TNSR 22.10 Release Notes

About the TNSR 22.10 Release

This is a regularly scheduled TNSR software release including new features and bug fixes.

TNSR 22.10 revision 2

There is a minor revision to the initial release, TNSR software version 22.10-2. This revision corrects update URLs in the ISO image and includes an OpenSSL security update.

Note

This is not a point release or new full release, but a rebuild of TNSR 22.10 to address errata.

For users already running TNSR 22.10-1, use the "Updating via the shell" method to pull in the latest updates for Ubuntu and TNSR to get 22.10-2. Afterward, use the following command to ensure key TNSR packages are updated to the latest revisions:

$ sudo apt install tnsr=22.10-2 tnsr-dataplane-netns=22.10-2

This does not apply to users upgrading from 22.06 to 22.10-2 as that process will pull in the latest version of the packages automatically.

General

Changes

Changes in TNSR software version 22.10

ACLs

  • Added: Include clixon show acl output in tnsr-diag [8957]

CLI

  • Changed: Remove deprecated CLI commands from 22.06 release [7909]

  • Fixed: BGP as-path objects cannot be deleted from the running configuration [8382]

  • Fixed: Incorrect CLI commands generated for trace match UDP port configuration output [8397]

  • Fixed: CLI ospf and ospf6 modes do not offer names of route-map entries for help list or tab completion [8988]

DHCP Client

  • Fixed: Default gateway received via DHCP is not added to the routing table when the interface uses a non-default VRF [7254]

  • Fixed: Changing VRF for an interface configured as a DHCP client does not trigger dhclient restart [8689]

Dataplane

  • Fixed: Multiple large routing table insertions crash VPP [8286]

  • Changed: Update VPP to 22.06 stable branch [8437]

  • Changed: Set vfio-pci as default UIO driver on AWS [8483]

  • Fixed: VPP crash with IPsec when using IPSECMB and 6 workers [8938]

  • Added: Option to enable interrupt mode for dispatching asynchronous cryptographic operations [9030]

General

  • Added: Script to backup/restore configuration and certificates (tnsr-backup) [4903]

  • Fixed: Cannot commit a candidate database which removes tunnel next-hop entries [8759]

IPsec

  • Added: Certificate-based authentication for IPsec [1105]

  • Added: Support for IPv6 IPsec tunnel endpoints [2396]

  • Fixed: Buffer exhaustion with TCP/UDP when using c62x QAT device prevents traffic from passing [6711]

  • Fixed: CLI requires integrity algorithm on IPsec tunnel using AEAD cipher when a PRF should be sufficient [6926]

  • Added: Support for ChaCha20-Poly1305 encryption with IPsec [8340]

  • Fixed: strongSwan and swanctl log errors about failing to load some modules [8914]

  • Changed: Update strongswan to 5.9.8 [9089]

Interfaces

  • Added: Support for interrupt mode on hardware interfaces [7802]

  • Fixed: Validation does not prevent setting interface MTU below 1280 when an IPv6 address is configured [8246]

  • Fixed: Interface link MTU can be implicitly decreased below 1280 when an IPv6 address is configured [8377]

  • Fixed: Remove unnecessary decap-next-node VXLAN option [8434]

  • Added: Support for new Intel i226 interface PHY identifiers in DPDK [8908]

  • Fixed: Interrupt mode state is not correctly reflected in Clixon [9033]

LACP

  • Fixed: LACP status includes incorrect PTX state values [8630]

NAT

  • Fixed: Value of “Last Used” field in output of show nat sessions verbose is expressed in seconds since VPP startup [8277]

  • Fixed: Endpoint Independent NAT mode is limited to 259 addresses in a NAT pool [8706]

  • Fixed: NAT pool content in show nat output is not in IP address order [8708]

Operating System

  • Changed: Upgrade TNSR base OS to Ubuntu Jammy 22.04.1 [8684]

PKI

  • Fixed: Validate PKI key names [8371]

  • Added: SSH key management [9036]

RESTCONF

  • Fixed: RESTCONF returns invalid JSON output for NTP state raw values [8347]

  • Fixed: Validate RESTCONF configuration database values [8370]

Routing

  • Fixed: Change made to a prefix list used in an OSPF3 route map does not affect redistributed routes [3644]

  • Added: Resource Public Key Infrastructure (RPKI) support for BGP [4349]

  • Added: BGP import vrf commands to import routes from another VRF [4763]

  • Added: Policy Based Routing (ACL Based Forwarding) [6782]

  • Fixed: Extended BGP community lists do not work as expected [7772]

  • Fixed: RPC error message when using exact prefix match in show route table command for non-existent route [8088]

  • Changed: Update FRR from upstream [8372]

  • Fixed: Route maps currently used by dynamic routing protocols can be removed [8387]

  • Fixed: OSPF server configuration incorrectly includes a redistribute ospf command [8426]

  • Added: Display table ID when looking up a route for a prefix [8482]

  • Fixed: Objects referred to by a route map can be removed [8489]

  • Fixed: Route map set aggregator as command does not function properly [8779]

  • Fixed: Route map set src option is not applied by FRR [8896]

  • Fixed: FRR daemon VTY address bindings are inconsistent [8901]

  • Fixed: All BGP neighbors reset when one is enabled or disabled with cluster-id set [9041]

  • Fixed: Unable to configure match community <comm-list-name> exact-match [9095]

Tunnel Protocols

  • Added: IPIP tunnel support [3904]

  • Changed: Support for WireGuard DoS mitigation and cookie processing in VPP [5825]

  • Fixed: Only the first peer in a WireGuard instance functions properly [8106]

  • Fixed: Incorrect UDP checksum of IPv6 WireGuard packets [8163]

  • Added: WireGuard remote access and roaming support [8339]

  • Fixed: show tunnel next-hops accumulates duplicate entries when the dataplane restarts [8618]

  • Changed: Improve error processing in WireGuard backend code [8671]

  • Fixed: VPP crashes while editing an IPIP tunnel if there is an IPv6 tunnel next-hop configured [8776]

  • Fixed: WireGuard handshake packets can be sent when the tunnel interface is down [8780]

Known Issues

Known Issues in TNSR software version 22.10

BFD

  • Unable to set up delayed option for an existing BFD session via REST [2709]

  • IPv6 session is not restored when virtual direct link gets disabled/enabled [4916]

  • TNSR cannot commit configuration candidate database loaded from a file if it contains a BFD session for an interface that does not exist [7150]

Bridge

  • Bridge domain ARP entries cannot be displayed via CLI [2378]

  • Bridge domain ARP entries cannot be removed via CLI [2380]

  • Bridge domain mac-age value cannot be removed via CLI [2381]

  • Bridge domains and split-horizon groups are not functioning properly [5500]

  • Bridging fails with virtual interfaces as members [7762]

CLI

  • CLI does not always return from a shell prompt [2651]

  • Deleting the startup configuration database does not fully remove the active configuration [3723]

  • Specifying interface to traceroute requires root privileges [5376]

  • Input validation of unbound message cache slabs value does not work as expected [5472]

  • CLI and RESTCONF behavior are different for no bgp default ipv4-unicast [6303]

  • RIP information does not contain a legend for kernel routes [7230]

  • Interface vrf command is missing argument description when there are no VRFs defined [8941]

Counters

  • Contradictory output of detailed counters on bond interface in ‘broadcast’ mode [8351]

DHCP Server

  • CLI offers to delete mandatory variable in DHCP server subnet configuration [5240]

  • DHCP4 Kea config-file output shows VPP TAP interface names in its configuration instead of TNSR interface names [5264]

  • Unable to set up a custom DHCP option with certain data types in the record [5299]

DNS

  • show system output does not contain DNS resolver parameters [5397]

Dataplane

  • Link state is always up when using e1000 network drivers [2831]

  • Cannot create rx-queues for interfaces on KVM and VirtualBox [3674]

  • Static routes with an interface as the next hop using resolve-via-attached appear to break dataplane ARP [5259]

  • TNSR on AWS does not pass traffic when using the uio_pci_generic driver [7015]

  • IPv6 Neighbor Discovery starts to fail until Linux neighbor cache is cleared [9135]

General

  • Non-root users cannot access the FRR log file [4826]

  • Unable to specify TNSR interface as a source in ping and traceroute commands via REST [5605]

  • Startup entry is not created in configuration history log [7400]

  • Cannot commit a candidate configuration database if a tap interface is present [7458]

Host

  • Cannot remove an IP address assigned to a host interface during the installation process via TNSR CLI [3013]

  • Cannot configure the default gateway for host namespace via TNSR CLI [3702]

  • VRF interface for a custom route table persists in the operating system after restarting services [4866]

  • dns-resolver configured for host namespace remains in system after removing from TNSR [7830]

  • dns-resolver configuration values for host namespace remain in resolv.conf after restarting TNSR [7975]

  • package commands use apt, which prints console warnings [9127]

IPsec

  • IPsec daemon does not support using non-default VRF entries [7266]

  • Cannot disable IPsec dpd-interval option [8012]

  • Cannot configure IPsec with manual key type [8396]

  • Error when creating IPsec tunnel via RESTCONF with tunnel-enable set [8432]

  • IPsec tunnel without a child SA does not appear in IPsec state data [8433]

Installation

  • TNSR installer fails if interfaces are configured with IP addresses but have no Internet connectivity [7807]

Interfaces

  • VLAN subinterfaces do not work with virtio network drivers on KVM [2189]

  • Unable to set IPv6 link-local address on an interface [2394]

  • Unable to create subinterface with dot1q any tag [2652]

  • Invalid routes remain in table when next-hop IP address is no longer directly connected [3161]

  • Reassembly timeout is not working when full IP reassembly is configured [3269]

  • Shallow virtual reassembly cannot be disabled when it is implicitly enabled by other features [3361]

  • Second fragment of a packet is not virtually reassembled when max-reassemblies is set to 1 [3384]

  • Unable to delete a MAC address explicitly set for the TNSR side of a TAP interface [4433]

  • XG-1541 link speed auto-negotiation incorrect with direct connected interfaces [5323]

  • Errors indicate TNSR is attempting to assign a MAC address to IPsec ipipX interfaces [6285]

  • L3 packets can be sent from bridged interfaces [6975]

  • Unable to set up DPDK uio_pci_generic driver on XG-1541 [6981]

  • Unable to set up DPDK vfio-pci driver on XG-1537 [6985]

  • Unable to set up DPDK vfio-pci driver on various environments [6989]

  • TAP instance tcpdump method only captures received packets [7137]

  • Unable to delete a non-existent multicast-interface from VXLAN tunnel configuration [7278]

  • Pings between IPIP interfaces become intermittent when BGP is applied to them [7392]

  • Interface IP address is shown in IPv4 route table instead of associated subnet [7511]

  • Setting a new MTU value does not affect the MRU for IPv6 packets [8245]

  • Unable to delete link MTU from an interface when default MTU is set less than 1280 [8837]

Memif

  • Unable to connect to memif interface using default socket [4448]

NAT

  • Twice-NAT does not work [1023]

  • 1:1 NAT drops packets with ttl=2 from inbound interface [2849]

  • Full IP reassembly does not work with MAP [3386]

  • MAP-T adds bogus zeroes when translating short IPv4 to IPv6 [3460]

  • NAT pool route table option only available when specifying a range [3628]

  • Packets larger than 2034 bytes are dropped when performing IPv4 to IPv6 MAP translation [3742]

  • MAP-T domain usage causes IPv6 traffic class value to always be copied from IPv4 ToS value [3774]

  • TCP MSS value is not applied to IPv4 packets when IPv6 to IPv4 decapsulation is performed on MAP-E BR [3783]

  • MAP does not relay IPv6 ICMP error messages to IPv4 [3809]

  • NAT static mappings for ICMP do not work [4373]

  • NAT static mappings for TCP/UDP protocol on any port result in translation for port 0 instead [4384]

  • NAT static mappings assume external port 0 when port is omitted [4432]

  • Packets not destined to a NAT pool are dropped when NAT simple mode is configured with out2in-dpo option [4927]

  • Full IPv4 reassembly doesn’t work with NAT endpoint-independent mode [5476]

  • Cannot increase NAT Sessions per thread past ~1e6 [6550]

  • Dataplane SIGSEGV crash and backtrace when exceeding NAT session limit [6551]

  • Expired NAT sessions become active again when increasing the timeout value [7090]

  • NAT sessions do not expire in endpoint-independent mode [7098]

  • Cannot commit a clean candidate configuration database if NAT static mapping is configured [7286]

  • Unable to establish NAT hairpin connection [8014]

  • NAT in endpoint-dependent mode drops packets when it cannot identify the correct worker thread [8262]

  • Routing through NAT in EI mode doesn’t work if NAT outside interface is IPSec tunnel [8333]

NTP

  • NTP does not properly handle IPv6 restrictions [4626]

  • Delay in CLI display of NTP configuration when NTP has noquery set [6818]

  • Interfaces in the TNSR NTP configuration are not validated when generating the NTP daemon configuration [7153]

Neighbor / ARP / NDP

  • Packet loss during ARP transactions [2868]

  • The MAC address of a static IPv6 neighbor cannot be changed [4454]

RESTCONF

  • Adding a user via RESTCONF requires a password even when providing an ssh key [2875]

  • RESTCONF “pretty-printed” JSON contains incorrect indentation [3521]

  • OSPF interfaces are not validated when configured via RESTCONF [3528]

  • Cannot change GRE tunnel type to or from ERSPAN via RESTCONF [4353]

  • Response of /restconf/data/ and /restconf/data/netgate-interface:interfaces-state/ does not include any of *-table [5399]

  • RESTCONF allows configuring dataplane options for non-existent devices [5748]

  • RESTCONF route-state response does not contain actual state data [7115]

  • RESTCONF dataplane service does not work on interfaces in a non-default VRF [7265]

  • History version count does not match the count of REST configuration requests if they are sent without a delay [7440]

Routing

  • Changing default metric for OSPF server does not result in update on other routers [2586]

  • OSPF RIB is not updated when the ABR type is changed between standard and shortcut [2699]

  • BGP updates for new prefixes ignore the advertisement-interval value and are sent every 60 seconds [2757]

  • RIP “timeout” timer does not work [2796]

  • ttl-security hops value can be set when ebgp-multihop is already configured [2832]

  • BGP session soft reset option does not work for IPv6 peers [2833]

  • extended-nexthop capability isn’t being negotiated between IPv6 BGP peers [2850]

  • Unable to verify received prefix-list entries via CLI when using ORF capability [2864]

  • BGP network backdoor feature isn’t working without service restart [2873]

  • BGP next-hop attribute isn’t being sent unmodified to the eBGP peer when route-server-client option is configured [2940]

  • Unable to verify dynamic BGP peer information from TNSR CLI [3044]

  • Unable to delete OSPF3 config for an interface [3481]

  • TNSR does not prevent creating static routes for directly connected networks [3813]

  • OSPF conditional default route injection does not work [3846]

  • Unable to verify received routes when high number of routes received via BGP [3918]

  • TNSR allows OSPF network type for a loopback interface, which is rejected by FRR [4800]

  • Unable to set a custom path for the FRR log file [4825]

  • Reverting to the startup configuration doesn’t restore packet forwarding for BGP over IPsec prefixes [5321]

  • RIP route-map-filter option does not filter routes [5910]

  • Unable to disable IPv4 AF without BGP service restart [6393]

  • BGP failover logs “Failed to delete neighbor” error from linux-cp [6400]

  • OSPF virtual-link authentication does not work [6601]

  • Unable to remove OSPF virtual-link configuration [6962]

  • OSPF can announce interfaces from other VRFs on initial configuration [7002]

  • Cannot add a static recursive route [7010]

  • VPP crashes on applying custom VRF to loopback interface used in OSPF [7056]

  • Creating route-map, prefix-list, or access-list entries takes longer than expected [7068]

  • Cannot disable logging of adjacency changes for OSPF6 if detail option is set [7097]

  • Routes that exactly overlap an interface link route are accepted by CLI but are problematic [7101]

  • OSPF neighbor adjacency is established in wrong VRF in VirtualBox [7144]

  • Interfaces in the TNSR RIP configuration are not validated when generating the FRR RIP daemon configuration [7155]

  • Interfaces in TNSR route-map entries are not validated when generating the FRR daemon configurations [7156]

  • Interfaces in the TNSR OSPF configuration are not validated when generating the FRR OSPF daemon configuration [7177]

  • Interfaces in the TNSR BGP configuration are not validated when generating the FRR BGP daemon configuration [7218]

  • Dynamic routing protocols lose static routes after link they resolve through goes down and then comes up [7357]

  • OSPF logging for some options does not work if logging level is set explicitly [7411]

  • BGP debug option updates in <peer> does not filter messages for selected peer [7476]

  • BGP session does not become active after interface goes down and recovers [7501]

  • OSPF6 continues to redistribute connected/kernel routes resolved via interface with linkdown status [7624]

  • BGP address family neighbor option maximum-prefix restart does not work correctly [7709]

  • Malfunction of BGP process after entering maximum-prefix restart without the basic maximum-prefix limit command [7748]

  • OSPF6 does not advertise loopback address to another area if the loopback is configured first [7757]

  • Cannot set BGP unsuppress-map option for IPv6 neighbor [7760]

  • Routes remain in table after interface with VRRP configured is marked down until dataplane is restarted [7790]

  • OSPF stops working after configuring mtu-ignore option on an interface [8085]

  • Routes do not match by route-map if match criteria is set to ip next-hop ... [8148]

  • Output of show conf differs for route-map [8375]

  • Route map source-protocol match condition matches routes from any source [8381]

  • redistribute table configuration in RIP/OSPF does not affect route redistribution [8390]

  • Cannot change distance for one BGP prefix [8690]

  • Forwarding address from OSPF6 LSA5 is not installed as the next hop for the route [8732]

  • BGP bestpath med missing-as-worst command does not function correctly [8805]

  • OSPFv3 repeatedly drops connection on AWS when redistribution is configured [8822]

  • Route Map with IPv6 Access List does not filter redistributed OSPF6 routes [8857]

  • Route-Map set src option does not function correctly [9045]

  • show route displays no routes for a VRF until it is placed on an interface [9073]

  • RPKI settings do not get applied until the BGP service is restarted [9122]

  • Column headers in BGP routes table are not aligned with data when RPKI status is available [9123]

  • FRR cannot connect to RPKI cache server if a route to it does not exist in default VRF [9146]

  • The redistribute kernel and import vrf BGP options do not work at the same time if the static route is redistributed with an output interface in a third-party VRF [9147]

  • ABF policy does not forward IPv6 packets when ipv6-next-hop is set to local [9149]

  • Applying a subsequent route map with import vrf cancels a previous applied route map [9156]

SNMP / IPFIX / Prometheus

  • Prometheus filters with non-alphanumeric characters can cause HTTP requests to fail [5467]

  • Prometheus filters containing spaces cannot be removed [5470]

  • SNMP does not work on interfaces in a non-default VRF [7261]

SPAN

  • Span config disappears/appears when repeatedly restarting dataplane [6526]

  • Incorrect error message when requesting SPAN info from a missing interface [7209]

  • SPAN mirroring cannot be disabled [7560]

  • SPAN does not work correctly for outbound packets on VLAN subinterface [7801]

Static Routes

  • Static route next-hop options stack when updated, but only one works [5326]

  • Static route description is not showing up in show commands or REST state data [5478]

  • Static route overwrites kernel route in the operating system routing table [7215]

  • Transit traffic goes to an interface with inactive link when there is another (active) path [8041]

Tunnel Protocols

  • Changes to an existing VXLAN tunnel configuration do not apply until the dataplane is restarted [1778]

  • TNSR IPv6 interface address does not appear in traceroute when next-hop is IPsec tunnel interface [5178]

  • VxLAN with multicast destination does not pass traffic [6491]

  • GRE interface configuration remains in running config after changing GRE tunnel ID [7050]

  • Configuring option route-table in a WireGuard peer does not affect next-hop lookup of the endpoint address [8070]

  • VPP processes packets received on disabled tunnel interfaces [8111]

  • WireGuard tunnel interfaces still function with a tunnel next-hops entry having an incorrect next-hop-address [8256]

  • IPv6 VXLAN does not work over WireGuard IPv6 tunnel [8360]

  • Tunnel next-hop entries do not function in non-default VRFs [8653]

  • Incorrect WireGuard tunnel next-hop after roaming [8764]

clixon

  • log_upgrade does not print cxobj paths correctly in tnsr-upgrade.log [4747]

  • clixon_backend exhausts memory while displaying high amount of routes [5226]

  • Configuration upgrade does not run when loading configuration via history [6968]

  • Unable to set up a password that starts and finishes with a double quotation mark [7571]

  • Unable to set up a password that contains a backslash symbol [7572]