TNSR 23.02 Release Notes

About the TNSR 23.02 Release

This is a regularly scheduled TNSR software release including new features and bug fixes.


  • There is an incompatibility between some packages in TNSR 22.10-2 and their counterparts in TNSR 23.02. Because of the procedure they use to upgrade packages, the TNSR CLI package upgrade command and the RESTCONF package-upgrade RPC will both fail when upgrading across this incompatibility.

    When upgrading to TNSR 23.02, use the host shell upgrade method described in Updating via the shell. That method works as expected because it uses sudo apt full-upgrade, a procedure which does not have the same issue.

    The issue is addressed in TNSR 23.02, so the next upgrade (from TNSR 23.02 to TNSR 23.06 or other later versions) will not be subject to the same problem.

    If the CLI package upgrade command or the RESTCONF package-upgrade RPC is run and the upgrade fails, running sudo apt full-upgrade from a host shell is also the rescue procedure for completing the upgrade successfully.

  • IPsec was changed to remove several older, insecure algorithms.


    This version of TNSR deprecates the 3DES and MD5 algorithms in IPsec as they are no longer considered secure for use with VPNs [10026].

    On upgrade, TNSR will replace the deprecated values in existing IPsec tunnel IKE and child proposals with stronger options:

    • 3DES encryption will be changed to AES-128

    • MD5 integrity will be changed to SHA-256

    • MD5 Pseudo-Random Function (PRF) will be changed to SHA-256

    Remote peers must be updated to match the new values.

    The best practice is to reconfigure tunnels using better encryption and test them before performing an upgrade to ensure a smoother transition.

    This change only affects IPsec and not other uses of these algorithms. For example, BGP can still use TCP-MD5 authentication.

  • The best practice value for memory page size has been updated. The optimal default size for most workloads is now 2m pages to avoid delays in memory allocation, especially on systems where the main heap size has been increased.

    tnsr(config)# dataplane memory main-heap-page-size 2m

    For more information, see Page Size and Memory.
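For the IPsec algorithm change described above, a pre-upgrade check can list every IKE and child proposal that still uses 3DES or MD5, the value it will be rewritten to, and therefore which tunnels need their remote peer updated. This is an added example, not Netgate code; the configuration text is a constructed sample, and its keywords, value spellings (3des, md5, prfmd5) and indentation are assumptions to adapt to an actual saved configuration.

```python
import re

# Substitutions TNSR 23.02 makes on upgrade, as listed in the release notes:
# (setting, substring marking the deprecated value) -> replacement.
REPLACEMENTS = {
    ("encryption", "3des"): "AES-128",
    ("integrity", "md5"): "SHA-256",
    ("prf", "md5"): "SHA-256",
}

# Constructed sample, not taken from a real router. Keywords, value
# spellings and indentation are assumptions; adjust them to your dump.
SAMPLE_CONFIG = """\
ipsec tunnel 0
    crypto ike
        proposal 1
            encryption 3des
            integrity md5
            prf prfmd5
            group modp2048
            exit
        child 1
            proposal 1
                encryption aes256
                integrity md5
                exit
            exit
        exit
    exit
ipsec tunnel 1
    crypto ike
        proposal 1
            encryption aes128
            integrity sha256
            exit
        exit
    exit
"""

CONTEXT = re.compile(r"^(ipsec tunnel|crypto ike|child|proposal)\b\s*(\S*)$")
SETTING = re.compile(r"^(encryption|integrity|prf)\s+(\S+)$")


def audit_ipsec(config_text):
    """Return (path, setting, current value, post-upgrade value) tuples."""
    findings, stack = [], []  # stack holds (indent, label) of open blocks
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:  # left one or more blocks
            stack.pop()
        ctx = CONTEXT.match(line)
        if ctx:
            stack.append((indent, " ".join(filter(None, ctx.groups()))))
            continue
        setting = SETTING.match(line)
        # Only IPsec proposals change; other uses such as BGP TCP-MD5 do not.
        if not setting or not (stack and stack[0][1].startswith("ipsec tunnel")):
            continue
        kind, value = setting.group(1), setting.group(2).lower()
        for (name, marker), new in REPLACEMENTS.items():
            if name == kind and marker in value:
                path = " / ".join(label for _, label in stack)
                findings.append((path, kind, value, new))
    return findings


def tunnels_needing_peer_update(findings):
    """Tunnels whose remote peer must be reconfigured to match."""
    return sorted({path.split(" / ")[0] for path, *_ in findings})


if __name__ == "__main__":
    results = audit_ipsec(SAMPLE_CONFIG)
    for path, kind, old, new in results:
        print(f"{path}: {kind} {old} -> {new}")
    print("update peers for:", tunnels_needing_peer_update(results))
```

An empty result means no proposal in the checked text would be rewritten by the upgrade.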


Changes in TNSR software version 23.02


  • Added: CLI command to rapidly exit all modes (end) [383]

  • Fixed: Interface vrf command is missing argument description when there are no VRFs defined [8941]

  • Fixed: Interface access-list input acl command is missing argument description when there are no ACLs defined [9248]

  • Added: Interface access-list output acl command is missing argument description when there are no ACLs defined [9249]

  • Fixed: Interface access-list macip command is missing argument description when there are no MACIP ACLs defined [9250]

  • Added: Change show configuration XML and JSON output to only include explicitly configured values by default [9295]

  • Fixed: Interface bond command is missing argument description when there are no bonds defined [9341]

  • Fixed: Interface bridge domain command is missing argument description when there are no domains defined [9342]

  • Fixed: Interface vrf command missing description when route names undefined [9353]

  • Fixed: ABF policy list is not printed in the expected order [9438]

  • Fixed: CLI commands generated in wrong order for CPU workers [9537]


  • Added: Support for Ice Lake QAT devices [9154]

  • Added: Update VPP to stable/2210 (DPDK 22.07) [9167]

  • Fixed: QAT device drivers may use incorrect configuration on certain hardware [9231]

  • Added: Settings for dataplane API segment management [9373]

  • Changed: Deprecate dataplane cpu coremask-workers [9452]

  • Fixed: IPv6 neighbor advertisements do not have the “router” flag set [9778]


  • Changed: Add vppctl show event-logger output to tnsr-diag archive [9418]

  • Changed: Add output of vppctl show memory commands to tnsr-diag archive [9450]


  • Added: Configuration of host system static routes [6729]

  • Added: User-defined log files need rotation or other size limit mechanism [6977]

  • Fixed: package commands use apt, which prints console warnings [9127]

  • Added: Configuration of Linux kernel cmdline arguments [9195]

  • Added: Configuration of host interface DHCP client [9263]

  • Added: Enable core dumps for services by default [9667]


  • Added: Improve support for DNS/FQDNs as IPsec tunnel endpoints [5227]

  • Changed: Remove deprecated IPsec authentication type CLI command [9020]

  • Fixed: Patch VPP security vulnerability CVE-2022-46397 (IPSec generates a predictable IV in AES-CBC mode) [10025]

  • Changed: Remove support for 3DES, MD5 with IKE and IPsec [10026]


  • Added: Add configuration of IPv6 router advertisements to enable SLAAC clients [5676]

  • Added: Adaptive interface RX mode support [9203]

  • Added: Condense show interface CLI output [9552]


  • Fixed: Enabling NAT plugin times out [9329]

  • Fixed: Clixon backend crash when running show nat sessions with multiple worker threads [9415]

Operating System

  • Changed: Sync dpdk-kmods with upstream [10090]


  • Added: Show CA/certificate expiration date and validity when listing entries [6914]

  • Added: Commands to view PKI entry properties [9019]

  • Added: Command to export PKCS#12 archives for PKI certificate entries [10035]


  • Fixed: REST API requests from Postman fail [10156]


  • Fixed: Unable to set a custom path for the FRR log file [4825]

  • Fixed: Cannot set BGP unsuppress-map option for IPv6 neighbor [7760]

  • Added: Support for default-information originate in OSPF6 [8692]

  • Fixed: RPKI settings do not get applied until the BGP service is restarted [9122]

  • Fixed: Column headers in BGP neighbor routes output table are not aligned with data [9123]

  • Fixed: ABF policy does not forward IPv6 packets when ipv6-next-hop is set to local [9149]

  • Fixed: Cannot remove an additive option from a route-map that sets a community [9346]

  • Fixed: RPKI source parameter does not get applied until BGP service is restarted [9356]

  • Fixed: CLI does not allow IPv6 BFD peer address to be entered for show command [9440]

  • Added: Support exclusion of packets from ABF processing using deny ACL rules [9609]

SNMP / IPFIX / Prometheus

  • Fixed: Enabling core dumps for snmp service does not enable them for snmp-subagent [9696]

  • Fixed: snmp-subagent daemon does not check its API connection before use [9704]

Static Routes

  • Fixed: Static route next-hop options stack when updated, but only one works [5326]

Tunnel Protocols

  • Fixed: IPv6 VXLAN does not work over WireGuard IPv6 tunnel [8360]

Known Issues

Known Issues in TNSR software version 23.02


  • Unable to set up delayed option for an existing BFD session via REST [2709]

  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]

  • BFD configuration inconsistently displayed [9425]

  • No ping response from peer when BFD session is down [9447]

  • IPv6 BFD sessions are intolerant of dataplane restart [9475]


  • Bridge domain ARP entries cannot be displayed via CLI [2378]

  • Bridge domain ARP entries cannot be removed via CLI [2380]

  • Bridge domain mac-age value cannot be removed via CLI [2381]

  • Bridge domains and split-horizon groups are not functioning properly [5500]

  • Bridging fails with virtual interfaces as members [7762]


  • CLI does not always return from a shell prompt [2651]

  • Deleting the startup configuration database does not fully remove the active configuration [3723]

  • Specifying interface to traceroute requires root privileges [5376]

  • Input validation of unbound message cache slabs value does not work as expected [5472]

  • CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]

  • RIP information does not contain a legend for kernel routes [7230]

  • The CLI autocompletion when launching BGP in several VRFs suggests BGP neighbors not from their VRF [9316]

  • show host interface command allows repeated use of identical parameters [9969]


  • Contradictory output of detailed counters on bond interface in ‘broadcast’ mode [8351]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to set up a custom DHCP option with certain data types in the record [5299]


  • show system output does not contain DNS resolver parameters [5397]


  • Link state is always up when using e1000 network drivers [2831]

  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • Static routes with an interface as the next hop using resolve-via-attached appear to break dataplane ARP [5259]

  • TNSR on AWS does not pass traffic when using the igb_uio or uio_pci_generic driver [7015]

  • Interrupt rx-mode does not function on some hardware [9039]

  • IPv6 Neighbor Discovery starts to fail until Linux neighbor cache is cleared [9135]

  • SEGV in VPP [9312]

  • Unexplained crashes in VPP [9339]

  • VPP hangs resulting in SNMP segfault [9665]

  • VPP crashes while initializing VMXNET3 interfaces using default configuration [10064]


  • Non-root users cannot access the FRR log file [4826]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Startup entry is not created in configuration history log [7400]

  • Cannot commit a candidate configuration database if a tap interface is present [7458]

  • Incorrect error message is shown when removing ABF policy attached to an interface [9530]


  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

  • dns-resolver configured for host namespace remains in system after removing from TNSR [7830]

  • dns-resolver configuration values for host namespace remain in resolv.conf after restarting TNSR [7975]

  • Missing host interfaces are not handled properly by TNSR [10272]


  • IPsec daemon does not support using non-default VRF entries [7266]

  • Cannot disable IPsec dpd-interval option [8012]

  • Cannot configure IPsec with manual key type [8396]

  • Error when creating IPsec tunnel via RESTCONF with tunnel-enable set [8432]

  • IPsec tunnel without a child SA does not appear in IPsec state data [8433]


  • TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]


  • VLAN subinterfaces do not work with virtio network drivers on KVM [2189]

  • Unable to set IPv6 link-local address on an interface [2394]

  • Unable to create subinterface with dot1q any tag [2652]

  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • Reassembly timeout is not working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]

  • L3 packets can be sent from bridged interfaces [6975]

  • Unable to set up DPDK uio_pci_generic driver on XG-1541 [6981]

  • TAP instance tcpdump method only captures received packets [7137]

  • Unable to delete a non-existent multicast-interface from VXLAN tunnel configuration [7278]

  • Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]

  • Interface IP address is shown in IPv4 route table instead of associated subnet [7511]

  • Setting a new MTU value does not affect the MRU for IPv6 packets [8245]

  • Unable to delete link MTU from an interface when default MTU is set less than 1280 [8837]

  • Evaluate presence of interface configuration items for loopback interfaces [9380]

  • Link state of a bond interface does not follow the link state of the underlying interfaces [10093]

  • Interfaces disappear at boot until dataplane is restarted with vfio-pci driver [10280]


  • Unable to connect to memif interface using default socket [4448]


  • It is possible to remove an NACM group used in a rule list [10115]

  • NACM rule paths created via RESTCONF are not validated and can lead to broken configuration databases [10116]


  • Twice-NAT does not work [1023]

  • 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on any port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Packets not destined to a NAT pool are dropped when NAT simple mode is configured with out2in-dpo option [4927]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

  • Cannot increase NAT Sessions per thread past ~1e6 [6550]

  • Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]

  • Expired NAT sessions become active again when increasing the timeout value [7090]

  • NAT sessions do not expire in endpoint-independent mode [7098]

  • Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]

  • Unable to establish NAT hairpin connection [8014]

  • NAT in endpoint-dependent mode drops packets when it cannot identify the correct worker thread [8262]

  • Routing through NAT in EI mode doesn’t work if NAT outside interface is IPSec tunnel [8333]

  • VPP can return incomplete session data for a user when NAT forwarding is enabled with multiple worker threads [9510]

  • Traffic from TNSR itself sourced from inside NAT interface does not get NAT applied when egressing via NAT outside interface [9706]


  • NTP does not properly handle IPv6 restrictions [4626]

  • Delay in CLI display of NTP configuration when NTP has noquery set [6818]

  • Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]


  • PKI certificate entries do not include Key Usage/Extended Key Usage properties and may be rejected for some purposes when SANs are present [10018]


  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

  • RESTCONF route-state response does not contain actual state data [7115]

  • RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]

  • History version count does not match the count of REST configuration requests if they are sent without a delay [7440]

  • Unable to clear trace filters over RESTCONF [9476]

  • RESTCONF daemon exits when certain clients fail to validate the server certificate [10112]


  • Changing default metric for OSPF server does not result in update on other routers [2586]

  • OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • RIP “timeout” timer does not work [2796]

  • ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]

  • Unable to verify received prefix-list entries via CLI when using ORF capability [2864]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute isn’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • RIP route-map-filter option does not filter routes [5910]

  • Unable to disable IPv4 AF without BGP service restart [6393]

  • BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]

  • OSPF virtual-link authentication does not work [6601]

  • Unable to remove OSPF virtual-link configuration [6962]

  • OSPF can announce interfaces from other VRFs on initial configuration [7002]

  • Cannot add a static recursive route [7010]

  • VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]

  • Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]

  • Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]

  • Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]

  • OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]

  • Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]

  • Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]

  • Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]

  • Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]

  • Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]

  • OSPF logging for some options does not work if logging level is set explicitly [7411]

  • BGP debug option updates in <peer> does not filter messages for selected peer [7476]

  • BGP session does not become active after interface goes down and recovers [7501]

  • OSPF6 continues to redistribute connected/kernel routes resolved via interface with linkdown status [7624]

  • BGP address family neighbor option maximum-prefix restart does not work correctly [7709]

  • Malfunction of BGP process after entering maximum-prefix restart without the basic maximum-prefix limit command [7748]

  • OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]

  • Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]

  • OSPF stops working after configuring mtu-ignore option on an interface [8085]

  • Routes do not match by route-map if match criteria is set to ip next-hop ... [8148]

  • Output of show conf differs for route-map [8375]

  • Route map source-protocol match condition matches routes from any source [8381]

  • redistribute table configuration in RIP/OSPF does not affect route redistribution [8390]

  • Cannot change distance for one BGP prefix [8690]

  • Forwarding address from OSPF6 LSA5 is not installed as the next hop for the route [8732]

  • BGP bestpath med missing-as-worst command does not function correctly [8805]

  • OSPFv3 repeatedly drops connection on AWS when redistribution is configured [8822]

  • Route Map with IPv6 Access List does not filter redistributed OSPF6 routes [8857]

  • Route-Map set src option does not function correctly [9045]

  • show route displays no routes for a VRF until it is placed on an interface [9073]

  • FRR cannot connect to RPKI cache server if a route to it does not exist in default VRF [9146]

  • The redistribute kernel and import vrf BGP options do not work at the same time if the static route is redistributed with an output interface in a third-party VRF [9147]

  • Applying a subsequent route map with import vrf cancels a previous applied route map [9156]

  • A route map applied to the import vrf option using a prefix list does not work correctly [9235]

  • Changing BGP as-number in default VRF leads to the termination of the import of routes to another VRF [9244]

  • Cannot change an interface to a new VRF when BGP is configured to import the current VRF [9259]

  • Changing an interface VRF does not stop importing routes from the previous VRF [9298]

  • RPKI expire-interval option does not get put into the FRR running configuration after restarting BGP/dataplane [9331]

  • Route maps with match rpki * conditions do not get re-applied when RPKI status of routes changes [9439]

  • TNSR does not prevent removing extended and large community lists referred by route maps [9499]

  • set community command disappears from FRR configuration without warning after setting an invalid community [9508]

  • Suppression of specific routes when applied to an aggregated route of a route map containing set aggregator as <asn> ip address <ipv4-address> command [9547]

  • Deprecation warning from FRR OSPF6 for interface area syntax [9783]

  • BGP soft-reconfiguration inbound option does not work for IPv6 peers [10086]

  • BGP selects incorrect path to a network when changing bestpath rules [10210]

  • zebra causes out-of-memory error on AWS when restarting TNSR after receiving 1.5-2 million prefixes via BGP [10273]

SNMP / IPFIX / Prometheus

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • SNMP does not work on interfaces in a non-default VRF [7261]


  • Span config disappears/appears when repeatedly restarting dataplane [6526]

  • Incorrect error message when requesting SPAN info from a missing interface [7209]

  • SPAN mirroring cannot be disabled [7560]

  • SPAN does not work correctly for outbound packets on VLAN subinterface [7801]

Static Routes

  • Static route description is not showing up in show commands or REST state data [5478]

  • Static route overwrites kernel route in the operating system routing table [7215]

  • Transit traffic goes to an interface with inactive link when there is another (active) path [8041]

Tunnel Protocols

  • Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

  • VxLAN with multicast destination does not pass traffic [6491]

  • GRE interface configuration remains in running config after changing GRE tunnel ID [7050]

  • Configuring option route-table in a WireGuard peer does not affect next-hop lookup of the endpoint address [8070]

  • VPP processes packets received on disabled tunnel interfaces [8111]

  • WireGuard tunnel interfaces still function with a tunnel next-hops entry having an incorrect next-hop-address [8256]

  • Tunnel next-hop entries do not function in non-default VRFs [8653]

  • Incorrect WireGuard tunnel next-hop after roaming [8764]

  • Changing crypto asynchronous dispatch-mode greatly increases the latency between IPsec tunnel IP addresses [10030]

  • IPIP interface loses attached ACLs when DNS resolution of the remote endpoint changes [10171]


  • Router upgraded to 22.10-2 will not start without an IKE prf entry [9368]


  • VRRP accept-mode may cause invalid ARP requests, leading to loss of connectivity during failover [9881]


  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • Configuration upgrade does not run when loading configuration via history [6968]

  • Unable to set up a password that starts and finishes with a double quotation mark [7571]

  • Unable to set up a password that contains a backslash symbol [7572]