRFs [8653]

  • Incorrect WireGuard tunnel next-hop after roaming [8764]

  • Changing crypto asynchronous dispatch-mode greatly increases the latency between IPsec tunnel IP addresses [10030]

  • IPIP interface loses attached ACLs when DNS resolution of the remote endpoint changes [10171]

Updates

  • Router upgraded to 22.10-2 will not start without an IKE prf entry [9368]

VRRP

  • VRRP accept-mode may cause invalid ARP requests, leading to loss of connectivity during failover [9881]

clixon

  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • Configuration upgrade does not run when loading configuration via history [6968]

  • Unable to set up a password that starts and finishes with a double quotation mark [7571]

  • Unable to set up a password that contains a backslash symbol [7572]