TNSR 23.11 Release Notes

About the TNSR 23.11 Release

This is a regularly scheduled TNSR software release including new features and bug fixes.


  • This release introduces support for remote access IPsec (also known as “Mobile IPsec”). Currently TNSR supports remote access IKEv2 clients using EAP-TLS or PSK authentication.

  • On a new installation the dataplane is no longer running by default and no interfaces are automatically whitelisted. The new configuration command dataplane dpdk dev all-inactive-network can quickly create configuration entries for all interfaces not used by the host OS. See Setup NICs in Dataplane for details.

  • The CLI show commands now support a few output modifiers, for example, to filter the contents of the output (e.g. show route | match 10\.30\.). See Output Modifiers for details.

  • TNSR now automatically creates a set of PKI certificates and configures the RESTCONF service for the host namespace at boot on new installs and systems which have never configured RESTCONF before.


Changes in TNSR software version 23.11


  • Fixed: show acl pretty-print formatting is misaligned in some cases [10564]

  • Changed: Fix length of ICMP type/code fields in ACL yang data model [10846]


  • Fixed: Bridge domain is not removed in VPP when deleted via RESTCONF [10831]

  • Fixed: Bridge domains behave incorrectly when restarting dataplane [11012]


  • Added: Output filtering for show commands [9739]

  • Fixed: show configuration history version-diff does not autocomplete full command [10477]

Cloud Platforms

  • Changed: Azure: Move to Gen2 VM and build arm64 images [11617]

  • Changed: Build arm64 images for AWS [11642]

DHCP Server

  • Added: Support Kea DHCP4 authoritative configuration option [11099]


  • Fixed: Static routes with an interface as the next hop using resolve-via-attached appear to break dataplane ARP [5259]

  • Fixed: Interfaces are not attached to driver after first boot post-install [11042]

  • Added: Update VPP to stable/2306 (DPDK 23.03) [11045]

  • Changed: Start the configuration backend before starting the dataplane [11089]

  • Fixed: Buffer leak with IPv6 BFD sessions when interface is down [12348]


  • Added: Retain tnsr-diag output files in /tmp/tnsr-diag for 60 days and automatically remove older files [12242]


  • Added: Improve linux kernel command line management [10009]

  • Added: Add contents of /etc/netplan to tnsr-diag archive [10770]

  • Fixed: Starting up clixon_backend after a crash times out with large numbers of routes in the dataplane namespace [11731]

  • Added: External user authentication with RADIUS [11746]


  • Added: Support for remote access IPsec VPN [5004]

  • Fixed: CLI prints incorrect transmitted packet count for IPsec tunnel [11963]


  • Added: Command to display brief information about interfaces [9620]

  • Fixed: Adjacencies for subinterfaces are not updated when the MAC address of the parent interface changes [10726]

  • Fixed: Intel I226-V interfaces can periodically stop working in VPP [10857]

  • Fixed: Configuring large numbers of IPsec tunnels causes clixon_backend startup to timeout [11686]


  • Added: Add contents of vppctl show lacp details to tnsr-diag archive [11894]


  • Fixed: NACM rule paths created via RESTCONF are not validated and can lead to broken configuration databases [10116]


  • Fixed: 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

Neighbor / ARP / NDP

  • Added: Neighbor cache configuration [6756]

Operating System

  • Fixed: TNSR GRUB kernel arguments file is not cleared on TNSR restart [11488]


  • Added: Automate initial RESTCONF setup after installation [10078]

  • Fixed: Newlines are removed from PKI certificate and key data when importing via RESTCONF [10794]


  • Fixed: Changing default metric for OSPF server does not result in update on other routers [2586]

  • Fixed: OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • Fixed: BGP ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • Fixed: BGP session soft reset option does not work for IPv6 peers [2833]

  • Fixed: BGP extended-nexthop capability is not being negotiated between IPv6 peers [2850]

  • Fixed: Unable to verify received prefix-list entries for BGP via CLI when using ORF capability [2864]

  • Fixed: OSPF virtual-link authentication does not work [6601]

  • Fixed: redistribute table configuration in RIP/OSPF does not affect route redistribution [8390]

  • Fixed: Deprecation warning from FRR OSPF6 for interface area syntax [9783]

  • Fixed: BGP does not select the best path for a route after updating the router-id of a neighbor when bestpath compare-routerid is enabled [10391]

SNMP / IPFIX / Prometheus

  • Fixed: snmp-subagent does not recover from VPP restarting [11298]

  • Fixed: The IPFIX Exporter is sending data that can not be read by external flow collectors [11475]

  • Fixed: Corrupted IPFIX packets sent when the selector is set to ipv6 or all [11769]

  • Added: IPFIX IPv4 template missing source and destination ports for UDP and TCP [11789]

  • Added: Add IPFIX flowprobe timeouts [11947]

  • Fixed: IPFIX exporter ends up in a broken state if the selection process is disabled while there is still buffered data [12026]

  • Fixed: SNMP returns stale interface counters after VPP crashes [12056]

  • Fixed: VPP cannot apply IPFIX configuration if it contains missing interfaces [12085]

  • Fixed: TNSR incorrectly allows removal of one IPFIX cache timeout value when both must be defined [12093]

  • Fixed: IPFIX incorrectly populates TCP Flags field [12110]

  • Fixed: IPFIX flow fields have value of zero [12179]

  • Fixed: IPFIX flow Packets and Duration fields have unexpectedly high values [12180]


  • Fixed: Clixon hangs until restarted after upgrading TNSR to 23.06 via TNSR CLI package upgrade command [11039]


  • Fixed: VRRP accept-mode may cause invalid ARP requests, leading to loss of connectivity during failover [9881]

  • Added: Improve format of show interface ipv4/6 vrrp-virtual-router output [11258]

  • Added: Add virtual MAC address to show interface ipv4/6 vrrp-virtual-router output [11875]

Known Issues

Known Issues in TNSR software version 23.11


  • Attempting to remove an in-use ACL produces an ambiguous error message [11066]


  • RADIUS server shared secret is stored in the configuration as unencrypted text [12223]

  • CLI expansion does not work for server values in RADIUS server configuration [12331]

  • RADIUS authentication may not honor the configured source address [12481]


  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]

  • BFD configuration inconsistently displayed [9425]

  • No ping response from peer when BFD session is down [9447]

  • IPv6 BFD sessions are intolerant of dataplane restart [9475]


  • Bridging fails with virtual interfaces as members [7762]

  • TNSR does not retransmit ARP replies if arp entry option is enabled in a bridge domain [10880]

  • Bridge domain shg and bvi options cannot be removed alone without bridge domain in interface configuration [10926]

  • Options flood and uu-flood in config-bridge mode look the same in VPP DPDK trace [11113]


  • Deleting the startup configuration database does not fully remove the active configuration [3723]

  • Specifying interface to traceroute requires root privileges [5376]

  • Input validation of unbound message cache slabs value does not work as expected [5472]

  • CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]

  • RIP information does not contain a legend for kernel routes [7230]

  • CLI shows incorrect routing table attached to an interface in cloud environments [10589]

  • VRRP prints empty interface definitions in show config running cli output [11072]

  • Update “reflect” action description under ACL config [11093]

  • CLI expansion works incorrectly for OSPF/OSPF6 area configuration [11152]

  • Incorrect CLI expansion for VLAN tags configured on a sub-interface [11508]

  • CLI commands are not generated for RESTCONF coredump configuration [11650]

  • It is impossible to remove RESTCONF certificates and key via CLI [11685]

  • RESTCONF status does not show information about multiple sockets [11691]

  • CLI commands containing RX queue configuration fail to apply on a clean TNSR instance [11737]

  • Excess newlines are added to user-key content when adding an SSH key from the CLI [12369]

  • Unable to delete password from authentication user entry via CLI [12482]


  • Contradictory output of detailed counters on bond interface in ‘broadcast’ mode [8351]

DHCP Client

  • Host OS systemd-networkd service defaults to DHCPv4/RoutesToDNS=true even when the DNS server is non-adjacent [11444]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to setup a custom DHCP option with certain data types in the record [5299]

  • The command no authoritative in global DHCP server configuration does not work as expected [12388]

  • TNSR incorrectly allows configuring a DHCP pool outside the subnet on an interface, which prevents the DHCP daemon from starting [12470]


  • show system output does not contain DNS resolver parameters [5397]

  • Unbound fails to start with one or more values set to zero [11773]

  • Unbound cannot be configured to bind on IPv6 address [11854]

  • RESTCONF allows configuring a port for the system DNS resolver but it is not used or supported by the host OS [12307]


  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • TNSR on AWS does not pass traffic when using the igb_uio or uio_pci_generic driver [7015]

  • SEGV in VPP [9312]

  • Dataplane fails to start up after system reboot if it is configured to use number of huge pages that exceeds the default number [10848]

  • Interrupt mode does not work on Mellanox NICs [11222]

  • VPP fails to start after configuring DPDK driver default in TNSR [11949]


  • Non-root users cannot access the FRR log file [4826]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Startup entry is not created in configuration history log [7400]

  • Cannot commit a candidate configuration database if a tap interface is present [7458]

  • Incorrect error message is shown when removing ABF policy attached to an interface [9530]

  • system-ping call via REST does not return any data if it is called with timeout flag and no response from the server [10608]

  • tnsr-backup utility does not backup or restore file ownership data [11270]

  • Service control operations for a specific FRR service affect all FRR services [11592]

  • High memory usage on Azure ARM64 [12036]


  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

  • dns-resolver configured for host namespace remains in system after removing from TNSR [7830]

  • dns-resolver configuration values for host namespace remain in resolv.conf after restarting TNSR [7975]

  • Unable to show two identical host routes in TNSR [10752]

  • Some host route options configured in TNSR are not applied correctly by the Linux network subsystem [10827]

  • Some types of host static routes are not displayed by show host route command [10905]

  • Option scope for IPv6 host static routes does not apply in the Linux network subsystem [11011]

  • DNS issues can occur with netplan configurations containing static interface addresses [11017]

  • TNSR shows incorrect Link MTU for host OS loopback (lo) interface [11596]

  • Configuring a host static route on a host TAP interface results in an incorrect Netplan configuration [12004]

  • show host route output does not contain protocol value for routes obtained from DHCP [12095]


  • IPsec daemon does not support using non-default VRF entries [7266]

  • Cannot disable IPsec dpd-interval option [8012]

  • Cannot configure IPsec with manual key type [8396]

  • Error when creating IPsec tunnel via RESTCONF with tunnel-enable set [8432]

  • IPsec tunnel without a child SA does not appear in IPsec state data [8433]

  • TNSR allows unsupported IPsec encryption algorithms to be configured [10503]

  • IPsec tunnel with initially unresolvable FQDN destination does not pass traffic after remote address gets resolved if there is another IPsec tunnel using the same source [10798]

  • Some sets of policy parameters in IPsec IKEv2 do not work on Azure arm64 and AWS arm64 [11701]


  • TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]


  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • Reassembly timeout is not working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • Netgate 1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]

  • L3 packets can be sent from bridged interfaces [6975]

  • Unable to setup DPDK uio_pci_generic driver on Netgate 1541 [6981]

  • TAP instance tcpdump method only captures received packets [7137]

  • Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]

  • Interface IP address is shown in IPv4 route table instead of associated subnet [7511]

  • Setting a new MTU value does not affect the MRU for IPv6 packets [8245]

  • Unable to delete link MTU from an interface when default MTU is set less than 1280 [8837]

  • Evaluate presence of interface configuration items for loopback interfaces [9380]

  • Link state of a bond interface does not follow the link state of the underlying interfaces [10093]

  • Reinstantiation of an interface does not automatically re-create subinterfaces [10725]

  • show interface tap does not print IPv4 and IPv6 gateway information [10849]

  • show interface <name> subif command does not produce any output [10879]

  • Unable to configure interrupt mode with driver set to uio_pci_generic [11279]

  • It is possible to configure a multicast or broadcast MAC address on an interface [11454]

  • VPP can push unlimited number of VLAN tags to a packet [11509]

  • IPv6 ping from TNSR through a vhost-user interface stops working after down/up of eth0 interface in guest VM [11847]

  • Unable to create a guest VM when a vhost-user interface configured as server-mode [11864]

  • Restarting the dataplane service when a vhost-user interface is in server-mode causes the VirtualEthernet interface to shut down [11885]

  • no enable event-index command disables a vhost-user interface [11890]

  • Removing vhost-user options disable merge-rx-buffers or disable indirect-descriptors does not affect the vhost-user interface state [11896]

  • Removing vhost-user options disable merge-rx-buffers, disable indirect-descriptors disables a vhost-user interface in server-mode [11929]

  • Values that TNSR configure due to executing dataplane vhost-user coalesce-time don’t displayed correctly by vppctl show vhost-user [12066]

  • Confguring MAC address on bond interface causes its subinterface to disappear [12139]

  • Unable to add interface to bond with previously configured and then deleted IPv4 or IPv6 address [12368]

  • Configuring the same VLAN tag on multiple subinterfaces causes an existing subinterface to disappear [12394]


  • no lldp enable command shows CLI error [10925]

  • LLDP interface configuration parameters cannot be removed via CLI [10982]

  • TNSR sends incorrect LLDP management address if only lldp port-name is configured on an interface [11047]

  • TNSR continues sending LLDP frames after lldp port-name is removed from an interface using RESTCONF [11048]

  • LLDP router configuration cannot be removed [11049]


  • Unable to connect to memif interface using default socket [4448]

  • It is possible to have a memif interface pointing to a nonexistent socket [11201]

  • Incorrect state data is shown for memif interfaces [11202]

  • Impossible to set both rx-queues and tx-queues for a memif interface via CLI [11218]

  • Dataplane restart is required to change the MAC address of a memif interface [11220]

  • Cannot enter a secret phrase with spaces for a memif interface via CLI [11228]

  • Multiple memif interfaces can be configured using the same role and sockets [11230]

  • Memif interface configuration disappears after dataplane restart [11280]

  • VPP crashes when sending some commands to its memif socket [11293]

  • Non-default memif interface parameters can be applied only after dataplane restart [11294]

  • Its possible to create memif socket with incorrect filename [11295]

  • Memif socket file still exists in Host OS filesystem after being deleted from TNSR [11365]

  • Memif options rx-queues and tx-queues are not shown when executing show configuration running cli command [11453]

  • Memif instance configuration disappears when one of its options is changed [11473]

  • Link status of the memif interface can be up even if admin status is down [11474]

  • Default memif interface parameter role server is not present in configuration [11478]


  • It is possible to remove an NACM group used in a rule list [10115]


  • Twice-NAT does not work with output-feature/postrouting NAT [1023]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on any port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Packets not destined to a NAT pool are dropped when NAT simple mode is configured with out2in-dpo option [4927]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

  • Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]

  • Expired NAT sessions become active again when increasing the timeout value [7090]

  • NAT sessions do not expire in endpoint-independent mode [7098]

  • Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]

  • Unable to establish NAT hairpin connection [8014]

  • NAT in endpoint-dependent mode drops packets when it cannot identify the correct worker thread [8262]

  • Routing through NAT in EI mode does not work if NAT outside interface is IPIP or GRE [8333]

  • VPP can return incomplete session data for a user when NAT forwarding is enabled with multiple worker threads [9510]

  • Traffic from TNSR itself sourced from inside NAT interface does not get NAT applied when egressing via NAT outside interface [9706]

  • NAT side of an interface can be incorrect in state data after removing and reapplying NAT settings [12426]


  • NTP does not properly handle IPv6 restrictions [4626]

  • Delay in CLI display of NTP configuration when NTP has noquery set [6818]

  • Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]

  • Neighbor cache value for max-number is not honored if current neighbor count is larger than the configured value [12389]

Operating System

  • TNSR VM on Proxmox 8 powers off when changing dataplane interface IPv4 configuration [11204]

  • Errors at boot from enabled but unpopulated Universal Flash Storage Host Controller Driver (ufshcd) storage [11633]

  • Poor read/write performance when installed to eMMC (15GB Ultra HS-COMBO) [11688]


  • PKCS#12 archives are not generated correctly when the ca-name is not specified [10320]


  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

  • RESTCONF route-state response does not contain actual state data [7115]

  • RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]

  • History version count does not match the count of REST configuration requests if they are sent without a delay [7440]

  • Unable to clear trace filters over RESTCONF [9476]

  • RESTCONF does not validate payload body to prevent invalid arguments in certain cases [10413]

  • RESTCONF does not work with IPv6 sockets after TNSR reboot [10729]

  • Non-working RPC left in TNSR after removal of NGINX [11603]

  • Incorrect status can be shown for RESTCONF service [11657]


  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • RIP route-map-filter option does not filter routes [5910]

  • Unable to disable IPv4 AF without BGP service restart [6393]

  • BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]

  • Unable to remove OSPF virtual-link configuration [6962]

  • OSPF can announce interfaces from other VRFs on initial configuration [7002]

  • Cannot add a static recursive route [7010]

  • VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]

  • Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]

  • Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]

  • Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]

  • OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]

  • Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]

  • Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]

  • Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]

  • Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]

  • Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]

  • OSPF logging for some options does not work if logging level is set explicitly [7411]

  • BGP debug option updates in <peer> does not filter messages for selected peer [7476]

  • OSPF6 continues to redistribute connected/kernel routes resolved via interface with linkdown status [7624]

  • BGP address family neighbor option maximum-prefix restart does not work correctly [7709]

  • Malfunction of BGP process after entering maximum-prefix restart without the basic maximum-prefix limit command [7748]

  • OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]

  • Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]

  • OSPF stops working after configuring mtu-ignore option on an interface [8085]

  • Routes do not match by route-map if match criteria is set to ip next-hop ... [8148]

  • Output of show conf differs for route-map [8375]

  • Route map source-protocol match condition matches routes from any source [8381]

  • Cannot change distance for one BGP prefix [8690]

  • Forwarding address from OSPF6 LSA5 is not installed as the next hop for the route [8732]

  • BGP bestpath med missing-as-worst command does not function correctly [8805]

  • OSPFv3 repeatedly drops connection on AWS when redistribution is configured [8822]

  • Route Map with IPv6 Access List does not filter redistributed OSPF6 routes [8857]

  • Route-Map set src option does not function correctly [9045]

  • show route displays no routes for a VRF until it is placed on an interface [9073]

  • FRR cannot connect to RPKI cache server if a route to it does not exist in default VRF [9146]

  • The redistribute kernel and import vrf BGP options do not work at the same time if the static route is redistributed with an output interface in a third-party VRF [9147]

  • Applying a subsequent route map with import vrf cancels a previous applied route map [9156]

  • A route map applied to the import vrf option using a prefix list does not work correctly [9235]

  • Changing BGP as-number in default VRF leads to the termination of the import of routes to another VRF [9244]

  • Cannot change an interface to a new VRF when BGP is configured to import the current VRF [9259]

  • Changing an interface VRF does not stop importing routes from the previous VRF [9298]

  • RPKI expire-interval option does not get put into the FRR running configuration after restarting BGP/dataplane [9331]

  • Route maps with match rpki * conditions do not get re-applied when RPKI status of routes changes [9439]

  • set community command disappears from FRR configuration without warning after setting an invalid community [9508]

  • Suppression of specific routes when applied to an aggregated route of a route map containing set aggregator as <asn> ip address <ipv4-address> command [9547]

  • BGP soft-reconfiguration inbound option does not work for IPv6 peers [10086]

  • BGP selects incorrect path to a network when changing bestpath rules [10210]

  • zebra causes out-of-memory error on AWS when restarting TNSR after receiving 1.5-2 million prefixes via BGP [10273]

  • FRR fails to reload configuration if set as-path prepend values are incorrectly enclosed in quotes [10309]

  • OSPF6 conditional default route injection does not work correctly [10311]

  • BGP route-reflector-client option does not work on neighbor configurations using IP addresses instead of peer groups [10356]

  • Cannot remove BGP unsuppress-map option by route-map name for IPv6 neighbor [10409]

  • OSPFv3 default-information originate options do not stack when configured separately [10478]

  • OSPFv2 metric-type 2 option explicitly set for default-information originate does not get placed into the FRR configuration [10479]

  • Unexpected delay in distribution of route information between OSPF database and RIB during propagation of OSPF default route [10721]

  • Static route with next-hop IP address located on a DHCP client interface causes clixon_backend to fail [11765]

  • Routes with a via local destination are not available to FRR as kernel routes [11887]

  • CLI expansion does not work for prefix-list configuration in BGP address-family/neighbor section [11888]

  • A prefix-list can be configured with an invalid sequence number (0) [11889]

  • TNSR fails to show routes if there are IPv4 routes with IPv6 next-hops [12060]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains changed ABF policy attached to interface [12248]

SNMP / IPFIX / Prometheus

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • SNMP does not work on interfaces in a non-default VRF [7261]

  • SNMP view configured with source address default does not accept queries from IPv6 addresses [12053]

  • VPP shows incorrect values for configured IPFIX cache timeout settings if they are greater than 2^31 [12094]

  • VPP crash during NAT out2in slowpath [12099]


  • Span config disappears/appears when repeatedly restarting dataplane [6526]

  • Incorrect error message when requesting SPAN info from a missing interface [7209]

  • SPAN mirroring can not be disabled [7560]

  • SPAN does not work correctly for outbound packets on VLAN subinterface [7801]

Static Routes

  • Static route description is not showing up in show commands or REST state data [5478]

  • Static route overwrites kernel route in the operating system routing table [7215]

  • Transit traffic goes to an interface with inactive link when there is another (active) path [8041]

Tunnel Protocols

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

  • VxLAN with multicast destination does not pass traffic [6491]

  • GRE interface configuration remains in running config after changing GRE tunnel ID [7050]

  • Configuring option route-table in a WireGuard peer does not affect next-hop lookup of the endpoint address [8070]

  • VPP processes packets received on disabled tunnel interfaces [8111]

  • WireGuard tunnel interfaces still function with a tunnel next-hops entry having an incorrect next-hop-address [8256]

  • Tunnel next-hop entries do not function in non-default VRFs [8653]

  • Incorrect WireGuard tunnel next-hop after roaming [8764]

  • IPIP interface loses attached ACLs when DNS resolution of the remote endpoint changes [10171]

  • IPIP interface loses TCP MSS setting when DNS resolution of the remote endpoint changes [10312]

  • IPv6 VxLAN does not pass traffic if it is configured over IPv6 IPsec [10592]

  • Lower than expected throughput over VXLAN interfaces terminated on a loopback BVI [10643]

  • It is possible to create a WireGuard instance and peer without a port value [11114]

  • It is possible to specify different address families for WireGuard source address and Peer endpoint address [11175]

  • Removing WireGuard peer causes an error message [11209]

  • WireGuard instance can be deleted even if it contains peers [11217]


  • Router upgraded to 22.10-2 will not start without an IKE prf entry [9368]


  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • Configuration upgrade does not run when loading configuration via history [6968]

  • Unable to set up a password that starts and finishes with a double quotation mark [7571]

  • Unable to set up a password that contains a backslash symbol [7572]

  • clixon-backend fails when interfaces are removed [11518]

  • clixon-backend fails if any PKI entries referenced in the RESTCONF configuration are missing [11988]