TNSR 25.10 Release Notes¶
About the TNSR 25.10 Release¶
This is a regularly scheduled TNSR software release including new features and bug fixes.
Notes¶
VPF prefix tables have changed from the keyword table to prefix-table due to the addition of port tables. TNSR will update configurations automatically.
VPF NAT now has a src-ip-hash address selection algorithm for NAT rules which apply NAT translation using a pool of addresses. This algorithm only considers the source address (e.g. local clients) when choosing a translation address from a pool, which maintains a consistent translation address for all connections sourced by a local client. This new algorithm improves behavior for protocols such as SIP which rely on the NAT translation address being consistent for local clients. Consider changing existing NAT rules to the new algorithm after upgrading.
VPF now supports endpoint-independent NAT (also known as “full cone NAT”). Read all the information and warnings about its use before considering activating this NAT mode. For details, see Endpoint-Dependent vs Endpoint-Independent.
TEB mode GRE interfaces now use randomized MAC addresses by default for interfaces which do not have a manually specified MAC address.
Dataplane NAT Removed¶
Dataplane NAT functionality has been removed in this release.
Danger
Configurations which rely on dataplane NAT will no longer pass traffic as expected after upgrading.
Note
This does not include MAP, which is separate and still present.
Environments which require NAT must convert the configuration to VPF NAT. VPF offers significant advantages over the NAT features formerly available in the dataplane. Not only is VPF NAT more stable, but it offers features and flexibility that were not possible with dataplane NAT.
There is no automatic conversion from dataplane NAT to VPF NAT; rulesets must be converted manually.
TNSR makes the following changes when upgrading to this release or restoring an older backup:
Removes dataplane NAT configuration.
Removes interface NAT configuration for dataplane NAT.
Migrates MAP to the new configuration structure, if present.
Note
MAP commands moved from nat nat64 map to map.
VPF High Availability Synchronization Version Change¶
This version of TNSR uses a new revision of VPF high availability (HA) state synchronization packets to accommodate new features such as endpoint-independent NAT. Due to this change, VPF HA cannot synchronize VPF state data between this version and previous versions of TNSR. As a consequence, ongoing connections will be disrupted when VRRP designates a new active node until both nodes are running the new version of TNSR.
For example, users typically upgrade the secondary node of an HA pair first, then when upgrading the primary node VRRP will make the secondary node active. The secondary node cannot import state data from the primary due to the VPF HA version mismatch, so it has no knowledge of any existing connections. When the secondary node becomes active, and it has no connection states, clients must re-establish their connections. Once the primary node is upgraded, those new connection states can synchronize back to the primary node so any VRRP changes after that point can transition smoothly.
NTP Daemon Change¶
The NTP daemon has been changed from ntpd to Chrony in this release.
Documentation has been updated to reflect this change. TNSR will attempt to
migrate the NTP configuration during the upgrade process, however certain
aspects of the two daemon configurations are incompatible and cannot be handled
automatically.
When migrating the configuration from ntpd to Chrony, TNSR makes the
following changes:
If the configuration contains a tinker panic <x> value greater than 0, TNSR converts it to maxchange offset <x> start 1 ignore 2, otherwise it is dropped.
TNSR converts interface ... listen interface <x> directives to interface binddevice <x>, other interface items are dropped.
TNSR only converts restrict <x> directives where <x> is default, an IPv4 or IPv6 address, or a prefix. FQDNs are ignored.
TNSR creates access sequence N allow <x> rules if there are no restriction flags on the restrict rules, otherwise it creates access sequence N deny <x> rules.
TNSR translates default to all.
TNSR removes logconfig directives because they cannot be translated to Chrony options.
After upgrade, review the NTP configuration and test each configured aspect to ensure it is operating properly and is allowing only expected clients.
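The conversion rules listed above, applied as a dry run to a pre-upgrade NTP configuration so that dropped entries and entries that turn into deny rules can be reviewed before upgrading. This is an added example, not TNSR or Netgate code; the one-directive-per-line input notation, the sample values, and numbering access rules from 10 in steps of 10 are assumptions.

```python
"""Dry run of the ntpd -> Chrony conversion rules from the release notes.

Added example, not Netgate code. Input is a constructed, simplified notation
with one directive per line; it is not exact TNSR or ntpd syntax.
"""
import ipaddress

# Constructed sample configuration (not taken from the release notes).
# The token after "interface" stands in for the part the notes elide as "...".
SAMPLE = """\
tinker panic 1000
interface 1 listen interface LAN
interface 2 ignore wildcard
restrict default kod limited nomodify
restrict 198.51.100.0/24
restrict 2001:db8::5 noquery
restrict ntp-clients.example.net
logconfig =syncall
"""


def classify_target(target):
    """Return 'default', 'address', 'prefix' or 'fqdn' for a restrict target."""
    if target == "default":
        return "default"
    try:
        ipaddress.ip_address(target)
        return "address"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(target, strict=False)
        return "prefix"
    except ValueError:
        return "fqdn"


def migrate(config_text):
    """Apply the listed rules; return (converted_lines, review_notes)."""
    converted, review = [], []
    seq = 0  # Assumption: the notes do not say how N is assigned.
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["tinker", "panic"] and len(words) == 3:
            # Only values greater than 0 are converted.
            if float(words[2]) > 0:
                converted.append(f"maxchange offset {words[2]} start 1 ignore 2")
            else:
                review.append(f"dropped (value not greater than 0): {raw}")
        elif words[0] == "interface":
            # Only "listen interface <x>" survives, as a device binding.
            if len(words) >= 3 and words[-3:-1] == ["listen", "interface"]:
                converted.append(f"interface binddevice {words[-1]}")
            else:
                review.append(f"dropped (other interface item): {raw}")
        elif words[0] == "restrict" and len(words) >= 2:
            target, flags = words[1], words[2:]
            if classify_target(target) == "fqdn":
                review.append(f"ignored (FQDN restrict): {raw}")
                continue
            seq += 10
            action = "deny" if flags else "allow"  # any flag means deny
            dest = "all" if target == "default" else target
            converted.append(f"access sequence {seq} {action} {dest}")
            if flags:
                review.append(
                    f"becomes deny because of flags {' '.join(flags)}: {raw}"
                )
        elif words[0] == "logconfig":
            review.append(f"removed (no Chrony equivalent): {raw}")
        else:
            review.append(f"not covered by the listed rules: {raw}")
    return converted, review


if __name__ == "__main__":
    new_lines, notes = migrate(SAMPLE)
    print("Converted:")
    for line in new_lines:
        print("  " + line)
    print("Review after upgrade:")
    for note in notes:
        print("  " + note)
```

In ntpd, flags such as nomodify and noquery still permit time service, so the entries reported as becoming deny rules are the ones to test first when confirming that only expected clients are allowed.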
Changes¶
Changes in TNSR software version 25.10
Authentication¶
Fixed: TNSR cannot fully manage the default tnsr user [18654]
Fixed: The default user shell is incorrect after creating a user through TNSR [20038]
CLI¶
Added: Execute external command and print output line-by-line on CLI [13206]
Fixed: AutoCLI expansion shows values configured on other instances [19862]
Fixed: AutoCLI expansion shows generic values for delete command [19863]
Fixed: Cannot configure an IPv4 address under logging-config in AutoCLI [20083]
Fixed: Irrelevant edit command parameters in AutoCLI [20101]
Fixed: Network Access Control Manager (NACM) section is not present in AutoCLI [20120]
Clixon¶
Fixed: Clixon backend fails to start with dataplane SSH enabled [20212]
DHCP Server¶
Added: DHCP lease affinity options [17997]
Dataplane¶
Added: Update VPP to stable/2506 (DPDK 24.11.1) [20144]
Fixed: Timeout while starting VPP leads to clixon_backend restart [20360]
Fixed: Starting FRR before VPP is running can cause startup to fail [20439]
Fixed: Jumbo frame MTU incorrect on VLAN subinterfaces with mlx5 driver interfaces [20618]
Host¶
Fixed: TNSR generates incorrect rsyslog configuration for priority and facility filter options [20359]
Interfaces¶
Added: vhost-user API to retrieve global settings [19536]
Memif¶
Fixed: Cannot set both rx-queues and tx-queues for a memif interface via CLI [11218]
Fixed: Non-default memif interface parameters can be applied only after dataplane restart [11294]
Fixed: Output of show configuration running cli memif does not include rx-queues and tx-queues options [11453]
Fixed: Default memif interface parameter role server is not present in configuration [11478]
Fixed: It is possible to set out-of-range memif queue value [20244]
NAT¶
Changed: Deprecate support for VPP NAT plugin [17929]
NTP¶
Added: Option to configure local system time zone [18832]
Routing¶
Fixed: OSPF stops working after configuring mtu-ignore option on an interface [8085]
Fixed: OSPFv3 default-information originate options do not stack when configured separately [10478]
Fixed: Out-of-memory error from zebra daemon on Azure x64 when advertising 2 million IPv6 prefixes via BGP [17277]
Fixed: CLI expansion does not work on no redistribute command in RIP server [20061]
SNMP / IPFIX / Prometheus¶
Fixed: SNMP services crashing with SIGABRT [20210]
Tunnel Protocols¶
Added: Randomize default MAC address of TEB mode GRE interfaces [19824]
Updates¶
Added: Improve package upgrade output to be more informative and user-friendly [12908]
Fixed: Boot-time kernel console configuration disappears [20380]
Fixed: package upgrade fails with illegal option error for tnsr-upgrade [20962]
VPF Filter/NAT¶
Fixed: VPF rules with direction both do not function as expected [18105]
Added: VPF port tables [18522]
Added: Endpoint-independent mode for VPF NAT rules [20308]
Added: VPF NAT rule port range configuration [20477]
Added: Source IP address hash algorithm for VPF NAT translation address selection [20557]
Fixed: show vpf connections returns NAT state for non-NAT connections [20971]
VRRP¶
Fixed: Packet counter VRRP packets processed marked as error severity, should be info [19625]
Fixed: VRRP backup node flaps between master and backup state and floods master with advertisements [20919]
WireGuard¶
Fixed: It is possible to create a WireGuard instance and peer without a port value [11114]
Fixed: It is possible to specify different address families for WireGuard source address and peer endpoint address [11175]
Fixed: Removing WireGuard peer causes an error message [11209]
Added: Configure WireGuard remote peer by FQDN [18726]
Known Issues¶
Known Issues in TNSR software version 25.10
ACLs¶
ACL with deny rule partially drops fragmented packets [12664]
MACIP ACL requires ip-version when not specifying an IP address on the ACL [16764]
Authentication¶
Timeout option in LDAP configuration does not work as expected [13420]
Specifying a source IPv6 address in RADIUS configuration does not work correctly [15900]
Unable to retrieve LDAP configuration via RESTCONF [16018]
Cannot delete LDAP transport options using RESTCONF [16244]
RADIUS does not support servers located in custom VRFs [16642]
Incorrect ownership on user SSH keys prevents successful authentication [16722]
BFD¶
IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]
TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]
BFD configuration inconsistently displayed [9425]
No ping response from peer when BFD session is down [9447]
IPv6 BFD sessions are intolerant of dataplane restart [9475]
Backup¶
Configuration changes not being committed in Git [20459]
Bridge¶
Bridging fails with virtual interfaces as members [7762]
TNSR does not retransmit ARP replies if arp entry option is enabled in a bridge domain [10880]
Bridge domain shg and bvi options cannot be removed alone without bridge domain in interface configuration [10926]
Options flood and uu-flood in config-bridge mode look the same in VPP DPDK trace [11113]
CLI¶
Deleting the startup configuration database does not fully remove the active configuration [3723]
Specifying interface to traceroute requires root privileges [5376]
Input validation of unbound message cache slabs value does not work as expected [5472]
CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]
RIP information does not contain a legend for kernel routes [7230]
CLI shows incorrect routing table attached to an interface in cloud environments [10589]
VRRP prints empty interface definitions in show config running cli output [11072]
Update “reflect” action description under ACL config [11093]
CLI expansion works incorrectly for OSPF/OSPF6 area configuration [11152]
Incorrect CLI expansion for VLAN tags configured on a sub-interface [11508]
CLI commands are not generated for RESTCONF coredump configuration [11650]
It is impossible to remove RESTCONF certificates and key via CLI [11685]
RESTCONF status does not show information about multiple sockets [11691]
CLI commands containing RX queue configuration fail to apply on a clean TNSR instance [11737]
Excess newlines are added to user-key content when adding an SSH key from the CLI [12369]
Unable to delete password from authentication user entry via CLI [12482]
CLI expansion and verification do not work for next-hop-table field when creating a static route [12494]
Attempting to set a description on a BGP prefix-list fails [13073]
show ipsec tunnel exits with an error when TNSR has no IPsec configuration [13463]
Attempting to remove a single NAT pool address results in “Unspecified Error” message [16150]
CLI expansion help text is unclear when entering match as-path in route map configuration [16242]
TNSR does not validate network address location within BGP address-family configuration [16407]
Values for after-time and before-time options for show logging command are not validated [16578]
CLI freezes when trying to run show route | match <text> command with a large routing table [16625]
| count and | tail options in CLI work very slowly for large command output [17145]
Configuring host interface static address does not persist, reverts to DHCP [17922]
Contradictive CLI error messages of allowed values for unsigned integer parameters [19043]
CLI expansion failure when configuring DHCP Relay in autocli [20057]
Cannot set interface description via AutoCLI if any interface configuration already exists [20121]
AutoCLI does not fully validate partial MAC address input for existing neighbors [20122]
Within the LDAP configuration process, it is not possible to configure an IPv4 address [20151]
Within the RADIUS configuration process, it is not possible to configure an IPv4 address [20152]
Unable to filter output of show route dynamic command for OSPF and OSPF6 [20279]
Clixon¶
clixon_backend exhausts memory while displaying a large volume of routes [5226]
Configuration upgrade does not run when loading configuration via history [6968]
Unable to set up a password that starts and finishes with a double quotation mark [7571]
Unable to set up a password that contains a backslash symbol [7572]
clixon_backend fails when configured interfaces are not present in hardware [11518]
clixon_backend fails if any PKI entries referenced in the RESTCONF configuration are missing [11988]
RIP interface key-chain value is not validated when configured via RESTCONF [17396]
Error when explicitly restarting clixon-backend with an ACL applied to an interface [20754]
DHCP Client¶
Host OS systemd-networkd service defaults to DHCPv4/RoutesToDNS=true even when the DNS server is non-adjacent [11444]
DHCP client sends an incorrect packet when releasing an IP address [17855]
DHCP client in dataplane namespace cannot generate resolv.conf [19970]
DHCP Server¶
CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]
DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]
Unable to setup a custom DHCP option with certain data types in the record [5299]
The command no authoritative in global DHCP server configuration does not work as expected [12388]
TNSR incorrectly allows configuring a DHCP pool outside the subnet on an interface, which prevents the DHCP daemon from starting [12470]
DHCP relay proxies DHCPv6 packets other than SOLICIT to first server only [17815]
DHCP option boot-file-name is terminated with 0xff [20049]
DNS¶
show system output does not contain DNS resolver parameters [5397]
Unbound fails to start with one or more values set to zero [11773]
Unbound cannot be configured to bind on IPv6 address [11854]
RESTCONF allows configuring a port for the system DNS resolver but it is not used or supported by the host OS [12307]
Dataplane¶
Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]
TNSR on AWS does not pass traffic when using the igb_uio or uio_pci_generic driver [7015]
SEGV in VPP [9312]
Dataplane fails to start up after system reboot if it is configured to use number of huge pages that exceeds the default number [10848]
Interrupt mode does not work on mlx5 driver NICs [11222]
VPP fails to start after configuring DPDK network device default in TNSR [11949]
Inconsistent behavior of CLI and RESTCONF when dataplane dpdk outer-checksum-offload is enabled [12585]
Dataplane does not prevent adding the same interface to whitelist and blacklist on Azure [12595]
VPP debug console show errors output includes info/error counts for graph nodes which are not in use [13035]
vHost User interfaces cannot be placed in adaptive mode when not linked to virtual machine [13233]
Configuring a vHost User interface with Interrupt or adaptive mode causes loss of connectivity [13237]
Interrupt rx-mode fails with Ethernet Controller I226-V (rev 04) [15756]
2MB hugepages improperly allocated on multi-NUMA systems [15987]
Adaptive mode on virtio interfaces causes loss of connectivity [17098]
Dataplane uio-driver igb_uio is non-functional in Noble builds with default kernel options [19285]
Requesting CPU state in TNSR may lead to XML error [20249]
Maximum OSPF adjacency count is constrained by Linux IGMP group membership limit [20447]
Dataplane crashes when a bond interface has members in different LACP groups [20515]
General¶
Non-root users cannot access the FRR log file [4826]
Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]
Startup entry is not created in configuration history log [7400]
Cannot commit a candidate configuration database if a tap interface is present [7458]
system-ping call via REST does not return any data if it is called with timeout flag and no response from the server [10608]
tnsr-backup utility does not back up or restore file ownership data [11270]
Service control operations for a specific FRR service affect all FRR services [11592]
Remote logging does not support servers located in custom VRFs [16650]
TNSR does not update the address of a remote logging server configured with an FQDN if the server IP address changes [16654]
Unnecessary attempts are made to stop services which are not running during clixon_backend startup [19973]
Host¶
Cannot configure the default gateway for host namespace via TNSR CLI [3702]
VRF interface for a custom route table persists in the operating system after restarting services [4866]
dns-resolver configured for host namespace remains in system after removing from TNSR [7830]
dns-resolver configuration values for host namespace remain in resolv.conf after restarting TNSR [7975]
Some host route options configured in TNSR are not applied correctly by the Linux network subsystem [10827]
Some types of host static routes are not displayed by show host route command [10905]
Option scope for IPv6 host static routes does not apply in the Linux network subsystem [11011]
DNS issues can occur with netplan configurations containing static interface addresses [11017]
TNSR shows incorrect Link MTU for host OS loopback (lo) interface [11596]
Host ACLs created in TNSR are not removed when restarting with a clean startup configuration database [16400]
Host ACL descriptions are not displayed anywhere [16453]
Host ACL rule pointing to a missing host interface gets applied anyway [16612]
show system CLI command output includes inaccurate hardcoded product values [19402]
Host Netfilter¶
TNSR incorrectly creates host ACL rules with only IP version configured [16208]
IPsec¶
IPsec daemon does not support using non-default VRF entries [7266]
Cannot disable IPsec dpd-interval option [8012]
Cannot configure IPsec with manual key type [8396]
Error when creating IPsec tunnel via RESTCONF with tunnel-enable set [8432]
IPsec tunnel without a child SA does not appear in IPsec state data [8433]
IPsec tunnel with initially unresolvable FQDN destination does not pass traffic after remote address gets resolved if there is another IPsec tunnel using the same source [10798]
Installation¶
TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]
Clean installation doesn’t have input validation for multiple gateways [17133]
Interfaces¶
Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]
Reassembly timeout is not working when full IP reassembly is configured [3269]
Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]
Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]
Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]
Netgate 1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]
Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]
L3 packets can be sent from bridged interfaces [6975]
Unable to setup DPDK uio_pci_generic driver on Netgate 1541 [6981]
TAP instance tcpdump method only captures received packets [7137]
Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]
Interface IP address is shown in IPv4 route table instead of associated subnet [7511]
Setting a new MTU value does not affect the MRU for IPv6 packets [8245]
Unable to delete link MTU from an interface when default MTU is set less than 1280 [8837]
Evaluate presence of interface configuration items for loopback interfaces [9380]
Reinstantiation of an interface does not automatically re-create subinterfaces [10725]
show interface tap does not print IPv4 and IPv6 gateway information [10849]
show interface <name> subif command does not produce any output [10879]
Unable to configure interrupt mode with driver set to uio_pci_generic [11279]
It is possible to configure a multicast or broadcast MAC address on an interface [11454]
VPP can push unlimited number of VLAN tags to a packet [11509]
IPv6 ping from TNSR through a vhost-user interface stops working after down/up of eth0 interface in guest VM [11847]
Unable to create a guest VM when a vhost-user interface configured as server-mode [11864]
Restarting the dataplane service when a vhost-user interface is in server-mode causes the VirtualEthernet interface to shut down [11885]
no enable event-index command disables a vhost-user interface [11890]
Removing vhost-user options disable merge-rx-buffers or disable indirect-descriptors does not affect the vhost-user interface state [11896]
Removing vhost-user options disable merge-rx-buffers, disable indirect-descriptors disables a vhost-user interface in server-mode [11929]
Configuring MAC address on bond interface causes its subinterface to disappear [12139]
Configuring the same VLAN tag on multiple subinterfaces causes an existing subinterface to disappear [12394]
Bond interfaces take longer than expected to pass traffic on hardware installations [12615]
Adaptive mode on vhost-user interfaces does not place the interface in adaptive mode [13232]
Users are unable to authenticate against any LDAP server after a failed member of a server group recovers [15781]
The show ldap command does not provide correct information which LDAP server is used for authentication [15787]
The show radius servers command does not provide correct information about which RADIUS server is used for authentication [15788]
IPsec ignores RADIUS source-address configuration [15810]
Error applying one configuration over another when loading candidate configuration databases from files [15816]
TNSR does not display the value of vhost-user interface packed-ring option [15879]
A disabled bond LACP interface continues to send LACPDUs [16857]
Interfaces with enabled MAP don’t accept Neighbor Advertisement packets [17087]
Bond interface MTU is not configured on slave interfaces [18616]
Cannot make an interface unnumbered if it is attached to a custom VRF [19666]
Interface state stays untouched when applying a candidate containing unnumbered interface with missing master [19804]
Unattached interfaces are not handled properly when changing their children nodes [19861]
Cannot configure rx-mode on linux-cp TAP for bond interfaces [19911]
LLDP¶
no lldp enable command shows CLI error [10925]
LLDP interface configuration parameters cannot be removed via CLI [10982]
TNSR sends incorrect LLDP management address if only lldp port-name is configured on an interface [11047]
TNSR continues sending LLDP frames after lldp port-name is removed from an interface using RESTCONF [11048]
LLDP router configuration cannot be removed [11049]
Memif¶
Unable to connect to memif interface using default socket [4448]
It is possible to have a memif interface pointing to a nonexistent socket [11201]
Incorrect state data is shown for memif interfaces [11202]
Dataplane restart required to change memif interface configuration [11220]
VPP crashes when sending some commands to its memif socket [11293]
It's possible to create memif socket with incorrect filename [11295]
Memif socket file still exists in Host OS filesystem after being deleted from TNSR [11365]
Link status of the memif interface can be up even if admin status is down [11474]
Value for memif interface ring-size cannot be set higher than 14 [20339]
Value of memif options ring-size and buffer-size can be configured regardless of memif interface role [20475]
NACM¶
It is possible to remove an NACM group used in a rule list [10115]
NAT¶
Full IP reassembly does not work with MAP [3386]
MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]
NAT pool route table option only available when specifying a range [3628]
Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]
MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]
TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]
MAP does not relay IPv6 ICMP error messages to IPv4 [3809]
NAT static mappings assume external port 0 when port is omitted [4432]
Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]
Unable to establish NAT hairpin connection [8014]
Traffic from TNSR itself sourced from inside NAT interface does not get NAT applied when egressing via NAT outside interface [9706]
GRE tunnel terminated on loopback interface is being NAT-translated without NAT-Inside definition [17591]
VPP outside NAT adds NAT pool addresses to unspecified VRFs [17844]
clixon-backend fails to start due to leftover Dataplane NAT configuration [18670]
NTP¶
NTP does not properly handle IPv6 restrictions [4626]
Delay in CLI display of NTP configuration when NTP has noquery set [6818]
Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]
NTP daemon does not collect statistics [13483]
NTP does not switch to orphan mode even if all UTC reference peers below this stratum are unreachable [13511]
NTP does not take tinker panic value into account when synchronizing the clock with a remote peer [15741]
No CLI expansion when configuring NTP interface binding [20881]
Neighbor / ARP / NDP¶
Packet loss during ARP transactions [2868]
The MAC address of a static IPv6 neighbor cannot be changed [4454]
Neighbor cache value for max-number is not honored if current neighbor count is larger than the configured value [12389]
Neighbor option no-adj-route-table-entry does not function as expected [12614]
Operating System¶
Errors at boot from enabled but unpopulated Universal Flash Storage Host Controller Driver (ufshcd) storage [11633]
Poor read/write performance when installed to eMMC (15GB Ultra HS-COMBO) [11688]
systemd timer update-notifier-download.service runs every 24 hours but does not appear to do anything [15950]
systemd timer motd-news.timer runs twice a day and logs a failure message [16026]
PKI¶
PKCS#12 archives are not generated correctly when the ca-name is not specified [10320]
PKI private key algorithm ec-p256 does not work properly when configured via RESTCONF/GUI [16130]
RESTCONF¶
Adding a user via RESTCONF requires a password even when providing an ssh key [2875]
RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]
OSPF interfaces are not validated when configured via RESTCONF [3528]
Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]
Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]
RESTCONF allows configuring dataplane options for non-existent devices [5748]
RESTCONF route-state response does not contain actual state data [7115]
RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]
History version count does not match the count of REST configuration requests if they are sent without a delay [7440]
Unable to clear trace filters over RESTCONF [9476]
RESTCONF does not validate payload body to prevent invalid arguments in certain cases [10413]
Non-working RPC left in TNSR after removal of NGINX [11603]
Incorrect status can be shown for RESTCONF service [11657]
service restconf coredump parameters inconsistent with all other service <name> coredump commands [18277]
Routing¶
BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]
BGP network backdoor feature isn’t working without service restart [2873]
BGP next-hop attribute aren’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]
Unable to verify dynamic BGP peer information from TNSR CLI [3044]
Unable to delete OSPF3 config for an interface [3481]
TNSR does not prevent creating static routes for directly connected networks [3813]
OSPF conditional default route injection does not work [3846]
Unable to verify received routes when high number of routes received via BGP [3918]
TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]
Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]
RIP route-map-filter option does not filter routes [5910]
Unable to disable IPv4 AF without BGP service restart [6393]
BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]
Unable to remove OSPF virtual-link configuration [6962]
Cannot add a static recursive route [7010]
VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]
Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]
Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]
Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]
OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]
Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]
Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]
Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]
Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]
OSPF logging for some options does not work if logging level is set explicitly [7411]
BGP debug option updates in <peer> does not filter messages for selected peer [7476]
BGP address family neighbor option maximum-prefix restart does not work correctly [7709]
Malfunction of BGP process after entering maximum-prefix restart without the basic maximum-prefix limit command [7748]
OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]
Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]
Routes do not match by route-map if match criteria is set to ip next-hop ... [8148]
Output of show conf differs for route-map [8375]
Route map source-protocol match condition matches routes from any source [8381]
Cannot change distance for one BGP prefix [8690]
Forwarding address from OSPF6 LSA5 is not installed as the next hop for the route [8732]
BGP bestpath med missing-as-worst command does not function correctly [8805]
Route Map with IPv6 Access List does not filter redistributed OSPF6 routes [8857]
Route-Map set src option does not function correctly [9045]
show route displays no routes for a VRF until it is placed on an interface [9073]
FRR cannot connect to RPKI cache server if a route to it does not exist in default VRF [9146]
The redistribute kernel and import vrf BGP options do not work at the same time if the static route is redistributed with an output interface in a third-party VRF [9147]
Applying a subsequent route map with import vrf cancels a previous applied route map [9156]
A route map applied to the import vrf option using a prefix list does not work correctly [9235]
Changing BGP as-number in default VRF leads to the termination of the import of routes to another VRF [9244]
Cannot change an interface to a new VRF when BGP is configured to import the current VRF [9259]
Changing an interface VRF does not stop importing routes from the previous VRF [9298]
Route maps with match rpki * conditions do not get re-applied when RPKI status of routes changes [9439]
set community command disappears from FRR configuration without warning after setting an invalid community [9508]
Suppression of specific routes when applied to an aggregated route of a route map containing set aggregator as <asn> ip address <ipv4-address> command [9547]
BGP soft-reconfiguration inbound option does not work for IPv6 peers [10086]
BGP selects incorrect path to a network when changing bestpath rules [10210]
zebra causes out-of-memory error on AWS when restarting TNSR after receiving 1.5-2 million prefixes via BGP [10273]
FRR fails to reload configuration if set as-path prepend values are incorrectly enclosed in quotes [10309]
OSPF6 conditional default route injection does not work correctly [10311]
BGP
route-reflector-clientoption does not work on neighbor configurations using IP addresses instead of peer groups [10356]Cannot remove BGP
unsuppress-mapoption by route-map name for IPv6 neighbor [10409]OSPFv2
metric-type 2option explicitly set fordefault-information originatedoes not get placed into the FRR configuration [10479]Unexpected delay in distribution of route information between OSPF database and RIB during propagation of OSPF default route [10721]
Static route with next-hop IP address located on a DHCP client interface causes
clixon_backendto fail [11765]Routes with a
via localdestination are not available to FRR as kernel routes [11887]CLI expansion does not work for
prefix-listconfiguration in BGPaddress-family/neighborsection [11888]A
prefix-listcan be configured with an invalid sequence number (0) [11889]TNSR fails to show routes if there are IPv4 routes with IPv6 next-hops [12060]
TNSR cannot commit configuration candidate database loaded from a file if it contains changed ABF policy attached to interface [12248]
BFD in a non-default VRF takes longer than expected to act on peer state changes [12500]
RIP offset-list configuration without a specific interface name causes an FRR configuration error [12716]
RIP outgoing offset-list does not function when configured together with incoming offset-list on the same interface [12718]
Cannot configure an administrative distance for a static route which is respected by dynamic routing [12761]
RIP distribution-list entries do not work correctly [12762]
BGP graceful-restart option select-defer-time does not function as expected [12946]
BGP graceful-restart status includes duplicate IPv6 neighbor information [12979]
BGP peer with graceful-restart enabled does not retain routes while BGP service is stopped [13039]
BGP peer-group can be removed even if it is in use by peer [13205]
BGP peer does not change ORF received prefix-list when BGP speaker replaces prefix-list by another [13213]
CLI does not expand VRF names for dynamic routing protocols BGP/OSPF/RIP [15828]
Dynamic routing protocols BGP/OSPF/RIP allow configuring non-existent VRF with server vrf <name> [15829]
Connected interface routes not withdrawn from routing table when link is down [15832]
Adding or removing route-map with atomic-aggregate attribute set requires BGP restart [16039]
Unable to specify more than one community without quoting when configuring set in route-map section [16102]
Route map set community command allows community values which are not well-known communities, but those values are not used in FRR [16165]
BGP extended community is removed when routes are handled by import vrf option [16176]
Adding the force parameter to the next-hop-self option creates two separate lines in BGP configuration [16369]
Prefix list le and ge parameters are always present in the show running-configuration output, even if they have not been configured [16425]
Route map parameter on-match goto value is not validated and can point to itself [16576]
Route map parameter call <rt-map-name> is not validated and can point to its own route map [16577]
FRR failing with has not made any SendQ progress error message in logs [16592]
Zebra continues advertising kernel routes resolved via interface with link down state [16684]
Some routes are not installed from FRR RIB to VPP FIB [16686]
VPP logs warning messages when running the show route command with large route tables [16793]
OSPF pce parameters are not displayed in vtysh config [16985]
OSPF ‘refresh timer <time>’ parameter can be removed only with ‘no refresh’ command [17064]
Configuration OSPF ‘distance (external|inter-area|intra-area) <dist>’ causes FRR config error [17086]
OSPF6 interface configuration may be missing from FRR state after TNSR reboot [17576]
Dataplane stops processing static routes when it fails to resolve a route [18005]
RESTCONF allows assigning a nonexistent peer group to a BGP neighbor [18238]
Output uRPF in loose mode drops all locally originated traffic [18341]
Attaching a BGP peer-group to another peer-group fails silently in CLI [18433]
FRR Not Counting Prefixes Learned from Route Server at IX (internet exchange) [18501]
Cannot create blackhole discard routes via BGP [19543]
IS-IS L1/2 router cannot advertise L1 routes received from L1 neighbor into L2 [19599]
Column headers in IS-IS output tables are not aligned with data [19768]
show route dynamic rip config command does not show full FRR RIP configuration [20062]
show route dynamic bgp config command does not show full FRR BGP configuration [20082]
IS-IS stops advertising high metrics after service restart [20185]
Changing or removing IS-IS hello padding during-adjacency-formation causes configuration mismatch between FRR and TNSR [20203]
IS-IS conditional default route injection does not work [20315]
IS-IS SNP area/domain authentication can be configured without area/domain password [20351]
BGP community lists accept invalid community indexes [20364]
All OSPF/IS-IS route next-hop entries disappear if any of their interfaces is administratively disabled [20370]
IS-IS LFA interface exclusion does not work as expected [20407]
IS-IS LFA fast-reroute backup path is displayed with wrong metric [20412]
IS-IS LFA disable-load-sharing option does not work as expected [20442]
IS-IS SPF interval behaves differently for level 1 and level 2 [20473]
TNSR occasionally does not output a specific IS-IS neighbor if several IS-IS processes are configured in different VRFs [20478]
Changing IS-IS spf backoff-delay parameters via TNSR causes SPF delay timers to run [20504]
Cannot enable IS-IS spf backoff-delay with default parameters [20524]
Configuring IS-IS LFA tie-breakers does not affect backup route selection [20599]
FRR fails when configuring IS-IS LSP MTU [20610]
IS-IS option debug packet-dump does not capture any data [20622]
IS-IS service fails when trying to validate SNP packet without authentication received from neighbor [20786]
IS-IS restart is required when changing the route-map used in IS-IS redistribution [20927]
BGP inconsistencies when withdrawing a route from FIB [21114]
SNMP / IPFIX / Prometheus¶
Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]
Prometheus filters containing spaces cannot be removed [5470]
SNMP does not work on interfaces in a non-default VRF [7261]
SNMP view configured with source address default does not accept queries from IPv6 addresses [12053]
VPP shows incorrect values for configured IPFIX cache timeout settings if they are greater than 2^31 [12094]
Unable to remove SNMP access group entry with specific security-model [12668]
Prometheus response contains double definitions of some metrics [17173]
IPFIX exports only Data-Template packets for VLAN subinterfaces [19706]
Prometheus crashes when run in host namespace [20368]
SPAN¶
Incorrect error message when requesting SPAN info from a missing interface [7209]
SPAN does not work correctly for outbound packets on VLAN subinterface [7801]
Static Routes¶
Static route description is not showing up in show commands or REST state data [5478]
Static route overwrites kernel route in the operating system routing table [7215]
Transit traffic goes to an interface with inactive link when there is another (active) path [8041]
RESTCONF query does not return VRF entry descriptions [13490]
Static routes configured with next-hop-table option are not removed when they can no longer be resolved [17416]
Tunnel Protocols¶
TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]
VxLAN with multicast destination does not pass traffic [6491]
GRE interface configuration remains in running config after changing GRE tunnel ID [7050]
VPP processes packets received on disabled tunnel interfaces [8111]
Tunnel next-hop entries do not function in non-default VRFs [8653]
IPIP interface loses attached ACLs when DNS resolution of the remote endpoint changes [10171]
IPIP interface loses TCP MSS setting when DNS resolution of the remote endpoint changes [10312]
IPv6 VxLAN does not pass traffic if it is configured over IPv6 IPsec [10592]
Lower than expected throughput over VXLAN interfaces terminated on a loopback BVI [10643]
VXLAN configuration commands are not validated while the dataplane is stopped; invalid configurations created in this state cannot be deleted [16812]
Configuration commands in ‘interface vxlan_tunnel’ mode allow setting unsupported parameters [16926]
Updates¶
Router upgraded to 22.10-2 will not start without an IKE prf entry [9368]
VPF Filter/NAT¶
TNSR allows UDP connection that was created by VPF filter stateful rule when rule action changes from pass to block and connection is expired [18129]
Outbound NAT applied to inbound connections [20882]
show vpf filter ruleset output shows 0 matches for block counters in CLI [21000]
WireGuard¶
Configuring option route-table in a WireGuard peer does not affect next-hop lookup of the endpoint address [8070]
WireGuard tunnel cannot pass traffic with underlying dataplane interface type virtio [17213]