SteelConnect EX Director Release Notes - Riverbed Support
SteelConnect EX Director
Release Notes
Version number 21.2.2
Release date December 2021
Document revision 1.0
SteelConnect EX Director Release Notes for Release 21.2.2
These release notes describe features, enhancements, fixes, and known issues in the Release 21.2 SteelConnect EX
Director software, for Releases 21.2.0 (simply called 21.2) through 21.2.2. Releases 21.2.1 and later are generally
available (GA) releases and are supported for use in production networks.
Install the SteelConnect EX Director Software
To install the SteelConnect EX Director software, see the deployment and initial configuration articles.
Upgrade to Release 21.2
Before You Upgrade
Run the Upgrade Validation Script
For SteelConnect EX Director instances running on Ubuntu 14.04, before you upgrade to Release 21.2, you must run
an upgrade validation script to identify all the configuration discrepancies and fix them before the upgrade.
Caution: SteelConnect EX Director Release 21.2 enforces stringent validation checks on configurations. If any of the
following SteelConnect EX Director items are configured incorrectly, the upgrade to Release 21.2 will fail:
• Duplicate site or device IDs
• Duplicate paired location IDs (Release 21.2.1 only)
• Missing organization attributes such as VRF IDs or UUIDs (Release 21.2.1 only)
• Authentication connectors with partial information
• Duplicate overlay IP addresses used on different devices
The validation script is in the file versa-director-patch-release.bin, where release is 21.2.2 or 21.2.1. You download the
validation script from the SteelConnect EX Director software release folder. Then, run the script from the Director Linux
shell with the following commands:
chmod +x ./versa-director-patch-21.2.2.bin
sudo ./versa-director-patch-21.2.2.bin
The patch script creates the validate.py file and places it in the /opt/versa/vnms/upgrade/scripts directory.
To upgrade from Release 16.1R2, run the validate.py script with the following options:
sudo /opt/versa/vnms/upgrade/scripts/validate.py -f 16.1R2 -t 21.2
To upgrade from Release 20.2, run the validate.py script with the following options:
sudo /opt/versa/vnms/upgrade/scripts/validate.py -f 20.2 -t 21.2
To upgrade from Release 21.1 to Release 21.2, run the validate.py script with the following options:
sudo /opt/versa/vnms/upgrade/scripts/validate.py -f 21.1 -t 21.2
The following shows the console output from when the validation script runs successfully:
INFO - Pre-Upgrade Validation Initiated
INFO - Executing validation script: ha-pair-config-validation.py ...
INFO - Successfully executed ha-pair-config-validation.py
INFO - Executing validation script: auth-connector-validation.lua ...
INFO - Successfully executed auth-connector-validation.lua
INFO - Executing validation script: org-validation.py ...
INFO - Successfully executed org-validation.py
INFO - Executing validation script: ip-address-config-validation.py ...
INFO - Successfully executed ip-address-config-validation.py
If the validation script identifies incorrect configurations, it displays error messages and logs details to the
/var/log/vnms/upgrade.log file. The following sample console output shows the error messages displayed because of a validation failure:
[Administrator@StandbyDirector: ~] $ sudo /opt/versa/vnms/upgrade/scripts/validate.py -f 20.2 -t 21.2
INFO - Pre-Upgrade Validation Initiated
Pre-Upgrade Validation Initiated
INFO - Executing validation script: auth-connector-validation.lua ...
Executing validation script: auth-connector-validation.lua ...
ERROR - Errors encountered during execution of auth-connector-validation.lua
Errors encountered during execution of auth-connector-validation.lua
INFO - Executing validation script: ha-pair-config-validation.py ...
Executing validation script: ha-pair-config-validation.py ...
INFO - Successfully executed ha-pair-config-validation.py
Successfully executed ha-pair-config-validation.py
INFO - Executing validation script: org-validation.py ...
Executing validation script: org-validation.py ...
INFO - Successfully executed org-validation.py
Successfully executed org-validation.py
INFO - Executing validation script: ip-address-config-validation.py ...
Executing validation script: ip-address-config-validation.py ...
INFO - Successfully executed ip-address-config-validation.py
Successfully executed ip-address-config-validation.py
ERROR - Validation failed for following scripts: auth-connector-validation.lua
Validation failed for following scripts: auth-connector-validation.lua
The following sample snippet from the /var/log/vnms/upgrade.log file explains the failure reported by the output above:
13-March-2021, 10:05:10 main [INFO] Executing validation script: auth-connector-validation.lua ...
13-March-2021, 10:05:10 main [DEBUG] Executing command su root -c "source /etc/profile.d/versa-profile.sh && /opt/versa/util/runlua -n confd -e confu /opt/versa/vnms/upgrade/validate/scripts/auth-connector-validation.lua"
13-March-2021, 10:05:10 main [DEBUG] Command Output of auth-connector-validation.lua" is
13-March-2021, 10:05:12 main [DEBUG] DEBUG badly formatted or nonexistent path - Bad path element "radius-server-details" after: /nms/provider/auth-connectors/auth-connector
13-March-2021, 10:05:12 main [DEBUG] secret is not configured for authentication connector Name versaAuth Type radius
13-March-2021, 10:05:12 main [DEBUG] Command exit status/return code is 1
13-March-2021, 10:05:12 main [ERROR] Errors encountered during execution of auth-connector-validation.lua
The validation script runs automatically as the first step in the software upgrade. If the validation fails, the upgrade
aborts immediately. If the following error is displayed while upgrading to Release 21.2 using the SteelConnect EX Director
CLI, refer to the validation error mitigation guide or contact Riverbed Support:
Administrator@SDWAN-VOAE1> request system package upgrade package-name
Will restart SteelConnect EX Director (all processes). Are you sure? [no,yes] yes
Pre-Upgrade Validation Initiated
Executing validation script: org-validation.py …
Successfully executed org-validation.py
Executing validation script: ip-address-config-validation.py …
Errors encountered during execution of ip-address-config-validation.py
Executing validation script: auth-connector-validation.lua …
Successfully executed auth-connector-validation.lua
Executing validation script: ha-pair-config-validation.py …
Successfully executed ha-pair-config-validation.py
Validation failed for following scripts: ip-address-config-validation.py
Pre-Upgrade-Validation Failed.
Please refer to /var/log/vnms/upgrade.log for more details.
Caution: For systems running Ubuntu 14.04, before you upgrade to SteelConnect EX Director Release 21.2, you
must upgrade the OS SPacks on all Director nodes to the latest version. If you do not upgrade the OS SPacks, the
software upgrade may fail. For systems running Ubuntu 18.04, the OS SPack upgrade is not required.
To check the Ubuntu version from the terminal, run the lsb_release -a CLI command.
To install the OS SPack, run the following commands:
chmod +x ./versa-director-osspack-date.bin
sudo ./versa-director-osspack-date.bin
The following error may display when you upgrade from Release 16.1R2 to Release 21.2 from the SteelConnect EX Director CLI:
Administrator@director1> request system package package-name
Will restart SteelConnect EX Director (all processes). Are you sure? [no,yes] yes
Verify package checksum..
status Some of the packages on this system are not correctly installed, please resolve before upgrading SteelConnect EX Director
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err:uppercase=bad)
||/ Name Version Architecture Description
==============================================================================================
rc amd64-microcode 3.20180524.1~ubuntu0.14.04.2+really20130710.1ubuntu1 amd64 Processor microcode firmware for AMD CPUs
rc intel-microcode 3.20180807a.0ubuntu0.14.04.1 amd64 Processor microcode firmware for Intel CPUs
To resolve this error, run the following commands to manually remove the offending packages from the Linux shell before
you attempt to upgrade the Director node from the CLI again:
Administrator@director1> sudo dpkg --purge amd64-microcode
Administrator@director1> sudo dpkg --purge intel-microcode
To install or upgrade to the Release 21.2 Director software, each Director node, whether a virtual machine (VM) or a
bare-metal server, must have a minimum disk size of 150 GB.
If your deployment includes an HTTP proxy, see the “Enable HTTP 2.0 on Proxies” section below.
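Added example (not Riverbed or Versa code): a triage script for the /var/log/vnms/upgrade.log format excerpted earlier in this section, which reports each validation script's outcome, its exit code, and the DEBUG findings that explain a failure. The function names are hypothetical, the sample log is constructed from the excerpt on this page, and the script assumes the real log keeps the same timestamp, thread, and [LEVEL] layout.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample. The failing block follows the upgrade.log excerpt on this
# page (two records left wrapped to exercise continuation handling); the passing
# block and the truncated final block are invented for contrast.
SAMPLE_LOG = """\
13-March-2021, 10:05:08 main [INFO] Executing validation script: org-validation.py ...
13-March-2021, 10:05:09 main [DEBUG] Command exit status/return code is 0
13-March-2021, 10:05:09 main [INFO] Successfully executed org-validation.py
13-March-2021, 10:05:10 main [INFO] Executing validation script: auth-connector-validation.lua ...
13-March-2021, 10:05:10 main [DEBUG] Executing command su root -c "source /etc/profile.d/versa-profile.sh && /opt/versa/util/runlua -n confd -e confu /opt/versa/vnms/upgrade/validate/scripts/auth-connector-validation.lua"
13-March-2021, 10:05:10 main [DEBUG] Command Output of auth-connector-validation.lua" is
13-March-2021, 10:05:12 main [DEBUG] DEBUG badly formatted or nonexistent path - Bad path element
"radius-server-details" after: /nms/provider/auth-connectors/auth-connector
13-March-2021, 10:05:12 main [DEBUG] secret is not configured for authentication connector Name
versaAuth Type radius
13-March-2021, 10:05:12 main [DEBUG] Command exit status/return code is 1
13-March-2021, 10:05:12 main [ERROR] Errors encountered during execution of auth-connector-validation.lua
13-March-2021, 10:05:13 main [INFO] Executing validation script: ip-address-config-validation.py ...
"""

RECORD_RE = re.compile(
    r"^\d{1,2}-[A-Za-z]+-\d{4}, \d{2}:\d{2}:\d{2} \S+ \[(?P<level>[A-Z]+)\] (?P<msg>.*)$"
)
START_RE = re.compile(r"^Executing validation script: (?P<name>\S+)")
EXIT_RE = re.compile(r"^Command exit status/return code is (?P<code>-?\d+)")
PASS_PREFIX = "Successfully executed "
FAIL_PREFIX = "Errors encountered during execution of "
# Bookkeeping lines that are not findings in themselves.
NOISE_PREFIXES = ("Executing command ", "Command Output of ")


@dataclass
class ScriptResult:
    name: str
    status: str = "incomplete"      # stays "incomplete" if the log ends mid-run
    exit_code: Optional[int] = None
    findings: list = field(default_factory=list)


def iter_records(text):
    """Yield (level, message); a line without a timestamp continues the previous record."""
    level, msg = None, None
    for raw in text.splitlines():
        m = RECORD_RE.match(raw)
        if m:
            if msg is not None:
                yield level, msg
            level, msg = m["level"], m["msg"].strip()
        elif msg is not None and raw.strip():
            msg += " " + raw.strip()
    if msg is not None:
        yield level, msg


def summarize(text):
    """Map each validation script name to its ScriptResult (the last run in the log wins)."""
    results, active = {}, None
    for _level, msg in iter_records(text):
        start = START_RE.match(msg)
        if start:
            active = ScriptResult(start["name"])
            results[active.name] = active
        elif active is None:
            continue                 # record outside any validation run
        elif msg.startswith(PASS_PREFIX):
            active.status = "passed"
            active = None
        elif msg.startswith(FAIL_PREFIX):
            active.status = "failed"
            active = None
        elif EXIT_RE.match(msg):
            active.exit_code = int(EXIT_RE.match(msg)["code"])
        elif not msg.startswith(NOISE_PREFIXES):
            active.findings.append(msg)
    return results


def blocking_scripts(text):
    """Names of scripts that failed or never reported an outcome."""
    return [r.name for r in summarize(text).values() if r.status != "passed"]


if __name__ == "__main__":
    # Pass the log path (for example /var/log/vnms/upgrade.log) as the first argument.
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for r in summarize(log_text).values():
        print(f"{r.status.upper():<10} {r.name} (exit code: {r.exit_code})")
        for finding in r.findings:
            print(f"           - {finding}")
    sys.exit(1 if blocking_scripts(log_text) else 0)
```

The non-zero exit status lets a change-control job stop before the upgrade command is issued, and the "incomplete" status catches a log that ends before a script reports its result.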
Upgrade HA Director Nodes
If you are upgrading HA Director nodes, follow one of the procedures described in this section.
If you want to disable HA before upgrading to Release 21.2:
1. Disable HA.
2. Apply the patch on both the active and standby Director nodes.
3. Run the validation file on both the active and standby Director nodes.
4. Upgrade in parallel both the active and standby Director nodes.
5. After the upgrade completes on both the active and standby Director nodes, re-enable HA.
If HA is enabled during the upgrade to Release 21.2.1:
1. Run the patch on the active Director node.
2. Run the validation on the active Director node.
3. Run the patch on the standby Director node, and remove the /opt/versa/vnms/upgrade/validate/scripts/stale-bind-data-remover.py
file and the /opt/versa/vnms/upgrade/validate/stale-bind-data-remover directory.
4. Upgrade the standby Director node.
5. Stop services on the standby Director node.
6. Upgrade the active Director node.
7. Verify that all services are running on the active Director node.
8. Start services on the standby Director.
Upgrade to Release 21.2
To upgrade to Release 21.2:
1. Copy the appropriate bin package file to the SteelConnect EX Director /var/versa/packages/vnms directory.
Ensure that the file has +x execute permission. Alternatively, use the following command, which copies the file
to the /var/versa/packages/vnms directory:
Administrator@versa-director> request system package fetch uri uri
2. Install the new software package:
Administrator@versa-director> request system package upgrade filename.bin
Note that if you use SCP or FTP to copy the SteelConnect EX Director bin package file directly to the
/var/versa/packages/vnms directory, you must execute the versa-director-patch.bin patch file before you start the
upgrade. In an HA setup, you must also execute the patch file on the standby SteelConnect EX Director node even if
the SteelConnect EX Director bin package was uploaded using the UI on the active SteelConnect EX Director. This
step is not required in the following cases:
• For a standalone SteelConnect EX Director, you uploaded the bin package from the GUI.
• In an HA setup, you uploaded the SteelConnect EX Director bin package from the GUI to the active SteelConnect EX Director.
To install the patch, issue the following command from the Director shell:
[Administrator@versa-director ~] # sudo ./versa-director-patch.bin
Downgrade the Software
To downgrade to the software image that had been installed immediately before you performed the upgrade, issue the
following command:
Administrator@versa-director> request system rollback to snapshot-timestamp
The SteelConnect EX Director configuration and image are restored to the state when the snapshot was taken. Note
that any configuration changes done since the snapshot was taken are lost when you perform the rollback operation.
Install the Software License for SteelConnect EX Director
SteelConnect EX Director is controlled by a software license. You must obtain a valid license file by contacting Riverbed
Support.
Note the following:
• SteelConnect EX Director software ceases to operate after a 15-day trial period, so you must obtain a license key
within that time.
• On all newly installed SteelConnect EX Directors, you must run the SteelConnect EX Director startup script,
/opt/versa/vnms/scripts/vnms-startup.sh, to correctly configure the Director network interfaces for their intended
function (for example, interface eth0 for northbound communication towards OSS systems and for UI access, and
eth1 for southbound communication towards SteelConnect EX devices).
Software Version Compatibility
Release 21.2 of SteelConnect EX Director is compatible with the following software versions:
• Release 20.2.x
• Release 21.1.x
• Release 21.2.x
Release 21.2 of SteelConnect EX Director is not fully configuration-compliant with other versions of SteelConnect EX
software. If you commit templates or make direct configuration changes in Appliance view to non-compatible
SteelConnect EX releases, the commit or configuration changes may be rejected with an RPC error.
New Features
This section describes the new SteelConnect EX Director features in Release 21.2. All features are introduced in
Release 21.2.1 unless otherwise noted.
• Cloud API enhancements—API-based integration in Azure virtual WAN and AWS transit gateway supports
scenarios in which the branch is behind a NAT.
• NAT in site-to-site tunnels—When creating site-to-site tunnel between a branch and an Azure Virtual WAN or
AWS Transit Gateway, the WAN interface can use the NATed IP address. You can also configure the NATed IP
address when deploying Workflows.
• SteelConnect EX Director central authentication—(For Releases 21.2.2 and later.) In a topology with more than
one Director node, you can have one of the Director nodes be the central authentication Director node. The central
authentication Director node verifies all authentication requests, and it issues a token that can be used for making
API calls to any Director node.
You enable central authentication from the CLI:
Administrator@versa-director% show nms provider central-auth-connector
enable-central-auth enabled;
director-ips [ 10.192.63.14 ];
For director-ips, provide the IP addresses of the primary and secondary Director nodes.
• SteelConnect EX Director–managed site-to-site tunnels—You can create a SteelConnect EX Director-managed
IPsec site-to-site tunnel between a provider SteelConnect EX Director node and a customer
SteelConnect EX Director node to allow the customer SteelConnect EX Director node to use available services
from the provider Director node as if the services were directly available from the customer Director node.
These services include:
◦ On-ramp to SaaS providers, such as Box, Google, Microsoft Office, and Salesforce
◦ Cloud Service Gateways (CSGs)
◦ Application reverse proxies
Director–managed site-to-site tunnels support EBGP, IKE, and IPsec.
• VMS passive authentication enhancements—The messaging server (VMS) supports the following:
◦ Administrative container for VMS to manage services and the VMS deployment, including REST API capabilities
to manage the VMS features and infrastructure.
◦ High availability for VMS infrastructure and containers.
◦ Passive authentication.
• Workflow support for T1/E1 and ADSL2+/VDSL2+ interfaces—You can use Workflows to configure T1/E1 and
ADSL2+/VDSL2+ interfaces, making configuration of these interfaces easier and an integral part of SD-WAN
workflows.
Enhancements in Release 21.2.2
• Option to set RequestedAuthnContext value in SSO—Add an option to set Requested Auth Context Comparison in
an SSO SAML connector. You can set the value to "minimum" or "exact" depending on your authentication type.
• Total Site Up/Down in Tenant Summary window—In the Tenant Summary window, add the count of the number of
sites that are up and down, and add a card that summarizes the status of all assets.
Fixed Bugs
The following are the critical and major defects fixed in Release 21.2.
Fixed Bugs in Release 21.2.1
The following table lists the critical and major defects that were fixed in Release 21.2.1.
Tracking Bug
Description
34494
Subscription Query page shows state as automatically renewed after device
is automatically renewed instead of showing automatically activated. This
issue has been fixed.
40095
Add enable and disable policy rules.
40157
Add support for TCP-based syslog remote connector.
42494
Snapshot creation is now audited and present in the audit log.
43124
Custom role editing is now audited.
45549
Add alarm for when AMQP/Kafka connector is not reachable from Director
node.
46789
Add Total column, which was missing in Entitlement summary report.
47781
Spoke group search is now done by making query to the backend instead of
performing a UI-level search.
47998
For a device managed with LTE as WAN, the Director node now decreases
polling cycles and netconf notifications to reduce management traffic.
48207
Asset Inventory is not showing the count of hub-controllers under both
Summary and Details tabs under Director > Monitor > Provider > Summary.
This issue has been fixed.
48431
Virtual router UI screen access was slow. This issue has been fixed.
49326
Add cloud-connector support, with type as SteelConnect EX. This enables a
client SteelConnect EX Director to create site-to-site tunnels between FlexVNF
devices managed by different Director nodes.
50511
Add option to enable and disable the sending of device-level alarms to an
AMQP server configured as an AMQP connector.
50562
Bulk delete of VRRP configuration fails in UI under template. This issue has
been fixed.
50578
Entitlement management/subscription actions are not RBAC-protected from
REST APIs. This issue has been fixed.
52001
NCS crashed with error "Internal error: Supervision terminated". This issue
has been fixed by upgrading NCS to a newer version, version 4.7.8.
52518
Add new alerts such as DESIGNATED-MASTER-NOT-ACTIVE, LICENSE-EXPIRY-ALERT,
DISK-USAGE-ALERT. Update the alerts naming
conventions, changing Master to Active and Slave to Standby.
52665
NCS Java logging does not work. This issue has been fixed.
54006
You can now customize common SteelConnect EX software HTTP/HTTPS
credentials. The Director node uses these in the
/var/versa/vnms/data/conf/default.conf script.
55106
Validation is missing for cluster list in bind data screen. This issue has been
fixed.
55471
Upgrade with customer configuration from Release 16.1R2S10.1 to Release
20.3.1 fails during migrate scripts because of QoS configuration. This issue
has been fixed.
55504
Create/delete device group is not notified over AMQP. This issue has been
fixed.
55520
If a device in the unknown device list tries to reconnect, a new task is
created. This issue has been fixed.
55655
Add support for circuit tag in Workflows > Template > interfaces > WAN
Interfaces.
55676
Under Entitle Management, end date calculation for a subscription is wrong.
This issue has been fixed.
56584
Director upgrade from Release 16.1R2S10.1 running customer snapshot fails
in Workflows module related to split tunnel. This issue has been fixed.
56777
In a multitenant deployment, monitor UI now displays location information
with access to the child organization.
57028
Free memory calculation is incorrect. This issue has been fixed.
57369
PPPoE WAN interface network is not added to traffic identification list during
template Workflow deployment. This issue has been fixed.
58484
When a user attempts to change their password multiple times, the user
account is not locked even after the number of incorrect password attempts defined in
max_login_fail_count in UserGlobalSettings. This issue has been fixed.
58749
In uCPE, add support to increase the secondary hard disk size to a
maximum of 512 GB.
58828
In some GUIs, time is not displayed in the local time zone. This issue has
been fixed.
59034
Local backups cannot be deleted using the Purge command. This issue has
been fixed.
59131
Add support to encrypt all passwords in device configuration.
59334
In Entitlement Management Query page, TotalActiveDays is not updated
properly. This issue has been fixed.
59426
Appliance location data type changed from varchar to text to accommodate
larger location values.
60505
validate.py script does not display the errors from the ha-pair-config-validation.py
script. This issue has been fixed.
60653
In the virtual router UI, changing the OSPF network returns the error “invalid
byte sequence for encoding UTF8: 0x00..”. This issue has been fixed.
60857
Stale entries in bind data cause Director upgrade from Release 20.2.2 to
Release 20.2.3 to fail. This issue has been fixed.
60954
Director upgrade from Releases 16.1R2S10.1/S11 to Release 21.2.1 fails
during migrate script because of an incorrect user role, with the error:
"Upgrade failed: Upgrade transaction failed to validate: /ncs:devices/device{DCA-Controller-01}/config/system/users{ab16399}/role (value "oper"):
oper user cannot land on shell (use 'cli' or 'none')". This issue has been fixed.
60991
When you modify the bandwidth in a Workflow template and apply the
changes, they do not take effect on existing SD-WAN branches. This issue
has been fixed.
61281
Add support for bandwidth limit configuration when uploading a package to a
branch or device.
61475
Add support in monitor screens for application identification.
62155
In an AWS SD-WAN gateway deployment, the DescribeInstances API call
may fail, with the error "instance ID does not exist". This issue has been
fixed.
62286
Redundant template deployment fails when you configure an AWS transit
gateway site-to-site or Azure Virtual WAN tunnel in a Workflow template. This
issue has been fixed.
62334
When you select multiple devices from a Director node to upgrade, if one
device is not reachable, the task is shown as successful in the progress
column. This issue has been fixed.
62346
Move Kerberos virtual URL configuration from captive portal to Kerberos
profile.
62352
If you add or remove a service template in a device Workflow or device
group, or make a configuration change in a service template, the template
state does not go out of sync in the commit window. This issue has been
fixed.
62375
Entitlement Management > License period is not updated after performing
Workflow organization deploy. This issue has been fixed.
62390
When you change the SSH host keys on a SteelConnect EX device,
subsequent requests to the SteelConnect EX device fail, with the error “SSH
host key error”. This issue has been fixed.
62412
Update software to reduce the number of system/details calls made to each
SteelConnect EX device in each polling cycle.
62557
NGFl service is not picked up from default-sng if the services field is empty.
This issue has been fixed.
62574
Reachable to unreachable state is not shown at least every 3 minutes. This
issue has been fixed.
62608
GUI cursor keeps spinning when a TenantSuperAdmin user who is logged in with email format as the username tries to change session timeout. This issue has been fixed.
62618
Template recreation fails when radius-shared-secret contains special characters, such as ";" which is a valid character. This issue has been fixed.
62709
Cannot save/deploy a Controller node after the Controller node is deleted
from the appliance listing screen. This issue has been fixed.
62790
EXTERNAL_USER.log shows bearer token instead of username. This issue
has been fixed.
62900
Remove per-organization subscription details from the Entitlement Manager
summary page.
62923
In Director GUI, cannot add VLAN to LAN interface on CPE with DF error. This
issue has been fixed.
62952
Template regeneration fails when TACACS+ key is parameterized. This issue
has been fixed.
63011
Add template sync status to tool tip for an appliance on Appliance Listing
screen.
63142
Commit template should not send an email when commit template is set to
schedule it now. This issue has been fixed.
63145
Proxy authentication is not working for SPack download. This issue has been
fixed.
63185
When user creates new device Workflow and clicks Cancel at bind data, the
user cannot create a new device Workflow with the same name. This issue
has been fixed.
63206
Local CMS organization update might fail for tenant superadmin user. This
issue has been fixed.
63241
After you upgrade to Release 20.2.3, the bind variables of a service template
that were attached to all the devices using it are no longer present in the
device bind-data tables. This issue has been fixed.
63249
When using the vnms-startup.sh script that is non-interactive, the system
addresses are taking the docker IP address when no southbound interface is
provided. This issue has been fixed.
63298
LAN routing instance is provisioned incorrectly for TVI interface for GRE-based
tunnels when the tunnel start endpoint is LAN network instead of WAN
network. This issue has been fixed.
63316
Bind data variable for BGP local AS in Workflow template for IBGP is not
populating in the device. This issue has been fixed.
63328
Enabling IPsec for HA secure communication generates unwanted
configuration, leading to an IPsec failure. This issue has been fixed.
63382
In Releases 20.2 and 21.1, files are not correctly copied in
/var/versa/packages/spack/current/config/. This issue has been fixed.
63397
Redistribution policy Default-Policy-To-BGP on DMZ-VR (not VRF) is not
created when you select ST with either DIA or gateway option. This issue has
been fixed.
63430
After you delete a device from a Workflow, the device global site ID is not
freed. This issue has been fixed.
63455
During URL ZTP, the email notification may not be sent. This issue has
been fixed.
63500
Tenants deleted from a branch are still listed in the appliance listing screen.
This issue has been fixed.
63525
WPA password or RADIUS shared secret key in Workflow device bind data
is not encrypted. This issue has been fixed.
63589
Director failover operation results in application timeout. This issue has been
fixed.
63607
Editing WAN circuit tag does not work. This issue has been fixed.
63610
Do not add the default configuration of Layer 2 learning in Workflow
templates. This configuration is not needed.
63649
When creating a WiFi template, you can configure a different country for both
radios in the wireless configuration. This issue has been fixed.
63714
You cannot delete multiple static routes from the GUI. This issue has been
fixed.
63725
Add support for OOKLA speed test from the GUI.
63761
Add support to configure software package upload time under device group.
63769
NullPointerException is seen when you commit a shared service template
associated with device group and device level. This issue has been fixed.
63897
Kafka/AMQP message publishing should happen using a separate event bus
to handle unreachable or slow brokers. This was impacting ZTP task
creation. This issue has been fixed.
63941
Changing the Director timezone causes incorrect timestamp to display in
many listing screens. This issue has been fixed.
63977
Creating an AWS Transit Gateway or Azure Virtual WAN tunnel with
redundant template creates duplicate tunnels for the primary and redundant
templates. This issue has been fixed.
64035
In the entitlement manager, a solution tier modification is not
updated using the Workflow template. This issue has been fixed.
64040
Invalid CSRF token message is displayed during sync-from, sync-to, and
bulk sync-from. This issue has been fixed.
64111
Deleting the SSO configuration might not work properly. This issue has been
fixed.
64169
Director backend has WPA password in encrypted text, but returns it in
cleartext to Workflow template API call. This issue has been fixed.
64170
The AWS DeleteOnTermination flag for EBS volume should be set as True
during SteelConnect EX deployment using CMS connector to make sure that
stale volumes are not present in the cloud. This issue has been fixed.
64248
SMS messages sent using the SteelConnect EX account are rate-limited. This
issue has been fixed.
64291
OS SPack download task is generated with no description. This issue has
been fixed.
64330
TenantSuperAdmin user cannot download OS SPack on appliance page.
This issue has been fixed.
64342
PSQL database password change command does not work. This issue has
been fixed.
64362
Unable to log in as tenant user when single-idp-connector type selected. This
issue has been fixed.
64363
For an incremental SPack upgrade, director.json and other xml files are not
copied when incremental SPack is installed via REST API call with update-type
"incremental" (in lowercase letters). This issue has been fixed.
64365
ZTP might fail, with a socket close error. This issue has been fixed.
64366
PPPoE password on appliance is now encrypted during communication
between the Director node and the appliance.
64373
Upgrading a Director node to Release 21.2.1 fails, with the error "failed to
execute migrate script sysusers.lua". This issue has been fixed.
64376
RMA skips upgrade/downgrade and continues with RMA process when
software version is blank for existing device, but it prints proper messages in
the task. This issue has been fixed.
64426
Include c5a instance type during device deployment on AWS using CMS
connector.
64427
Static route screen shows invalid IPv4 or IPv6 address/prefix error for a valid
destination. This issue has been fixed.
64467
Template automerge operation may remove configuration added at the
template configuration level when recreating the template after adding DNS
policy rule. This issue has been fixed.
64479
Unable to ZTP to a device running Release 20.2.2 when Controller and
Director nodes are running Release 21.2. This issue has been fixed.
64497
When you delete a Controller device in the GUI, peer controller information is
not removed from the database. This issue has been fixed.
64603
Resource groups are not listed during the creation of Azure Virtual WAN
tunnels. This issue has been fixed.
64614
Allow only GET and /api/*/actions/* POST APIs. Reject other POST, PUT
and DELETE APIs with appropriate error message from standby Director.
64664
Workflow templates deployed with duplicate name as redundant pair are
corrected or flagged by validate.py script. This issue has been fixed.
64675
Local user information is pushed only to devices that are in the device group
associated with the first template. This issue has been fixed.
64713
Login, logout, and change password time are not captured in the audit log.
This issue has been fixed.
64807
TenantSecurityAdmin users cannot download OS security package. This
issue has been fixed.
64816
Cannot remove Analytics cluster or all user-supported roles from Workflow
organization after redeploying the organization. This issue has been fixed.
64828
In Entitlement Query, rename column State to Event.
64862
Search does not work for Configuration > Objects > VPN Profiles GUI. This
issue has been fixed.
64872
After you modify the organization from a template, virtual switches are not
populated because the backend sends the previous organization. This issue
has been fixed.
64882
Device upgrade might get stuck at 70% even if upgrade is successful. This
issue has been fixed.
65064
Cannot see bind data for more than 100 devices in a single device group.
This issue has been fixed.
65069
Autogenerated bind data IKE identifier is not updated. This issue has been
fixed.
65257
No data displays on Services > Monitor screen. This issue has been fixed.
65260
Audit logs are not reported for any of the operations performed by the local
provider-level users. This issue has been fixed.
65335
Import workflow device is deploying devices without bind data variables. This
issue has been fixed.
65365
Cannot delete service chain template in Workflows. This issue has been
fixed.
65386
Variable bind data loads slowly after being deployed from a device Workflow.
This issue has been fixed.
65517
Current user cannot make changes to the branch when the branch is locked
for other users. This issue has been fixed.
65646
Cannot commit to multiple devices because of the task description length.
This issue has been fixed.
65650
Incorrect configuration under device context when bootstrap fails. This issue
has been fixed.
65683
Replacing an appliance with new serial number incorrectly updates
lastModifiedBy field with null value in Workflow device. This issue has been
fixed.
65696
Deploying application template by TenantSuperAdmin on Workflows >
Template > Application Steering may fail. This issue has been fixed.
65718
After HA failover, cannot receive alarm emails. This issue has been fixed.
65735
User authentication now fetches HA status from cache instead of from NCS
to improve performance and avoid resource-denied NCS issue.
65753
Enable suspend-backup-collectors as default in Workflow templates.
65774
Update CPE ports object on firewall rule in controller. Remove port 4000.
65775
Error occurs when pushing post-staging template for hub and spoke. This
issue has been fixed.
65793
Workflow device deploy using CMS connector does not work in Azure China
region. This issue has been fixed.
65818
SD-WAN policies created by Workflow must add action. This issue has been
fixed.
65831
Changing SiteId from Workflow devices is shown in the inventory but not on
the GUI appliances screen. This issue has been fixed.
65850
After ZTP, appliance shows incorrect subscription state as created in
entitlement screen under appliance context. This issue has been fixed.
65960
Upgrade to Tomcat 9.0.43.
65992
Default spring-boot tomcat thread-pool size for ports 9182, 9183, and 8090 is
configured incorrectly in application properties. This issue has been fixed.
35962
Update third-party libraries to address vulnerabilities reported by OWASP
dependency check tool.
38387
During HA enable operation, task popup disappears from the window before
displaying the success prompt. This issue has been fixed.
39367
Add GUI support for displaying PoE statistics.
40103
Remove keepalive timeout for IPsec from CLI and GUI.
42113
Under Device Templates in the Peer IP field, the + icon and parameterize
icons are not aligned. This issue has been fixed.
45613
Add support to set and match BGP community in the old format, that is, as a
4-byte number.
45739
Fix OSPF clear neighbor operation in the GUI.
45901
Add GUI support for Director SPack upload and installation.
47699
Add pagination support for IGMP Group Monitor screen.
47781
Add GUI support for search for Spoke Group screen.
47929
Add support for health check for a standby interface.
48207
Asset Inventory does not display a count of Hub-Controllers (under both
Summary and Details). This issue has been fixed.
48421
Add support for bulk delete operation for syslog servers in templates
configuration.
48481
Fix GUI to gray out code field under DHCP custom options if vendor ID is
selected.
48490
Fix Add Appliance screen in Administration tab.
48606
Fix GUI tool tip to show "Undefined" for Director and Analytics Cluster in
Monitor > Provider-org > Summary > Asset Inventory.
49322
Add GUI support for Platform > Management Port > Usage Model.
49632
Add parameterization for routing instance in security package update
configuration.
50611
Add parameterization for prefix under BGP route aggregation.
52518
Fix to display Director HA critical alarms in notification popup.
54327
Disable No Summaries option for OSPF3 Area 0.
56092
Rename whitelist/blacklist to allowlist/denylist in URL Filtering screen.
56175
In Filtering Profile screen, change incorrectly named Authentication profile to
Cloud profile.
58351
Enhance traceroute to support ICMP and TCP probes.
59621
Add GUI support for Layer 2 services.
61617
Add support for IPv6 options on the LTE interfaces vni-0/100 to vni-0/103.
62418
Add new option in uCPE screen to enable and disable multiqueue settings
for the VM.
62801
Networks and subinterfaces values are shown incorrectly under
Administration > Organizations > Associations. This issue has been fixed.
62933
Remote server exception issue seen when editing global router. This issue
has been fixed.
63380
Fix to allow only FIPS-compliant ciphers when FIPS mode is enabled.
63596
Fix issue seen while modifying the configuration of routing instance for
speed-test server.
63671
Add support for 10 domains in RAS VPN profile.
63776
Add Director support for secure access server group configuration.
63804
packet-padding-size IMIX is not reflected in show commands. This issue has
been fixed.
63895
Enhance Appliance System configuration GUI screen to allow configuration
of health object parameters.
63915
Implement LEF-logging configuration under WLAN so that WiFi LEF logs are
sent based on user configuration.
64012
Add BGP prefixes for Layer 2 VPN EVPN screens under monitor screen.
64040
Fix invalid CSRF token message seen during sync-from device.
64111
After you delete all SSO configurations, SSO link is now disabled from the
login page.
64211
GUI shows error incorrectly as [Object,Object] in task window during replace
appliance operation. This issue has been fixed.
64249
Cannot edit or delete SNMP communities, USM, and trap profiles configured
with special characters. This issue has been fixed.
64316
When authentication control dot1x was opened and clicked, dynamic VLAN
is disabled. This issue has been fixed.
64318
Fix search operation for Application Steering screen.
64323
Fix search operation for Disabled Access Policy rules.
64337
Organization selection is not maintained when moving from objects to
services. This issue has been fixed.
64343
Search in DoS policy rules screen does not work for values other than rule
name. This issue has been fixed.
64355
For IP SLA monitor of subtype ha-probe, change interval default to 1 second.
You cannot change the default.
64361
Neighbor peering is not starting when RIP instance or group password is
enabled. This issue has been fixed.
64371
Fix failure in security package screens for TenantSuperAdmin and
TenantSecurityAdmin.
64410
Add search bar for DoS profiles screen.
64411
GUI gets stuck when navigating from NTP screen to Objects/Services page.
This issue has been fixed.
64437
In BGP, share-aro is enabled if you open advance tab under peer-group
twice, and vice versa.
64446
Add select index for routing instance field under Configuration > System > Security Update > Automatic.
64460
Fix search operation on domain name server screen.
64462
When you select the radio button from the popup to search on VRRP Group
screen/interfaces screen, it does not go away with one click/enter option.
This issue has been fixed.
64468
Creating a new DDoS profile from DoS Policies > Edit DoS Rule > Enforce >
Aggregate Profile > +Add New, selects aggregate profile by default, and vice
versa, for classified. This issue has been fixed.
64492
Fix sorting on DDoS profiles screen.
64532
Fix missing instance ID in spanning-tree details screen from the second row
onwards.
64535
Fix issue seen when updating the transparent proxy match rule configuration.
64550
Form landing is incorrect for the decryption profile. This issue has been fixed.
64559
Rule enable/disable option is not available for traffic monitoring in device
configuration page. This issue has been fixed.
64566
Add GUI support to add destination zone as match condition under SD-WAN
policy screen.
64580
Some information is not same on Administration page card view and list
view. This issue has been fixed.
64581
In CGNAT rule screen, source and destination range is not mandatory, but
empty list is sent in payload, causing issue in template commit. This issue
has been fixed.
64584
LLDP always shown as true in GUI even after you disable LLDP globally.
This issue has been fixed.
64589
Correct name for global routing instance while adding DNS to be Global.
64596
Fix console error when you try to click on site configuration under Services.
64618
Enable caching mode for all profiles types, including local database, LDAP,
Kerberos, SAML, and certificate authentication profile.
64639
When you add a static route with same gateway/next-hop IP address, GUI
rejects configuration as a duplicate record. This issue has been fixed.
64640
Fix issue in the rearranging templates in the device service templates screen.
64651
VRRP Group ID and Interface are swapped in the VRRP Table. This issue
has been fixed.
64652
Template workflow is not working properly for redundant pair cross-connect
interface for vni0/2 or greater. This issue has been fixed.
64659
Add parameterization for Certificate Authentication Profile in template.
64669
Fix error in console while clicking redeploy button in organization Workflow.
64671
After committing the BGP general password, you cannot use the BGP GUI
without modifying the BGP general password. This issue has been fixed.
64694
Fix issue in HA template screen in which recreate button was not working
after re-opening.
64697
NTP configuration screen is not showing interfaces with units. This issue has
been fixed.
64724
GUI is showing incorrect details in SAs in Monitor > Services > IPsec > SA
screen. This issue has been fixed.
64728
If the appliance count is more than two digits, the number alignment was
incorrect under System Summary. This issue has been fixed.
64740
When you try to add or edit decryption server profiles, error 500 is seen. This
issue has been fixed.
64744
Under Configuration > Networking > PBF > Policies screen, the column
header Status has been changed to Rule Status.
64757
In GUI, creating a new vendor catalog did not indicate any process of adding
the new one. This issue has been fixed.
64766
Implement rule insertion for QoS policy, App QoS policy, PBF policy, and
DNS proxy screens.
64797
Add Director GUI support for per-interface (SD-WAN) PMTUD interval.
64810
File type qcow2 is not passed in the payload when creating a new vendor
catalog. This issue has been fixed.
64849
Fix clear command for the SSL History Monitor screen.
64859
Default zone protection scan interval in GUI changed from 300 seconds to 30
seconds.
64875
Rename SLA Dampen labels to SLA Damp.
64880
Fix issue seen in parameterization for vni under bridge domains.
64923
Fix incorrect message for predefined application groups.
64942
Add parameterization for weight under BGP peer group and under routing
peer policy.
64943
Add parameterization for community in peer/group policy under match/action
and under redistribution policy.
64945
Caching mode is always set as IP-based when you select local database or
LDAP profile in authentication profile. This issue has been fixed.
64958
Change column name from Status to Rule Disabled in secure access portal
and gateway rules screen.
65065
Add support to display audit logs under Administration > Troubleshooting
screen.
65070
Captive portal is not displayed as a part of secure access. This issue has
been fixed.
65071
LDAP user/group is not fetched in Secure Access portal and gateway policy
in template. This issue has been fixed.
65175
After changing device ID for an existing device from workflows, user-defined
bind data disappears when user attempts to redeploy a device.
This issue has been fixed.
65198
Disable virtual service option was checked when controller is deployed but
service is not actually disabled. This issue has been fixed.
65222
Tunnel interfaces that you add manually as type IPsec display as Down in
monitor GUI when the interface is actually Up in appliance CLI and Director
live status CLI. This issue has been fixed.
65229
Jitter value in SLA profile is shown in percentage. This issue has been fixed.
65230
Users cannot create mac-address object with only wildcard mask. This issue
has been fixed.
65235
OK button is not working while creating a device after filling bind data
information. This issue has been fixed.
65247
Add parameterization for keytab field in Kerberos profile in template.
65249
Add parameterization for virtual URL field in Kerberos profile in template.
65267
Fix GUI alignment issue when trying to create address group from IP filtering
profile.
65299
In Secure Access Configuration screen, add the option to display how many
characters can be typed for a string variable and the current length of the
string typed.
65317
Fix cosmetic issues on File Filtering Profile screen.
65364
Vertical line is seen over the [+] icon in Add Rule window for Source/
Destination and Application/URL tabs. This issue has been fixed.
65406
Regex pattern validation is missing in post-staging template under custom
URL category. This issue has been fixed.
65431
Add support for Layer 2 services in Monitor Screen.
65458
When device is already deployed, GUI grays out changing tenant name in
workflow device deploy. This issue has been fixed. You can now change the
tenant name in device deploy Workflow.
65495
Remove OK button in Decryption Settings screen for TenantOperator user.
65549
Add support for secure access gateway and portal policy in Monitor Screen.
65576
Fix GUI issue in requests screen in Certificate Manager under Objects and
Connectors.
65578
Tenant selector does not display when user switches from one tab to other in
configuration page. This issue has been fixed.
65598
Add pagination on Security Profiles > DNS Filtering page for Device
Templates/Service Templates.
65610
Add Director GUI support for new security algorithms.
65628
Remove Dual Tunnel from Gateway General page.
65631
Remove mandatory restriction for IP address in LDAP profile.
65645
Fix to allow maximizing Director task window.
65649
Templates attached to device groups are incorrectly added to Device Service
Template. This issue has been fixed.
65658
Cannot select firewall service for fifth tenant when workflow template
resolution is set to 1366 x 768. This issue has been fixed.
65661
Server configuration cannot be updated when IP address is not configured in
LDAP profile. This issue has been fixed.
65666
Fix SD-WAN rules output in application monitor.
65679
Fix for password field that was displayed in clear text when logging into
SteelConnect EX Director.
65682
Fix for GUI issue that caused multihoming under Aggregated Ethernet
interface not to work.
65738
Cannot update client CA Chain in Certificate Auth Profile. This issue has
been fixed.
65779
Cannot configure loss as dotted decimal in SLA profile. GUI was pushing
only integer values. This issue has been fixed.
65807
Add support for LLDP statistics in Monitor screen.
65817
Fix incorrect staging pool restriction for Hub-Controller nodes.
65857
Remove availability requirement field from Server pool tab.
65881
VLAN ID is enabled when trunk is configured as interface mode. This issue
has been fixed.
65884
Shared control plane field overlaps with organization field. This issue has
been fixed.
65894
Fix parameterized values update and validation issue in ILC.
65916
Fix issue in BGP advertised routes that was showing incorrect subnet mask
for the advertised prefix.
65948
Cloud profile type is now mandatory field in cloud profile page.
65966
Network addresses are accepted in the dstAddrIpv4 and srcAddrIpv4 fields in
the bind data in IPsec section.
65980
Fix Eye icon in login screen so that it does not display password in clear text.
66017
Fix typo in CPE Public Cloud workflow.
66134
Add validation for encrypted keys in template configuration before committing
via apply Template to device.
64773
Device deploy with redundant template having site-to-site tunnel for tunnel
gateway or Virtual WAN does not create tunnel objects. This issue has
been fixed.
64598
Release 21.1 Director pushes incorrect PSK key to Release 20.2.x devices when applying a template to a mix of Release 20.2.x and Release 21.1 devices. This issue has been fixed.
62422
Add user account type SERVICE/GENERAL to allow customer to use user
accounts only for Rest APIs and disallow GUI login.
60805
Fix RBAC cache issues in failover.
59969
Add sort-by name functionality in the Controller listing screen.
61492
Fix issue in which device software version in postgres was set to blank for
devices that were down. This was affecting RMAs.
66040
Fix issue to support IDP and local SSO logout for SteelConnect EX Director
and Analytics.
63987
Remove wait time when stopping appliance monitoring thread, and configure
the scheduler to run the threads efficiently. This important fix allows a
scale setup to run the appliance monitoring efficiently.
59207
Fix issue with sync status when parallel requests made to push configuration
in Appliance view.
62205
Fix issue with uCPE VNF creation task when the template is committed to
the device from the Diff View screen.
58477
Add support for federated SSO logout and to show custom login page after
SSO logout.
60160
Fix issue with publishing appliance generated alarms to Kafka topic and AMQP server.
59464
Devices under Monitoring and Configuration tabs are not shown after HA
failover. This issue has been fixed.
58921
Cannot export SteelConnect EX SSO SP metadata from SSO screen to
upload to external IDP. This issue has been fixed.
64445
Fix XPath injection vulnerability that was found in appliance APIs.
64443
Fix information disclosure vulnerability that was found in appliance APIs.
60156
Change SSO SAML samlp:RequestedAuthnContext method from Exact to
Minimum to allow multifactor IDP login authentication.
64442
User Enumeration vulnerability seen with user read/creation/update/deletion
and change/reset password and unlock user account APIs. This issue has
been fixed.
65860
LDAP bind password decryption error seen in template/appliance context.
This issue has been fixed.
Many
As part of many bug fixes, many fields that define appliances are now
encrypted when they are sent to appliances, including BGP, OSPF
passwords, SNMP user passwords, and the MDM profile client secret.
Fixed Bugs in Release 21.2.2
The following table lists the critical and major defects that were fixed in Release 21.2.2.
Tracking Bug
Description
43606
Fix drop-down compatibility issues in Firefox browser.
48020
Director uptime screen now reflects timezone data properly.
48033
Fix values shown for source network field on NTP page.
48973
Fix vulnerability regarding HTTP host header injection.
51468
Fix navigation glitches from authentication policy rule screen on address group screen.
52518
Director notification popup now shows different HA alarms, including
HA-SLAVE-DIED, SLAVE-DIRECTOR-OFFLINE, and SLAVE-INCORRECT-MODE.
54132
Fix incorrect template status on Apply Template screen.
57028
Fix incorrect values for free memory in System Details card on Monitor screen.
57693
Fix apply template failure when description field contains the quotation (").
58050
Add parameterize validation when field has values such as {$v
62949
Add support for configuring the RADIUS and TACACS+ timeout.
62998
Fix IPv6 VRRP screen for parameterizing variable limitations.
63854
Add support for reordering rules in secure access portal and security gateway policies.
64330
TenantSuperAdmin can now download OS SPacks.
64337
Organization context is now maintained when user switches to different tab under the
Configuration tab.
65069
Fix refreshing of autogenerated bind data values when device workflow name
changes.
65658
Fix template workflow resolution issue that was preventing the user from seeing drop-
down values.
65818
Default action is now set for policies added by template workflow.
65964
Director UI does not validate and provide feedback to user if there are errors in adding
a user on the User Management screen.
66020
Fix element order issue during apply template.
66061
Fix issue that TenantOperator user cannot view device workflow object content.
66257, 66263, 66442
Fix search functionality in Profiles > DHCP and Services > SD-WAN > Controller,
Authentication policy rules pages.
66416
Add support for external auth user to take Director snapshot.
66417, 66418
Fix corner cases while taking Director snapshot.
66582
Add encryption-proto support in workflow template.
66668
Add support to show statistics per traffic class or per forwarding class on Monitor >
Networking > CoS > Interfaces > Detail/Extensive screen.
66965
Destination IP address and port fields can now be parameterized on log collector
screen.
66983
Fix issue of tenant users removing subscription from their own organization when saving it.
67008
Fix to set the correct username for a task.
67305
Fix intermittent LDAP user and group fetch issue.
67327
Fix CGNAT configuration issues when LAN Interface is part of the provider
organization.
67582
Fix issue that an organization cannot be deselected if service templates are
associated with that organization on the Device Group screen.
67603
TenantSuperAdmin is now allowed to perform sync-from operation.
67628
Fix task messages for bulk SteelConnect EX device upgrade.
67677
NPE now does not generate an error if an HA pair site location in the asset table is
empty.
67758
DSL interface and PPPoE username and password fields can now be parameterized.
67783
Service template bind data is now cleaned up when user deletes a service template
from a device group.
67905
Increase FD limit for Director process.
67949
Fix disabling of OK button until the data is loaded on the VR page.
67965
Device name field now has uniform name for Director-generated alarms.
68006
Honor release date in the package to select the latest image during bootstrap of SteelConnect EX device.
68041
Add support for editing OS SPack settings.
68064
Fix cross-connect select and deselect issues in template workflow for redundant templates.
68104
Fix HTML tags in message body of notification rule.
68231
Add GUI option to restrict routing and connectivity across regions.
68271
Fix CA chain certificate expiration issue in the UI.
68363
User can now make NMS action API calls with external OAuth token.
68372
Monitor screen now supports Layer 2 SD-WAN SteelConnect EX device traffic.
68718
Custom user role can now create NTP server instance.
68847
Fix to pick correct Trusty/Bionic SteelConnect EX software image while pushing image to SteelConnect EX device.
68914
Add support for deleting VRFs from the spoke group screen.
68923
NAT traversal configuration is added incorrectly when user modifies data on WAN Interface window.
68978
Fix HA template and Layer 2 interface configuration issue in template workflow.
68996
Fix monitor dashboard LTE display screen.
69246
For the Ubuntu 18.04 OS, if isolate-CPU is enabled on Rangeley CPU-based system, the services sometimes fail to start.
69314
SNMP trap profile does not allow the ‘.’ (dot) character. Only these special characters
are allowed: _ # = + ^ $ @ : . { }',
69491
Add support for DNS filters under configuration.
69555
TenantSuperAdmin can now see organization workflows that are in the saved state.
69590
Add pagination for Locked User screen.
69641
Fix duplicate key sdwan-post-staging issues on Device Group screen.
69808
Workflow > Templates > Site > Subscriptions > Solution Tier > Service Bandwidth
changes are now recorded in the audit log.
69859
Fix issue of IKE changing on Controller node while redeploying a device workflow.
69860
Path policy configuration now accepts free-form text.
69877
Fix hub template workflow.
69916
PPPoE service name now accepts special characters.
69949
After adding service chain under organization limits, service menu now shows correct
options for service chain template.
69987
Entitlement report does not take into account the license year when reporting peak
usage metric.
70002
Fix NGFW security policy rules filter issue.
70138
Changing IP address pool using docker-overlay-config.sh now prompts for
confirmation to restart service.
70234
Add support for URL ZTP over xDSL interfaces.
70284
Per-user policies now are enabled when rate is parameterized.
70313
Fix sorting functionality for System Summary tables on Monitor screens.
70318
Fix download merge configuration issue on commit template screen.
70336
BGP, IKE, and paths on monitor page now show correct data after deleting
SteelConnect EX device.
70338
Add support for user type data for IP-SLA Monitor next-hop fields.
70342
Fix for notification rule payload not having phone number.
70368
Fix issues with importing service template configuration.
70394
Asset summary now shows count for service VNFs.
70441
Suppress unwanted logs while fetching get-vnms-ha details from standby Director
node.
70459
Fix incorrect security package information on monitor screen.
70526
Fix RMA issue when encryption is enabled on Director node.
70560
Fix for calling uCPE VNF operation each time a service chain template is committed.
70585
Fix display of common template address group objects in device template.
70613
TLS v1.3 configuration in Proxy Profile window is not activated.
70647
Fix display of overlay address schema popup if controller already exists in the system.
70649
Fix units in Live monitor graph on monitor screen.
70656
Fix for template failing to add WiFi interfaces when the security mode is none.
70659
Service template references are now removed from device workflow when service
template is deleted.
70661
Fix corner cases when user opens existing device workflow objects.
70789
Add ability to configure port number on secure-access server screen.
70790
Add ability to configure port number in server group URL on secure access
server screen.
70814
Fix DHCP mapping file upload issue.
70845
Option to configure custom block action under captive portal in a template is missing.
70857
Add per-user policers under class of service on monitor dashboard.
70932
Restrict TSA users so they cannot view other tenant appliances in IP SLA next hop UI
page.
70955
Fix IPv6 identification in Tools > Ping page.
70956
Allow parameterizing fields in prefix list on device template screen.
70957
Fix autogenerated values that were missing in a secondary Hub Controller.
71004
Allow more than eight interfaces in a Workflows template.
71006
RBAC-protect the nms/cloud/systems/getAllApplianceNames API call.
71083
Fix pushing default values along with user changes in the form.
71106
Make APN parameters for WWAN interface optional.
71210
Custom role user now can perform speed test.
71327
Fix bind data page to accept network address for IP address object.
71330
Fix issues with TenantSuperAdmin accessing appliance shell through GUI.
71386
Fix IP address and mask parameterized validation in service templates.
71471
Fix for duplicate key value violating unique constraint appliance_hardware_pkey error
while onboarding a SteelConnect EX device.
71477
TSA users can now take configuration snapshots of the common template.
71515
Fix the display of LEF profiles in secure access service templates that are configured
in common templates.
71522
Fix for TenantSuperAdmin failing to delete SteelConnect EX device.
71530
Fix special cases in SteelConnect EX Analytics cluster installation script.
71622
Fix issues on DHCP relay profile edit screen.
71623
POE warning prevents configuration of a VNI interface even when the POE attribute is
not enabled.
71638
Fix spoke group bulk deletion issue.
71665
Add support for Available Provider Organizations configuration on Org Limits page.
71685
Fix for scheduling image upload task messages that are not progressing.
71686
Fix for scheduling template issues when SteelConnect EX device not reachable and job triggered.
71749
Fix issues on Hardware UI page.
71757
Add support for the special characters “{”, “}”, “#” in the SNMP manager in Workflow
template.
71785
Fix for backup Director node not being able to take over as primary when port 5432 is
not available.
71812
Remove autoconfiguration and URI fields from WiFi screen.
71831
Fix for Workflow template going blank while removing suborganization.
71863
Handle automerge gracefully when preserve appliance changes is disabled.
71903
Fix for Director node loading page even after logging out of Director node.
71917
Fix Director login issue for Bionic images.
71944
Fix for reset button not working on monitor screens.
71977
Fix for showing empty content for File Filter field on monitor page.
71983
Fix filter on monitor screen when switching from Appliance > Configuration > Objects >
Addresses to the Monitoring tab.
72046
Fix for custom role tenant user not being able to log in to Analytics node from Director
node.
72070
Fix incorrect order of BGP policy terms after workflow template is redeployed.
72084
Add missing dot1p-rw-enable field under QoS profile.
72094
For virtual switches, MAC learning is now enabled by default.
72110
MTU for IRB can be now configured in UI.
72183
Fix creation of shared service and service template configuration objects.
72186
Fix template workflow blank screen issue.
72215
Fix Director rollback issue.
72305
Fix to reset local preferences for remote region hub.
Behavioral Changes
The following are behavioral changes in Releases 21.2.1 and 21.2.2:
• The CGNAT and DNS configurations are automatically added through template Workflows to support OOKLA-
based speed tests.
• The algorithm used to generate ptvi interface numbers in spoke template to hub controllers has been changed to
accommodate hub controllers with large device IDs.
• When you deploy a template Workflow, the implicit zones "remote-client" and "versa-speedtest" are created in the
templates.
• When you create or redeploy a template, the speed-test configuration is pushed to devices running previous
software versions.
• In Device workflows, when you create a new device, if you have navigated to the bind data tab and you want to
change the device name, cancel the popup and repeat the workflow again. This procedure ensures that the correct
automatic variable value is generated.
• The GET /nextgen/applicationserviceTemplate/sample/allSamples API call replaces the
GET /nextgen/applicationserviceTemplate/allSamples API call.
• Under Monitor > Tools > Ping, the default packet size value of 5 has been removed, and the input is now restricted
to positive, nonzero numbers. If you choose not to specify a packet size, a default value is provided.
• Under Monitor > Services > Services, the VPN Clients field has been renamed to Secure Access. The options that
were available under VPN Clients field are now available under Secure Access > IPsec Profiles.
• Under Monitor > Tools > Speed Test, the SteelConnect EX and Internet tabs are added. The options that were
available in the Speed Test field are now available under the SteelConnect EX tab, and the new OOKLA-based
speed test is available under the Internet tab.
• The Routing Instance and Interface drop-down fields are no longer available under SteelConnect EX speed test
configuration. Instead, you must select from a list of WAN networks, and the corresponding routing instance and
interface are automatically pushed along with the selected network name.
• HA-related critical alarms and disk usage-related alarms are shown as notification popups at the top of the GUI
when you log in.
• When a Netconf notification for an SD-WAN branch LTE-only transport is received from a Controller node, the alarm
is presented in the alarms GUI, and the branch is marked as being in the LTE-only state. When the device is
reachable and in LTE-only state, monitoring is suspended for a period of 2 hours, by default. (This time period is
configurable.) The LTE-only state is not obvious when navigating the GUI (it is seen only in alarms), but the
appliance status API can show the state.
Limitations and Known Issues
Limitations in Releases 21.2.1 and 21.2.2
• When you commit a template that contains service templates, you cannot see the devices to which the service
template is attached (at the device in Device Workflow) nor the devices to which it is not attached (in the Device
Group).
• If device deployment fails for an active-active scenario, the paired site ID is never generated correctly.
• If you remove a link monitor from a WAN interface in the Workflow template and then commit the template, the
existing configured monitor is removed. (Bug 65897).
• The Director GUI may not open on Safari and macOS 10.15, because the self-signed certificates that were used
previously are not compatible with the new security requirements of the Apple Safari browser.
To install self-signed certificates, run the following commands:
sudo su - versa
cd /opt/versa/vnms/scripts/
./vnms-certgen.sh --san example.com --san test.example.com --overwrite --storepass "password"
To install CA-signed certificates, regenerate the CA-signed certificates so that they honor the new security requirements:
sudo su - versa
cd /var/versa/vnms/data/certs/
keytool -import -alias tomcatserver -file {CA_CERTIFICATE}.cer -keystore tomcat_keystore.jks -storepass password
Then, synchronize the new certificate to all the Analytics nodes using the following script, which is located in the
/opt/versa/vnms/scripts directory:
./vnms-cert-sync.sh --sync
• If you do not enable proxies with HTTP 2.0 and TLS 1.2, browsers fall back automatically to use HTTP 1.1. In the
newer version of Tomcat, HTTP 1.1–based REST API calls with large payloads might fail, because not all the
payload is provided to the backend server. This issue is observed intermittently with configuration diff windows in
template workflow and template commit to appliances.
• When you commit a template, the Director node may display an error when one of the interface description text fields
contains multiple quotation marks (Bug 57693, Bug 58568).
• When you create device workflows, if you want to change the name of the device after navigating to the bind data
tab, cancel the popup and then recreate the device. This procedure ensures that the variables are autogenerated
properly.
• When you deploy paired devices, if deployment of the first device fails but deployment of the paired device
succeeds, and you want to redeploy the failed device, manually copy the paired location ID from the paired
device to the failed device and then redeploy the first device.
• For Release 21.2.2, central authentication is not fully implemented and there are a few limitations with the feature,
including:
◦ You cannot use SSO as central authentication.
◦ You must perform user operations such as updates and password resets on the central Director node.
Enable HTTP 2.0 on Proxies
In Release 21.1.1, the Director web server (Apache Tomcat) was upgraded to support HTTP 2.0, also called HTTP/2 or
H2. Newer versions of Chrome and Firefox browsers automatically take advantage of the HTTP/2 protocol when
supported by the web servers.
If an HTTP proxy, such as a load balancer, HAProxy, or NGINX, is deployed between web clients (browsers) and a
Director node, you must enable HTTP/2 with TLS 1.2 on the proxy with the following cipher set:
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
When users access the Director node using secure proxies, such as ZScaler, either the proxy's inspection of the
sessions to the Director node must be bypassed, or the proxy must be enabled with the HTTP/2 and TLS 1.2 protocols
and the above cipher set.
After you update the configuration on the proxy to enable HTTP/2, use the browser's Dev/Inspect tools to verify that the
browser is using the HTTP/2 protocol:
1. On the Director login page, right-click and select Inspect to display the Dev/Inspect tools. The following screenshot
shows how to do this in Google Chrome:
2. In the Inspect window, select the Network tab.
3. Right-click the column selector and select Protocol to display the Protocol column.
4. Reload the portal page and check the Protocol column for the H2 protocol (for the API calls made to the server).
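The same check can be made from a command line against the proxy itself. The following Python script is an added example and is not part of the Riverbed documentation or software: it performs one TLS handshake, offers both h2 and http/1.1 as a browser does, and compares the result with the HTTP/2, TLS 1.2, and cipher requirements listed above. The script name check_h2.py and the host director.example.com are placeholders.

```python
import socket
import ssl
import sys

# IANA names from the release notes mapped to the OpenSSL names Python reports.
REQUIRED_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}


def evaluate(alpn, tls_version, cipher):
    """Return a list of findings; an empty list means the requirement is met."""
    findings = []
    if alpn != "h2":
        findings.append(f"ALPN selected {alpn!r}, not 'h2': clients fall back to HTTP 1.1")
    if tls_version != "TLSv1.2":
        findings.append(f"negotiated {tls_version}, expected TLSv1.2")
    if cipher not in REQUIRED_CIPHERS.values():
        findings.append(f"cipher {cipher} is outside the required set")
    return findings


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with the proxy and return (alpn, tls_version, cipher)."""
    # Certificate verification stays on; pass cafile for a private or self-signed CA.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the notes call for TLS 1.2
    ctx.set_alpn_protocols(["h2", "http/1.1"])    # offer both, as a browser does
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol(), tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Usage (placeholder names): python3 check_h2.py director.example.com [port] [ca.pem]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    result = probe(host, port, cafile)
    problems = evaluate(*result)
    print("negotiated:", result)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

A handshake error instead of a result means the proxy and the script share no TLS 1.2 cipher or the certificate did not verify against the supplied CA file.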
Request Technical Support
To request technical support, go to https://support.riverbed.com. If you are contacting support for the first time,
register and create an account. You can also send email to [email protected] or contact your Riverbed sales
account team.
Riverbed and any Riverbed product or service name or logos used herein are trademarks of Riverbed Technology. All other trademarks used herein belong to their respective owners. The trademarks and logos displayed herein may not be used without the prior written consent of Riverbed Technology or their respective owners.