From 34ba2f6acef16332bef69fd33b39f11556e83dde Mon Sep 17 00:00:00 2001 From: mbaj Date: Thu, 4 Jun 2026 10:08:43 -0400 Subject: [PATCH 01/10] Replace divergent text for the same issue with same text --- docs/release_notes_128t_4.0.md | 2 +- docs/release_notes_128t_4.1.md | 95 +++--------- docs/release_notes_128t_4.2.md | 139 +++++++++-------- docs/release_notes_128t_4.3.md | 190 ++++++++++------------- docs/release_notes_128t_4.4.md | 88 ++++------- docs/release_notes_128t_4.5.md | 89 ++++++----- docs/release_notes_128t_5.0.md | 7 +- docs/release_notes_128t_5.1.md | 49 ++++-- docs/release_notes_128t_5.2.md | 33 ++-- docs/release_notes_128t_5.3.md | 4 +- docs/release_notes_128t_5.4.md | 64 ++++---- docs/release_notes_128t_5.5.md | 79 +++++----- docs/release_notes_128t_5.6.md | 162 +++++++++++-------- docs/release_notes_128t_6.0.md | 82 ++++++---- docs/release_notes_128t_6.1.md | 156 ++++++++++--------- docs/release_notes_128t_6.2.md | 102 ++++++------ docs/release_notes_128t_6.3.md | 69 ++++---- docs/release_notes_128t_7.0.md | 25 ++- docs/release_notes_128t_7.1.md | 30 ++-- docs/release_notes_128t_installer_2.7.md | 1 - docs/release_notes_128t_installer_3.0.md | 1 - 21 files changed, 736 insertions(+), 731 deletions(-) diff --git a/docs/release_notes_128t_4.0.md b/docs/release_notes_128t_4.0.md index 6cc196bdf38..5f640376289 100644 --- a/docs/release_notes_128t_4.0.md +++ b/docs/release_notes_128t_4.0.md @@ -37,7 +37,7 @@ sidebar_label: '4.0' - **I95-25356** Device and network Interface graphs are rendering as having no data when data is traversing links. -- **I95-25425** DHCP relay service defined as /32 causes traffic to be black-holed. +- **I95-25425** DHCP Relay with `/32` and FIB next-hop set to none requires additional service configuration - **I95-25454** Forwarding interfaces are not able to come up when deployed in AWS. diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index 670290ec90d..7b2d600bf2a 100644 
--- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md @@ -7,7 +7,7 @@ sidebar_label: 4.1 ### Issues Fixed -- **I95-30610** RTP is not properly classified for subsequent 128T routers +- **I95-30610** RTP is not properly classified for subsequent 128T routers. ------ - **I95-33279** Path MTU discovery unresolvable when no ICMP is generated ------ @@ -35,7 +35,7 @@ sidebar_label: 4.1 ------ - **I95-34310** Secure fields from the 128T configuration are in the commit audit events from config diff operations. ------ -- **I95-34744** highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router +- **I95-34744** highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router. ## Release 4.1.9 @@ -76,11 +76,7 @@ The 4.1.8 release is a superset of the 4.1.7 release. Features and corrections i _**Corrective Action:**_ This condition is rare and is exacerbated by DNS responses that change for the same request. Typically the order of the A records have changed for load balancing purposes. This can be mitigated by ensuring the DNS responses are consistent, or removing the FQDN from the service configuration. ------ -- **I95-33296** Removing a redundant device-interface and its corresponding redundancy-group as part of the same commit will cause the commit operation to fail. - - _**Symptom:**_ Unable to commit configuration changes - - _**Corrective Action:**_ Perform two commit operations. The first commit must be to remove the redundancy-group. +- **I95-33296** Removing a redundant interface and its corresponding redundancy-group within the same commit would terminate the commit ------ - **I95-32843** System can fault when routing loop is created with OSPF and BGP 
@@ -96,9 +92,9 @@ The 4.1.7 release is a superset of the 4.1.6 release. Features and corrections i ### Issues Fixed -- **I95-31170** NodeMonitor Application fault on shutdown. +- **I95-29801, I95-31170, I95-31116** NodeMonitor application fault when sysLimitsOverride parameters are set ------ -- **I95-32449,I95-25567,I95-31060,I95-31675** failed to reserve ports for WayPoint resulting in loss of traffic +- **I95-32449** WayPoint allocation failures resulting in session setup failures ## Release 4.1.6 @@ -131,11 +127,15 @@ The 4.1.6 release is a superset of the 4.1.5 release. Features and corrections i ------ - **I95-29821** Packet fragmentation for SVR paths is larger than configured MTU by the L4 packet header size ------ -- **I95-29990** When a KNI interface starts as operationally down, the state remains the default of unknown and never transition to down. +- **I95-29990** When a KNI interface starts as operationally down, either due to oper status or monitoring script or a watched interface down for T1, the state remains the default of unknown and never transition to down. ------ - **I95-30002** Service route generation skipped for generation set to true if another service with the same name is set to generation false ------ -- **I95-30078, I95-30268** Traffic does not switch to standby interface on management path communication failure +- **I95-30078** - HA node communication failure results in two systems both taking control of a shared (redundant) interface + + _**Symptom:**_ Traffic egressing a highly available device may get pinned to the wrong node in a highly available pair. + + _**Mitigation (pre-4.1.5):**_ Manually purge specific traffic flows that are pinned to the wrong node, to allow them to regenerate. ------ - **I95-30315** DHCP Server fails to start after system power failure and power recovery ------ 
@@ -155,7 +155,7 @@ The 4.1.6 release is a superset of the 4.1.5 release. Features and corrections i ------ - **I95-30742** Incorrect packet fragmentation when first packet is a jumbo packet ------ -- **I95-30781** Warning not provided when neighborhood does not have an end port range +- **I95-30781** Invalid configuration accepted when adjacency or neighborhood port-range does not have end-port configured ------ - **I95-30833** BGP over SVR neighbor not connecting due to missing route ------ @@ -167,7 +167,7 @@ The 4.1.6 release is a superset of the 4.1.5 release. Features and corrections i ------ - **I95-31208** continuous configuration updates do to network anomalies lead to increased memory usage ------ -- **I95-31232** Highway application may fault during network port scanning of the router +- **I95-31232** Peer router highwayManager faults when pinhole traffic originating from this peer is sent to a remote peer that is restarting. ------ - **I95-31244** When a pinhole session is restored upon failover, if the routing table is not up-to-date, the packet will incorrectly be routed to the same interface from which it came from. ------ @@ -264,7 +264,7 @@ Prior versions of the 128T software did not support two routers with the same WA ------ - **I95-30143** High state is applied to nodes when configuration has changed, causing unnecessary Conductor to router communication. This has been changed to only apply high state when necessary. (Note: when a node is disconnected and reconnects high state is always applied) ------ -- **I95-30011** SVR packets dropped briefly when standby node in an HA router pair is restarted. +- **I95-30011** System hostnames that cannot be resolved cause two HA nodes to achieve quorum after DNS lookup times out (approximately 40 seconds) ## Release 4.1.4 
@@ -347,7 +347,7 @@ Prior versions of the 128T software did not support two routers with the same WA ------ - **I95-27763** BGP neighbor local-as is ignored when set to neighbor remote-as ------ -- **I95-27830** System can fault when multiple "first" packets are processed simultaneously +- **I95-27830** 2 or more ICMP packets within milliseconds resulted in a software fault ------ - **I95-27878** Database process can consume large amount of CPU due to internal debugging data. This database has been removed ------ @@ -450,7 +450,7 @@ The 4.1.3 release requires the 128T-installer 2.3.0 or greater. By default, the - **I95-27792** Asset status not updated correctly ------ -- **I95-27339** DHCP stuck flows +- **I95-27339** Sessions for a DHCP relay service can linger, causing subsequent DHCP request failures ## Release 4.1.2 @@ -471,7 +471,7 @@ The 4.1.2 release requires the 128T-installer 2.3.0 or greater. By default, the ------ - **I95-25790** Peer path statistics on PCLI may be missing for routers with multiple paths ------ -- **I95-26021** WEB/GUI page scrolling stops working after router AP upgrade +- **I95-26021** Window scroll bar become inoperable requiring a complete browser page reload ------ - **I95-26154** System can fault when executing `save tech-support-info` ------ @@ -574,7 +574,7 @@ The 4.1.2 release requires the 128T-installer 2.3.0 or greater. By default, the ------ - **I95-27604** FIB Next Hops is `` when there are only service-routes with services with application-name ------ -- **I95-27614** The 128T would send ICMP unreachable responses for destination MACs that were not its own +- **I95-27614** When operating in promiscuous mode, the 128T can send ICMP unreachables for dest macs that are not its own ------ - **I95-27799** Per-router services fail validation when a service applies to more than one router-group ------ 
@@ -725,7 +725,7 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this ------ - **I95-25311** GUI FIB table is inconsistent with output of `show fib` on PCLI. ------ -- **I95-25329** PCLI in Conductor GUI creates nested navigation bars +- **I95-25329** Nested navigation bars are created when launching the PCLI from within the GUI ------ - **I95-25425** DHCP Relay with `/32` and FIB next-hop set to none requires additional service configuration ------ @@ -803,18 +803,7 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this ## Caveats -- **I95-30103** Entering flat configuration into PCLI does not always create the configuration - - _**Symptom:**_ - When performing configuration using flat (or cut and paste of the complete flat configuration line) the configuration is not applied - - _**Conditions:**_ - When a configuration object does not previously exist and setting an attribute of that configuration object. For example in the following configuration line: - ``` - configure authority tenant one name one - ``` - - If the "tenant one" configuration object does not exist, the tenant object will not be created. If it does exist then the command will set the attribute "name" to "one" - - _**Corrective Action:**_ - On initial creation, do not use flat configuration operations for creating the configuration. +- **I95-30103** Creating tenants using output of `show config running flat` does not work (Entering flat configuration into PCLI does not always create the configuration) ------ - **I95-29842** Nodes with Overlapping DHCP addresses will not be displayed when 'show peers' command is run 
@@ -824,13 +813,7 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ After upgrading the Conductors perform a commit operation from either the PCLI or the Conductor GUI ------ -- **I95-29733** Conductor UI may not provide an indication that a refresh is in progress (flashing blue dot) - - _**Symptom:**_ When selecting the Router to fresh the available versions to upgrade, the flashing blue indicator may not be present - - _**Conditions:**_ Shortly after both HA conductors have been upgraded and the refresh button is selected for a router - - _**Corrective Action:**_ N/A, no user corrective action can be performed. Waiting for a moment will result in the appearance of the solid blue dot if an upgrade is available (Note: Both conductors must be running a version greater than or equal to the target router version) +- **I95-29733** Conductor UI may not provide an indication that a software version check is in progress ------ - **I95-29592** Conductor UI and/or PCLI may not update the asset software version correctly 
@@ -851,37 +834,11 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ N/A, no user corrective action is required. ------ -- **I95-29134** `save tech-support-info` fails to create tech support file - - _**Symptom:**_ `save tech-support-info` fails with the following error message: - ``` - "Error: Failed to execute the 'save-tech-support-info' RPC: Fatal error creating tarball" - ``` - - _**Conditions:**_ When configuration exports have been saved with spaces it in the name of the exported configuration file - - _**Corrective Action:**_ Remove the saved configuration files with spaces in the name and avoid using spaces when exporting configuration. Note: Exporting configuration files with spaces in the name may be prevented in a future release. +- **I95-29134** `save tech-support-info` indicates the failure `%Error: Failed to execute the 'save tech-support-info' RPC: Fatal error creating tarball` when files being archived contain spaces; even though the operation completes successfully ------ - **I95-28766** Conductor PCLI shows configuration change when no changes have been performed - - _**Symptom:**_ Conductor PCLI may incorrectly provide an * that there is a candidate configuration change - - _**Conditions:**_ Unknown - - _**Corrective Action:**_ None, if the configuration has not changed this indicator can be ignored. A comparison can be performed with `compare config running candidate` ------ - **I95-27946** Commit may fail on Conductor when node in router pair is stopped - - _**Symptom:**_ When performing a commit to a router where one of the nodes is offline, the commit from the Conductor may not respond or may fail. Performing a validate operation a second time may provide the following error response: - - ``` - “✖ Validating... - % Error: Candidate configuration is invalid: - 1. A request of type validate is already in progress” - ``` - _**Conditions:**_ When a node in the router pair is offline. 
- - _**Corrective Action:**_ The validate operation is sent from the conductor to the nodes to verify that the configuration is correct. The validate will timeout to the node that is offline. Bring the node back online and perform the operation a second time. ------ - **I95-27944** Network error may cause upgrade to fail and not retry. @@ -902,13 +859,7 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ Perform the PCLI command on the router to update the information on the conductor. ------ - **I95-27722** Alarms for "Peer not reachable" may not clear and will persist after nodes are back and operational - - _**Symptom:**_ Alarms for "peer not reachable" provided in on the Conductor - - _**Conditions:**_ Unknown, seen after system upgrade - - _**Corrective Action:**_ NA, The alarms will clear within 15 minutes. ------- +------ - **I95-25947** The upgrade to 4.1 can take upwards of 40 minutes to complete. The increase in installation time is due to the underlying OS upgrade. ------ - **I95-25828** Rollback to the previous version of software is not supported due to the underlying operating system upgrade. diff --git a/docs/release_notes_128t_4.2.md b/docs/release_notes_128t_4.2.md index 6b46507bafe..de08ea7e7cf 100644 --- a/docs/release_notes_128t_4.2.md +++ b/docs/release_notes_128t_4.2.md 
@@ -19,17 +19,30 @@ Before upgrading, ensure that there is at least one user on each 128T system tha ------ - **I95-33594 Changing the `neighbor-as` of an existing bgp neighbor prevents it from connecting.** The BGP neighbor now connects correctly. ------ -- **I95-33989 Incorrect error message reported within PCLI when trying to execute `validate` after a previous _validate_ was terminated with `CTRL+c`.** Resolved conflicting validation operation messaging. +- **I95-33989** Terminating a "validate" command with CTRL-c returns to the PCLI prompt but does not stop the in-progress validation. This prevents subsequent validation attempts until the in-progress validation completes in the background. + + _**Symptom:**_ The following can be seen in the PCLI output: + ``` + ✖ Validating... + % Error: Candidate configuration is invalid: + 1. A request of type validate is already in progress. The first request was started 13 seconds ago. + ``` + Until the system is upgraded to 4.4.2, this issue will resolve itself after the background tasks have completed. ------ - **I95-34649 `best-effort` path handling for `proportional` load balancing is not honored by service-policy.** Path handling for `best effort` load balancing is handled correctly. ------ -- **I95-34650 In a multihop SVR scenario, the system may incorrectly attribute incoming packets as coming from a different peer path.** This has been resolved and no longer results in packet loss. +- **I95-34650** In a multihop SVR scenario, the system may incorrectly attribute incoming packets as coming from a different peer path. This results in packet loss until the load-balancer learns of the loss and migrates the session. + + _**Symptom:**_ `show peers` will show the physically disconnected peer as UP while in this state. 
------ - **I95-35111 `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server.** The error is no longer thrown when multiple NTP servers are configured and at least one is reachable. ------ -- **I95-35406 Shutdown race condition may cause improper DHCP server clean up, causing DHCP server to fail on next start of 128T.** The shutdown race condition no longer occurs. +- **I95-35406** Shutdown race condition may cause improper DHCP server clean up, causing DHCP server to fail on next start of 128T. ------ -- **I95-35567, I95-37833 Weak Password Policy.** New restrictions on password properties have been added to ensure strong passwords. +- **I95-37833 Apply password policy more consistently:** The password policy for SSR users has been updated, and now requires passwords to have a special character in addition to previous requirements. +:::important +Please refer to [Password Policies](config_password_policies.md) for updated password requirements. +::: ------ - **I95-35694 A `service-route` of type `host` results in an invalid service path during session establishment.** This issue has been resolved by adding a missing gateway-ip address to the process. ------ 
@@ -47,15 +60,17 @@ Before upgrading, ensure that there is at least one user on each 128T system tha ------ - **I95-36149 Committing a configuration change to a device-interface capture-filter when actively capturing traffic on that interface can cause the highway process to fault.** Updated to verify the order of operations and prevent the fault. ------ -- **I95-36341 A race condition can occur when receiving a BGP packet destined for the 128T during startup without a fully populated FIB, causing a system fault.** The race condition has been resolved. +- **I95-36341** Race condition can occur when receiving a BGP packet destined for the 128T during startup without a fully populated FIB, causing a system fault. ------ - **I95-36356 Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs.** Changes to the BGP `graceful-restart restart-time` no longer cause a process fault. ------ -- **I95-36394 Auto-generated conductor service names that include a '.' will fail to commit configuration.** This issue has been resolved. +- **I95-36394** Auto-generated conductor service names that include a '.' will fail to commit configuration + + _**Conditions:**_ Conductor version is on >= 4.5 and router version is < 4.5 ------ -- **I95-36525 TLS 1.0 is no longer supported.** +- **I95-36525** Due to known vulnerabilities, only TLS versions 1.2 and 1.3 are supported. We do not support TLS 1.0 and 1.1. ------ -- **I95-36632 Empty office365 metadata file results in HTTP 400 bad request error.** Office365 modules no longer generate bad requests. +- **I95-36632** Empty office365 metadata file results in HTTP 400 bad request error. ------ - **I95-37652 SSH Follows Weak Security Practices.** [Several fixes have been put in place to harden SSH access.](config_access_mgmt.md) Please see the warning regarding SSH Root Login at the top of this page. :::note 
@@ -64,19 +79,19 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-36672 Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart.** Traffic on the device interface is handled before deleting the filters. ------ -- **I95-36770 Salt minion log file was not being properly rotated.** The log file is now rotated correctly. +- **I95-36770** Salt minion log file was not being properly rotated. ------ -- **I95-36841 TCP RST can cause the highway process to fault on a SVR path performing UDP transform.** TCP resets generate properly into SVR when UDP transform is enabled. +- **I95-36841** TCP RST can cause the highway process to fault on a SVR path performing UDP transform. ------ -- **I95-36873 Alarms generated by a router in an authority are incorrectly sent as SNMP traps from all other routers in the authority.** Alarms from other routers are now correctly filtered. +- **I95-36873** Alarms generated by a router in an authority are incorrectly sent as SNMP traps from all other routers in the authority. ------ -- **I95-36927 A race condition exists that can cause a fault in the highway process during session setup while applying a configuration change that removes BGP over SVR service-route(s).** This race condition has been resolved. +- **I95-36927** A race condition exists that can cause a fault in the highway process during session setup and configuration changes, that will remove the BGP service route path. ------ -- **I95-37457 `show rib` and `show bgp` do not support more than one pagination session.** The routing service agent show commands no longer cache the text output when there are more lines than requested. +- **I95-37457 `show rib` and `show bgp` do not support more than one pagination session.** Pagination issues have been resolved for `show rib` and `show bgp`. 
------ -- **I95-37577 LDAP authentication fails for users that contain a '-' in their name.** Naming issues causing LDAP authentication failures have been resolved. +- **I95-37577 LDAP authentication fails for users that contain a '-' in their name.** Naming issues have been resolved with LDAP authentication. ------ -- **I95-37588 Value for `configure > authority > router > system > software-update > repository > address` uses the first lexicographically sorted router for all other routers in authority instead of using a unique value per router.** Resolved the issue where a managed router had the incorrect IP address. +- **I95-37588** Value for `configure > authority > router > system > software-update > repository > address` uses the first lexicographically sorted router for all other routers in authority instead of using a unique value per router. ------ - **I95-37642 A user cannot change their password from the 128T GUI.** A user can now change their 128T password from the web application GUI. ------ 
@@ -88,13 +103,13 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-37647 Server-Sent-Events pass values in the clear for some internal request URIs.** Vulnerabilities identified with server sent events have been resolved. ------ -- **I95-37650 The 128T web UI incorrectly supports being embedded as an iFrame within another page.** The 128T Web UI does not support iFrame embedding. +- **I95-37650 The 128T web UI incorrectly supports being embedded as an iFrame within another page.** The 128T UI does not support embedded iFrames. ------ - **I95-37651 Unrestricted File Upload.** [Restrictions are in place](config_access_mgmt.md#file-upload-limitations) that make it impossible to import or upload files that do not match tar.gz format. ------ - **I95-37800 Apply MSS Clamping on SYN/SYN+ACK packets.** MSS enforcement has been enabled on SYN-ACK packets. ------ -- **I95-37843 Require username and password when updating environmental configuration.** The initializer has been updated to require both a username and password when installing 128T and configuring it as the second peer in an HA configuration. +- **I95-37843 Require username and password when updating environmental configuration.** The initializer has been updated to require both a username and password when installing 128T and configuring it as the second peer in an HA configuration. ## Release 4.2.8 @@ -102,7 +117,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a - **I95-24681** Grammatical improvements to HA initialization, providing more clarity around the use of specific IP addresses. ------ -- **I95-30610** RTP is not properly classified for subsequent 128T routers +- **I95-30610** RTP is not properly classified for subsequent 128T routers. ------ - **I95-33842** Race condition on 128T startup, causing DHCP server to fail to start _**Conditions:**_ DHCP server is not running. The following log message can be seen: 
@@ -120,19 +135,19 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.2.8, this issue can be mitigated by attempting the commit again. ------ -- **I95-34716** Fixed a rare race condition crash on startup of the Automated Provisioner +- **I95-34716** Fixed a rare race condition crash on startup of the Automated Provisioner. ------ -- **I95-34744** highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router +- **I95-34744** highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router. ------ - **I95-34790** Dual node HA routers with large numbers of peer paths (>500) may see some flows get blackholed after a node failover occurs. ------ -- **I95-34842** The configuration attribute `authority > router > node > device-interface > vrrp` has been removed from configuration in the GUI as the capability does not exist +- **I95-34842** The configuration attribute `authority > router > node > device-interface > vrrp` has been removed from configuration in the GUI as the capability does not exist. ------ - **I95-34961** Using a QuickStart file to provision a router fails if the ZScaler plugin is installed on the Conductor. ------ -- **I95-34968** Self-signed certificates created during initial installation of 128T are invalid +- **I95-34968** Self-signed certificates created during initial installation of 128T are invalid. ------ -- **I95-35062** Non-permanent LTE failures are incorrectly displayed as a failure context in `show device-interface` +- **I95-35062** Non-permanent LTE failures are incorrectly displayed as a failure context in `show device-interface`. ------ - **I95-35082** When a 128T is deployed behind a NAT firewall and has path MTU (PMTU) discovery enabled, SVR sessions established for outbound-only connections are set up with the configured interface MTU, not the discovered PMTU. ------ 
@@ -142,9 +157,9 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.2.8, this issue can be mitigated by disabling rather than deleting the user. ------ -- **I95-35115** Aggregate bandwidth charts may not display data accurately +- **I95-35115** Aggregate bandwidth charts may not display data accurately. ------ -- **I95-35155** `show device-interface` output did not include duplex mode +- **I95-35155** `show device-interface` output did not include duplex mode. ------ - **I95-35188** Adding a tenant or changing the order of tenants in the configuration can lead to traffic being dropped upon session recovery @@ -156,14 +171,12 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.3.5, the learned MTU value can be directly set within Linux ------ -- **I95-35323** BGP over SVR does not work if both sides of the routers have VLAN tagged interfaces - - Until the system is upgraded to 4.3.5, configure the outgoing SVR interfaces without vlans. At least one side of the BGP over SVR routers should not utilize VLAN tagging. +- **I95-35323** BGP over SVR does not work when both sides are using VLAN tags. ------ - **I95-35401** SVR traffic would be dropped as a result of tenant members source type being incorrectly classified. _**Conditions:**_ When the interface has an adjacency and Tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as `PUBLIC` for that entry when it should show as `HYBRID` ------ -- **I95-35602** The command `show network-interface` may result in a `Unhandled TypeError` in the PCLI when a PPPoE interface is down +- **I95-35602** The command `show network-interface` may result in a `Unhandled TypeError` in the PCLI when a PPPoE interface is down. ## Release 4.2.7 
@@ -186,13 +199,14 @@ The 4.2.6 release is a superset of the 4.2.5 release. Features and corrections i ### Resolved Issues - **I95-34068** SVR sessions fail to establish due to waypoint allocation failures after HA node failover. + _**Symptom:**_ The following warning log is generated: ``` - Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to allocate ports for WayPoint; intf=5.0; local=172.27.233.47; remote=10.61.55.109 + Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to allocate ports for WayPoint; intf=5.0; local=192.0.2.100; remote=198.51.100.128 ``` - Until the system is upgraded to 4.2.6, this issue can be mitigated by removing the corresponding adjacency configuration and adding it back. + Until the system is upgraded to 4.1.10, this issue can be mitigated by removing the corresponding adjacency configuration and adding it back. ------ - **I95-34164** Load balancer occasionally returns standby paths during packet duplication flow setup ------ @@ -206,7 +220,7 @@ The 4.2.6 release is a superset of the 4.2.5 release. Features and corrections i ------ - **I95-34645** Swagger API for "clone" and "move" operations are incorrect. They are `/config/{configStore}/authority/district/{district}/clone` when they should be `/config/{configStore}/authority/district/clone` ------ -- **I95-34577** Interface never becomes active when `shared-physical-address` is configured to be the same as the physical MAC +- **I95-34577** Interface never becomes active when `shared-phys-address` is configured to be the same as the physical MAC ## Release 4.2.5 
@@ -222,33 +236,24 @@ The 4.2.5 release is a superset of the 4.2.4 release. Features and corrections i - **I95-27764** `write log snapshot` does not work for process highway ------ - **I95-28190** Addressed issue causing PPPoE passwords to be incorrectly changed to `(removed)`. + _**Symptom:**_ `device-interface > pppoe > password` gets converted to `(removed)` upon changing `device-interface > name`. _**Conditions:**_ Changing the object's key, in this case `device-interface > name` causes secure fields to be incorrectly converted to `(removed)`. - Until the system is upgraded to 4.2.5, this issue can be mitigated by deleting the existing `device-interface` object and recreate it. + Until the system is upgraded to 4.3.2, this issue can be mitigated by deleting the existing `device-interface` object and recreate it. ------ -- **I95-30011** HA router nodes may take upwards of 40 seconds to achieve quorum. - - _**Symptom:**_ SVR traffic may be dropped while a redundant node is restarting. - - _**Conditions:**_ The hostname of the platform cannot be resolved - - Until the system is upgraded to 4.2.5, this issue can be mitigated by setting the hostname of the node to a value that can be resolved or add an address for the system in `/etc/hosts` +- **I95-30011** System hostnames that cannot be resolved cause two HA nodes to achieve quorum after DNS lookup times out (approximately 40 seconds) ------ - **I95-31597** Configuring a static ARP entry within a `neighbor` configuration is not honored _**Symptom:**_ Dynamic ARP entries take precedence over statically configured ARP entries ------ -- **I95-32244** Cannot upgrade after software download completes - - _**Conditions:**_ Managed router being upgraded via Conductor can intermittently fail due to transient network conditions, 4.2.5 will now perform multiple attempts to verify the download completed. - - Until the system is upgraded to 4.2.5, this issue can be mitigated by performing the Download operation again. 
+- **I95-32244** Download of software upgrade may fail and not provide feedback ------ - **I95-32509** Generated configuration objects are shown by default in GUI and PCLI ------ -- **I95-32660** `saltMaster.log` files rotate once daily with a maximum of 25 rotated files, consuming a large amount of disk space. This has been changed to rotate hourly, with a maximum of 25 rotated files. +- **I95-32660** Log files were only rotated daily which may result in larger than expected log file size for the following: saltmaster, radvd, influxdb_http, t128tuntap. ------ - **I95-33024** Specifying a `metric` value within `advertise-default` of OSPF causes advertisements to be withdrawn @@ -320,11 +325,7 @@ The 4.2.5 release is a superset of the 4.2.4 release. Features and corrections i ------ - **I95-33857, I95-33643** Short OTP QuickStart DHCP server lease time results in an initial OTP QuickStart failure. ------ -- **I95-34058** Session setup fails for outbound only when first packet exceeds MTU - - _**Symptoms:**_ Session setup fails - - _**Conditions:**_ Paths configured as `outbound-only`, and the first packet of the flow exceeds MTU (typically UDP). +- **I95-34058** Session setup fails for paths configured as `outbound-only` when first packet of a flow exceeds MTU (typically UDP) ------ - **I95-34090** A network-interface configured with multiple neighborhoods, where one of the neighborhoods defines a port range, will result in traffic being dropped on the defined range 
@@ -392,7 +393,11 @@ The 4.2.4 release is a superset of the 4.2.3 release. Features and corrections i ------ - **I95-32754** DHCP Server can flood the journal with monitoring messages ------ -- **I95-32843** System can fault when routing loop is created with OSPF +- **I95-32843** System can fault when routing loop is created with OSPF and BGP + + _**Symptom:**_ highwayManager process faults after configuration is loaded. + + _**Corrective Action:**_ Restore existing configuration to remove routing loop created by OSPF. ------ - **I95-32902** LTE APN name not displayed correctly ------ @@ -434,7 +439,13 @@ The 4.2.4 release is a superset of the 4.2.3 release. Features and corrections i ------ - **I95-33529** Promiscuous mode on ethernet interfaces is not dynamically reconfigurable ------ -- **I95-33536** 128T fault on shutdown with very large number of peer paths +- **I95-33536** Fixed highway terminate condition on shutdown with large number of peer paths + + _**Symptom:**_ highwayManager process aborts on shutdown or restart + + _**Conditions:**_ 128T router with greater than 2500 active peer paths restarted with `systemctl restart 128T` + + _**Corrective Action:**_ None required, system will automatically recover. ------ - **I95-33586** Using hostnames rather than IP addresses for nat-target or target-address in a service-route would cause config validation to fail and report an Invalid IP when inspector is enabled. 
@@ -448,9 +459,9 @@ The 4.2.3 release is a superset of the 4.2.2 release. Features and corrections i ### Resolved Issues -- **I95-33264** Secondary HA node reboot may result in traffic no longer flowing through the fabric +- **I95-33264** Race condition exists for HA shared LAN interfaces wherein if the primary node is restarted, the primary interface may not take over after the restart, causing traffic to be blackholed ------ -- **I95-33278** Asset/hostname missing from syslog messages +- **I95-33278** End of log messages were being truncated when sent to syslog ## Release 4.2.2 @@ -581,7 +592,7 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f ------ - **I95-27805** Generated configuration is now hidden by default. A toggle exists in Config Explorer to display generated configuration ------ -- **I95-27886** Session Duplication support for inter-node links +- **I95-27886 Packet Duplication for Inter-Node High Availability:** Packet duplication over multiple inter-node links helps reduce packet loss during transmission. For protocols such as UDP that do not verify packet integrity, this helps ensure full transmission of traffic. See [service-policy](config_reference_guide.md#service-policy) for usage information. ------ - **I95-28187** Packet Duplication for non-SVR packets ------ @@ -597,7 +608,7 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f ------ - **I95-28482** `device-interface/target-interface` does not have input validation, allowing for incorrect configuration ------ -- **I95-28744** GraphQL API added for service ping +- **I95-28744** GraphQL API for Service Ping ------ - **I95-28881, I95-31050** SIP ALG support via plugin ------ 
@@ -609,7 +620,7 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f ------ - **I95-29149** NIC Flow Control enable/disable support ------ -- **I95-29273** Node page within GUI offers link to launch PCLI session directly to device +- **I95-29273** Quick-Connect: Button to remote login to 128T router from Conductor ------ - **I95-29568** BGP withdrawal of routes if path does not meet SLA ------ @@ -617,7 +628,7 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f ------ - **I95-29933** Improved system performance for peer path state processing ------ -- **I95-30884** New Data process CPU Core count mode attribute +- **I95-30884** DHCP server sends responses out multiple interfaces, with incorrect MAC ------ - **I95-31331** `lte-info` now support JSON output ------ @@ -627,7 +638,7 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f - **I95-19549** Configuration Generation will fail to generate a peer configuration if the peer name is not the same as the router name ------ -- **I95-19779** Peer Path stats use Device Interface ID, in 4.2.0 the name will now be used. +- **I95-19779** Peer Paths are now referenced by object names instead of the internal IDs. The format for a peer path is: peer-name | destination (can be an adjacency IP or a host-name | node-name | device-port | VLAN-id ------ - **I95-20458** No feedback is provided to the user from the GUI in the event of an upgrade failure on the Conductor ------ 
@@ -689,7 +700,7 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f ------ - **I95-26634** BGP routes are not updated when VLANed interface is operationally down ------ -- **I95-26793** service-routes associated with services outside of router-based-services are incorrectly being applied +- **I95-26793** Validation does not exist to prevent provisioning a service-route for a service belonging to another router-group ------ - **I95-26996** When synchronizing a new node into a HA pair (RMA), if the new node is on a version older than the existing node, there will not be an option to upgrade the newly added node through the GUI ------ @@ -773,7 +784,11 @@ The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is f ------ - **I95-30011** System hostnames that cannot be resolved cause two HA nodes to achieve quorum after DNS lookup times out (approximately 40 seconds) ------ -- **I95-30078, I95-30268** Traffic does not switch to standby interface on management path communication failure +- **I95-30078** - HA node communication failure results in two systems both taking control of a shared (redundant) interface + + _**Symptom:**_ Traffic egressing a highly available device may get pinned to the wrong node in a highly available pair. + + _**Mitigation (pre-4.1.5):**_ Manually purge specific traffic flows that are pinned to the wrong node, to allow them to regenerate. ------ - **I95-30103** Creating tenants using output of `show config running flat` does not work (Entering flat configuration into PCLI does not always create the configuration) ------ diff --git a/docs/release_notes_128t_4.3.md b/docs/release_notes_128t_4.3.md index 308da16f79b..6c8381ecdbc 100644 --- a/docs/release_notes_128t_4.3.md +++ b/docs/release_notes_128t_4.3.md 
@@ -7,7 +7,6 @@ sidebar_label: 4.3 ### Resolved Issues - **I95-39167 IP violations caused by un-natted packets:** Resolved an issue where ICMP unreachables on an LTE interface are generating IP violations causing an unexpected disconnect. ------ - ## Release 4.3.11 :::warning SSH Root Login is not permitted. @@ -16,11 +15,14 @@ Before upgrading, ensure that there is at least one user on each 128T system tha ::: ### Resolved Issues -- **I95-35164 Concurrent upgrade and download activity causes invalid upgrade.** The download of a new software image during an upgrade has been blocked. +- **I95-35164** Downloading a new software image during an upgrade will incorrectly complete the upgrade if the download was successful before the upgrade has fully completed. ------ -- **I95-35354 Unlikely race condition during asynchronous upgrade and download causes premature termination of upgrade.** The possibility of asynchronous download and upgrade/install has been removed and the race condition resolved. +- **I95-35354** There exists an unlikely race condition wherein the successful return code of a download operation (that happens asynchronously) causes an upgrade in progress to terminate prematurely. ------ -- **I95-35567, I95-37833 Weak Password Policy.** New restrictions on password properties have been added to ensure strong passwords. +- **I95-37833 Apply password policy more consistently:** The password policy for SSR users has been updated, and now requires passwords to have a special character in addition to previous requirements. +:::important +Please refer to [Password Policies](config_password_policies.md) for updated password requirements. +::: ------ - **I95-37211 Webserver Quickstart Integration.** Several improvements have been made to the Quickstart process during the OTP ISO installation, including a significantly shorter run time. ------ 
@@ -77,8 +79,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a - **I95-38008 Automated Provisioner race condition.** Resolved an issue causing a race condition when multiple events arrived at the same time. ------ - **I95-38078 CVE updates.** Addressed latest CVEs. ------- - +------ ## Release 4.3.10 ### Resolved Issues 
@@ -87,13 +88,13 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a _**Symptom:**_ `show peers` will show the physically disconnected peer as UP while in this state. ------ -- **I95-35927** When deleting a VLAN network interface and simultaneously assigning its VLAN ID to the only other remaining network interface on the same device interface, future operational state changes on that interface may be ignored. +- **I95-35927 When deleting a VLAN network interface and simultaneously assigning its VLAN ID to the only other remaining network interface on the same device interface, future operational state changes on that interface may be ignored.** This issue has been resolved. ------ - **I95-36341** Race condition can occur when receiving a BGP packet destined for the 128T during startup without a fully populated FIB, causing a system fault. ------ -- **I95-36564** Higher pinned core count may result in large packet latency on session setup, when a burst of new sessions are being setup. +- **I95-36564** Buffer queue depth allocation algorithm was inefficient causing latency in session setup. ------ -- **I95-36672** Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart. +- **I95-36672 Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart.** Traffic on the device interface is handled before deleting the filters. ------ - **I95-36727** A non-forwarding, external (i.e. management) interface configured in 128T does not obtain a DHCP IP upon disconnecting and reconnecting the cable. ------ 
@@ -103,7 +104,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-36841** TCP RST can cause the highway process to fault on a SVR path performing UDP transform. ------ -- **I95-36850** An asset's available and downloaded versions are incorrectly cleared when an upgrade or rollback is initiated. +- **I95-36850, I95-36851** An asset's available and downloaded versions were incorrectly cleared when an upgrade or rollback is initiated. ------ - **I95-36873** Alarms generated by a router in an authority are incorrectly sent as SNMP traps from all other routers in the authority. ------ 
@@ -127,56 +128,48 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-37442** The summary is missing from PCLI `ping` and `service-ping`. ------ -- **I95-37457** `show rib` and `show bgp` do not support more than one pagination session. +- **I95-37457 `show rib` and `show bgp` do not support more than one pagination session.** Pagination issues have been resolved for `show rib` and `show bgp`. ------ - **I95-37513** Network interface cards that do not respond to physical stats may result in system lockup. ------ -- **I95-37577** LDAP authentication fails for users that contain a '-' in their name. +- **I95-37577 LDAP authentication fails for users that contain a '-' in their name.** Naming issues have been resolved with LDAP authentication. ------ - **I95-37588** Value for `configure > authority > router > system > software-update > repository > address` uses the first lexicographically sorted router for all other routers in authority instead of using a unique value per router. ------ -- **I95-37650** The 128T web UI incorrectly supports being embedded as an iFrame within another page. +- **I95-37650 The 128T web UI incorrectly supports being embedded as an iFrame within another page.** The 128T UI does not support embedded iFrames. ------ - **I95-37660** Outdated python-pip package exposes vulnerability to sniffing, cross-origin redirect, or injection attacks. ------ -- **I95-37680** nodeMonitor process may fault on shutdown of 128T. +- **I95-37680 nodeMonitor process may fault on shutdown of 128T.** `nodeMonitor` no longer faults on 128T shutdown. 
## Release 4.3.9 ### Resolved Issues -- **I95-18807** Innocuous error produced in journal due to imudp module loaded by rsyslog daemon - _**Symptoms:**_ The following message can be seen in the journal - ``` - rsyslogd[1337]: imudp: module loaded, but no listeners defined - no input will be gathered [v8.24.0 try http://www.rsyslog.com/e/2212 ] - ``` +- **I95-18807 An error displays in the journal due to imudp module loaded by rsyslog daemon.** The error condition has been resolved and the error no longer displays. ------ -- **I95-32298** KNI interfaces created by the IPsec plugin do not transition to "operationally down" when being set to "administrative down" +- **I95-32298 KNI interfaces created by the IPsec plugin do not transition to "operationally down" when being set to "administrative down".** The KNI interfaces now transition smoothly. ------ -- **I95-33471** Adaptive encryption counters are incorrectly incremented when encryption is disabled and adaptive-encryption is enabled +- **I95-33471** Adaptive encryption counters are incorrectly incremented when encryption is disabled and adaptive-encryption is enabled. ------ -- **I95-33594** Changing the `neighbor-as` of an existing BGP neighbor prevents it from connecting - - Until the system is upgraded to 4.3.9, this issue can be mitigated by restarting the 128T or by removing and recreating the BGP configuration +- **I95-33594 Changing the `neighbor-as` of an existing bgp neighbor prevents it from connecting.** The BGP neighbor now connects correctly. ------ -- **I95-33989** Incorrect error message reported within PCLI when trying to execute `validate` after a previous _validate_ was terminated with `CTRL+c` +- **I95-33989** Terminating a "validate" command with CTRL-c returns to the PCLI prompt but does not stop the in-progress validation. This prevents subsequent validation attempts until the in-progress validation completes in the background. 
_**Symptom:**_ The following can be seen in the PCLI output: ``` ✖ Validating... % Error: Candidate configuration is invalid: - 1. A request of type validate is already in progress. The first request was started 13 seconds ago + 1. A request of type validate is already in progress. The first request was started 13 seconds ago. ``` - Until the system is upgraded to 4.3.9, this issue will resolve itself after the background tasks have completed + Until the system is upgraded to 4.4.2, this issue will resolve itself after the background tasks have completed. ------ -- **I95-35111** `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server - - _**Conditions:**_ When multiple NTP servers are configured, at least one is reachable and at least one is not reachable +- **I95-35111 `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server.** The error is no longer thrown when multiple NTP servers are configured and at least one is reachable. ------ -- **I95-35331** A custom chart that contains multiple line charts selects the incorrect graph when clicking on the corresponding legend +- **I95-35331** A custom chart that contains multiple line charts selects the incorrect graph when clicking on the corresponding legend. ------ -- **I95-35544** LTE SIM number (ICCID) is absent from the output of `show device interface` on LTE interfaces +- **I95-35544** LTE SIM number (ICCID) is absent from the output of `show device-interface` on LTE interfaces. ------ - **I95-35873,I95-35679** Asset stuck in a connected state as a result of a corrupted Linux rpmdb. The issue requires the system be updated to the 128T-installer version 2.6.1 (see [IN-267](release_notes_128t_installer_2.6.md#release-261). If the conductor is used to upgrade systems, the latest installer will be updated from the repository being used. 
If the systems do not have access to the 128T public repositories, the repository being used should be updated with the 128T-installer 2.6.1 version. With the correction of this issue, the PCLI command `send command yum-cache-refresh` has been updated to perform the rpmdb repair if the rpmdb is corrupted. 
@@ -186,46 +179,44 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a rpm --rebuilddb ``` ------ -- **I95-35793** Large responses from a DNS server may be rejected by 128T. When this happens, provisioned FQDNs remain unresolved. - +- **I95-35793** Large responses from a DNS server may be rejected by 128. When this happens, FQDNs in the configuration remain unresolved. _**Conditions:**_ The following log message can be seen: ``` Jun 16 06:09:25.272 [DNS |DNSR] WARN (dnsManagerTP ) Failed to parse Ipv4Host (1) response for edge-global.plcm.vc: Message too long ``` ------ -- **I95-35799** When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions +- **I95-35799 When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions.** This issue has been resolved. ------ -- **I95-35933** `show device-interface` displays incorrect values for speed and duplex for PPPoE interfaces +- **I95-35933 `show device-interface` displays incorrect values for speed and duplex for PPPoE interfaces.** The correct speeds are now displayed for `show device-interface`. ------ -- **I95-35935** Configuring the same value for `router > conductor-address` on different routers will generate invalid configuration +- **I95-35935 Configuring the same value for `router > conductor-address` on different routers will generate invalid configuration.** The router-based conductor map has been separated from the global conductor map. ------ -- **I95-36012** `show device-interface` displays incorrect values for speed and duplex for LTE interfaces +- **I95-36012** `show device-interface` displays incorrect values for speed and duplex for LTE interfaces. 
------ -- **I95-36109** Sessions may not reestablish properly on a fail-over between different routers to the same destination router (e.g., Session originates on R1 to R2. Later, the same session fails over to traverse R3 to R2) +- **I95-36109** Sessions may not reestablish properly on a fail-over between different routers to the same destination router (e.g., Session originates on R1 to R2. Later, the same session fails over to traverse R3 to R2). ------ -- **I95-36149** Committing a configuration change to a device-interface capture-filter when actively capturing traffic on that interface can cause the highway process to fault +- **I95-36149 Committing a configuration change to a device-interface capture-filter when actively capturing traffic on that interface can cause the highway process to fault.** Updated to verify the order of operations and prevent the fault. ------ -- **I95-36246** IMSI and MSISDN are absent from the output from `show platform` on systems with LTE interfaces +- **I95-36246** IMSI and MSISDN are absent from the output from `show platform` on systems with LTE interfaces. ------ -- **I95-36283** The 128T router asset state is stuck on its current state - +- **I95-36283** The 128T router asset state is stuck on its current state. _**Conditions:**_ The following log message can be seen: ``` TypeError: heap argument must be a list ``` - Until the system is upgraded to 4.3.9, this issue can be mitigated by restarting the salt-minion service by executing `systemctl restart salt-minion` on the Linux shell. If not manually restarted, the salt-minion watchdog will also restart the salt-minion after one hour. + Until the system is upgraded to 4.5.0, this issue can be mitigated by restarting the salt-minion service by executing `systemctl restart salt-minion` on the Linux shell. If not manually restarted, the salt-minion watchdog will also restart the salt-minion after one hour. 
------ -- **I95-36356** Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs +- **I95-36356 Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs.** Changes to the BGP `graceful-restart restart-time` no longer cause a process fault. ------ - **I95-36394** Auto-generated conductor service names that include a '.' will fail to commit configuration _**Conditions:**_ Conductor version is on >= 4.5 and router version is < 4.5 ------ -- **I95-36574** After a HA interface fail over, a session collision can occur between the recovered flow and an existing reverse flow. The recovered flow does not get setup properly and can cause the highway process to fault upon session expiry. +- **I95-36574** After an HA interface fail over, a session collision can occur between the recovered flow and an existing reverse flow. The recovered flow does not get set up properly and can cause the highway process to fault upon session expiry. - _**Conditions:**_ Symmetrical services must be configured that match both forward and reverse flows + _**Conditions:**_ Symmetrical services must be configured that match both forward and reverse flows. ------ -- **I95-36632** Empty office365 metadata file results in HTTP 400 bad request error +- **I95-36632** Empty office365 metadata file results in HTTP 400 bad request error. ------ - **I95-36638** Polling SNMP OID 1.3.6.1.2.1.1.2 returns `NET-SNMP-TC::linux` instead of `T128-MIB::t128NetworkingPlatform (1.3.6.1.4.1.45956.1)` 
@@ -237,30 +228,28 @@ The minimum 128T-installer version of 2.6.0 is required for the 4.3.8 update. (r ### Resolved Issues -- **I95-34649** `best-effort` path handling for `proportional` load balancing is not honored by service-policy +- **I95-34649 `best-effort` path handling for `proportional` load balancing is not honored by service-policy.** Path handling for `best effort` load balancing is handled correctly. ------ -- **I95-35313** Startup delay of 128T when many peer paths exist +- **I95-35313** Startup delay of 128T when many peer paths exist. ------ -- **I95-35406** Shutdown race condition may cause improper DHCP server clean up, causing DHCP server to fail on next start of 128T - - Until the system is upgraded to 4.3.8, this issue can be mitigated by restarting the 128T. +- **I95-35406** Shutdown race condition may cause improper DHCP server clean up, causing DHCP server to fail on next start of 128T. ------ - **I95-35563** Startup race condition can lead to LTE initialization failure Until the system is upgraded to 4.3.8, this issue can be mitigated by restarting the 128T. ------ -- **I95-35636** SNMP query for ifIndex of interface incorrectly returns +- **I95-35636** SNMP query for ifIndex of interface incorrectly returns: ``` No Such Object available on this agent at this OID ``` ------ - **I95-35655** New metrics - RSRP, RSRQ, Active Band and Active Channel were added to (the existing) show device-interface PCLI command and lte-state script output for LTE interface. ------ -- **I95-35694** A `service-route` of type `host` results in an invalid service path during session establishment +- **I95-35694 A `service-route` of type `host` results in an invalid service path during session establishment.** This issue has been resolved by adding a missing gateway-ip address to the process. 
------ -- **I95-35701** Configuration validation incorrectly rejects valid config when a `service-route` references a service with both `applies-to` `authority` and `router-group` not matching the router of that service-route +- **I95-35701 Configuration validation incorrectly rejects valid config when a `service-route` references a service with both `applies-to` `authority` and `router-group` not matching the router of that service-route.** Configuration validation no longer rejects the valid configuration. ------ -- **I95-35781** Rare race condition during `rotate logs` PCLI command may cause applications to fault +- **I95-35781 Rare race condition during `rotate logs` PCLI command may cause applications to fault.** The `rotate logs` PCLI command no longer causes the race condition. ------ - **I95-35866** Addressed latest CVEs (this requires the latest installer see I95-36033 below) ------ 
@@ -272,29 +261,28 @@ The minimum 128T-installer version of 2.6.0 is required for the 4.3.8 update. (r ### Resolved Issues -- **I95-24681** Grammatical improvements to HA initialization, providing more clarity around the use of specific IP addresses +- **I95-24681** Grammatical improvements to HA initialization, providing more clarity around the use of specific IP addresses. ------ -- **I95-26276** Enabled OSPF authentication in configuration +- **I95-26276** Enabled OSPF authentication in configuration. ------ -- **I95-30610** RTP is not properly classified for subsequent 128T routers +- **I95-30610** RTP is not properly classified for subsequent 128T routers. ------ -- **I95-35172** Adding DHCP server instances requires a software restart +- **I95-35172** Adding DHCP server instances requires a software restart. ------ - **I95-35401** SVR traffic would be dropped as a result of tenant members source type being incorrectly classified. - - _**Conditions:**_ When the interface has an adjacency and tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as `PUBLIC` for that entry when it should show as `HYBRID`, resulting in traffic being dropped. + _**Conditions:**_ When the interface has an adjacency and Tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as `PUBLIC` for that entry when it should show as `HYBRID` ------ -- **I95-35602** The command `show network-interface` may result in a `Unhandled TypeError` in the PCLI when a PPPoE interface is down +- **I95-35602** The command `show network-interface` may result in a `Unhandled TypeError` in the PCLI when a PPPoE interface is down. ------ -- **I95-35633** The GUI performance has been improved for configuration edit operations +- **I95-35633** The GUI performance has been improved for configuration edit operations. 
------ -- **I95-35644** Added support for `bgp route-reflector allow-outbound-policy` +- **I95-35644** Added support for `bgp route-reflector allow-outbound-policy`. ## Release 4.3.6 ### Resolved Issues -- **I95-35377** Additional metrics added to realize active traffic engineering behavior +- **I95-35377** Additional metrics added to realize active traffic engineering behavior. ------ - **I95-35394** salt-minion may fault during an upgrade or rollback operation. This issue does not impact the upgrade or rollback operations. @@ -304,13 +292,12 @@ The minimum 128T-installer version of 2.6.0 is required for the 4.3.8 update. (r ### Resolved Issues - **I95-33842** Race condition on 128T startup, causing DHCP server to fail to start - _**Conditions:**_ DHCP server is not running. The following log message can be seen: ``` init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Running command ['/usr/sbin/ip', 'netns', 'set', 'dhcp-server-ns-1', '1073742075'] init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip netns set dhcp-server-ns-1 1073742075" failed: RTNETLINK answers: No space left on device ``` - Until the system is upgraded to 4.3.5, this issue can be mitigated by restarting the 128T. + Until the system is upgraded to 4.2.8, this issue can be mitigated by restarting the 128T process. ------ - **I95-34053** When configured to use LDAP, locally created user credentials and access are not honored for those users that already exist in LDAP. 
@@ -320,21 +307,21 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.3.5, this issue can be mitigated by attempting the commit again. ------ -- **I95-34716** Fixed a rare race condition crash on startup of the Automated Provisioner +- **I95-34716** Fixed a rare race condition crash on startup of the Automated Provisioner. ------ -- **I95-34744** highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router +- **I95-34744** highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router. ------ - **I95-34790** Dual node HA routers with large numbers of peer paths (>500) may see some flows get blackholed after a node failover occurs. ------ -- **I95-34842** The configuration attribute `authority > router > node > device-interface > vrrp` has been removed from configuration in the GUI as the capability does not exist +- **I95-34842** The configuration attribute `authority > router > node > device-interface > vrrp` has been removed from configuration in the GUI as the capability does not exist. ------ - **I95-34961** Using a QuickStart file to provision a router fails if the ZScaler plugin is installed on the Conductor. ------ -- **I95-34968** Self-signed certificates created during initial installation of 128T are invalid +- **I95-34968** Self-signed certificates created during initial installation of 128T are invalid. ------ -- **I95-35035** Significantly improved the performance of populating the FIB from configuration and dynamic routes +- **I95-35035** Significantly improved the performance of populating the FIB from configuration and dynamic routes. ------ -- **I95-35062** Non-permanent LTE failures are incorrectly displayed as a failure context in `show device-interface` +- **I95-35062** Non-permanent LTE failures are incorrectly displayed as a failure context in `show device-interface`. 
------ - **I95-35082** When a 128T is deployed behind a NAT firewall and has path MTU (PMTU) discovery enabled, SVR sessions established for outbound-only connections are set up with the configured interface MTU, not the discovered PMTU. ------ @@ -344,9 +331,9 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.3.5, this issue can be mitigated by disabling rather than deleting the user. ------ -- **I95-35115** Aggregate bandwidth charts may not display data accurately +- **I95-35115** Aggregate bandwidth charts may not display data accurately. ------ -- **I95-35155** `show device-interface` output did not include duplex mode +- **I95-35155** `show device-interface` output did not include duplex mode. ------ - **I95-35188** Adding a tenant or changing the order of tenants in the configuration can lead to traffic being dropped upon session recovery @@ -358,13 +345,11 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.3.5, the learned MTU value can be directly set within Linux ------ -- **I95-35303** `persistentDataManager` process can fault on shutdown of 128T +- **I95-35303** `persistentDataManager` process can fault on shutdown of 128T. ------ -- **I95-35323** BGP over SVR does not work if both sides of the routers have VLAN tagged interfaces - - Until the system is upgraded to 4.3.5, configure the outgoing SVR interfaces without vlans. At least one side of the BGP over SVR routers should not utilize VLAN tagging. +- **I95-35323** BGP over SVR does not work when both sides are using VLAN tags. ------ -- **I95-35395** Enabled BGP router reflector `cluster-id` in configuration +- **I95-35395** Enabled BGP router reflector `cluster-id` in configuration. ## Release 4.3.4 
@@ -402,29 +387,17 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.3.2, this issue can be mitigated by deleting the existing `device-interface` object and recreate it. ------ -- **I95-30011** HA router nodes may take upwards of 40 seconds to achieve quorum. - - _**Symptom:**_ SVR traffic may be dropped while a redundant node is restarting. - - _**Conditions:**_ The hostname of the platform cannot be resolved - - Until the system is upgraded to 4.3.2, this issue can be mitigated by setting the hostname of the node to a value that can be resolved or add an address for the system in `/etc/hosts` +- **I95-30011** System hostnames that cannot be resolved cause two HA nodes to achieve quorum after DNS lookup times out (approximately 40 seconds) ------ - - **I95-31597** Configuring a static ARP entry within a `neighbor` configuration is not honored _**Symptom:**_ Dynamic ARP entries take precedence over statically configured ARP entries - ------ -- **I95-32244** Cannot upgrade after software download completes - - _**Conditions:**_ Managed router being upgraded via Conductor can intermittently fail due to transient network conditions, 4.3.2 will now perform multiple attempts to verify the download completed. - - Until the system is upgraded to 4.3.2, this issue can be mitigated by performing the Download operation again. +- **I95-32244** Download of software upgrade may fail and not provide feedback ------ - **I95-32509** Generated configuration objects are shown by default in GUI and PCLI ------ -- **I95-32660** `saltMaster.log` files rotate once daily with a maximum of 25 rotated files, consuming a large amount of disk space. This has been changed to rotate hourly, with a maximum of 25 rotated files. +- **I95-32660** Log files were only rotated daily which may result in larger than expected log file size for the following: saltmaster, radvd, influxdb_http, t128tuntap. 
------ - **I95-33024** Specifying a `metric` value within `advertise-default` of OSPF causes advertisements to be withdrawn @@ -621,12 +594,11 @@ Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to a ------ - **I95-34653** SNMP IF-MIB does not display correctly when a non-forwarding management interface is present ------ - ## Release 4.3.1 ### Resolved Issues -- **I95-34058, I95-34064** Session setup fails for outbound only when first packet exceeds MTU +- **I95-34058** Session setup fails for paths configured as `outbound-only` when first packet of a flow exceeds MTU (typically UDP) ## Release 4.3.0 @@ -646,7 +618,7 @@ Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to a - **I95-25913** Address Latest CVEs -- **I95-26271** Hugepage Calculator +- **I95-26271** Application to assist in determining appropriate huge pages - **I95-27263** GUI: DHCP Lease Management @@ -706,7 +678,11 @@ Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to a ------ - **I95-32754** DHCP Server can flood the journal with monitoring messages ------ -- **I95-32843** System can fault when routing loop is created with OSPF +- **I95-32843** System can fault when routing loop is created with OSPF and BGP + + _**Symptom:**_ highwayManager process faults after configuration is loaded. + + _**Corrective Action:**_ Restore existing configuration to remove routing loop created by OSPF. ------ - **I95-32902** LTE APN name not displayed correctly ------ 
@@ -744,12 +720,11 @@ Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to a ------ - **I95-33441** Changing node name can cause the 128T to fault on shutdown due to a rare race condition ------ - ## Special Considerations If upgrading from 4.1 consult the [4.2.3 release notes Special Considerations](release_notes_128t_4.2.md#special-considerations) section -- **I95-36525** TLS 1.0 is no longer supported +- **I95-36525** Due to known vulnerabilities, only TLS versions 1.2 and 1.3 are supported. We do not support TLS 1.0 and 1.1. ## Caveats @@ -772,14 +747,7 @@ systemctl restart salt-minion _**Corrective Action:**_ Perform the PCLI command on the router to update the information on the Conductor. ------ -- **I95-32789** Peer stats in Conductor UI not provided during upgrade - - _**Symptom:**_ When upgrading a node from pre 4.3 to 4.3, the peer node will not provide general stats in the conductor UI until the peer is also upgraded. - - _**Conditions:**_ When nodes of a router or conductor pair are on different versions (for routers this is the short transition where the first node is upgraded and the second node is in the process of upgrading but still operational) - - _**Corrective Action:**_ NA, when both nodes are operational and on the 4.3 version the stats information on the router dialog will be provided. Stats can still be retrieved from the PCLI of the node while it is running. - +- **I95-32789 Peer metrics unavailable after Conflux synchronization:** Resolved an issue with HA routers where the metrics application stops streaming metrics to the peer node after loading configuration. ------ - **I95-36033** 4.3.8 does not enforce the 128T-installer-2.6.0 version that deprecates rpms for CVE corrections diff --git a/docs/release_notes_128t_4.4.md b/docs/release_notes_128t_4.4.md index 5ae6e4f212a..952ae7da795 100644 --- a/docs/release_notes_128t_4.4.md +++ b/docs/release_notes_128t_4.4.md 
@@ -7,26 +7,17 @@ sidebar_label: 4.4 ### Issues Fixed -- **I95-18807** Removed a benign error displayed in journal due to imudp module loaded by rsyslog daemon. - - _**Symptoms:**_ The following message can be seen in the journal: - ``` - rsyslogd[1337]: imudp: module loaded, but no listeners defined - no input will be gathered [v8.24.0 try http://www.rsyslog.com/e/2212 ] - ``` +- **I95-18807 An error displays in the journal due to imudp module loaded by rsyslog daemon.** The error condition has been resolved and the error no longer displays. ------ -- **I95-32298** Admin down of KNI in t128-ipsec address space does not result in the interface state change to operationally down. +- **I95-32298 KNI interfaces created by the IPsec plugin do not transition to "operationally down" when being set to "administrative down".** The KNI interfaces now transition smoothly. ------ -- **I95-32594** Validation allows for mismatched adjacency security-policy with peer network-interface security-policy for cases where multiple network interfaces in a router have the same IP address. Only the first one is considered for matching inter-router-security policy between the network interface and peer adjacency. - - Until the system is upgraded to 4.4.2, this issue can be mitigated by manually checking the inter-router-security policy between the network interface and peer adjacency match. +- **I95-32594** Validation allows for mismatched adjacency security-policy with peer network-interface security-policy for cases where multiple network interfaces in a router have the same IP Address. Only the first one is considered for matching inter-router-security policy between the network interface and peer adjacency. ------ -- **I95-32660** Log files were only rotated daily which may result in larger then expected log file size for the following: saltmaster, radvd, influxdb_http, t128tuntap. 
+- **I95-32660** Log files were only rotated daily which may result in larger than expected log file size for the following: saltmaster, radvd, influxdb_http, t128tuntap. ------ - **I95-33471** Adaptive encryption counters are incorrectly incremented when encryption is disabled and adaptive-encryption is enabled. ------ -- **I95-33594** Changing the `neighbor-as` of an existing BGP neighbor prevents it from connecting. - - Until the system is upgraded to 4.4.2, this issue can be mitigated by restarting the 128T or by removing and recreating the BGP configuration. +- **I95-33594 Changing the `neighbor-as` of an existing bgp neighbor prevents it from connecting.** The BGP neighbor now connects correctly. ------ - **I95-33989** Terminating a "validate" command with CTRL-c returns to the PCLI prompt but does not stop the in-progress validation. This prevents subsequent validation attempts until the in-progress validation completes in the background. @@ -38,13 +29,10 @@ sidebar_label: 4.4 ``` Until the system is upgraded to 4.4.2, this issue will resolve itself after the background tasks have completed. ------ -- **I95-35111** `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server. - - _**Conditions:**_ When multiple NTP servers are configured, at least one is reachable and at least one is not reachable. +- **I95-35111 `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server.** The error is no longer thrown when multiple NTP servers are configured and at least one is reachable. ------ - **I95-35193** Performing a download of software may fail. - - _**Conditions:**_ 128T connection to the conductor is disconnected or restarted. + _**Conditions**_ 128T connection to the conductor is disconnected or restarted. ------ - **I95-35331** A custom chart that contains multiple line charts selects the incorrect graph when clicking on the corresponding legend. ------ 
@@ -58,26 +46,25 @@ sidebar_label: 4.4 rpm --rebuilddb ``` ------ -- **I95-35793** Large responses from a DNS server may be rejected by 128T. When this happens, provisioned FQDNs remain unresolved. - +- **I95-35793** Large responses from a DNS server may be rejected by 128. When this happens, FQDNs in the configuration remain unresolved. _**Conditions:**_ The following log message can be seen: ``` - Jun 16 06:09:25.272 [DNS |DNSR] WARN (dnsManagerTP ) Failed to parse Ipv4Host (1) response for some.domain.com: Message too long + Jun 16 06:09:25.272 [DNS |DNSR] WARN (dnsManagerTP ) Failed to parse Ipv4Host (1) response for edge-global.plcm.vc: Message too long ``` ------ -- **I95-35799** When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions. +- **I95-35799 When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions.** This issue has been resolved. ------ -- **I95-35933** `show device-interface` displays incorrect values for speed and duplex for PPPoE interfaces. +- **I95-35933 `show device-interface` displays incorrect values for speed and duplex for PPPoE interfaces.** The correct speeds are now displayed for `show device-interface`. ------ -- **I95-35935** Configuring the same value for `router > conductor-address` on different routers will generate invalid configuration. +- **I95-35935 Configuring the same value for `router > conductor-address` on different routers will generate invalid configuration.** The router-based conductor map has been separated from the global conductor map. ------ - **I95-36012** `show device-interface` displays incorrect values for speed and duplex for LTE interfaces. 
------ - **I95-36109** Sessions may not reestablish properly on a fail-over between different routers to the same destination router (e.g., Session originates on R1 to R2. Later, the same session fails over to traverse R3 to R2). ------ -- **I95-36146** Pagination prompts are incorrectly stored in PCLI history. +- **I95-36146** Non-PCLI commands, such as pagination responses, are incorrectly stored in command history. ------ -- **I95-36149** Committing a configuration change to a device-interface capture-filter when actively capturing traffic on that interface can cause the highway process to fault. +- **I95-36149 Committing a configuration change to a device-interface capture-filter when actively capturing traffic on that interface can cause the highway process to fault.** Updated to verify the order of operations and prevent the fault. ------ - **I95-36212** Fixed an issue where some Automated Provisioner actions would fail silently or return an error. 
@@ -99,18 +86,17 @@ sidebar_label: 4.4 ``` ------ - **I95-36283** The 128T router asset state is stuck on its current state. - _**Conditions:**_ The following log message can be seen: ``` TypeError: heap argument must be a list ``` - Until the system is upgraded to 4.4.2, this issue can be mitigated by restarting the salt-minion service by executing `systemctl restart salt-minion` in the Linux shell. If not manually restarted, the salt-minion watchdog will also restart the salt-minion after one hour. + Until the system is upgraded to 4.5.0, this issue can be mitigated by restarting the salt-minion service by executing `systemctl restart salt-minion` on the Linux shell. If not manually restarted, the salt-minion watchdog will also restart the salt-minion after one hour. ------ - **I95-36341** Race condition can occur when receiving a BGP packet destined for the 128T during startup without a fully populated FIB, causing a system fault. ------ -- **I95-36351** User without admin privileges can not change their password. +- **I95-36351** User without admin privileges cannot change their password. ------ -- **I95-36356** Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs. +- **I95-36356 Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs.** Changes to the BGP `graceful-restart restart-time` no longer cause a process fault. ------ - **I95-36358** Currently downloading version in the asset state would persist after a download has completed. 
@@ -140,7 +126,7 @@ sidebar_label: 4.4 ------ - **I95-36638** Polling SNMP OID 1.3.6.1.2.1.1.2 returns `NET-SNMP-TC::linux` instead of `T128-MIB::t128NetworkingPlatform (1.3.6.1.4.1.45956.1)` ------ -- **I95-36672** Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart. +- **I95-36672 Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart.** Traffic on the device interface is handled before deleting the filters. ------ - **I95-36727** A non-forwarding, external (i.e. management) interface configured in 128T does not obtain a DHCP IP upon disconnecting and reconnecting the cable. ------ @@ -156,7 +142,7 @@ sidebar_label: 4.4 ------ - **I95-36891** Exception thrown in PCLI when `CMD`+`right arrow` jumping past the end of an auto complete command. ------ -- **I95-37042** 128T process `prank` journal log was incorrectly excluded from output of `save tech-support-info` +- **I95-37042** 128T process `prank` journal logs were incorrectly excluded from output of `save tech-support-info`. ------ - **I95-37106** Initiating a download on an HA router may silently be ignored on one of the nodes if it was in "connected" state. 
@@ -179,20 +165,19 @@ Upgrading to the 4.4.1 release requires version 2.6.0 or newer of the 128T insta ------ - **I95-33762** Unable to provision multiple DHCP servers per network interface on unmanaged, standalone router. ------ -- **I95-33842** Race condition on 128T startup, causing DHCP server to fail to start. - +- **I95-33842** Race condition on 128T startup, causing DHCP server to fail to start _**Conditions:**_ DHCP server is not running. The following log message can be seen: ``` init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Running command ['/usr/sbin/ip', 'netns', 'set', 'dhcp-server-ns-1', '1073742075'] init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip netns set dhcp-server-ns-1 1073742075" failed: RTNETLINK answers: No space left on device ``` - Until the system is upgraded to 4.4.1, this issue can be mitigated by restarting the 128T. + Until the system is upgraded to 4.2.8, this issue can be mitigated by restarting the 128T process. ------ - **I95-34053** When configured to use LDAP, locally created user credentials and access are not honored for those users that already exist in LDAP. Until the system is upgraded to 4.4.1, this issue can be mitigated by restarting the 128T. ------ -- **I95-34649** `best-effort` path handling for `proportional` load balancing is not honored by service-policy. +- **I95-34649 `best-effort` path handling for `proportional` load balancing is not honored by service-policy.** Path handling for `best effort` load balancing is handled correctly. ------ - **I95-34751** LTE certified to run on Verizon wireless networks. ------ 
@@ -223,12 +208,9 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net - **I95-35395** Enabled BGP router reflector `cluster-id` in configuration. ------ - **I95-35401** SVR traffic would be dropped as a result of tenant members source type being incorrectly classified. - - _**Conditions:**_ When the interface has an adjacency and tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as `PUBLIC` for that entry when it should show as `HYBRID`, resulting in traffic being dropped. + _**Conditions:**_ When the interface has an adjacency and Tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as `PUBLIC` for that entry when it should show as `HYBRID` ------ - **I95-35406** Shutdown race condition may cause improper DHCP server clean up, causing DHCP server to fail on next start of 128T. - - Until the system is upgraded to 4.4.1, this issue can be mitigated by restarting the 128T. ------ - **I95-35517** [Selective Packet Capture](ts_packet_capture.md#selective-packet-capture) ------ 
@@ -251,13 +233,13 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net ------ - **I95-35644** Added support for `bgp route-reflector allow-outbound-policy`. ------ -- **I95-35655** RSRP and RSRQ values are now displayed in the output of `show device-interface` for LTE interfaces. +- **I95-35655** New metrics - RSRP, RSRQ, Active Band and Active Channel were added to (the existing) show device-interface PCLI command and lte-state script output for LTE interface. ------ -- **I95-35694** A `service-route` of type `host` results in an invalid service path during session establishment. +- **I95-35694 A `service-route` of type `host` results in an invalid service path during session establishment.** This issue has been resolved by adding a missing gateway-ip address to the process. ------ -- **I95-35701** Configuration validation incorrectly rejects valid config when a `service-route` references a service with both `applies-to` `authority` and `router-group` not matching the router of that service-route. +- **I95-35701 Configuration validation incorrectly rejects valid config when a `service-route` references a service with both `applies-to` `authority` and `router-group` not matching the router of that service-route.** Configuration validation no longer rejects the valid configuration. ------ -- **I95-35781** Rare race condition during `rotate logs` PCLI command may cause applications to fault. +- **I95-35781 Rare race condition during `rotate logs` PCLI command may cause applications to fault.** The `rotate logs` PCLI command no longer causes the race condition. ------ - **I95-35866** Addressed latest CVEs. ------ 
@@ -297,7 +279,7 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net - **I95-32760** Selected Events remain highlighted when navigating the event page. -- **I95-32783** ["show assets summary" enhancements](cli_reference.md#show-assets-summary) +- **I95-32783** [`show assets summary` enhancements](cli_reference.md#show-assets-summary) - **I95-33374** Address Latest Vulnerabilities 4.4. @@ -349,14 +331,13 @@ AttributeError: 'NoneType' object has no attribute 'StreamClosedError' ------ - **I95-33465** UI sometimes does not provide an indication that it is committing the configuration when importing from backup. ------ -- **I95-33842** Race condition on 128T startup, causing DHCP server to fail to start. - +- **I95-33842** Race condition on 128T startup, causing DHCP server to fail to start _**Conditions:**_ DHCP server is not running. The following log message can be seen: ``` init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Running command ['/usr/sbin/ip', 'netns', 'set', 'dhcp-server-ns-1', '1073742075'] init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip netns set dhcp-server-ns-1 1073742075" failed: RTNETLINK answers: No space left on device ``` - Until the system is upgraded to 4.4.0, this issue can be mitigated by restarting the 128T process. + Until the system is upgraded to 4.2.8, this issue can be mitigated by restarting the 128T process. ------ - **I95-33983** User role can see a list of config exports by executing `show config exports`. ------ 
@@ -428,7 +409,7 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net ## Special Considerations -- **I95-36525** TLS 1.0 is no longer supported. +- **I95-36525** Due to known vulnerabilities, only TLS versions 1.2 and 1.3 are supported. We do not support TLS 1.0 and 1.1. ------ - Python has been upgraded from version 2 to version 3. Any custom salt states that have been written that include python code, may need to be upgraded or rewritten in advance of the upgrading to 4.4. (I95-31073) ------ 
@@ -451,13 +432,12 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net _**Corrective Action:**_ No action required. The webserver will immediately restart. ------ -- **I95-33560** When upgrading a HA conductor to version 4.4.0 or later there is a compatibility issue due to an upgrade of the asset provisioning software. This results in a reported asset error that will persist until the two nodes are upgraded to the same version. +- **I95-33560** When upgrading an HA conductor to version 4.4.0 or later there is a compatibility issue due to an upgrade of the asset provisioning software. This results in a reported asset error that will persist until the two nodes are upgraded to the same version. _**Symptom:**_ This error is seen during the upgrade of an HA conductor pair to version 4.4.0 or later. An upgrade of a single standalone conductor node will not see this error. The following error will be reported by the node running software version earlier than 4.4.0: ``` -"128T highstate: ["Rendering SLS '128T:reverse_ssh' failed: Jinja variable 'dict object' has no attribute 'iteritems'"]" + "128T highstate: ["Rendering SLS '128T:reverse_ssh' failed: Jinja variable 'dict object' has no attribute 'iteritems'"]" ``` This error can be viewed by running the following PCLI command from either node: `show assets `. Where asset-id is the asset-id of the node running pre 4.4.0 version that has not yet been upgraded. - _**Corrective Action:**_ This error is transient and will only persist for the duration of the upgrade. The error it will not self-correct. Continue to upgrade the second conductor node. After upgrade, verify that there are no asset state errors. ------- + _**Corrective Action:**_ This error is transient and will only persist for the duration of the upgrade. The error will not self-correct. Continue to upgrade the second conductor node. After upgrade, verify that there are no asset state errors. 
diff --git a/docs/release_notes_128t_4.5.md b/docs/release_notes_128t_4.5.md index 8d66851bb73..913b260a554 100644 --- a/docs/release_notes_128t_4.5.md +++ b/docs/release_notes_128t_4.5.md @@ -21,7 +21,7 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r ## Resolved Issues -- **I95-40035/I95-40030 Jute maxbuffer limit for running/candidate configurations:** Created an alarm when the zookeeper jute buffer exceeds a threshold (75%), and an alert to change the system environment configuration. +- **I95-40035/I95-40030 Jute maxbuffer limit for running/candidate configurations:** Created an alarm when the zookeeper jute buffer exceeds a threshold (75%) and an alert to change the system environment config. ------ - **I95-40239 CVE-2021-26937:** This vulnerability has been resolved. ------ 
@@ -76,16 +76,28 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r - **I95-39477 Configuration validation failure when conductor non-forwarding fabric interfaces are configured in different subnets:** Updated to display a warning to the user to correct the issue, rather than failing. ------ - **I95-39761 Influx process not releasing memory:** Resolved an issue where influx would not release unneeded memory resulting in task restarts. -------- +------ - **I95-39780 Hugepage tool incorrectly calculates hugepages based on Tenant table:** Revised the scaling of the Hugepage tool. ------ -- **I95-39852 Synchronize Hardware clock to NTP Server:** Resolved an issue where the hardware and system clocks were not synchronized. +- **I95-39852 Sync System clock to the Hardware clock with NTP:** The hardware clock now synchronizes with the NTP server. ------ - **I95-39887 Router deployments taking longer than expected to complete:** Resolved an issue where assets take a long time to transition out of the connected state. ------ -- **I95-39953 IPFIX Export Loop:** Resolved a race condition causing the IPFIX collector to get into an infinite loop exporting interim records. +- **I95-39953 Spike in IPFIX records:** Resolved a race condition causing a collector to enter an infinite loop. ------ -- **I95-39985 Template save error:** Resolved an issue where creating persistent fields on an **existing** template in Advanced Mode generated a validation error and the template changes were not saved. +- **I95-39985 Template save error:** When creating persistent fields on an **existing** template in Advanced Mode, a validation error appears and the template changes are not saved. +_**Workaround:**_ There are two workarounds. + +You can either; use GraphQL to set `persistInput` on each template to `true` to resolve the issue for that template. + +OR + +1. Copy the contents of the variables pane to your clipboard. +2. Open the Settings dropdown. +3. 
Click “Persist Input” to disable the option. +4. Click “Proceed” in the warning modal. +5. Open the Settings menu and click “Persist Input” again to turn it back on. +6. Paste your variables back into the variables pane and save the template. This template should no longer encounter the issue. ------ - **I95-39986 Mellanox driver discarding large segmented packets:** Resolved an issue where the Mellanox driver was discarding large segmented packets and reporting them as errors. ------ @@ -123,7 +135,7 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r ------ - **I95-39788 Inconsistent services after modifying certain service configs:** The system's underlying service configurations may have been in an inconsistent state when modifying a dhcp-relay or template application-type service. ------ -- **I95-39798 Version update check may get stuck on GPG key access when using an access token:** The software upgrade version check has been modified to support access tokens. +- **I95-39798 Token Update and Available Version Update stuck on GPG key access:** In rare occasions the GPG key access may cause the token and version updates to hang, and block access to the software. To prevent this issue, log out of all open web and PCLI sessions before applying the token. ------ - **I95-39826 Management over forwarding pppoe generates v6 services or service-routes:** Resolved an issue where pppoe config generation is treated as a possible ipv6 address family interface. ------ 
@@ -165,7 +177,14 @@ OR ------ - **I95-39649/BEL-42 Conductors/Routers on initial deployment not going to running state.** Resolved an issue where Conductors or Routers on initial deployment would not transition to a running state until a certificate was added. ------ -- **I95-39793 Conductor fails to self-upgrade:** This issue affected only 4.5.6-1 systems performing Conductor self-upgrade with Installer version 2.7.0 (or later). This issue has been resolved. +- **I95-39793 Conductor fails to self-upgrade:** This issue affects only 4.5.6-1 systems performing conductor self-upgrade with Installer version 2.7.0 (or later). Released versions of 128T prior or after 4.5.6-1 are not affected. + +The following error is displayed: +``` +/usr/bin/nice: /usr/lib/128T-installer/install128t.par: No such file or directory +Failed to upgrade 128T! +``` +The recommended course of action is to perform a manual interactive upgrade of the conductor. Please refer to [Upgrading Using the Interactive Installer](upgrade_legacy.md#upgrading-using-the-interactive-installer) for that process. ### Caveats 
@@ -190,7 +209,9 @@ OR - **I95-30812 PCLI session terminated when actively running commands:** Prior to this change only the enter key would reset the PCLI activity timer. With this change, the `tab` and `?` operations will also reset the PCLI activity timer. ------ -- **I95-35521 Ambiguous validation error:** Errors now more clearly identify the source of the error. +- **I95-35521** pcli may provide a validation error but does not provide the specific configuration in error. + + _**Corrective Action:**_ If a validation error is provided, review the configuration of each sub list between the items identified in the error response provided. For example, the same vlan id cannot be used for different networks interfaces on the same device interface. ------ - **I95-36053 High number of System Events on 128T Config changes:** Added a filter to audit logs of type SERVICE-START and SERVICE-STOP based on service to filter just the required services. ------ @@ -214,9 +235,9 @@ OR ------ - **I95-38393 Router Cannot Get Past Connected State:** Resolved an issue where assets could become stuck in Connected state. ------ -- **I95-38395 TCP Out of Order can cause Stuck Flow:** Resolved an issue where a TCP FIN received before the data that preceded it could cause a stuck flow. +- **I95-38395** Resolved an issue where a TCP FIN received before the data that proceeded it could cause a stuck flow. ------ -- **I95-38458 PCLI fails to start after upgrade:** Resolved an issue where caching errors prevented 128T from starting. +- **I95-38458 PCLI fails to start after upgrade:** Resolved an issue where caching errors prevented SSR from starting. ------ - **I95-38474 The `router > dns-config` does not account for the immutable bit on `/etc/resolv.conf`:** Resolved an issue with the DNS proxy not working due to the immutable bit set by ISO. ------ 
@@ -288,7 +309,6 @@ OR ------ - **I95-39543 Out of order packets when traffic-eng is enabled in multicore environments:** Fixed occasional reorder issue when `traffic-eng` is enabled in a multicore environment. ------ - ### Caveats - **I95-39793 Conductor fails to self-upgrade:** This issue affects only 4.5.6-1 systems performing conductor self-upgrade with Installer version 2.7.0 (or later). Released versions of 128T prior or after 4.5.6-1 are not affected. @@ -349,11 +369,13 @@ Before upgrading, ensure that there is at least one user on each 128T system tha - **I95-37855 Configurable waypoint allocation.** The `max-way-points` value is configurable at the adjacency level for each associated inter-router path. The `max-inter-node-way-points` value is configurable at the router level for all inter-node paths. Please refer to [`max-inter-node-way-points`](config_reference_guide.md#max-inter-node-way-points) and [`max-way-points`](config_reference_guide.md#max-way-points) for more details. ------ - ### Resolved Issues - **I95-39044 OTP ISO bootstrap sets HA nodes with name of first node** The OTP bootstrap operation now updates the second node in an HA pair with the correct name. This correction has been applied to the v2 version of the 4.5.3 OTP ISO. This fix does not apply to the 4.5.4 nor the 4.5.5 OTP ISO at this time (03/01/2021). ------ -- **I95-35567, I95-37833 Weak Password Policy.** New restrictions on password properties have been added to ensure strong passwords. +- **I95-37833 Apply password policy more consistently:** The password policy for SSR users has been updated, and now requires passwords to have a special character in addition to previous requirements. +:::important +Please refer to [Password Policies](config_password_policies.md) for updated password requirements. +::: ------ - **I95-35987 Downloading exported config files does not preserve the file name.** The download process correctly preserves the file name. ------ 
@@ -396,7 +418,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-37680 nodeMonitor process may fault on shutdown of 128T.** `nodeMonitor` no longer faults on 128T shutdown. ------ -- **I95-37752 A race condition exists when a session is manually deleted through the `delete sessions` PCLI command.** The `delete sessions` command no longer creates a race condition. (Interim IPFIX record generation or HA session synchronization could also cause trigger the same fault, and is also addressed by this fix.) +- **I95-37752** A race condition exists when a session is manually deleted through the `delete sessions` PCLI command; interim IPFIX record generation or HA session synchronization may cause the highway process to fault. ------ - **I95-37777 Adding SNMP configuration may cause webserver to be inaccessible.** This issue has been resolved; adding SNMP configurations no longer impacts the Webserver. ------ @@ -442,7 +464,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a _**Symptom:**_ Show peers will show the physically disconnected peer as UP while in this state. ------ -- **I95-35927** When deleting a VLAN network interface and simultaneously assigning its VLAN ID to the only other remaining network interface on the same device interface, future operational state changes on that interface may be ignored. +- **I95-35927 When deleting a VLAN network interface and simultaneously assigning its VLAN ID to the only other remaining network interface on the same device interface, future operational state changes on that interface may be ignored.** This issue has been resolved. ------ - **I95-36540** Session expiry logic algorithm was inefficient causing latency in session setup. ------ 
@@ -512,12 +534,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ### Resolved Issues -- **I95-18807** Removed a benign error displayed in journal due to imudp module loaded by rsyslog daemon. - - _**Symptoms:**_ The following message can be seen in the journal: - ``` - rsyslogd[1337]: imudp: module loaded, but no listeners defined - no input will be gathered [v8.24.0 try http://www.rsyslog.com/e/2212 ] - ``` +- **I95-18807 An error displays in the journal due to imudp module loaded by rsyslog daemon.** The error condition has been resolved and the error no longer displays. ------ - **I95-32660** Log files were only rotated daily which may result in larger than expected log file size for the following: saltmaster, radvd, influxdb_http, t128tuntap. ------ @@ -533,9 +550,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ``` Until the system is upgraded to 4.5.1, this issue will resolve itself after the background tasks have completed. ------ -- **I95-35111** `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server. - - _**Conditions:**_ When multiple NTP servers are configured, at least one is reachable and at least one is not reachable. +- **I95-35111 `No active NTP server` alarm erroneously generated when 128T can successfully reach a provisioned NTP server.** The error is no longer thrown when multiple NTP servers are configured and at least one is reachable. ------ - **I95-35331** A custom chart that contains multiple line charts selects the incorrect graph when clicking on the corresponding legend. ------ 
@@ -543,7 +558,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-35544** LTE SIM number (ICCID) is absent from the output of `show device-interface` on LTE interfaces. ------ -- **I95-35933** `show device-interface` displays incorrect values for speed and duplex for PPPoE interfaces. +- **I95-35933 `show device-interface` displays incorrect values for speed and duplex for PPPoE interfaces.** The correct speeds are now displayed for `show device-interface`. ------ - **I95-36050** Race condition on HA Conductor may incorrectly report pending configuration changes when no changes exist. @@ -594,7 +609,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-36646** SVR Savings page automatically refreshes, resetting router selector. ------ -- **I95-36672** Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart. +- **I95-36672 Deleting all session-capture filters on a _device-interface_ with active traffic can cause the highway process to restart.** Traffic on the device interface is handled before deleting the filters. ------ - **I95-36727** A non-forwarding, external (i.e. management) interface configured in 128T does not obtain a DHCP IP upon disconnecting and reconnecting the cable. ------ 
@@ -608,7 +623,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-36841** TCP RST can cause the highway process to fault on a SVR path performing UDP transform. ------ -- **I95-36850, I95-36851** An asset's available and downloaded versions are incorrectly cleared when an upgrade or rollback is initiated. +- **I95-36850, I95-36851** An asset's available and downloaded versions were incorrectly cleared when an upgrade or rollback is initiated. ------ - **I95-36866** When adding an access policy in a service in the GUI, the tenant drop down list comes up empty on the first try. @@ -620,7 +635,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-36891** Exception thrown in PCLI when `CMD`+`right arrow` jumping past the end of an auto complete command. ------ -- **I95-36927** Race condition can cause a fault in the highway process during session setup and configuration change removes BGP service route path +- **I95-36927** A race condition exists that can cause a fault in the highway process during session setup and configuration changes, that will remove the BGP service route path. ------ - **I95-37006** Peer path establishment may fail for waypoint interfaces that use DHCP (e.g., LTE) when upgrading from 4.4.x. ------ @@ -664,7 +679,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-32783** [`show assets summary` enhancements](cli_reference.md#show-assets-summary) ------ -- **I95-33174** Automatic LTE band management per carrier +- **I95-33174** Some LTE cards do not use the correct wireless bands for the AT&T network ------ - **I95-33215** [Audiocodes M800 watchdog](plugin_m800_watchdog.md) ------ 
@@ -686,9 +701,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ------ - **I95-34112** Rename `show config events` -> `show events config`. ------ -- **I95-33594** Changing the `neighbor-as` of an existing bgp neighbor prevents it from connecting. - - Until the system is upgraded to 4.5.0, this issue can be mitigated by restarting the 128T or by removing and recreating the bgp configuration. +- **I95-33594 Changing the `neighbor-as` of an existing bgp neighbor prevents it from connecting.** The BGP neighbor now connects correctly. ------ - **I95-35193** Performing a download of software may fail. _**Conditions**_ 128T connection to the conductor is disconnected or restarted. 
@@ -701,7 +714,7 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a Jun 16 06:09:25.272 [DNS |DNSR] WARN (dnsManagerTP ) Failed to parse Ipv4Host (1) response for edge-global.plcm.vc: Message too long ``` ------ -- **I95-35799** When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions. +- **I95-35799 When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions.** This issue has been resolved. ------ - **I95-35873,I95-35679** Asset stuck in a connected state as a result of a corrupted linux rpmdb. The issue requires the system be updated to the 128T-installer version 2.6.1 (see [IN-267](release_notes_128t_installer_2.6.md#release-261). If the conductor is used to upgrade systems, the latest installer will be updated from the repository being used. If the systems do not have access to the 128T public repositories, the repository being used should be updated with the 128T-installer 2.6.1 version. With the correction of this issue, the PCLI command `send command yum-cache-refresh` has been updated to perform the rpmdb repair if the rpmdb is corrupted. 
@@ -711,11 +724,11 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a rpm --rebuilddb ``` ------ -- **I95-35935** Configuring the same value for `router > conductor-address` on different routers will generate invalid configuration. +- **I95-35935 Configuring the same value for `router > conductor-address` on different routers will generate invalid configuration.** The router-based conductor map has been separated from the global conductor map. ------ - **I95-36012** `show device-interface` displays incorrect values for speed and duplex for LTE interfaces. ------ -- **I95-36109** Sessions may not reestablish properly on a fail-over between different routers to the same destination router (e.g., Session originates on R1 to R2. Later, the same session fails over to traverse R3 to R2.) +- **I95-36109** Sessions may not reestablish properly on a fail-over between different routers to the same destination router (e.g., Session originates on R1 to R2. Later, the same session fails over to traverse R3 to R2). ------ - **I95-36146** Non-PCLI commands, such as pagination responses, are incorrectly stored in command history. ------ 
@@ -726,16 +739,16 @@ As part of the SSH hardening process, inactive SSH sessions will be logged out a ``` Until the system is upgraded to 4.5.0, this issue can be mitigated by restarting the salt-minion service by executing `systemctl restart salt-minion` on the Linux shell. If not manually restarted, the salt-minion watchdog will also restart the salt-minion after one hour. ------ -- **I95-36356** Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process crash if a subsequent graceful-restart timeout occurs. +- **I95-36356 Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs.** Changes to the BGP `graceful-restart restart-time` no longer cause a process fault. ## Special Considerations - **I95-33004** RoadRunner Removed The RoadRunner process collected anonymous information from the router and sent it to 128 Technology for storage and analysis. This helped inform and allows 128 Technology to support and improve the 128 Networking Platform. The anonymous data collection tool RoadRunner has been removed from the product. ------ +------ - **I95-35629** The threshold for broadcast announcement for concurrent PCLI sessions has been increased from 4 to 10 as a result of I95-28366. ------ -- **I95-36525** TLS 1.0 is no longer supported. +- **I95-36525** Due to known vulnerabilities, only TLS versions 1.2 and 1.3 are supported. We do not support TLS 1.0 and 1.1. ## Caveats diff --git a/docs/release_notes_128t_5.0.md b/docs/release_notes_128t_5.0.md index 25e01231094..437bcb1cf68 100644 --- a/docs/release_notes_128t_5.0.md +++ b/docs/release_notes_128t_5.0.md 
@@ -83,10 +83,9 @@ Before upgrading, ensure that there is at least one user on each 128T system tha ------ - **I95-38170 Updated path metrics for `show service-path`:** Latency, loss, and jitter metrics are displayed when they are available, even if performance monitor is not enabled for the path. ------ - ### Resolved Issues -- **I95-20718:** Keywords as Configuration Values - the PCLI now prevents the use of keywords as configuration values. +- **I95-20718** PCLI now produces a warning when creating configuration objects with the keywords ("delete", "force", "move", "clone", "all") as their name. ------ - **I95-29643** Changing the name of an existing configuration object to one that already exists merges the two objects. ------ @@ -117,9 +116,9 @@ Before upgrading, ensure that there is at least one user on each 128T system tha ------ - **I95-35722** PCLI warning message formatting is now consistent with error messages. ------ -- **I95-35892** Regex use during search and replace config negatively impacts performance. +- **I95-34983, I95-35892** Remove unused PCLI Commands. ------ -- **I95-36645** UI: Bytes converter does not handle values larger than Terabyte (TB). +- **I95-36645** Bytes converter in the GUI does not handle values larger than Terabyte (TB), leaving value in bytes. ------ - **I95-36828** Unable to acquire logs through GUI when `remote-login` is disabled. ------ diff --git a/docs/release_notes_128t_5.1.md b/docs/release_notes_128t_5.1.md index 677c23a8c26..65c9cec0532 100644 --- a/docs/release_notes_128t_5.1.md +++ b/docs/release_notes_128t_5.1.md 
@@ -95,13 +95,13 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-43329 ISO imaged system missing rescue boot image:** The Rescue Boot Image was missing on systems with 5.1.6 or 5.1.7 installed. This has been corrected in the 5.1.8 release with `128T-5.1.8-1.el7.OTP.v2.x86_64.iso`. ------ -- **I95-43389 Salt Minion file truncation:** This issue has been resolved. +- **I95-43389 Minion files truncated:** Corrected condition when empty SSR configuration would cause the minion file to be incorrectly created. ------ - **I95-43454 Plugin highstate not sync'd:** When applying DNS cache configuration changes via PCLI or GUI, highstate is not being applied from the conductor to router. This issue was resolved by removing support of legacy pillar generation for plugins. ------ - **I95-43591 When deleting a linux user, the default bash is not restored:** A protection has been added to the SSR to disallow the creation of a user that already exists on the linux system. ------ -- **I95-43604 NAT keepalive problem:** Resolved an issue where the keepalive cache entry was being removed when the flow was invalidated. +- **I95-43604 NAT Keepalive Issue:** Resolved an issue where the keep-alive cache entry was being removed if the flow was invalidated. ------ - **I95-43643 EoSVR services frozen:** Resolved an issue where EoSVR services were not setting up actions properly. ------ 
@@ -153,7 +153,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-42563 Attempting to get help on `adjacency` throws an exception:** Resolved an issue when entering `?` while configuring an adjacency was throwing an exception. ------ -- **I95-42619 Remove ping_interval from salt minion config:** Resolved an issue where salt minions would spontaneous restart themselves and transition back into the connected state, especially when the conductor is under heavy load. +- **I95-42619 Salt-minion spontaneous restarts:** Resolved an issue where salt minions would spontaneously restart themselves and transition back into the connected state, especially when the conductor is under heavy load. ------ - **I95-42625 Unable to add egress-source-nat-pool to interface:** This issue has been resolved. ------ @@ -196,7 +196,7 @@ This release replaces the existing `5.1.6-1` release. - **I95-26075 Generate PCAP directly from Session table:** A button has been added to both the Session Debug table and the Top Sessions table that allows the user to create a PCAP file containing the specific row data from each table. ------ -- **I95-41457 OSPF VRF:** Multiple independent OSPF configurations are supported (zero or one per VRF), as well as on the default VRF. The `show ospf` commands accept an optional `vrf name` argument, and display the `vrf name` column appropriately. +- **I95-41457 VRF Learning via OSPF:** VRF can now learn via OSPF as well as BGP. For more information, see [VRF Learning.](config_vrf_learning.md) ------ - **I95-41905 Download Tech Support Info to the About page:** A button has been added to the Info page in the GUI that generates and downloads a zip file containing the Tech Support information. 
@@ -312,7 +312,7 @@ This release replaces the existing `5.1.6-1` release. - **I95-35414 Refresh actions now available for individual sections on the Router Page:** The Device interface, Network Interface, and Peer Paths table sections now can be refreshed independently. ------ -- **I95-38244 The Routers Page is easier to Search:** Added a column selector and a search matching system to make the search function more granular. +- **I95-38244 Router Page search enhanced:** Searches on the Routers page can now be targeted to specific columns using the search selector. ------ - **I95-38445 [GUI Session Capture](ts_packet_capture.md#session-capture-in-the-gui):** Added pages to the user interface that allow you to view and configure capture information. ------ @@ -320,7 +320,7 @@ This release replaces the existing `5.1.6-1` release. ------ - **I95-40458 Added the ability to toggle between Advanced and Basic Configuration mode:** Added the option to limit the main configuration screen to the most frequently used fields, or display all configuration options. ------ -- **I95-40532 Added Tenant prefix support on network interface:** Provides a simpler way to configure the tenant prefixes on a per branch basis. +- **I95-40532 Added Tenant prefix support on network interface:** This provides a simpler way to configure the tenant prefixes on a per branch basis. ### Resolved Issues 
@@ -360,7 +360,7 @@ This release replaces the existing `5.1.6-1` release. ------ - **I95-40473 API Username not being recorded:** Resolved an issue where the `modify_user` event was omitting the `fullName` modified field. ------ -- **I95-40489 ISO missing 128T-minion-connector rpm:** The 128T-minion-connector plugin rpm was not included in the 5.1 OTP ISO. This has been corrected in the 128T-5.1.3-1.el7.OTP.v3.x86_64.iso ISO. +- **I95-40489 ISO missing 128T-minion-connector rpm:** The 128T-minion-connector plugin rpm was not included in the 5.1 OTP ISO. This has been corrected in the `128T-5.1.3-1.el7.OTP.v3.x86_64.iso` ISO. ------ - **I95-40577 Import certificate webserver not copying the private key:** This issue has been resolved. ------ @@ -376,9 +376,10 @@ This release replaces the existing `5.1.6-1` release. ### Caveats -- **I95-39457 ServiceSecurityCheck validator should check for next-peer in service-route:** A missing validation check on `next-peer` service routes allows the configuration to be committed without presenting an error, preventing the establishment of an SVR session. This issue has been resolved in an upcoming release (5.3.0). +- **I95-39457 ServiceSecurityCheck validator should check for next-peer in service-route:** A missing validation check on `next-peer` service routes allows the configuration to be committed without presenting an error, preventing the establishment of an SVR session. This issue has been resolved in 5.3.0. - **_Resolution:_** Manually configure a security policy on each service with a `peer` and `next-peer` service route. + **_To reconcile pre-5.3.0 configurations:_** Manually configure a security policy on each service with a `peer` and `next-peer` service route. +::: ## Release 5.1.3 **Release Date:** May 14, 2021 
@@ -401,7 +402,7 @@ This release replaces the existing `5.1.6-1` release. ------ - **I95-39887 Router deployments taking longer than expected to complete:** Resolved an issue where assets take a long time to transition out of the connected state. ------ -- **I95-39953 IPFIX Export Loop:** Resolved a race condition causing the IPFIX collector to get into an infinite loop exporting interim records. +- **I95-39953 Spike in IPFIX records:** Resolved a race condition causing a collector to enter an infinite loop. ------ - **I95-39986 Mellanox driver discarding large segmented packets:** Resolved an issue where the Mellanox driver was discarding large segmented packets and reporting them as errors. ------ @@ -418,7 +419,7 @@ This release replaces the existing `5.1.6-1` release. ### Resolved Issues -- **I95-29583 Default Language Setting:** Changes to the default language are now saved per user, not per system. +- **I95-29583 Default Language Setting:** The default language is now saved per user, so the default language is displayed wherever the user logs into the GUI. ------ - **I95-39245 Show detected domain names on the Applications Seen page:** Domain names are now displayed on the Applications Seen page in the GUI. ------ 
@@ -472,7 +473,19 @@ This release replaces the existing `5.1.6-1` release. ------ - **I95-39936 Pagination for the output of `show fib` does not work correctly:** Pagination headers are now handled correctly, and pagination is supported in the `show fib` output. ------ -- **I95-39985 Template save error:** Resolved an issue where creating persistent fields on an **existing** template in Advanced Mode generated a validation error and the template changes were not saved. +- **I95-39985 Template save error:** When creating persistent fields on an **existing** template in Advanced Mode, a validation error appears and the template changes are not saved. +_**Workaround:**_ There are two workarounds. + +You can either; use GraphQL to set `persistInput` on each template to `true` to resolve the issue for that template. + +OR + +1. Copy the contents of the variables pane to your clipboard. +2. Open the Settings dropdown. +3. Click “Persist Input” to disable the option. +4. Click “Proceed” in the warning modal. +5. Open the Settings menu and click “Persist Input” again to turn it back on. +6. Paste your variables back into the variables pane and save the template. This template should no longer encounter the issue. ------ - **I95-39992 AuthClient request queue fills up with concurrent requests:** Resolved an issue with using authenticated REST APIs when under heavy load. 
@@ -487,7 +500,7 @@ This release replaces the existing `5.1.6-1` release. - **I95-39650 Repository access tokens provisioned on the Conductor are not automatically distributed to its managed routers.** Access Tokens are now distributed to managed routers. ------ -- **I95-39649/BEL-42 Conductors/Routers on initial deployment not going to running state.** Resolved an issue where Conductors or Routers on initial deployment would not transition to a running state until a certificate was added. +- **I95-39649/BEL-42 Conductors/Routers on initial deployment not going to running state.** Resolved an issue where Conductors or Routers on initial deployment would not transition to a running state until a certificate was added. ### Caveats @@ -554,7 +567,7 @@ Please refer to the [**Caveats**](#caveats) section for important information pr ### Resolved Issues -- **I95-30812 PCLI session terminated when actively running commands:** PCLI sessions now recognize all activity. +- **I95-30812 PCLI session terminated when actively running commands:** Prior to this change only the enter key would reset the PCLI activity timer. With this change, the `tab` and `?` operations will also reset the PCLI activity timer. ------ - **I95-30883 Add Enumeration Description to Combo Dropdown in Edit Config Pages:** GUI drop downs now display descriptions. ------ 
@@ -568,7 +581,9 @@ Please refer to the [**Caveats**](#caveats) section for important information pr ------ - **I95-34443 Provisioner status in router dialog not matching the Asset status in router page:** Asset Reconciliation now takes place automatically every 1.5 minutes in the GUI to assure the states of all assets are correctly reflected in the UI. ------ -- **I95-35521 Ambiguous validation error:** Errors now more clearly identify the source of the error. +- **I95-35521** pcli may provide a validation error but does not provide the specific configuration in error. + + _**Corrective Action:**_ If a validation error is provided, review the configuration of each sub list between the items identified in the error response provided. For example, the same vlan id cannot be used for different networks interfaces on the same device interface. ------ - **I95-35646 Wrong date for weekday in date picker:** The date-picker logic has been updated to resolve this issue. ------ 
@@ -600,7 +615,7 @@ Please refer to the [**Caveats**](#caveats) section for important information pr ------ - **I95-37910 AWS c5.xlarge instance shows 2 cores in GUI:** Custom Report charts now persist the displayed data even if an error occurs, specifically if internet connection drops or a node becomes unavailable. A small error indicator now appears above the chart, which can be hovered and displays the error. ------ -- **I95-38378 Salt-minion config broken after enabling asset connection resiliency:** The minion config is now loaded on conductor migration operations at time of operation. +- **I95-38378 Router unable to establish connection to conductor after enabling asset connection resiliency:** The salt-minion configuration file now loads at the time of a migration operation, to ensure the latest version of the configuration is available. ------ - **I95-38389 PDM gets pegged at 100% which makes the GUI and PCLI inaccessible:** The config export process has been made more efficient to reduce the chance of a race condition. ------ 
@@ -658,7 +673,7 @@ Please refer to the [**Caveats**](#caveats) section for important information pr - **I95-39023 Conductor Upgrade process forces a log out from the GUI:** An issue has been identified that when upgrading the conductor, the user is logged out of the GUI, and presented with an error message when attempting to log back in. The installation is running, and does complete. Log in is again available after the system has restarted. ------ -- **I95-39406 Installer Fails to Update:** In some situations, such as an installer conflict, the Installer will fail to update, but the 5.1 software has downloaded and installed. +- **I95-39406 Installer Update/software upgrade dependencies:** Upgrades from the Conductor now require an updated Installer before downloading and installing software to the Router. ------ - **I95-38622 5.1.0 Kernel Upgrade Required for Wireguard Support:** Support for the wireguard plugin is not available on a router with 5.1.0 installed. The wireguard plugin can be installed on a Conductor, provided that the Routers are running a version older than 5.1.0. ------ diff --git a/docs/release_notes_128t_5.2.md b/docs/release_notes_128t_5.2.md index 2fec17fb468..c54c3ec61a8 100644 --- a/docs/release_notes_128t_5.2.md +++ b/docs/release_notes_128t_5.2.md 
@@ -36,41 +36,43 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ ---> - **I95-35228 DHCP waypoint addresses not displayed on standby node in UI:** Resolved an issue where the PCLI logic was not matching the GUI Network Interface table. ------ -- **I95-40904 Power save mode not working:** This issue has been resolved. +- **I95-40904 Power save mode not working:** Add a method to read current power saver mode setting from existing config before committing the new configuration, and changing the setting. ------ - **I95-43239 LTE APN on Modem not set up correctly:** The APN is now always written to the the modem using the default index of 1. ------ -- **I95-43606 No communication between Routers:** In rare instances the BFD Pinhole feature experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. +- **I95-43606 No communication between Routers:** In rare instances, BFD outbound-only flows experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. ------ -- **I95-43779 DHCP IP Address is not released:** Updated the state machine to cause DHCP-enabled interfaces to send out a DHCP Request for their current IP address. +- **I95-43779 DHCP IP Address not releasing appropriately:** When the cable is physically disconnected and reconnected from DHCP-enabled interfaces, the interfaces are now triggered to send out a DHCP Request for their current IP address. ------ - **I95-44001 Peer uptime showing "Unavailable":** Peer path uptime now displays the correct values. ------ -- **I95-44551 DHCP Relay not working after upgrade:** A packet for traffic matching a summary service may be dropped because it was incorrectly flagged as hierarchical on the SVR peer. Well known non-hierarchical services such asDHCP relay will no longer perform hierarchical service checks on the peer. 
+- **I95-44551 DHCP Relay not working after upgrade:** A packet for traffic matching a summary service may be dropped because it was incorrectly flagged as hierarchical on the SVR peer. Well known non-hierarchical services such as DHCP relay will no longer perform hierarchical service checks on the peer. ------ -- **I95-44722 Time based HMAC failure after HA reboot:** Resolved a buffering issue where device interfaces are now flushed upon becoming active to avoid handling of inactive packets. +- **I95-44722 Time series HMAC failures after rebooting node in HA router:** Device interfaces are flushed upon becoming active to avoid handling of packets which have been delayed due to inactivity. ------ - **I95-44913 kmod-i40e metapackage causing upgrade issues:** The metapackage has been removed and upgrade issues have been resolved. ------ - **I95-45094 Unnecessary rotation of salt minion config:** Resolved an issue where the global.init and salt minion config are unnecessarily rotated and updated with no changes to the actual contents of the file. ------ -- **I95-45113 SNMP override of the IfTable:** An issue with SNMP reporting has been resolved. +- **I95-45113 SNMP override of the IfTable:** `ifAlias` and `IfDescr` have been swapped in our SNMP reporting; `ifDescr` is always the `ifName`. This change was made for consistency with other Juniper products. ------ - **I95-45126 Split-brain after the sync interface goes down:** Resolved an issue that if the SSR software experienced a crash while it owned an interface from an X553 device, other devices hosted by the same chip could be impacted. ------ - **I95-45162 Improve download/upgrade error message if a router name does not exist:** In situations where a router does not exist, the download and upgrade message now indicates that the router does not exist. 
------ -- **I95-45164 `show-active-peers` missing some information:** Resolved a corner case where an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the SSR misinterprets the non-compliant device's timeouts and the MTU will be unresolvable. +- **I95-45164 Active peers show Unavailable for PATH-MTU, LATENCY, JITTER, LOSS & MOS for some transports:** Resolved a rare issue in the case of an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the non-compliant device's timeouts are incorrectly interpreted and the MTU becomes unresolvable. ------ - **I95-45211 New users run into permissions errors:** Access Control Lists are now preserved on file rotations. ------ -- **I95-45220 Conductor local forwarding parameters not dynamic:** Resolved an issue when transitioning a conductor from standalone to HA, the managed routers were not automatically connecting to the newly added conductor node. +- **I95-45220 Conductor local forwarding parameters not dynamic:** Resolved an issue when transitioning a conductor from standalone to HA the managed routers were not automatically connecting to the newly added conductor node. ------ - **I95-45489 `ifcfg` custom options issues:** Resolved an issue where interface ifcfg option changes were not being processed. ------ - **I95-45541 LDAP users are unable to login to the PCLI due to permission errors:** This issue has been resolved. ------ -- **I95-45559 Corrupted `resolv.conf` after ODM imaging:** Resolved an issue on SSR systems running dns-proxy services with external interfaces configured using `PEERDNS=yes`, where a race condition may occur that results in corrupt nameservers being added to the `/etc/resolv.conf` file. +- **I95-45559 Corrupted `resolv.conf` after ODM imaging:** On SSR systems running dns-proxy services with external interfaces configured using `PEERDNS=yes`, a race condition may occur that results in corrupt nameservers being added to the `/etc/resolv.conf` file. 
+ + **_Workaround:_** A temporary workaround is to force an update of this file by either of the following methods: ------ - **I95-45696 Memory leak in PAM challenge library:** Resolved a memory leak in the PAM challenge library. ------ @@ -117,7 +119,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-43071 Service health learning and path avoidance working intermittently for inter-node paths:** Race condition causing paths to be determined non-viable prior to service routes being created. ------ -- **I95-43091 `show fib` does not display interface next hop when gateway IP address is empty:** The display has been corrected. +- **I95-43091 `show fib` does not display interface next hop when gateway IP address is empty:** Corrected display. ------ - **I95-43239 LTE APN on Modem not set up correctly:** The APN is now always written to the the modem using the default index of 1. ------ @@ -125,7 +127,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-44142 Automated Provisioner race condition:** Resolved a rare crash where applications would attempt to get information about already-closed sockets when responding to API requests. ------ -- **I95-44991 SSR not passing Aruba data on GRE Tunnels:** Resolved an issue where GRE packets with a reserved bit in the header are incorrectly dropped as invalid. +- **I95-44991 SSR not passing Aruba data on GRE Tunnels:** Resolved an issue where GRE packets with reserved bit in the header are incorrectly dropped as invalid. ------ - **I95-45583 HA Connection lost during commit:** Resolved an issue where session was missing necessary path data information relating to the peer path. 
@@ -172,11 +174,11 @@ Contains fixes from: [Release 5.1.4, June 28, 2021](release_notes_128t_5.1.md#re ------ - **I95-36224 Handle names in application-id JSON:** The application-module json output `common-name object` now includes a list of referenced common-names, in addition to the transport-information list. ------ -- **I95-38244 The Routers Page is easier to Search:** Added a column selector and a search matching system to make the search function more granular. +- **I95-38244 Router Page search enhanced:** Searches on the Routers page can now be targeted to specific columns using the search selector. ------ - **I95-38445 GUI Session Capture:** Added pages to the user interface that allow you to view and configure capture information. ------ -- **I95-40458 Added the ability to toggle between Advanced and Basic Configuration mode:** Added the option to limit the main configuration screen to the most frequently used fields, or display all configuration options. +- **I95-40458 Added the ability to toggle between Advanced and Basic Configuration mode:** Added the option to limit the main configuration screen to the most frequently used fields, or display all configuration options. ### Resolved Issues @@ -192,9 +194,8 @@ Contains fixes from: [Release 5.1.4, June 28, 2021](release_notes_128t_5.1.md#re ------ - **I95-40191 Office365 service failing on boot-up:** This issue has been resolved. ------ -- **I95-40888`show application modules status` generating an unhandled error:** Resolved an issue with `show application modules status` causing unandled errors. +- **I95-40888`show application modules status` generating an unhandled error:** Resolved an issue with `show application modules status` causing unhandled errors. ------ - ## Release 5.2.0 **Release Date:** May 10, 2021 
@@ -224,9 +225,7 @@ Contains fixes from: [Release 5.1.4, June 28, 2021](release_notes_128t_5.1.md#re ------ - **I95-39336 Best Path Criteria:** The [service-policy](config_reference_guide.md#service-policy) has been enhanced to include values that allow the router to select the best path based on the current latency/MOS values of the paths. ------ - ### Resolved Issues - ------ - **I95-37101 PCLI Updates for `show stats since` command:** The PCLI notes inconsistencies in data between current values and historical ones to indicate when the data may not be accurate. ------ diff --git a/docs/release_notes_128t_5.3.md b/docs/release_notes_128t_5.3.md index e1df859910d..5167de35a22 100644 --- a/docs/release_notes_128t_5.3.md +++ b/docs/release_notes_128t_5.3.md @@ -27,7 +27,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-35414 Refresh actions now available for individual sections on the Router Page:** The Device interface, Network Interface, and Peer Paths table sections now can be refreshed independently. ------ -- **I95-38244 The Routers Page is easier to Search:** Added a column selector and a search matching system to make the search function more granular. +- **I95-38244 Router Page search enhanced:** Searches on the Routers page can now be targeted to specific columns using the search selector. ------ - **I95-38445 [GUI Session Capture](ts_packet_capture.md#session-capture-in-the-gui):** Added pages to the user interface that allow you to view and configure capture information. ------ 
@@ -87,7 +87,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-40473 API Username not being recorded:** Resolved an issue where the `modify_user` event was omitting the `fullName` modified field. ------ -- **I95-40489 ISO missing 128T-minion-connector rpm:** The 128T-minion-connector plugin rpm was not included in the 5.1 OTP ISO. This has been corrected in the 128T-5.1.3-1.el7.OTP.v3.x86_64.iso ISO. +- **I95-40489 ISO missing 128T-minion-connector rpm:** The 128T-minion-connector plugin rpm was not included in the 5.1 OTP ISO. This has been corrected in the `128T-5.1.3-1.el7.OTP.v3.x86_64.iso` ISO. ------ - **I95-40577 Import certificate webserver not copying the private key:** This issue has been resolved. ------ diff --git a/docs/release_notes_128t_5.4.md b/docs/release_notes_128t_5.4.md index 98ed35d8bbf..af01703a02c 100644 --- a/docs/release_notes_128t_5.4.md +++ b/docs/release_notes_128t_5.4.md 
@@ -16,11 +16,11 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. ::: -- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. +- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor, peer, or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. ------ -- **I95-42452 Conductor Upgrade Time:** Upgrades to version 5.4 can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. +- **I95-42452 Conductor Upgrade Time:** Upgrades to version 5.4 and above can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. ------ -- **I95-42624 Upgrade Installer:** Before **upgrading to, or installing** version 5.4, update the Installer to at least version 3.1.0. Failing to upgrade the installer may result in a rollback failure, should a rollback be necessary at any time. The Installer typically prompts you update when a new version is available. 
Select **Update** when prompted. +- **I95-42624 Upgrade Installer:** Before **upgrading to, or installing** version 5.4 and above, update the Installer to at least version 3.1.0. Failing to upgrade the installer may result in a rollback failure, should a rollback be necessary at any time. The Installer typically prompts you update when a new version is available. Select **Update** when prompted. ------ - **Plugin Upgrades:** If you are running with plugins, updates are required for some plugins **before** upgrading the conductor to SSR version 5.4.0. Please review the [Plugin Configuration Generation Changes](intro_upgrade_considerations.md#plugin-configuration-generation-changes) for additional information. @@ -54,7 +54,7 @@ The Juniper SSR team does not publicly disclose known or resolved CVEs in our pu - **The following CVEs have been addressed in this release:** I95-48644, I95-48648, I95-48650, I95-48653. ------ -- **I95-48529 BFD sending link notification before hold-down timer expires:** Resolved an issue where peer service-paths do not remain down while the BFD session / peer status is in the hold-down period after transitioning from down to up. Peer service-paths status now correctly reflect the peer status. Sessions will not be moved back to peers that have re-established connectivity but are still in the hold-down period. +- **I95-48529 BFD hold-down timer does not hold-down peer service-paths:** Resoled an issue where peer service-paths do not remain down while the BFD session / peer status is in the hold-down period after transitioning from down to up. Peer service-paths status now reflects the peer status, and sessions will not be moved back to peers that have re-established connectivity, but are still in the hold-down period. ------ - **I95-48656 Reduce TSI service log limit:** The size of the Tech Support Info journal has been restricted to prevent excessive resource consumption. ------ 
@@ -92,7 +92,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-47787 Worker core packet processing spikes to 100%:** Added the ability to tune the Reverse Packet Session Resiliency Minimum Packet Count (default is 3) and Detection Interval (default is 5) settings for session failover without requiring forward packet, and resolved the underlying issue that caused excessively high worker-core CPU. ------ -- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** The base interface for egress is now used if the icmp-probe probe-address is the same as the tunnel destination, and the internal-address is used as the source if the egress-interface is gre-overlay. +- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** We now use the base interface for egress if the `icmp-probe probe-address` is the same as the tunnel destination, and use the `internal-address` as the source if the `egress-interface` is `gre-overlay`. ------ - **I95-48103 Commit triggered BGP issue:** Resolved an issue where BGP neighbors configured with a short hold time might experience a BGP session flap during a configuration commit when app-ID is enabled. ------ 
@@ -112,7 +112,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup - **I95-41072 Enhanced Web Filtering:** Web Filtering allows administrators to limit or prevent user access to internet content. These limitations may be based on company or organization policies, or because a domain may be know to contain malicious, inappropriate, or dangerous content. Individual services and service policies can be configured on the SSR to allow or deny access to an entire domain category, or specific domains within a category. For more information, see [Web Filtering.](config_domain-based_web_filter.md) ------ -- **I95-47418 Audit Events for Plugin Install/Remove:** There is a new audit event that tracks when a plugin is installed or uninstalled. This can be viewed on the Audit History page in the GUI or in the PCLI by running `show events type admin.plugin` +- **I95-47418 Audit Events for Plugins:** A new audit event has been added that tracks when a plugin is installed or uninstalled. This can be viewed on the Audit History page in the GUI or in the PCLI by running `show events type admin.plugin`. ### Resolved Issues 
@@ -120,11 +120,11 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-39454 Created User cannot access PCLI operations:** Resolved an issue where in rare cases, during bulk user additions, it was possible for the operation to fail, leaving the new user created but unable to login. ------ -- **I95-44976 Highway issue when modifying an app-id session:** Resolved an issue where modifying an app-id session with a new session-id can lead to a crash. +- **I95-44976 Highway issue when modifying an app-id session:** SSR software versions 5.1.5 and greater are susceptible to a crash during a flow migration when `application-identification` is enabled (modes `tls` or `all`) on spoke to hub traffic traversing over SVR. The condition occurs for sessions migrating that have timed out or that are traversing the ha-fabric link in the reverse direction. ------ - **I95-45847 Duplicate Alarms on Multiple Routers:** Resolved duplicate alarms by obtaining alarms from only one node in an HA pair. ------ -- **I95-46126 Router Status:** Resolved an issue in HA configurations when a router is connected to HA Conductor 1, but not directly connected to HA Conductor 2, alarms generated on the router are now seen on Conductor 2 - the conductor to which the router is not directly connected. +- **I95-46126 Router Status:** In HA configurations where a router is connected to HA Conductor 1, but not directly connected to HA Conductor 2, alarms generated on the router will not be seen on Conductor 2 - the conductor to which the router is not directly connected. To see alarms on a router, the Conductor must be directly connected to the Router. ------ - **I95-46281 Update Kernel to RHCK 8.6:** Updated the kernel to integrate the latest security fixes. ------ 
@@ -191,15 +191,15 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45999 Azure Router Crash:** Added support for NetVSC/VF hotswapping to resolve this issue. ------ -- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of show ntp will now report IP addresses of the time servers rather than resolve hostnames. +- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of `show ntp` now reports IP addresses of the time servers rather than resolve hostnames. ------ -- **I95-46230 Highway Crash:** Resolved an issue where uncaught exceptions were causing highway issues. +- **I95-46230 Exceptions with invalid giid causing a highway crash:** Resolved an issue where uncaught exceptions (invalid giid of 0) were causing highway issues. ------ - **I95-46332 VRRP Does Not Work with Ethernet Controller X710 for 10GbE SFP+:** Configuring VRRP on an Intel X700 series NIC can see discard broadcast packets due to the source pruning feature which is enabled by default. This change disables source pruning when VRRP is enabled on these NICs. ------ - **I95-46454 ICMP manager excessively logs ICMP echo replies with no matching context:** This issue has been resolved. ------ -- **I95-46822 Revertible failover traffic not restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it was taking several seconds for traffic to be restored when forward traffic is present; in situations where only reverse traffic is present, traffic may not be restored. This issue has been resolved. 
+- **I95-46822 Revertible failover traffic may not be restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it may take seconds for traffic to be restored when forward traffic is present; in situations where **only** reverse traffic is present, traffic may not be restored. This issue will be resolved in a future release. ------ - **I95-46826 Carrier detection logic not recognizing disaster recovery modem:** Updated the carrier detection logic to properly recognize the carrier when a modem is attached to a disaster recovery cell tower. ------ 
@@ -229,13 +229,13 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-38408 DHCP server on wrong vlan sends offer in response to discover message:** Hosted DHCP servers that do not have an explicit vlan configured are now explicitly treated as vlan 0, and handle any DHCP packets that are untagged/vlan 0, in order to prevent those packets from being multicasted to multiple DHCP servers. ------ -- **I95-40904 Power save mode not working:** This issue has been resolved. +- **I95-40904 Power save mode not working:** Add a method to read current power saver mode setting from existing config before committing the new configuration, and changing the setting. ------ - **I95-42438 `save tech-support-info` tries to run when SSR service is down:** In situations where the PCLI is still active, but the SSR service is down, trying to run `save tech-support-info` will appear to work, but does not return any info. This issue has been resolved, and will return a message when information is not retrievable. ------ - **I95-43606 No communication between Routers:** In rare instances, BFD outbound-only flows experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. ------ -- **I95-43779 DHCP IP Address not releasing appropriately:** Reboot now triggers DHCP-enabled interfaces to send out a DHCP Request for their current IP address. +- **I95-43779 DHCP IP Address not releasing appropriately:** When the cable is physically disconnected and reconnected from DHCP-enabled interfaces, the interfaces are now triggered to send out a DHCP Request for their current IP address. ------ - **I95-44001 Peer uptime showing "Unavailable":** Peer path uptime now displays the correct values. ------ 
@@ -245,17 +245,17 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-44988 SSR Stuck in Upgrade status:** Improved logging to detect when an installer session is started and there is an already an active interactive installer session; for example when an interactive installer session was left open. ------ -- **I95-45113 SNMP override of the IfTable:** An issue with SNMP reporting has been resolved. +- **I95-45113 SNMP override of the IfTable:** `ifAlias` and `IfDescr` have been swapped in our SNMP reporting; `ifDescr` is always the `ifName`. This change was made for consistency with other Juniper products. ------ -- **I95-45124 RBAC Config Endpoints Leaking Information:** Resolved an issue where some configuration endpoints would allow users with insufficient permissions to make configuration requests. +- **I95-45124 RBAC Config Endpoints Leaking Information:** Resolved an issue where some configuration endpoints would allow users with incorrect permissions make requests. ------ - **I95-45126 Split-brain after the sync interface goes down:** Resolved an issue that if the SSR software experienced a crash while it owned an interface from an X553 device, other devices hosted by the same chip could be impacted. ------ - **I95-45162 Improve download/upgrade error message if a router name does not exist:** In situations where a router does not exist, the download and upgrade message now indicates that the router does not exist. ------ -- **I95-45164 `show-active-peers` missing some information:** Resolved a corner case where an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the SSR misinterprets the non-compliant device's timeouts and the MTU will be unresolvable. 
+- **I95-45164 Active peers show Unavailable for PATH-MTU, LATENCY, JITTER, LOSS & MOS for some transports:** Resolved a rare issue in the case of an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the non-compliant device's timeouts are incorrectly interpreted and the MTU becomes unresolvable. ------ -- **I95-45220 Conductor local forwarding parameters not dynamic:** Resolved an issue when transitioning a conductor from standalone to HA, the managed routers were not automatically connecting to the newly added conductor node. +- **I95-45220 Conductor local forwarding parameters not dynamic:** Resolved an issue when transitioning a conductor from standalone to HA the managed routers were not automatically connecting to the newly added conductor node. ------ - **I95-45271 Error while trying to change appearance or selecting custom reports:** In some cases where error messages are vague, a path to the error location is provided. ------ @@ -263,7 +263,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45541 LDAP users are unable to login to the PCLI due to permission errors:** This issue has been resolved. ------ -- **I95-45643 User-created users are missing after upgrade:** Resolved an issue where the XML values true/false are also handled as 1/0. +- **I95-45643 Users that were created by non-admin users were missing after upgrade:** Resolved a config type conversion issue that caused users to disappear after upgrade. ------ - **I95-45696 Memory leak in PAM challenge library:** Resolved a memory leak in the PAM challenge library. ------ 
@@ -271,7 +271,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45842 PCLI `show events` does not paginate correctly:** This issue has been resolved. ------ -- **I95-45882 Rare case where an invalid DHCP server configuration generated:** This issue has been resolved. +- **I95-45882 Invalid DHCP server config causes a crash:** Resolved an issue when the DHCP server was misconfigured with duplicate interfaces and then committed, the validation would not catch this and cause a crash. The SSR code has been hardened to handle the misconfiguration. ------ - **I95-46055 Add warning when transmit caps are too low:** Users now get a warning when configuring a traffic-engineering transmit-cap under 1Mbps. ------ @@ -287,7 +287,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-46458 `set password` from PCLI hangs at "Modifying password":** This issue has been resolved. ------ -- **I95-46613 Flow move may not properly happen without forward packet for outbound only sessions:** Resolved an issue where a session that has been idle for more than 10 seconds, sessions for outbound-only connections may not failover properly without a forward packet. +- **I95-46613 Flow move may not happen without forward packet for outbound only sessions:** Resolved an issue that when a session has been idle for more than 10 seconds, sessions for outbound-only connections may not failover properly without a forward packet. ------ - **I95-46641 Modem lockup after reset on dual LTE system:** Resolved an issue with dual LTE modem lockup after reset. 
@@ -345,11 +345,11 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-44568 VRRP interfaces both report "vrrp-standby" after provisional down of primary interface:** Resolved an issue when using `provisional-down` on the primary interface while reconfiguring `shared-phy` to `vrrp` causes a deadlock in the highway process. ------ -- **I95-44591 Paste-config does not allow small config snippets to be posted:** Resolved an issue where the list keys were not being passed in as part of the `value` in the transaction. +- **I95-44591 Paste-config does not allow small config snippets to be pasted:** Resolved an issue where the list keys were not being passed as part of the `value` in the transaction. ------ - **I95-44618 OS package update:** This package has been updated to resolve a CVE issue. ------ -- **I95-44722 Time based HMAC failure after HA reboot:** Resolved a buffering issue where device interfaces are now flushed upon becoming active to avoid handling of inactive packets. +- **I95-44722 Time series HMAC failures after rebooting node in HA router:** Device interfaces are flushed upon becoming active to avoid handling of packets which have been delayed due to inactivity. ------ - **I95-44726 Invalid return code returned by T1 card firmware creating a memory leak:** Resolved a buffer leak in the wanpipe driver. ------ 
@@ -367,9 +367,9 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-44985 Update salt-minion minimum version to resolve CVEs:** This issue has been resolved. ------ -- **I95-44991 SSR not passing Aruba data on GRE Tunnels:** Resolved an issue where GRE packets with a reserved bit in the header are incorrectly dropped as invalid. +- **I95-44991 SSR not passing Aruba data on GRE Tunnels:** Resolved an issue where GRE packets with reserved bit in the header are incorrectly dropped as invalid. ------ -- **I95-45063 SSR Azure instances unstable on large machine types:** Resolved an issue with Mellanox5 after upgrading the SSR to 5.4. +- **I95-45063 SSR azure instances unstable on large machine types:** Resolved an unpgrade issue causing instability in Azure instances using Mellanox5. ------ - **I95-45094 Unnecessary rotation of salt minion config:** Resolved an issue where the global.init and salt minion config are unnecessarily rotated and updated with no changes to the actual contents of the file. ------ 
@@ -385,11 +385,13 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45489 `ifcfg` custom options issues:** Resolved an issue where interface ifcfg option changes were not being processed. ------ -- **I95-45559 Corrupted `resolv.conf` after ODM imaging:** Resolved an issue on SSR systems running dns-proxy services with external interfaces configured using `PEERDNS=yes`, where a race condition may occur that results in corrupt nameservers being added to the `/etc/resolv.conf` file. +- **I95-45559 Corrupted `resolv.conf` after ODM imaging:** On SSR systems running dns-proxy services with external interfaces configured using `PEERDNS=yes`, a race condition may occur that results in corrupt nameservers being added to the `/etc/resolv.conf` file. + + **_Workaround:_** A temporary workaround is to force an update of this file by either of the following methods: ------ - **I95-45583 HA Connection lost during commit:** Resolved an issue where session was missing necessary path data information relating to the peer path. ------ -- **I95-45618 Issue with MAC address in Azure environment:** Resolved this issue by handling non-ethernet MAC addresses during MLX device discovery. +- **I95-45618 MAC address issue in Azure environment:** Non-ethernet MAC addresses are now handled correctly during MLX device discovery. ------ - **I95-45641 Stuck BGPoSVR Sessions after Failover:** Made changes to provide updates to less specific FIB entries when routes are updated to resolve this issue. ------ 
@@ -541,7 +543,7 @@ I95-40268, I95-41591, I95-41794, I95-41863, I95-42448, I95-43258, I95-43260, I95 ------ - **I95-43089 Cannot import custom charts:** Corrected issue that prevented custom charts with tables from being imported. ------ -- **I95-43066 Issue with Database Query:** Resolved an issue when the buffer queue is full, the inflight message was dropped. +- **I95-43066 Requests for metrics are timing out:** Resolved an issue that when the buffer queue is full, the message is dropped, but the event was not handling the inflight message. ------ - **I95-43091 `show fib` does not display interface next hop when gateway IP address is empty:** Corrected display. ------ @@ -719,7 +721,7 @@ This release replaces the existing `5.4.0-104` release. ------ - **I95-42441 AP downloads taking too long:** Resolved an issue where a download request would timeout if too many routers were requested at once. ------ -- **I95-42563 Attempting to open Help (?) for Adjacency fails:** An issue with the help traceback has been resolved. +- **I95-42563 Attempting to get help on `adjacency` throws an exception:** Resolved an issue when entering `?` while configuring an adjacency was throwing an exception. ------ - **I95-42619 Salt-minion spontaneous restarts:** Resolved an issue where salt minions would spontaneously restart themselves and transition back into the connected state, especially when the conductor is under heavy load. ------ 
@@ -743,7 +745,7 @@ This release replaces the existing `5.4.0-104` release. ------ - **I95-43135 Rare Race condition in an HA configuration:** Resolved a rare race condition that may occur if an `export config` command is run during a failover. ------ -- **I95-43194 GraphQL Type Supports Proto Primitive:** Incorrect integer types causing an error. This issue has been resolved. +- **I95-43194 Web graphql handling of `loadBalanceService` mos should be `float`, not `int`:** Whole number integers have been changed to be precision `float`. ------ - **I95-43244 Reverse Packet injection on Affinity Mismatch:** Resolved an issue where a reverse packet was being injected into a flow with no flow affinity. ------ @@ -751,11 +753,11 @@ This release replaces the existing `5.4.0-104` release. ## Caveats -- **I95-42973 `show config running generated` not displaying configuration:** At the time of release, the following commands were not displaying the configuration. +- **I95-42973 `show config running generated` does not display generated configuration:** Corrected display output. - `show config running generated` - `show config running candidate generated` This is being addressed, and will be resolved in an upcoming point release. ------ - **I95-43283 Not all configured device interfaces are available in charts:** After upgrading to 5.4, only the `device-interfaces`, `network-interfaces` and `services` that have observed active traffic will be available as permutations for charts and graphs. ------ -- **I95-43380 PCLI and UI does not allow the user to edit the [`http-probe-profile`](plugin_http_probe.md) configuration:** There is no known workaround at this time. This is being addressed in an upcoming point release. +- **I95-43380 Validation errors created by plugins augmenting existing configuration:** Corrected plugin validation handling. diff --git a/docs/release_notes_128t_5.5.md b/docs/release_notes_128t_5.5.md index b3fdc4644a1..1164f5d3ff5 100644 
--- a/docs/release_notes_128t_5.5.md +++ b/docs/release_notes_128t_5.5.md 
@@ -16,11 +16,11 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. ::: -- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor peer or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. +- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor, peer, or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. ------ - **I95-42452 Conductor Upgrade Time:** Upgrades to version 5.4 and above can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. ------ -- **I95-42624 Upgrade Installer:** Before **upgrading to, or installing** version 5.4 and above, update the Installer to at least version 3.1.0. Failing to upgrade the installer may result in a rollback failure, should a rollback be necessary at any time. +- **I95-42624 Upgrade Installer:** Before **upgrading to, or installing** version 5.4 and above, update the Installer to at least version 3.1.0. 
Failing to upgrade the installer may result in a rollback failure, should a rollback be necessary at any time. The Installer typically prompts you update when a new version is available. Select **Update** when prompted. ------ - **Plugin Upgrades:** If you are running with plugins, updates are required for some plugins **before** upgrading the conductor to SSR version 5.4.0 or higher. Please review the [Plugin Configuration Generation Changes](intro_upgrade_considerations.md#plugin-configuration-generation-changes) for additional information. @@ -88,7 +88,7 @@ The Juniper SSR team does not publicly disclose known or resolved CVEs in our pu ------ - **I95-53858 Active sessions counter continuously incrementing:** The SSC active sessions counter has been updated to correctly handle session removal. ------ -- **I95-53894 DNS cache-service does not start:** Resolved a race condition that caused the DNS process to fail to start. The log message `No TimeoutQueue:` can be seen in the logs during this condition. +- **I95-53894 DNS cache-service does not start:** Resolved a race condition that causes the DNS process to fail to start. The log message `No TimeoutQueue:` can be seen in the logs during this condition. ------ - **I95-53916 Pre-existing teams interfaces conflict with HA interfaces:** In a Mist-managed HA configuration where an HA node has been configured with non-default HA interfaces, performing a release operation on a node in an HA pair leaves the pre-configured HA interfaces in place, and creates a conflict when a new configuration is pushed down from Mist. This would prevent the HA node from operating correctly and forming its HA connections again. This issue has been resolved, and the release operation now removes any pre-existing HA interfaces. ------ 
@@ -111,7 +111,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ### Resolved Issues -- **I95-50562 / I95-52626 Forwarding plane control message bursts create exception, causing a packet buffer leak:** Resolved a condition where backpressure from fastlane caused the messaging mechanism between highway manager and fastlane to drop mbufs. Proper handling of exception now prevents buffer leaks. Additionally, increased the control buffer capacity to better handle bursts as part of the resolution. +- **I95-50562 / I95-52626 Forwarding plane control message bursts create exception, causing a packet buffer leak:** Resolved a condition where backpressure caused the messaging mechanism to develop buffer leaks. Proper handling of exceptions now prevents buffer leaks. The control buffer capacity has been increased to better handle bursts as part of the resolution. ## Release 5.5.10-6 @@ -198,7 +198,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-48518 Application Identification not recognizing Apps on HA systems:** Resolved an issue where the GUI was only pulling Application data from one node in an HA configuration. Application ID Summary display now aggregates data from both nodes. ------ -- **I95-48931 Service area Highway crash:** Now prevents crashing in SSR's highway process in unusual race conditions when a session's flow is removed before the session is fully established. +- **I95-48931 Service area Highway crash:** Now prevent crashing in SSR's highway process in rare race conditions when a session's flow is removed before the session is fully established. ------ - **I95-48942 Routing policy filter condition reference type not validated:** Added a check to verify that when a routing policy condition references a filter, the condition type and filter type match. ------ 
@@ -224,11 +224,11 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-49756 RDP sessions failure over peer path:** Resolved an issue that caused RDP traffic to fail when adaptive encryption and AppId are both enabled. ------ -- **I95-49791 Add audit rules to track modification of grub config files:** Added rules to log notifications in case of changes to grub configuration files. +- **I95-49791 Audit rules to track modification of config files:** Added rules to track the modification of grub configuration files, to aid in troubleshooting. ------ - **I95-49925 GRE tunnel health-check not migrating sessions when path is down:** The GRE tunnel manager now removes all sessions before adding new ones rather than modifying the existing sessions. ------ -- **I95-49974 Stuck flow not cleared when reverse metadata is incomplete:** Resolved an issue where reverse metadata is coming through incomplete - without the source tenant. The source tenant has been added to the reverse metadata. +- **I95-49974 Stuck flow is not clearing when the reverse metadata is incomplete:** Added the source tenant to the reverse metadata to prevent the metadata parsing exception. ------ - **I95-50014 Hitting Buffer Overflow during configuration changes:** Resolved an issue where a config change request may not make it to a managed router, and returns a buffer overflow error. ------ 
@@ -240,7 +240,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-50262 Routers disconnected from their conductor may have incorrect log rotation settings:** Resolved an issue where a managed router was not able to pull down the configuration from the Conductor - which includes the log rotation config. The default salt log rotation configuration has been improved, preventing the log from growing too large before the connection to the Conductor can be established. ------ -- **I95-50269 Router clone operation fails:** Implemented checks to prevent cloning obsolete elements and internal lists/containers on legacy versions of the SSR software. +- **I95-50269 Router clone operation fails:** Implemented checks to prevent cloning obsolete elements and internal lists/containers on legacy versions of the SSR software (pre-4.4). ------ - **I95-50286 Rebooting a node of an HA pair from Linux breaks routing:** Resolved an issue where a delay in the shutdown process caused a node to take over a VRRP interface, creating routing issues. ------ 
@@ -283,11 +283,13 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-51044 Hide `forwarding-core-mode` on conductor:** Disabled the `forwarding-core-mode` setting on conductor nodes, since this setting doesn't apply to conductor. ------ -- **I95-51087 SSR fails to download firmware after upgrading the conductor:** Resolved an issue where the first time a conductor is upgraded and **conductor-only** is selected in the software-update settings, the proxy service on the conductor does not work correctly, and downloads fail. The downloads no longer fail. +- **I95-51087 SSR fails to download firmware after upgrading the conductor:** An issue has been identified where the first time a conductor is upgraded and `conductor-only` is selected in the `software-update` settings. The proxy service on the conductor does not work correctly, and downloads attempted by the router will fail. This issue will be resolved in the next release. + + **_Workaround:_** Make a simple configuration change and commit the change. Any configuration change is sufficient to start the internal proxy service. Once this commit has been made this will no longer be an issue. ------ -- **I95-51177 EoSVR sets wrong egress MAC:** `ethernet-over-svr` now correctly sets egress MAC address when using `outbound-only` mode. +- **I95-51177 Ethernet over SVR setting wrong egress MAC address:** Ethernet over SVR now correctly sets the egress MAC address when using outbound-only mode. ------ -- **I95-51427 GUI not displaying full version information:** The GUI **About Page** now displays additional version information that was previously only displayed in the PCLI `show system version detail`. 
+- **I95-51427 GUI not displaying all the version information:** The GUI About page now displays additional version information previously only displayed in the PCLI `show system version detail.` ------ - **WAN-1958 Mist agent crashes:** Increased internal file system limits which were preventing some services from starting correctly at boot. Limits were raised based on expected system usage. @@ -369,7 +371,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-49242 When HMAC is disabled, the automatic MSS adjustment calculation for `enforced-mss = automatic` may be wrong :** The Automatic MSS adjustment calculation has been corrected (expanded). ------ -- **I95-49341 BGP next hop exception being thrown:** Resolved an issue where a duplicate BGP next hop resulted in an exception. +- **I95-49341 BGP next hop exception being thrown:** Resolved an issue where a duplicate BGP next hop resulted in an exception. ## Release 5.5.7-3 
@@ -400,7 +402,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-47787 Worker core packet processing spikes to 100%:** Added the ability to tune the [Reverse Packet Session Resiliency](config_reference_guide.md#reverse-packet-session-resiliency) `Minimum Packet Count` (default is 3) and `Detection Interval` (default is 5) settings for session failover without requiring forward packet, and resolved the underlying issue that caused excessively high worker-core CPU. ------ -- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** The base interface for egress is now used if the `icmp-probe probe-address` is the same as the tunnel destination, and the `internal-address` is used as the source if the `egress-interface` is `gre-overlay`. +- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** We now use the base interface for egress if the `icmp-probe probe-address` is the same as the tunnel destination, and use the `internal-address` as the source if the `egress-interface` is `gre-overlay`. ------ - **I95-48076 SSR Failover on GRE tunnels not working:** The base interface giid is now used to identify the state of a GRE tunnel next-hop. ------ 
@@ -445,9 +447,9 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-42320 BGP aggregate-address not working:** Add support for BGP address summarization. ------ -- **I95-44957 Azure is not able to identify the asset-id of the deployed conductor and router:** The Azure ID has been modified to be more easily identifiable. +- **I95-44957 Azure is not able to identify the asset-id of the deployed conductor and router:** The Azure ID has been modified to a value that can be processed by Azure. ------ -- **I95-44976 Highway issue when modifying an app-id session:** Resolved an issue where modifying an app-id session with a new session-id can lead to a crash. +- **I95-44976 Highway issue when modifying an app-id session:** SSR software versions 5.1.5 and greater are susceptible to a crash during a flow migration when `application-identification` is enabled (modes `tls` or `all`) on spoke to hub traffic traversing over SVR. The condition occurs for sessions migrating that have timed out or that are traversing the ha-fabric link in the reverse direction. ------ - **I95-46701 Packet Loss on Headend Router:** Added `device-interface` rx/tx descriptor ring size to resolve this issue. ------ 
@@ -461,7 +463,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-47767 Next Hop choice of "Blackhole" does not stay visible in Conductor:** This option was displayed in error, as the option is ignored. It has been removed. ------ -- **I95-47872 App-ID summary tracking of failed sessions still incremented when feature disabled:** App-ID stats tracking for failed sessions now checks if the feature is enabled and responds appropriately. +- **I95-47872 App-ID summary tracking of failed sessions still incremented when feature disabled:** App-ID stats tracking for failed sessions now checks the feature enabled flag and responds appropriately. ------ - **I95-47967 Cloud bootstrapper does not bootstrap the deployed Conductor:** Resolved an issue where the configuration was being rejected by the cloud bootstrapper when the device was a conductor. ------ @@ -483,7 +485,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ### Resolved Issues: -- **I95-48038 502 Error returned if managed routers are offline:** Resolved an issue introduced in Release 5.5.4-8 that caused HTTP requests on the conductor to return a 502 error for all requests if a managed router is offline. +- **I95-48038 502 Error returned if managed routers are offline:** Resolved an issue that caused HTTP requests on the conductor to return a 502 error for all requests if a managed router is offline. ## Release 5.5.4-8 
@@ -495,7 +497,7 @@ Release 5.5.4-8 has been withdrawn from the Release Repository due to an issue i ### Resolved Issues Requiring Configuration Changes -- **I95-47418 Audit Events for Plugin Install/Remove:** There is a new audit event that tracks when a plugin is installed or uninstalled. This can be viewed on the Audit History page in the GUI or in the PCLI by running `show events type admin.plugin` +- **I95-47418 Audit Events for Plugins:** A new audit event has been added that tracks when a plugin is installed or uninstalled. This can be viewed on the Audit History page in the GUI or in the PCLI by running `show events type admin.plugin`. ### Resolved Issues 
@@ -503,11 +505,11 @@ Release 5.5.4-8 has been withdrawn from the Release Repository due to an issue i ------ - **I95-38408 DHCP server on wrong vlan sends offer in response to discover message:** Hosted DHCP servers that do not have an explicit vlan configured are now explicitly treated as vlan 0, and handle any DHCP packets that are untagged/vlan 0, in order to prevent those packets from being multicasted to multiple DHCP servers. ------ -- **I95-44976 Highway issue when modifying an `app-id` session:** Resolved an issue where modifying an app-id session with a new session-id can lead to a crash. +- **I95-44976 Highway issue when modifying an app-id session:** SSR software versions 5.1.5 and greater are susceptible to a crash during a flow migration when `application-identification` is enabled (modes `tls` or `all`) on spoke to hub traffic traversing over SVR. The condition occurs for sessions migrating that have timed out or that are traversing the ha-fabric link in the reverse direction. ------ - **I95-45847 Duplicate Alarms on Multiple Routers:** Resolved duplicate alarms by obtaining alarms from only one node in an HA pair. ------ -- **I95-46126 Router Status:** Resolved an issue in HA configurations when a router is connected to HA Conductor 1, but not directly connected to HA Conductor 2, alarms generated on the router are now seen on Conductor 2 - the conductor to which the router is not directly connected. +- **I95-46126 Router Status:** In HA configurations where a router is connected to HA Conductor 1, but not directly connected to HA Conductor 2, alarms generated on the router will not be seen on Conductor 2 - the conductor to which the router is not directly connected. To see alarms on a router, the Conductor must be directly connected to the Router. ------ - **I95-46281 Update Kernel to RHCK 8.6:** Updated the kernel to integrate the latest security fixes. ------ 
@@ -517,7 +519,7 @@ Release 5.5.4-8 has been withdrawn from the Release Repository due to an issue i ------ - **I95-46919 LDAP Users Not Shown in GUI Users Display:** Updated username requirements and the ability to identify issues with usernames not meeting those requirements. See [Username and Password Policies](config_password_policies.md) for username requirements. ------ -- **I95-46921 `128status.sh` script incorrectly checks for non-existent listening port:** Removed port 830 check for software versions 5.3.0 and greater +- **I95-46921 `128status.sh` script incorrectly checks for non-existent listening port:** Removed port 830 check for software versions 5.3.0 and greater. ------ - **I95-47551 Keep-alives are not generated for unidirectional outbound-only sessions:** Resolved an issue with keep-alive generation for unidirectional outbound-only sessions. ------ 
@@ -546,14 +548,14 @@ Release 5.5.4-8 has been withdrawn from the Release Repository due to an issue i - **I95-44434 Peer metric sends IP of WAN interface instead of the expected string:** Logic has been added to show the available destination address. ------ - **I95-44548 Application Summary Sort Order:** Resolved an issue with the Application Summary sort order changing unintentionally. ------- +------ - **I95-45890 Service paths for BGP over SVR routes are not being rebuilt:** Resolved an issue when the vector configuration is changed on a network interface, the service paths for BGP over SVR routes are not being rebuilt. ------ -- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of show ntp will now report IP addresses of the time servers rather than resolve hostnames. +- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of `show ntp` now reports IP addresses of the time servers rather than resolve hostnames. ------ -- **I95-46281 Kernel Update:** Update to RHCK 8.6 for the latest security fixes. +- **I95-46281 Update Kernel to RHCK 8.6:** Updated the kernel to integrate the latest security fixes. ------ -- **I95-46822 Revertible failover traffic not restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it was taking several seconds for traffic to be restored when forward traffic is present; in situations where only reverse traffic is present, traffic may not be restored. This issue has been resolved. 
+- **I95-46822 Revertible failover traffic may not be restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it may take seconds for traffic to be restored when forward traffic is present; in situations where **only** reverse traffic is present, traffic may not be restored. This issue will be resolved in a future release. ------ - **I95-46826 Carrier detection logic not recognizing disaster recovery modem:** Updated the carrier detection logic to properly recognize the carrier when a modem is attached to a disaster recovery cell tower. ------ @@ -592,7 +594,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-46114 SSR flooded with Highway messages:** The chatty `InterfaceMap::Exception: Unable to find path to peer` highway log has been suppressed. ------ -- **I95-46136 Unused app-id stats not being purged fast enough:** Resolved an issue where app-id stats tracked per client, per app, per next-hop are not cleaned up when inactive. +- **I95-46136 Unused Application ID stats not being purged fast enough:** Resolved an issue where application ID stats tracked per client, per app, per next-hop are not cleaned up when inactive. ------ - **I95-46169 RIB Doesn't Update Connected Route After Changing Network Interface Address Prefix from /24 to /27:** Resolved an issue when changing the prefix length for a network interface address, the RIB was not updated and routing protocols were not aware of the change. ------ 
@@ -606,11 +608,11 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-46451 Active Node not updating properly:** Resolved an issue with inter-node VRRP wherein the virtual interface could get stuck in a bad state after a flap. ------ -- **I95-46454 ICMP manager excessively logs ICMP echo replies with no matching context:** This issue has bee resolvd. +- **I95-46454 ICMP manager excessively logs ICMP echo replies with no matching context:** This issue has been resolved. ------ - **I95-46613 Flow move may not happen without forward packet for outbound only sessions:** Resolved an issue that when a session has been idle for more than 10 seconds, sessions for outbound-only connections may not failover properly without a forward packet. ------ -- **I95-46641 Modem lockup after reset on dual LTE system:** This issue has been resolved. +- **I95-46641 Modem lockup after reset on dual LTE system:** Resolved an issue with dual LTE modem lockup after reset. ### Caveats 
@@ -624,9 +626,9 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe - **I95-37417 Additional factory default session-type configuration:** Added factory-default session-types for NetBIOS Name Service, NTP, and LDAP over UDP. ------ -- **I95-40130 Factory Defaults for Conductor Communication:** Added SaltStack, Conductor, and IKE default session-types. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is 125 seconds. +- **I95-40130 Create factory defaults for all router-conductor communication:** SaltStack, Conductor, and IKE default session-types have been added. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is now 5 seconds. ------ -- **I95-44769 Add linux system logs to the Tech Support Information data:** Added settings to SaveTechSupportInfo to allow for customizations of journalctl settings, as well as some additional collection. +- **I95-44769 Add Linux system logs to the Tech Support Information data:** This patch allows for customizations of the systemd journal content included in the `tech-support-info` bundle, and includes additional default content. ### Resolved Issues 
@@ -643,19 +645,19 @@ I95-45054, I95-45056, I95-45059 ------ - **I95-40348 Unable to rename a router:** Increased the maximum message size so that the larger configuration changes can be processed correctly. ------ -- **I95-40904 Power save mode not working:** This issue has been resolved. +- **I95-40904 Power save mode not working:** Add a method to read current power saver mode setting from existing config before committing the new configuration, and changing the setting. ------ - **I95-41931 Peers show the IP address not the router name in the GUI:** This issue has been resolved, and both the IP address and router name are displayed. ------ - **I95-42318 Broken symlink for plugins results in a highway crash:** Resolved the handling of a broken symlink for plugins, which was resulting in a failure to apply config and a highway crash. ------ -- **I95-42438 Save Tech Support tries to run when SSR service is down:** In situations where the PCLI is still active, but the SSR service is down, trying to run `save tech support` will appear to work, but does not return any info. This issue has been resolved, and will return a message when information is not retrievable. +- **I95-42438 `save tech-support-info` tries to run when SSR service is down:** In situations where the PCLI is still active, but the SSR service is down, trying to run `save tech-support-info` will appear to work, but does not return any info. This issue has been resolved, and will return a message when information is not retrievable. ------ - **I95-42608 BGP over SVR not able to open BGP session when routingManager is active on different node than interface:** This has been resolved by sending the packet to the node where routingManager is active via the inter node path. ------ -- **I95-43606 No communication between Routers:** In rare instances the BFD Pinhole feature experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. 
+- **I95-43606 No communication between Routers:** In rare instances, BFD outbound-only flows experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. ------ -- **I95-43779 DHCP IP Address is not released:** Updated the state machine to cause DHCP-enabled interfaces to send out a DHCP Request for their current IP address. +- **I95-43779 DHCP IP Address not releasing appropriately:** When the cable is physically disconnected and reconnected from DHCP-enabled interfaces, the interfaces are now triggered to send out a DHCP Request for their current IP address. ------ - **I95-43897 Planned failover did not work properly:** Resolved an issue where a waypoint missing from an internal database prevented failover. ------ 
@@ -665,11 +667,11 @@ I95-45054, I95-45056, I95-45059 ------ - **I95-44443 NTP Server config not always picked up:** Resolved an issue where NTP configuration was changed but the backend would not take action on those changes. ------ -- **I95-44551 DHCP Relay not working after upgrade:** A packet for traffic matching a summary service may be dropped because it was incorrectly flagged as hierarchical on the SVR peer. Well known non-hierarchical services such asDHCP relay will no longer perform hierarchical service checks on the peer. +- **I95-44551 DHCP Relay not working after upgrade:** A packet for traffic matching a summary service may be dropped because it was incorrectly flagged as hierarchical on the SVR peer. Well known non-hierarchical services such as DHCP relay will no longer perform hierarchical service checks on the peer. ------ - **I95-44554 Metadata packets may incorrectly pin flow affinity:** Worker core affinity latching has been prevented, resolving this issue. ------ -- **I95-44722 Time based HMAC failure after HA reboot:** Resolved a buffering issue where device interfaces are now flushed upon becoming active to avoid handling of inactive packets. +- **I95-44722 Time series HMAC failures after rebooting node in HA router:** Device interfaces are flushed upon becoming active to avoid handling of packets which have been delayed due to inactivity. ------ - **I95-44726 Invalid return code returned by T1 card firmware creating a memory leak:** Resolved a buffer leak in the wanpipe driver. ------ 
@@ -679,7 +681,7 @@ I95-45054, I95-45056, I95-45059 ------ - **I95-44988 SSR Stuck in Upgrade status:** Improved logging to detect when an installer session is started and there is an already an active interactive installer session; for example when an interactive installer session was left open. ------ -- **I95-45113 snmp override of the IfTable:** An issue with SNMP reporting has been resolved. +- **I95-45113 SNMP override of the IfTable:** `ifAlias` and `IfDescr` have been swapped in our SNMP reporting; `ifDescr` is always the `ifName`. This change was made for consistency with other Juniper products. ------ - **I95-45124 RBAC Config Endpoints Leaking Information:** Resolved an issue where some configuration endpoints would allow users with incorrect permissions make requests. ------ 
@@ -698,11 +700,10 @@ I95-45054, I95-45056, I95-45059 ------ - **I95-45842 PCLI `show events` does not paginate correctly:** This issue has been resolved. ------ -- **I95-45882 Rare case where an invalid DHCP server configuration generated:** This issue has been resolved. +- **I95-45882 Invalid DHCP server config causes a crash:** Resolved an issue when the DHCP server was misconfigured with duplicate interfaces and then committed, the validation would not catch this and cause a crash. The SSR code has been hardened to handle the misconfiguration. ------ - **I95-46055 Add warning when transmit caps are too low:** Users now get a warning when configuring a traffic-engineering transmit-cap under 1Mbps. ------ - ### Caveats - **I95-45348: Update salt master and minion to 3002.8:** When upgrading an HA pair to version 5.5.1, please be aware of the following: While updating the conductors in an HA pair, the upgraded conductor node asset state will remain DISCONNECTED if the active `automatedProvisioner` is not running a corrected version (see table below). When performing an HA conductor upgrade the node running the oldest software assumes leadership. However, the older version will not be able to talk to the new software on the upgraded conductor. diff --git a/docs/release_notes_128t_5.6.md b/docs/release_notes_128t_5.6.md index 59a6b520219..4de7bd98274 100644 --- a/docs/release_notes_128t_5.6.md +++ b/docs/release_notes_128t_5.6.md 
@@ -16,7 +16,7 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. ::: -- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor peer or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. +- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor, peer, or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. ------ - **I95-42452 Conductor Upgrade Time:** Upgrades to version 5.4 and above can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. ------ 
@@ -53,11 +53,11 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-56236 Routers unable to onboard after upgrading the Conductor:** Resolved an issue where the automated provisioner and the Quickstart processes overlapped, preventing the device state from being reviewed for errors, which stopped the onboarding process. ------ -- **I95-56326 / I95-57000 Potential crash while collecting TSI:** Added protection against unmapped memory access to resolve an issue where, if a TSI is collected at just the wrong time, it can cause a highway crash. +- **I95-57000 Hub crash while generating TSI:** Protection has been added to prevent unmapped memory access during packet buffer location walk. ------ - **I95-56455 Zero-byte files when updating conductor hardware using an OTP image:** A check has been added to verify that `api.key` and `router-api.key` are non-zero length and valid. If not, the keys are regenerated. ------ -- **I95-56527 Failure to validate and commit config; system incorrectly expected escape sequence:** Resolved an issue where capture-filter expected an escape sequence for input when it was not necessary. +- **I95-56527 `compare config` returns an `Invalid JSON` error:** Resolved an issue where the use of a backslash (`\`) in a list key or a list element generates an `Invalid JSON` error when `compare config` is run. This error occurred in cases where there is a difference between the configs in a child of the list element with a `\` in its key; Or when the parent list or leaf-list exists in both configs but the list or leaf-list element with the `\` only exists in one; Or if the list element with the `\` is renamed. ------ - **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The disk monitoring agent polling frequently is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. ------ 
@@ -87,7 +87,7 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-57082 Unable to delete a capture-filter that contains a forward slash (/):** This issue has been resolved. ------ -- **I95-57110 Crash seen during add and delete peers while sending traffic:** A race condition has been fixed that could cause a crash in the packet-processing highway process if a peer-path is removed from configuration. +- **I95-57110 Crash seen during add and delete peers while sending traffic:** A race condition has been fixed that could cause a crash in the forwarding plane (highway) process if a peer-path is removed from configuration. ------ - **I95-57114 Unable to upgrade AWS Conductor:** Resolved an issue where an incorrect package version was installed, triggering a downgrade and preventing the upgrade. ------ @@ -99,7 +99,7 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-57593 No option to require password change on first login:** Added a Require Password Change On First Login checkbox to the Create User dialog. Previously this feature was only available in the create-user command. ------ -- **I95-58201 Increase AMD performance:** Throughput performance on AMD processors has been improved through the tuning of some kernel parameters. +- **I95-58201 Throughput Performance Improvements Across Platforms:** Kernel parameter tuning has improved throughput performance on most AMD and Intel platforms (excluding Intel Atom), with the greatest gains on AMD processors. This includes Juniper-branded platforms like the SSR1200 and SSR1500, as well as cloud instances, VM hosts, and other hardware configurations. ------ - **I95-58528 SSR OS renaming:** The SSR OS has been renamed/rebranded from "CentOS7" to "SSR OS" to more accurately reflect its customized Linux distribution. All internal naming has been updated. ------ 
@@ -121,13 +121,13 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, - **The following CVE's have been identified and addressed in this release:** CVE-2020-22218, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2024-20952, CVE-2023-40217, CVE-2023-20569, CVE-2022-43552, CVE-2023-48795, CVE-2023-2176, CVE-2023-40283, CVE-2023-4623, CVE-2024-22019, CVE-2023-46724,CVE-2023-46728, CVE-2023-49285, CVE-2023-49286, CVE-2023-50269, CVE-2024-25617. ------ -- **I95-50697 RFC1918 sessions (private IP addresses) are reclassified in error:** When a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will now only be reclassified if the classification data reflects a positive classification change. +- **I95-50697 Private RFC1918 Web Applications ignored by Mist when collecting SLE data:** Handling of RFC1918 traffic classification returned a private domain causing an undesirable clumping of session stats. With the new behavior, when a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will only be reclassified if the classification data reflects a positive classification change. ------ - **I95-52251 Changes to the conductor address on the router result in loss of ssh connection to the router:** Resolved an issue where changing the router level `conductor-address` did not update the salt-created services with the new addresses. ------ -- **I95-52500 SVR multi-hop failover causes traffic to drop when using outbound-only:** Added a session ID lookup to resolve a situation where sessions failing between multi-hop SVR and direct SVR connections may lead to duplicate flow exceptions and dropped traffic. +- **I95-52500 SVR Multi Hop Failover:** Added a session lookup by session-ID to resolve a situation where sessions failing between multi-hop SVR and direct SVR connections may lead to duplicate flow exceptions and dropped traffic. 
------ -- **I95-53216 Unable to change password for users managed through external user databases (such as LDAP or RADIUS):** Resolved an issue that caused a Password Change dialog to appear for remotely authenticated users. +- **I95-53216 "Unable to change password" message showing for remote users:** Resolved an issue that caused a "Password Change" dialog to appear for remotely authenticated users. ------ - **I95-54127 Users managed through external user databases (such as LDAP or RADIUS) cannot generate or view TSI:** Resolved an issue that did not provide a home directory for custom roles, which prevented LDAP users from viewing the systemd journal. ------ @@ -143,7 +143,7 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-55164 Dropping GRE encapsulated packets:** Classification support for Enhanced GRE Header, version 1, as defined by RFC 2637 Point-to-Point Tunneling Protocol (PPTP) has been added. ------ -- **I95-55208 Asset fails to transition state and never reaches RUNNING:** In some cases where the RPM database may be corrupt or another process holds an indefinite lock, the highstate will block other processes from starting. A timeout has been added for the `rpm -q` process in highstate to allow other processes to run. +- **I95-55208 Asset fails to transition state:** In certain cases when the RPM database is corrupted or another process holds its lock indefinitely, the highstate can block forever running rpm -q. Since other highstate attempts see an existing highstate job, they don't try to do anything else and the asset stays stuck like that forever without manual intervention. ------ - **I95-55226 Validation incorrectly allows a network interface to be used as both DHCP relay and server:** The validation process has been updated to include several checks against DHCP relays, clients, servers, and access-policies. ------ 
@@ -151,13 +151,13 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-55389 Queries for private domains with Websense classified as Miscellaneous:** Domains categorized by Websense as Uncategorized are now classified as Uncategorized/Uncategorized, rather than Miscellaneous/Uncategorized. ------ -- **I95-55550 node0 went down and did not fail over to node1:** Multiple disk errors caused corruption on the `128T_root` filesystem causing it to enter `read-only` mode and becoming non-responsive. To resolve this issue, issues in the filesystem now result in kernel panic mode, launching a reboot and in HA systems, failover. Additionally, the filesystem check is run to check and repair the filesystem. +- **I95-55550 Abrupt power failure may result in filesystem corruption:** Multiple disk errors caused corruption on the 128T_root filesystem causing it to enter read-only mode and becoming non-responsive. To resolve this issue, the filesystem triggers a kernel panic, launching a reboot and in HA systems, failover. Additionally, the filesystem check is run to check and repair the filesystem. ------ - **I95-55586 GraphQL API returns `IsActive` incorrectly if the `device-interface` is `vrrp_standby`:** The `router-peer-path` setting now returns the correct value when in `vrrp-standby`. ------ - **I95-55591 Some network interface stats are not updated:** Some network interface stats are not updated with the port name when a device interface is renamed. Device interface name changes are now handled correctly, and `network-interface` metrics are properly updated when `device-interface name` changes. ------ -- **I95-55603 HA router stuck in connected state due to runtime corruption issue:** Resolved an issue causing an unzip race condition with Python files. The packaging and installation process has been improved to prevent this issue. 
+- **I95-55603 HA router stuck in connected state due to runtime corruption issue:** Resolved an issue with an unzip race condition with Python files. The packaging and installation process has been improved to prevent this issue. ------ - **I95-55762 Unable to view more than 50 prefixes in BGP:** Updated the routing engine to display all rows for BGP show commands if a count parameter is not specified. ------ 
@@ -177,11 +177,11 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-56475 HA-sync network interface shows warning after router upgrade:** Resolved an issue where non-forwarding interfaces would appear to be administratively down in the web UI when they were not. ------ -- **I95-56492 Sessions configured for outbound-only with nat-keep-alive enabled experience reverse flow packet drops after flow migration:** A flow move from a WAN path to an inter-router path causes repeated session modifies on the hub side causing reverse traffic packet drops due to NAT keepalives incorrectly testing the failed WAN path for the migrated session. This issue has been resolved. +- **I95-56492 Sessions configured for outbound-only with nat-keep-alive enabled experience reverse flow packet drops after flow migration:** A flow move from an inter-router (WAN) peer path to an inter-node (fabric) peer path causes repeated session modifies on the hub side causing reverse traffic packet drops due to NAT keepalives incorrectly testing the failed WAN path for the migrated session. This issue has been resolved. ------ - **I95-56541 Include kernel journal entries in TSI:** A separate `kernel.log` journal file is now created in the TSI output. ------ -- **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The `ComponentDiskUtilizationMonitor` checks the disk usage too frequently and is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. +- **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The disk monitoring agent polling frequently is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. ------ - **I95-56600 Add `show tenant members` to the TSI output:** `show tenant members` and additional network scripts have been added to the TSI output. 
@@ -193,17 +193,17 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, - **The following CVE's have been identified and addressed in this release:** CVE-2022-41974, CVE-2023-32360, CVE-2023-22045, CVE-2023-22049, CVE-2022-41741, CVE-2022-41742, CVE-2020-12321, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-3341, CVE-2023-22081, CVE-2022-0934, CVE-2023-46847, CVE-2021-43975, CVE-2022-28388, CVE-2022-3594, CVE-2022-3640, CVE-2022-38457, CVE-2022-40133, CVE-2022-40982, CVE-2022-42895, CVE-2022-45869, CVE-2022-45887, CVE-2022-4744, CVE-2023-0458, CVE-2023-0590, CVE-2023-0597, CVE-2023-1073, CVE-2023-1074, CVE-2023-1075, CVE-2023-1079, CVE-2023-1118, CVE-2023-1206, CVE-2023-1252, CVE-2023-1382, CVE-2023-1855, CVE-2023-1989, CVE-2023-1998, CVE-2023-23455, CVE-2023-2513, CVE-2023-26545, CVE-2023-28328, CVE-2023-28772, CVE-2023-30456, CVE-2023-31084, CVE-2023-3141, CVE-2023-31436, CVE-2023-3161, CVE-2023-3212, CVE-2023-3268, CVE-2023-33203, CVE-2023-33951, CVE-2023-33952, CVE-2023-35823, CVE-2023-35824, CVE-2023-35825, CVE-2023-3609, CVE-2023-3611, CVE-2023-3772, CVE-2023-4128, CVE-2023-4132, CVE-2023-4155, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4732, CVE-2022-45884, CVE-2022-45886, CVE-2022-45919, CVE-2023-1192, CVE-2023-2163, CVE-2023-3812, CVE-2023-5178, CVE-2023-38406, CVE-2023-38407, CVE-2023-47234, CVE-2023-47235. ------ -- **I95-38188 Re-Homing an SSR in certain circumstances leaves residual services:** If an SSR is rehomed from an HA conductor to a standalone conductor, the services pointing to the second node of the HA conductor were not removed. Resolved the issue where the reverse SSH tunnels from a managed router to the second HA conductor node were not cleaned up if the conductor was converted back to a standalone conductor. 
+- **I95-38188 Repurposing an HA conductor to a standalone conductor left services for the second conductor:** Resolved an issue where the reverse SSH tunnels from a managed router to the second HA conductor node were not cleaned up if the conductor was converted back to a standalone conductor. The salt states now stop services to a second conductor when it is removed from the HA configuration. ------ - **I95-48783 Conductor process logs are unbounded, risking storage exhaustion:** `auditd` logs consuming the disk space when the node monitor is in a disconnected state and the audit logs are left unconsumed. There was a limit to the log file size, but not the number of files. The number of files is now limited. ------ -- **I95-50493 Memory calculation for alarms is confusing:** This alarm was designed to trigger when memory usage went above 90% and clear only when memory usage went below 80%, causing confusion. The memory usage alarm no longer requires memory usage to go below 80% to clear; it will clear when memory usage goes below 90%. +- **I95-50493 Memory calculation for alarms is confusing:** This alarm was designed to trigger when memory usage went above 90% and clear only when memory usage went below 80%, causing confusion. Memory usage alarm no longer requires memory usage to go below 80% to clear; it will clear when memory usage goes below 90%. ------ - **I95-50540 Denied traffic events not displaying in the GUI or PCLI:** Resolved an issue that prevented displaying denied traffic events in the `show events` PCLI command and in the GUI. Users would see `% Error: Unhandled TypeError: list indices must be integers or slices` in the PCLI, and `An unknown traffic event occurred` in the GUI. ------ - **I95-51191 BFD metrics not cleaned up properly:** The BFDAgent holds onto the stats for peer paths; If the config is changed on a router, new stats are made but the old ones were not being deleted. 
The old BFD by-peer-path stats are now deleted when a VLAN configuration change is made. ------ -- **I95-51459 Logs and exception pcaps are periodically filled with error logs and truncated packets:** Resolved an issue where ICMP error respond packets for encapsulated traffic caused `PacketBufferDataNotFound: Could not find specified data in packet` error logs to be generated, or truncated packets to arrive in the FastLane exceptions pcap. +- **I95-51459 Logs and exception pcaps are periodically filled with error logs and truncated packets:** Resolved an issue where ICMP error response packets for encapsulated traffic caused `PacketBufferDataNotFound: Could not find specified data in packet error logs` to be generated, or truncated packets to arrive in the FastLane exceptions pcap. ------ - **I95-51492 Password expiration not working:** This issue has been resolved. Administrators must use the global setting `configure authority password-policy lifetime N ` to indicate that all user passwords must be changed every `N` days. ------ 
@@ -227,7 +227,7 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-53538 Custom audit rules not preserved on SSR upgrade:** Resolved an issue where the image-based upgrade (IBU) was not preserving audit rules or `dnf.conf`. ------ -- **I95-53787 Stats not present on conductor:** Running `show device-interface router all` on a conductor caused stats (in-octets, in-unicast-pkts, etc.) to be incorrectly displayed as "n/a" instead of the correct value. This issue has been resolved. +- **I95-53787 Stats not present on conductor:** Running `show device-interface router all` on a conductor caused stats (in-octets, in-unicast-pkts, etc...) to be incorrectly displayed as "n/a" instead of the correct value. This issue has been resolved. ------ - **I95-53852 `host-service snmp-server` blocks SVR pings to a `network-interface` owned address:** Ping traffic was hitting the generated (wildcarded) snmp-server service. The session could not setup due to security policy conflicts. This issue has been resolved; the generated service from an snmp-server host-service now has a UDP transport. ------ 
@@ -243,19 +243,19 @@ CVE-2024-21011, CVE-2024-21012, CVE-2024-21068, CVE-2024-21085, CVE-2024-21094, ------ - **I95-53986 `nodeMonitor` failed to get data for `show platform disk`:** Some of the dynamic access for `smartctl` objects were not protected. A check for the object existence has been added before attempting to read it. ------ -- **I95-54086 Conductor memory exceeded:** In certain cases the salt master on the conductor could grow indefinitely in memory. This may be related to situations with both poor connectivity and the use of the `asset-connection-resiliency` feature. An update to the salt package has been made to resolve this issue. +- **I95-54086 Conductor memory exceeded:** In certain cases, the salt master on the conductor could grow indefinitely in memory. This may be related to situations with both poor connectivity and the use of the asset-connection-resiliency feature. An update to the salt package has been made to resolve this issue. ------ - **I95-54155 nodeMonitor coredump on secondary node after upgrade:** During an upgrade where `deviceType` was `LTE` the attempt to get a linux interface name (not supported) failed. This issue has been resolved by implementing a device interface type verification. ------ - **I95-54180 Unable to fetch reports from Conductor GUI:** A refactor moved the connectivity check exception, which prevented a service restart. This has been resolved, and the stats now being written to the database and GUI tables. ------ -- **I95-54189 Application mapping does not correctly match services:** Resolved an issue where the application director was misclassifying sessions due to IP overlap; this is a valid configuration, when services use an IP address with different ports assigned to different services. The SSR now recognizes these different port configurations. 
+- **I95-54189 Application classification mapping does not correctly match configured services:** Resolved an issue where DPI was misclassifying sessions due to IP overlap. When services use an IP address with different ports assigned to different services, the SSR now recognizes these different port configurations. ------ -- **I95-54271 Race condition after a configuration change related to the source nat:** Resolved a rare condition wherethe SharedNatPool was being reset while it was accessed for session setup. This caused a race condition that led to a highway process crash. +- **I95-54271 Race condition during a configuration change related to source NAT leading to crash:** Resolved a rare condition where the NAT pool was being reset while it was accessed for session setup. This caused a race condition that led to a highway process crash. ------ - **I95-54294 Unable to delete capture-filter created with `&&` operator:** Resolved an issue that disallowed deleting capture-filters containing `&&`. Customers on older versions of software can work around this by creating capture-filters using `and` instead of `&&`. ------ -- **I95-54340 Hub-to-spoke sessions break when failing over from outbound-only Path:** When a session modify occurs due to an ingress change (inter-node -> inter-router) AND an egress change is also detected, the incorrect security was being looked up for the old flow, causing an exception to be thrown and the modify to fail. This would present itself as dropped packets and in logs as a SecurityNotFound error. This issue has been resolved. +- **I95-54340 Hub-to-spoke sessions fail during failover from outbound-only path:** When a session modify occurs due to an ingress change (inter-node -> inter-router) AND an egress change is also detected, the incorrect security was looked up for the old flow, causing an exception to be thrown and the modify to fail. This would present itself as dropped packets and in logs as a SecurityNotFound error. 
This issue has been resolved. ------ - **I95-54490 Permission denied when trying to open a user config file:** Resolved a permissions issue for the `connect router` command by adding ACLs for reverse SSH so that this is accessible for admin users. ------ @@ -286,9 +286,9 @@ Resolution: The high value was due to an internal corruption when the metrics fo - **I95-48174 Expand supported values for DHCP option:** DHCP option 43 is now a supported option, as well as a binary encoded-type (hex/byte) support. Valid examples are `0xabcdef` and `0x123456`. ------ -- **I95-51181 Improve `save-tech-support-info` command:** The PCLI command `save tech-support-info` now has a default of one day. Additionally, a `since` argument has been added that limits log collection to only logs generated after the specified value. The `since` argument can be a relative time delta or an absolute timestamp. The GUI's About and Logs pages has the same functionality with a drop down that allows limiting the time window for the displayed/downloaded logs/tech-support-info. +- **I95-51181 Improve `save-tech-support-info` command:** The PCLI command `save tech-support-info` now has a default collection period of one day. Additionally, a `since` argument has been added that limits log collection to only logs generated after the specified value. The `since` argument can be a relative time delta or an absolute timestamp. The GUI's About and Logs pages has the same functionality with a drop down that allows limiting the time window for the displayed/downloaded logs/tech-support-info. ------ -- **I95-52406 Add ability to download MIBs from GUI:** A button has been added to the GUI, in the Documentation pane of the About Page, to download the SNMP MIB definitions for SSR. +- **I95-52406 Download MIBs from the GUI:** A button has been added to the GUI, in the Documentation pane of the About Page, to download the SNMP MIB definitions for SSR. ### Resolved Issues 
@@ -300,7 +300,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-50708 Time series data for memory of the salt_master process periodically significantly decreases:** Incorrect method for polling application memory data; this resulted in dips in application memory being presented. This issue has been resolved. ------ -- **I95-51864 Ethernet Over SVR (EoSVR) not working for multi-hop SVR scenarios:** When EoSVR traffic traverses over a dogleg path in a HA node topology, traffic failed to traverse the middle node. EoSVR packets are no longer incorrectly dropped when routed over an inter-node path when coming from an SVR path. +- **I95-51864 Ethernet Over SVR (EoSVR) not working for multi-hop SVR scenarios:** When EoSVR traffic traverses over a dogleg path in a HA node topology, traffic failed to traverse intermediate nodes. EoSVR packets are no longer incorrectly dropped when routed over an inter-node path when coming from an SVR path. ------ - **I95-52491 Crash in highway process due to segmented metadata:** Resolved an issue processing metadata that is segmented across two packet buffers. The segmented packets are no longer discarded and the dataplane no longer crashes when processing a packet comprised of segmented metadata. ------ 
@@ -320,7 +320,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-53015 Highway log has large number of unnecessary INFO messages:** A previous log message of icmp response packet failed was incorrectly logged at INFO level. It is neither an error nor actually informational, and has now been downgraded to DEBUG level. ------ -- **I95-53017 Some files incorrectly marked as executable:** While strengthening the security posture of the platform, some files with superfluous executable bits set have been identified and correctly marked. +- **I95-53017 Some files incorrectly marked as executable:** Some cache files were incorrectly marked as executable, and were flagged as part of the Common Criteria validation. These files have been correctly identified and marked. ------ - **I95-53105 Conductor to router API RBAC rules not being followed:** Resolved an issue where the user is getting elevated to admin on the managed router, thus returning more data than necessary. ------ @@ -335,7 +335,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo - **I95-53285 User datastore issue when renaming a router:** Resolved an issue where HTTP requests would stop working to a router after the router's name was changed, but before the SSR was restarted. ------ - **I95-53321 Syslog datamodel is limited:** Added the following configurable syslog facility values `auth`, `authpriv`, `cron`, `daemon`, `kern`, `lpr`, `mail`, `news`, `syslog`, `user`, and `uucp`. - +------ ### Caveats - **I95-53833 Timeout prevents startup:** 5.6.11 introduced a regression in the SSR reboot startup logic. If any of the processes take longer than 30 seconds to complete, the startup sequence is abandoned and renders the platform inoperable. The system can be recovered by manually restarting the SSR software. This issue is tracked by I95-53833. 
@@ -348,7 +348,9 @@ Resolution: The high value was due to an internal corruption when the metrics fo - **I95-52198 Handle incoming public keys from peer conductor node:** Added functionality to allow conductor nodes to share the authorized keys of managed routers between each other. If the SSH public key is retrieved from a managed router by one conductor node, then it is automatically shared with its conductor peer node. ------ -- **I95-52316 Enhancements to Overlapping FIB Services:** The [`fib-service-match`](config_command_guide.md#configure-authority-fib-service-match) command allows you to configure either `best-match-only` or `any-match`. +- **I95-52316 Enhancements to Overlapping FIB Services:** The [`fib-service-match`](config_command_guide.md#configure-authority-fib-service-match) command has been added to provide additional control over the creation of FIB entries in combination with routing updates. + - `best-match-only` This is the default value, and legacy behavior. When comparing prefixes from a route update to addresses configured in services, only addresses with the longest prefix match for a particular route are considered. In cases of transport overlap, services are visited in alphabetical order. + - `any-match` introduces new behavior. All service addresses that match the route update are considered when creating the FIB entries, including those with prefixes shorter than the update or those that do not have the best match service address. The transports from the service with the longest prefix are considered first. This minimizes missed entries, but may result in a higher FIB usage. - `best-match-only` considers the best matching prefix length. In cases of transport overlap, services are visited in alphabetical order. - Using `any-match` will consider all services that match the route update but do not have the best match service address when creating FIB entries, minimizing missed entries. 
The transports from the service with the longest prefix are considered first. ------ @@ -398,7 +400,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-48931 Service area Highway crash:** Now prevent crashing in SSR's highway process in rare race conditions when a session's flow is removed before the session is fully established. ------ -- **I95-49587 ICMP session classification improvement:** The application lookup for ICMP sessions now accurately identifies the correct service. +- **I95-49587 ICMP session classification improvement:** The application lookup for ICMP sessions has been optimized to accurately identify the correct service. ------ - **I95-50722 Highway crashes during session migration:** Resolved a crash in the SSR's highway process, due to a race condition between configuration changes and BFD sessions. ------ @@ -416,7 +418,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-51359 Unable to set the OSPF MTU:** Added the ability for users to set the MTU to a non-default value. ------ -- **I95-51403 GUI displays download in progress even after the download is complete:** Resolved an issue where a download success event is never created even though the version shows as downloaded in the software versions. +- **I95-51403 GUI displays "Download in Progress" even after the download is complete:** Resolved an issue where a download success event is not created after the version shows up as downloaded in the Software Versions. ------ - **I95-51427 GUI not displaying all the version information:** The GUI About page now displays additional version information previously only displayed in the PCLI `show system version detail.` ------ 
@@ -437,7 +439,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo ------ - **I95-51794 Core dump on systems with greater than 10 physical interfaces, such as Lenovo SR-650:** Resolved an issue where the SR-650 was crashing due to uninitialized flags field. Support has been added for these devices. ------ -- **I95-51865 NTP not syncing for HA nodes:** Added the ability to configure the orphan stratum for the HA peer node. This was previously hard-coded to 5 but this change allows an HA peer to be able to sync when the upstream server is of a lower stratum, if so desired by the user. +- **I95-51865 NTP not syncing for HA nodes:** Added the ability to configure the orphan stratum for the HA peer node. This was previously hard-coded to 5 but this change allows an HA peer to sync when the upstream server is of a lower stratum, if so desired by the user. ------ - **I95-51915 Report buffer allocation failures to watchdog:** `alloc-failure` stats are now gathered per device and included in the device stats, allowing the watchdog to detect a failure and respond. ------ 
@@ -453,7 +455,7 @@ Resolution: The high value was due to an internal corruption when the metrics fo - **I95-48862 Load balance sessions across BGP RIB Entries with multiple paths:** Resolved an issue when BGP was used to build a routing table, only the first next hop was used. All next hops are now used, and load balancing occurs over all routing protocol routes. ------ -- **I95-50510 New fields for IPFIX:** The SSR IPFIX implementation was not sending the industry standard fields of flowStartMilliseconds and flowEndMilliseconds. In the new implementation, all IPFIX records include these fields. The start time is set to the start time of the flow, and the end time is always set to the time the last packet was received on the flow. For intermediate records, this indicates that the flow is still ongoing but provides the last activity timestamp. For the end records, this indicates when the last packet was received on the flow prior to the session terminating. For additional information, see [IPFIX](concepts_application_discovery.md#ipfix). +- **I95-50510 New fields for IPFIX:** The SSR IPFIX implementation was not sending the industry standard fields of `flowStartMilliseconds` and `flowEndMilliseconds`. In the new implementation, all IPFIX records include these fields. The start time is set to the start time of the flow, and the end time is always set to the time the last packet was received on the flow. For intermediate records, this indicates that the flow is still ongoing but provides the last activity timestamp. For the end records, this indicates when the last packet was received on the flow prior to the session terminating. For additional information, see [IPFIX](concepts_application_discovery.md#ipfix). ------ - **I95-50571 Add packet buffer tracking to help analyze buffer exhaustion:** The following features have been added to help diagnose packet buffer pool depletions in certain environments: - Track packet buffer locations. 
@@ -498,13 +500,13 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-49754 Waypoint reuse causing duplicate reverse flows:** Resolved a case where when the waypoint pool is nearly depleted, released waypoints were reused prematurely causing errors when installing reverse flows. ------ -- **I95-49791 Add audit rules to track modification of grub config files:** Added rules to log notifications in case of changes to grub configuration files. +- **I95-49791 Audit rules to track modification of config files:** Added rules to track the modification of grub configuration files, to aid in troubleshooting. ------ - **I95-49925 GRE tunnel health-check not migrating sessions when path is down:** The GRE tunnel manager now removes all sessions before adding new ones rather than modifying the existing sessions. ------ - **I95-49969 Permission Denied error when attempting to self-generate a webserver certificate:** Resolved an issue that prevented users with the admin role from creating a new self-signed web certificate via the PCLI command `create certificate self-signed webserver`. ------ -- **I95-49974 Stuck flow not cleared when reverse metadata is incomplete:** Resolved an issue where reverse metadata is coming through incomplete - without the source tenant. The source tenant has been added to the reverse metadata. +- **I95-49974 Stuck flow is not clearing when the reverse metadata is incomplete:** Added the source tenant to the reverse metadata to prevent the metadata parsing exception. ------ - **I95-50047 Conductor config unable to pass local validation on one of the routers:** Resolved an issue where a router missing the `reachability-profile` configuration may pass validation on conductor. ------ 
@@ -514,7 +516,7 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-50262 Routers disconnected from their conductor may have incorrect log rotation settings:** Resolved an issue where a managed router was not able to pull down the configuration from the Conductor - which includes the log rotation config. The default salt log rotation configuration has been improved, preventing the log from growing too large before the connection to the Conductor can be established. ------ -- **I95-50269 Router clone operation fails:** Implemented checks to prevent cloning obsolete elements and internal lists/containers on legacy versions of the SSR software. +- **I95-50269 Router clone operation fails:** Implemented checks to prevent cloning obsolete elements and internal lists/containers on legacy versions of the SSR software (pre-4.4). ------ - **I95-50286 Rebooting a node of an HA pair from Linux breaks routing:** Resolved an issue where a delay in the shutdown process caused a node to take over a VRRP interface, creating routing issues. ------ 
@@ -559,11 +561,32 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-51006 Nodes stuck in connected state after upgrade:** On an HA conductor, if the user is performing an upgrade on the first conductor node and that user makes a config commit during the upgrade, then the configuration's modified time will become out of sync between the two conductor nodes. When the conductor first node is finished upgrading the result is a loop where the configuration keeps getting committed by each node back and forth until a new commit is made. This issue has been resolved by allowing the peer conductor node to accept the config despite the perceived version disparity. Please note performing a commit mid-upgrade is not supported. ------ -- **I95-51007 Conductor is incorrectly honoring core pinning:** The cpuProperties cores setting in /etc/128technology/local.init was erroneously isolating cores on conductor nodes when set, even though this setting is intended for a router. This would cause a reduction in available processing cores for normal conductor operations. This setting will now be ignored on the conductor. +- **I95-51007 Conductor only - cpuProperties-core value isolating cores:** *In SSR software versions 6.0.0 and greater*, the `cpuProperties-cores` setting in `/etc/128technology/local.init` is erroneously isolating cores on conductor nodes when set. Because the conductor does not forward packets, there should be no traffic cores allocated to or isolated on the conductor for packet forwarding. This setting was previously ignored on the conductor, but while resolving an earlier issue with the installer and initializer that allocated CPU cores for traffic, that is no longer the case. + +It is recommended that prior to upgrading the conductor that the user modify local.init to set this setting to `0`. 
For example, a setting like this in `/etc/128technology/local.init`: + +``` + "cpuProperties" : { + "cores" : 4 + }, +``` +should be changed to: +``` + "cpuProperties" : { + "cores" : 0 + }, +``` + +Note that only the relevant section of `local.init` is shown for clarity. All other settings should be left the same. +The change should be made on both nodes of an HA system. If a conductor is already running 6.0.0 or later it will be necessary to `systemctl restart 128T` on each node after making this change. If the modification is made prior to upgrade it is not necessary to restart 128T service as this will be performed during the upgrade. Making this change on versions earlier than 6.0.0 will not affect operation, and will not require a restart. + +This issue will be corrected in an upcoming release. ------ - **I95-51044 Hide `forwarding-core-mode` on conductor:** Disabled the `forwarding-core-mode` setting on conductor nodes, since this setting doesn't apply to conductor. ------ -- **I95-51087 SSR fails to download firmware after upgrading the conductor:** Resolved an issue where the first time a conductor is upgraded and **conductor-only** is selected in the software-update settings, the proxy service on the conductor does not work correctly, and downloads fail. The downloads no longer fail. +- **I95-51087 SSR fails to download firmware after upgrading the conductor:** An issue has been identified where the first time a conductor is upgraded and `conductor-only` is selected in the `software-update` settings. The proxy service on the conductor does not work correctly, and downloads attempted by the router will fail. This issue will be resolved in the next release. + + **_Workaround:_** Make a simple configuration change and commit the change. Any configuration change is sufficient to start the internal proxy service. Once this commit has been made this will no longer be an issue. 
------ - **WAN-1958 Mist agent crashes:** Increased internal file system limits which were preventing some services from starting correctly at boot. Limits were raised based on expected system usage. @@ -581,12 +604,16 @@ and there are established flows for any of these services, a link flap triggerin - TBW (Terabyte Written) - TBW per year ------ -- **I95-50072 Support for ConnectX-6 Lx PCIe device:** Support has been added for this device. +- **I95-50072 Support for ConnectX-6 Lx PCIe device:** Support has been added for this device. ### Resolved Issues :::important -- **I95-49594 Highway Crash:** In a system where any of the following are configured: +- **I95-49594 Highway Crash:** Resolved an issue for systems where any of the following are configured: + - `application-identification` is enabled, + - a service is defined with `domain-name child services`, or + - a `service address` is configured as a `domain` +and there are established flows for any of these services, a link flap triggering a flow invalidation (changes to FIB) will induce a crash in the highway process of the SSR. This issue exists in versions 6.1.0 and 6.1.1, and is resolved in 6.1.2. - `application-identification` is enabled, - a service is defined with `domain-name child services`, or - a `service address` is configured as a `domain` 
@@ -613,7 +640,14 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-49350 BFD echo generating latency overhead:** BFD echo tests are now staggered to minimize application latency's contribution to overall peer path latency. ------ -- **I95-49377 Transmit packets dropped by NIC for established sessions - packet counters are incrementing and can be seen in packet capture, but not seen by next-hop:** Added hooks for NIC driver to trigger an unrecoverable event and invoke the Highway lockup detector mechanism. +- **I95-50445, I95-49377 i40e and ice devices enter malicious descriptor detection state, preventing forwarding of traffic:** Resolved an issue where fragmented packet chains larger than 8 buffers were discarded causing a malicious descriptor event. + - The below `dpdk.log` snippet provides an example of the event: +``` +[DPDK| -- ] ERROR (00007f03ec18e700) i40e_dev_alarm_handler(): ICR0: malicious programming detected +[DPDK| -- ] WARN (00007f03ec18e700) i40e_handle_mdd_event(): Malicious Driver Detection event 0x02 on TX queue 6 PF number 0x01 VF number 0x00 device 0000:08:00.1 +[DPDK| -- ] WARN (00007f03ec18e700) i40e_handle_mdd_event(): TX driver issue detected on PF +``` + - Added hooks for the NIC driver to trigger an unrecoverable event and invoke the Highway lockup detector mechanism. ------ - **I95-49431 Unable to edit or add static route config from Conductor GUI:** When editing configuration on the stand-by node of an HA pair, creating a list item with a slash, /, such as specifying the destination-address of a static-route, caused an error. This has been resolved. ------ 
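Review bot: In the I95-50445, I95-49377 entry, the code fence for the `dpdk.log` snippet appears to start at column 0 while the lines around it are indented sub-bullets. In Markdown that ends the list item, so the snippet and the following "Added hooks for the NIC driver ..." sub-bullet may render detached from the entry. Suggest indenting the fence and its three log lines to the sub-bullet level. The old title's symptom (transmit packets dropped by the NIC, counters incrementing but not seen by the next hop) is also gone; one sentence restoring it would help operators match the entry to what they observe.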
@@ -625,7 +659,7 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-49564 Reduce volume of logs during pending lookups:** The error logs during a pending lookup has been changed to a muted error log with a stat. ------ -- **I95-49604 Alarm when a node is disconnected:** An alarm is now raised when a node is disconnected from the internal synchronization database. +- **I95-49604 No alarm raised when a node is disconnected from the internal synchronization database:** When nodes are unable to connect to the internal synchronization database, a critical alarm is now raised. ------ - **I95-49633 Validation not strict for static assignment within DHCP server configuration:** Configuration for static addresses within DHCP server exists in multiple locations per design. Cross-validation has been added to prevent the same ip-address from being configured and assigned to multiple dhcp-clients. ------ 
@@ -709,13 +743,13 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48107 EoSVR sessions not stable:** Resolved an issue with loss of connectivity to STEP EoSVR peer. The STEP route is now held in place and available when STEP connectivity is restored. ------ -- **I95-48163 Only services with load-balanced paths are shown in `show services`:** Resolved an issue where services without load-balanced paths weremissing from show services output. +- **I95-48163 Only services with load-balanced paths are shown in `show services`:** Resolved an issue where services without load-balanced paths were missing from show services output. ------ -- **I95-48324 Application Identification not parsing domain names:** The App-ID parsing mode has been updated to correctly parse domain names. +- **I95-48324 Application Identification not parsing domain names:** The Application Identification parsing mode has been updated to correctly parse domain names on hub to spoke outbound traffic. ------ - **I95-48396 `show-rib` limited to 512 entries:** The `show rib` count maximum has been increased. ------ -- **I95-48529 BFD sending link notification before hold-down timer expires:** Resolved an issue where peer service-paths do not remain down while the BFD session / peer status is in the hold-down period after transitioning from down to up. Peer service-paths status now correctly reflect the peer status. Sessions will not be moved back to peers that have re-established connectivity but are still in the hold-down period. +- **I95-48529 BFD hold-down timer does not hold-down peer service-paths:** Resoled an issue where peer service-paths do not remain down while the BFD session / peer status is in the hold-down period after transitioning from down to up. Peer service-paths status now reflects the peer status, and sessions will not be moved back to peers that have re-established connectivity, but are still in the hold-down period. 
------ - **I95-48580 Application summary classification fails for hub-to-spoke sessions:** The spoke now learns application names for sessions when receiving packets from a hub with application identification disabled. ------ @@ -835,7 +869,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-47787 Worker core packet processing spikes to 100%:** Added the ability to tune the [Reverse Packet Session Resiliency](config_reference_guide.md#reverse-packet-session-resiliency) `Minimum Packet Count` (default is 3) and `Detection Interval` (default is 5) settings for session failover without requiring forward packet, and resolved the underlying issue that caused excessively high worker-core CPU. ------ -- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** The base interface for egress is now used if the `icmp-probe probe-address` is the same as the tunnel destination, and the `internal-address` is used as the source if the `egress-interface` is `gre-overlay`. +- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** We now use the base interface for egress if the `icmp-probe probe-address` is the same as the tunnel destination, and use the `internal-address` as the source if the `egress-interface` is `gre-overlay`. ------ - **I95-47967 Cloud bootstrapper does not bootstrap the deployed Conductor:** Resolved an issue where the configuration was being rejected by the cloud bootstrapper when the device was a conductor. ------ 
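Review bot: The new I95-48529 line introduces a typo, "Resoled an issue", which will be copied into every release-notes file that shares this text. Suggest "Resolved an issue". The same entry changes "Peer service-paths status now correctly reflect" to "now reflects"; "status ... reflects" is the right agreement, so keep that part.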
@@ -887,9 +921,9 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-45847 Duplicate Alarms on Multiple Routers:** Resolved duplicate alarms by obtaining alarms from only one node in an HA pair. ------ -- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of show ntp will now report IP addresses of the time servers rather than resolve hostnames. +- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of `show ntp` now reports IP addresses of the time servers rather than resolve hostnames. ------ -- **I95-46126 Router Status:** Resolved an issue in HA configurations when a router is connected to HA Conductor 1, but not directly connected to HA Conductor 2, alarms generated on the router are now seen on Conductor 2 - the conductor to which the router is not directly connected. +- **I95-46126 Router Status:** In HA configurations where a router is connected to HA Conductor 1, but not directly connected to HA Conductor 2, alarms generated on the router will not be seen on Conductor 2 - the conductor to which the router is not directly connected. To see alarms on a router, the Conductor must be directly connected to the Router. ------ - **I95-46281 Update Kernel to RHCK 8.6:** Updated the kernel to integrate the latest security fixes. ------ 
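Review bot: The I95-46126 replacement inverts the meaning of the entry. The removed line says alarms generated on the router "are now seen on Conductor 2", and the added line says they "will not be seen on Conductor 2" and that the conductor "must be directly connected to the Router". This looks like known-issue text pasted over the resolved text. Please confirm which behaviour this release has; if the issue is fixed here, keep the "Resolved an issue ..." wording.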
@@ -901,7 +935,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-46701 Packet Loss on Headend Router:** Added device-interface rx/tx descriptor ring size to resolve this issue. ------ -- **I95-46807 Validation insufficient for reachability-detection:** Added validation logic to report and error when `service-route > reachability-detection` was configured, but neither `icmp-probe-profile` or `reachability-profile` exist. +- **I95-46807 Validation not catching when a router does not have an icmp-probe-profile or reachability-profile configured:** This issue has been resolved. ------ - **I95-46826 Carrier detection logic not recognizing disaster recovery modem:** Updated the carrier detection logic to properly recognize the carrier when a modem is attached to a disaster recovery cell tower. ------ @@ -909,7 +943,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-46919 LDAP Users Not Shown in GUI Users Display:** Updated username requirements and the ability to identify issues with usernames not meeting those requirements. See [Username and Password Policies](config_password_policies.md) for username requirements. ------ -- **I95-46921 `128status.sh` script incorrectly checks for non-existent listening port:** Removed port 830 check for software versions 5.3.0 and greater +- **I95-46921 `128status.sh` script incorrectly checks for non-existent listening port:** Removed port 830 check for software versions 5.3.0 and greater. ------ - **I95-46966 BGP Connection Restarts on SVR Peer Failover:** Resolved an issue with FIB entry setup that was causing BGP connection reset when the session fails over. ------ 
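Review bot: The I95-46807 body is reduced to "This issue has been resolved.", which drops the only statement of what the validation now checks: `service-route > reachability-detection` configured while neither `icmp-probe-profile` nor `reachability-profile` exists. Suggest keeping the removed sentence under the new title, with "report and error" corrected to "report an error", so the entry still tells users which configuration will start failing validation.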
@@ -974,7 +1008,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup - **I95-46562 Allow targeting another router or node when saving tech-support-info:** GUI: A button has been added to the **Logs** page in the GUI to download a tech-support-info bundle. This allows downloading a router's `tech-support-info` directly from the Conductor GUI.
PCLI: The PCLI command `save tech-support-info` can now collect logs from another node. Using the Conductor's PCLI, a `tech-support-info` bundle can be collected from a Managed Router or the HA peer. ------ -- **I95-46747 Improved the Password user experience:** You now are re-propmpted up to three times for the current password if it is incorrect. If a new password does not meet the strength check, you are prompted with that information, and required to update the password. +- **I95-46747 Improved the Password user experience:** You now are re-prompted up to three times for the current password if it is incorrect. If a new password does not meet the strength check, you are prompted with that information, and required to update the password. ### Resolved Issues 
@@ -984,9 +1018,9 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-39274 DNS-based services kill asset connection resiliency:** Resolved an issue where an internal commit was bouncing the kni254 interface and causing a series of connection resets. ------ -- **I95-42438 Save Tech Support tries to run when SSR service is down:** In situations where the PCLI is still active, but the SSR service is down, trying to run `save tech support` will appear to work, but does not return any info. This issue has been resolved, and will return a message when information is not retrievable. +- **I95-42438 `save tech-support-info` tries to run when SSR service is down:** In situations where the PCLI is still active, but the SSR service is down, trying to run `save tech-support-info` will appear to work, but does not return any info. This issue has been resolved, and will return a message when information is not retrievable. ------ -- **I95-43606 No communication between Routers:** In rare instances the BFD Pinhole feature experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. +- **I95-43606 No communication between Routers:** In rare instances, BFD outbound-only flows experienced collisions between forward session flows. Session modification has been addressed and collisions are now avoided. ------ - **I95-43779 DHCP IP Address not releasing appropriately:** When the cable is physically disconnected and reconnected from DHCP-enabled interfaces, the interfaces are now triggered to send out a DHCP Request for their current IP address. ------ 
@@ -1004,7 +1038,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45126 Split-brain after the sync interface goes down:** Resolved an issue that if the SSR software experienced a crash while it owned an interface from an X553 device, other devices hosted by the same chip could be impacted. ------ -- **I95-45164 `show-active-peers` missing some information:** Resolved a corner case where an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the SSR misinterprets the non-compliant device's timeouts and the MTU will be unresolvable. +- **I95-45164 Active peers show Unavailable for PATH-MTU, LATENCY, JITTER, LOSS & MOS for some transports:** Resolved a rare issue in the case of an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the non-compliant device's timeouts are incorrectly interpreted and the MTU becomes unresolvable. ------ - **I95-45271 Error while trying to change appearance or selecting custom reports:** In some cases where error messages are vague, a path to the error location is provided. ------ @@ -1016,7 +1050,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45842 PCLI `show events` does not paginate correctly:** This issue has been resolved. ------ -- **I95-45882 Rare case where an invalid DHCP server configuration generated:** This issue has been resolved. +- **I95-45882 Invalid DHCP server config causes a crash:** Resolved an issue when the DHCP server was misconfigured with duplicate interfaces and then committed, the validation would not catch this and cause a crash. The SSR code has been hardened to handle the misconfiguration. ------ - **I95-45890 Service paths for BGP over SVR routes are not being rebuilt:** Resolved an issue when the vector configuration is changed on a network interface, the service paths for BGP over SVR routes are not being rebuilt. ------ 
@@ -1030,14 +1064,14 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-46169 RIB Doesn't Update Connected Route After Changing Network Interface Address Prefix from /24 to /27:** Resolved an issue when changing the prefix length for a network interface address, the RIB was not updated and routing protocols were not aware of the change. ------ -- **I95-46230 Highway Crash:** Resolved an issue where uncaught exceptions were causing highway issues. +- **I95-46230 Exceptions with invalid giid causing a highway crash:** Resolved an issue where uncaught exceptions (invalid giid of 0) were causing highway issues. ------ - **I95-46314 Configuring Static Assignment with Client-Identifier Causes DHCP failure:** Updated config validation to verify that, within a single DHCP server host-service, all static assignments use unique client-identifiers. ------ - **I95-46332 VRRP Does Not Work with Ethernet Controller X710 for 10GbE SFP+:** Configuring VRRP on an Intel X700 series NIC can see discard broadcast packets due to the source pruning feature which is enabled by default. This change disables source pruning when VRRP is enabled on these NICs. ------ - **I95-46411 PPPoE over VLAN interface status missing in `show` commands:** Added attribute to show the missing information. ------- +------ - **I95-46419 Forward Error Correction (FEC) with OutBound Only Fails:** Resolved an issue where FEC actions are not installed properly after the modification to resolve the outbound only path. ------ - **I95-46454 ICMP manager excessively logs ICMP echo replies with no matching context:** This issue has been resolved. 
@@ -1048,11 +1082,11 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-46641 Modem lockup after reset on dual LTE system:** Resolved an issue with dual LTE modem lockup after reset. ------ -- **I95-46822 Revertible failover traffic not restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it was taking several seconds for traffic to be restored when forward traffic is present; in situations where only reverse traffic is present, traffic may not be restored. This issue has been resolved. +- **I95-46822 Revertible failover traffic may not be restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it may take seconds for traffic to be restored when forward traffic is present; in situations where **only** reverse traffic is present, traffic may not be restored. This issue will be resolved in a future release. ------ - **I95-46931 Hardware using ConnectX6-DX fails to initialize:** Added support for this card variant. ------ -- **I95-46959 PPPoE over VLAN not working when target interface is down:** Added code to bring up parent interface before VLAN interface. +- **I95-46959 PPPoE over VLAN not working when target interface is down:** Added code to bring up the parent interface before VLAN interface. ------ - **I95-47111 Issues with redundant interfaces on startup:** Resolved an issue where the notifications for active interfaces may get lost when using VRRP for redundancy. 
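Review bot: The I95-46822 entry changes from "This issue has been resolved." to "This issue will be resolved in a future release.", and the title and body move to "may not be restored" / "it may take seconds". That turns a resolved item into an open one. If the fix shipped in this release, keep the past-tense description and the resolved statement; if not, the entry should not stay in this list.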
@@ -1076,7 +1110,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-39712 Hierarchical Service Inheritance For STEP Learned Routes:** Child services now inherit routes of their parent services, when the parent route is learned through STEP. For more information see [Hierarchical Services.](config_STEP.md#hierarchical-services) ------ -- **I95-40130 Factory Defaults for Conductor Communication:** Added SaltStack, Conductor, and IKE default session-types. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is 125 seconds. +- **I95-40130 Create factory defaults for all router-conductor communication:** SaltStack, Conductor, and IKE default session-types have been added. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is now 5 seconds. ------ - **I95-40660 Kernel Upgrade:** The OS kernel has been upgraded to address several CVEs and provide support for Wireguard and Cordoba. ------ @@ -1114,7 +1148,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-38408 DHCP server on wrong vlan sends offer in response to discover message:** Hosted DHCP servers that do not have an explicit vlan configured are now explicitly treated as vlan 0, and handle any DHCP packets that are untagged/vlan 0, in order to prevent those packets from being multicasted to multiple DHCP servers. ------ -- **I95-40904 Power save mode not working:** This issue has been resolved. +- **I95-40904 Power save mode not working:** Add a method to read current power saver mode setting from existing config before committing the new configuration, and changing the setting. ------ - **I95-41992 Warning for Rate-Limit with Flow-Limit values at 0:** A warning has been added to advise users that this will cause dropped packets. ------ 
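Review bot: In I95-40130 the IPSEC-NAT timeout changes from "125 seconds" to "now 5 seconds". A commit described as replacing divergent text should not change a documented default without saying which value is correct. Please verify the value against the factory-default session-type configuration and note the source in the commit message, since operators size NAT keep-alive behaviour from this number.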
@@ -1140,7 +1174,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45063 SSR azure instances unstable on large machine types:** Resolved an unpgrade issue causing instability in Azure instances using Mellanox5. ------ -- **I95-45113 snmp override of the IfTable:** An issue with SNMP reporting has been resolved. +- **I95-45113 SNMP override of the IfTable:** `ifAlias` and `IfDescr` have been swapped in our SNMP reporting; `ifDescr` is always the `ifName`. This change was made for consistency with other Juniper products. ------ - **I95-45123 CVE Issue:** The latest Security vulnerabilities have been identified and addressed. ------ @@ -1163,7 +1197,9 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45541 LDAP users are unable to login to the PCLI due to permission errors:** This issue has been resolved. ------ -- **I95-45559 Corrupted resolv.conf after ODM imaging:** Resolved an issue on SSR systems running dns-proxy services with external interfaces configured using PEERDNS=yes, where a race condition may occur that results in corrupt nameservers being added to the /etc/resolv.conf file. +- **I95-45559 Corrupted `resolv.conf` after ODM imaging:** On SSR systems running dns-proxy services with external interfaces configured using `PEERDNS=yes`, a race condition may occur that results in corrupt nameservers being added to the `/etc/resolv.conf` file. + + **_Workaround:_** A temporary workaround is to force an update of this file by either of the following methods: ------ - **I95-45583 HA Connection lost during commit:** Resolved an issue where session was missing necessary path data information relating to the peer path. ------ 
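Review bot: The new I95-45559 text ends with "A temporary workaround is to force an update of this file by either of the following methods:" and nothing follows before the next `------` separator, so the workaround is missing its methods. The body also now says the race condition "may occur" where the removed line said "Resolved an issue". Either bring over the list of methods from the source entry, or keep the resolved wording and drop the workaround sentence.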
@@ -1171,7 +1207,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45641 Stuck BGPoSVR Sessions after Failover:** Made changes to provide updates to less specific FIB entries when routes are updated to resolve this issue. ------ -- **I95-45643 User created users missing after upgrade:** Resolved an issue where the XML values true/false are also handled as 1/0. +- **I95-45643 Users that were created by non-admin users were missing after upgrade:** Resolved a config type conversion issue that caused users to disappear after upgrade. ------ - **I95-45696 Memory leak in pam challenge library:** Resolved a memory leak in the PAM challenge library. ------ @@ -1179,7 +1215,7 @@ PCLI: The PCLI command `save tech-support-info` can now collect logs from anothe ------ - **I95-45761 SSH ClientAliveInterval change:** The SSH `ClientAliveInterval` has been reset to 900. ------ -- **I95-45783 User home directories different across the topology during upgrade:** Resolved an issue with incorrect LDAP user roles during upgrade. +- **I95-45783 User home directories are different across the network topology:** Resolved an issue where findUser was hitting a "User not Found" error and exiting. ------ - **I95-45816 "TCP State Stream Parse Error" filling up the flpp.log:** This log issue has been addressed. diff --git a/docs/release_notes_128t_6.0.md b/docs/release_notes_128t_6.0.md index c51bc4abfb7..8e1eddf023f 100644 --- a/docs/release_notes_128t_6.0.md +++ b/docs/release_notes_128t_6.0.md 
@@ -16,7 +16,7 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. ::: -- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor peer or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. +- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor, peer, or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. ------ - **I95-42452 Conductor Upgrade Time:** Upgrades to version 5.4 and above can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. ------ 
@@ -63,7 +63,7 @@ This issue will be corrected in an upcoming release. ------ - **I95-50072 Support for ConnectX-6 Lx PCIe device:** Support has been added for this device. ------ -- **I95-50510 New fields for IPFIX:** The SSR IPFIX implementation was not sending the industry standard fields of flowStartMilliseconds and flowEndMilliseconds. In the new implementation, all IPFIX records include these fields. The start time is set to the start time of the flow, and the end time is always set to the time the last packet was received on the flow. For intermediate records, this indicates that the flow is still ongoing but provides the last activity timestamp. For the end records, this indicates when the last packet was received on the flow prior to the session terminating. For additional information, see [IPFIX](concepts_application_discovery.md#ipfix). +- **I95-50510 New fields for IPFIX:** The SSR IPFIX implementation was not sending the industry standard fields of `flowStartMilliseconds` and `flowEndMilliseconds`. In the new implementation, all IPFIX records include these fields. The start time is set to the start time of the flow, and the end time is always set to the time the last packet was received on the flow. For intermediate records, this indicates that the flow is still ongoing but provides the last activity timestamp. For the end records, this indicates when the last packet was received on the flow prior to the session terminating. For additional information, see [IPFIX](concepts_application_discovery.md#ipfix). ------ - **I95-50571 Add packet buffer tracking to help analyze buffer exhaustion:** The following features have been added to help diagnose packet buffer pool depletions in certain environments: - Track packet buffer locations. 
@@ -101,7 +101,7 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-49603 Process Manager crash:** When a long running process was being cleaned up by the subprocess, the cleanup would fail causing a crash. Long running processes are now properly terminated, which allows the cleanup subprocess to complete correctly. ------ -- **I95-49604 Alarm when a node is disconnected:** An alarm is now raised when a node is disconnected from the internal synchronization database. +- **I95-49604 No alarm raised when a node is disconnected from the internal synchronization database:** When nodes are unable to connect to the internal synchronization database, a critical alarm is now raised. ------ - **I95-49633 Validation not strict for static assignment within DHCP server configuration:** Configuration for static addresses within DHCP server exists in multiple locations per design. Cross-validation has been added to prevent the same ip-address from being configured and assigned to multiple dhcp-clients. ------ 
@@ -109,17 +109,17 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-49754 Waypoint reuse causing duplicate reverse flows:** Resolved a case where when the waypoint pool is nearly depleted, released waypoints were reused prematurely causing errors when installing reverse flows. ------ -- **I95-49791 Add audit rules to track modification of grub config files:** Added rules to log notifications in case of changes to grub configuration files. +- **I95-49791 Audit rules to track modification of config files:** Added rules to track the modification of grub configuration files, to aid in troubleshooting. ------ - **I95-49912 Login banner not displayed on serial console:** The login banner is now displayed on the serial console. ------ -- **I95-49913 Some Login/Logout events not logged in Audit Logs:** All login and logout events are now logged in the audit logs. +- **I95-49913 Some Login/Logout Events not logged in Audit Logs:** A new function has been added to create an event to process USER_LOGOUT audit messages. ------ - **I95-49925 GRE tunnel health-check not migrating sessions when path is down:** The GRE tunnel manager now removes all sessions before adding new ones rather than modifying the existing sessions. ------ - **I95-49969 Permission Denied error when attempting to self-generate a webserver certificate:** Resolved an issue that prevented users with the admin role from creating a new self-signed web certificate via the PCLI command `create certificate self-signed webserver`. ------ -- **I95-49974 Stuck flow not cleared when reverse metadata is incomplete:** Resolved an issue where reverse metadata is coming through incomplete - without the source tenant. The source tenant has been added to the reverse metadata. +- **I95-49974 Stuck flow is not clearing when the reverse metadata is incomplete:** Added the source tenant to the reverse metadata to prevent the metadata parsing exception. 
------ - **I95-50014 Hitting Buffer Overflow during configuration changes:** Resolved an issue where a config change request may not make it to a managed router, and returns a buffer overflow error. ------ 
@@ -129,17 +129,17 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-50050 VRRP High Availability gets stuck in Active/Active:** The DPDK version has been updated to resolve this issue. ------ -- **I95-50247 Duplicate peer path alarms:** Resolved an issue where both BFD and the path MTU feature were generating alarms for the same peer path being down. The criteria for which peerPath state changes can trigger peer path events has been tightened. +- **I95-50247 Duplicate peer path alarms:** Resolved an issue where both BFD and the path MTU feature were generating alarms for the same peer path being down. The criteria for which peer path state changes can trigger peer path events has been tightened. ------ - **I95-50260 `show idp events` does not honor the `router` or `node` arguments:** Resolved an issue where `show idp events` did not honor the `router` and `node` arguments and always executed against the local node. The command is now executed correctly, using the specified arguments. ------ - **I95-50262 Routers disconnected from their conductor may have incorrect log rotation settings:** Resolved an issue where a managed router was not able to pull down the configuration from the Conductor - which includes the log rotation config. The default salt log rotation configuration has been improved, preventing the log from growing too large before the connection to the Conductor can be established. ------ -- **I95-50269 Router clone operation fails:** Implemented checks to prevent cloning obsolete elements and internal lists/containers on legacy versions of the SSR software. +- **I95-50269 Router clone operation fails:** Implemented checks to prevent cloning obsolete elements and internal lists/containers on legacy versions of the SSR software (pre-4.4). 
------ - **I95-50286 Rebooting a node of an HA pair from Linux breaks routing:** Resolved an issue where a delay in the shutdown process caused a node to take over a VRRP interface, creating routing issues. ------ -- **I95-50331 System fails to synchronize keys on startup:** The SSR now dynamically updates rsync IP host address from the non forwarding HA sync interfaces, and will fall back to the global.init host IPs if they don't exist. +- **I95-50331 System fails to synchronize keys on startup:** The SSR now dynamically updates the `rsync IP host address` from the non forwarding HA sync interfaces, and will fall back to the `global.init` host IPs if they don't exist. ------ - **I95-50363 MOS Metrics not refreshing:** Resolved an issue where the SLA and MOS values were not being updated in the stats (or PeerPathTable) when a BFD session was brought down. The SLA and MOS stats are now set to 0 when the BFD session is brought down. ------ @@ -156,7 +156,7 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-50534 Race condition between NetworkInterfaceManager and FastLane:** Resolved a race condition caused by adding and deleting the same network interface in a very short window of time, potentially causing a system crash. ------ -- **I95-50543 systemd unable to start 128T after upgrade:** This issue has been resolved by ensuring that the netfilter kernel is installed. +- **I95-50543 SSR may not start after upgrade:** A race condition during startup may cause some services to start out of order, causing the SSR to not start. A reboot is required to start the system normally. ------ - **I95-50554 No dynamic synchronization of repos to the routers:** Resolved an issue where it was necessary to restart 128T on the Conductor in order for the Conductor to recognize newly added repositories and sync them down to the assets. Authenticated repos are now automatically synchronized when repos are added to the conductor. ------ 
@@ -184,11 +184,30 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-51006 Nodes stuck in connected state after upgrade:** On an HA conductor, if the user is performing an upgrade on the first conductor node and that user makes a config commit during the upgrade, then the configuration's modified time will become out of sync between the two conductor nodes. When the conductor first node is finished upgrading the result is a loop where the configuration keeps getting committed by each node back and forth until a new commit is made. This issue has been resolved by allowing the peer conductor node to accept the config despite the perceived version disparity. Please note performing a commit mid-upgrade is not supported. ------ -- **I95-51007 Conductor is incorrectly honoring core pinning:** The `cpuProperties` cores setting in `/etc/128technology/local.init` was erroneously isolating cores on conductor nodes when set, even though this setting is intended for a router. This would cause a reduction in available processing cores for normal conductor operations. This setting will now be ignored on the conductor. +- **I95-51007 Conductor only - cpuProperties-core value isolating cores:** *In SSR software versions 6.0.0 and greater*, the `cpuProperties-cores` setting in `/etc/128technology/local.init` is erroneously isolating cores on conductor nodes when set. Because the conductor does not forward packets, there should be no traffic cores allocated to or isolated on the conductor for packet forwarding. This setting was previously ignored on the conductor, but while resolving an earlier issue with the installer and initializer that allocated CPU cores for traffic, that is no longer the case. + +It is recommended that prior to upgrading the conductor that the user modify local.init to set this setting to `0`. 
For example, a setting like this in `/etc/128technology/local.init`: + +``` + "cpuProperties" : { + "cores" : 4 + }, +``` +should be changed to: +``` + "cpuProperties" : { + "cores" : 0 + }, +``` + +Note that only the relevant section of `local.init` is shown for clarity. All other settings should be left the same. +The change should be made on both nodes of an HA system. If a conductor is already running 6.0.0 or later it will be necessary to `systemctl restart 128T` on each node after making this change. If the modification is made prior to upgrade it is not necessary to restart 128T service as this will be performed during the upgrade. Making this change on versions earlier than 6.0.0 will not affect operation, and will not require a restart. + +This issue will be corrected in an upcoming release. ------ - **I95-51021 Package to Image conversion fails on FIPS enabled SSR:** Conversion of package-based to image-based is now supported for systems with FIPS 140-2 mode enabled. ------ -- **I95-51044 Hide forwarding-core-mode on conductor:** Disabled the `forwarding-core-mode` setting on conductor nodes, since this setting does not apply to a conductor. +- **I95-51044 Hide `forwarding-core-mode` on conductor:** Disabled the `forwarding-core-mode` setting on conductor nodes, since this setting doesn't apply to conductor. ### Caveats - **I95-51087 SSR fails to download firmware after upgrading the conductor:** An issue has been identified where the first time a conductor is upgraded and `conductor-only` is selected in the `software-update` settings. The proxy service on the conductor does not work correctly, and downloads attempted by the router will fail. This issue will be resolved in the next release. 
@@ -202,7 +221,11 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ### Resolved Issues :::important -- **I95-49594 Highway Crash:** In a system where any of the following are configured: +- **I95-49594 Highway Crash:** Resolved an issue for systems where any of the following are configured: + - `application-identification` is enabled, + - a service is defined with `domain-name child services`, or + - a `service address` is configured as a `domain` +and there are established flows for any of these services, a link flap triggering a flow invalidation (changes to FIB) will induce a crash in the highway process of the SSR. This issue exists in versions 6.1.0 and 6.1.1, and is resolved in 6.1.2. - `application-identification` is enabled, - a service is defined with `domain-name child services`, or - a `service address` is configured as a `domain` @@ -225,7 +248,6 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48571 IDP Topology User Experience Improvements:** The SSR will include the auto-generated IDP mode when enabled as a part of `show idp application status`. Additionally, enabling `hub` mode will not result in engine bring-up errors. ------ - ### Resolved Issues - **The following CVE's have been identified and addressed in this release:** I95-48464, I95-48859, I95-48907, I95-49039, I95-49079, I95-49445, I95-49745, I95-49746, I95-49747, I95-49748. 
@@ -250,9 +272,9 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48232 Ability to ping lost after failover:** We now prevent unnecessary FIB changes (which may lead to a short traffic interruption) when new routes are added to the RIB that are more specific than some configured service IP prefixes. ------ -- **I95-48324 Application Identification not parsing domain names:** The App-ID parsing mode has been updated to correctly parse domain names. +- **I95-48324 Application Identification not parsing domain names:** The Application Identification parsing mode has been updated to correctly parse domain names on hub to spoke outbound traffic. ------ -- **I95-48352 Application ID is not identifying MS-Teams correctly:** Resolved an issue where sessions with IP addresses as their domain names were not classified correctly. Sessions with IP addresses as their domain name are now verified against the IP tree, and not the domain name database. +- **I95-48352 Application ID is not identifying MS-Teams correctly:** Resolved an issue where sessions with IP addresses as their domain names were not classified correctly when the information was received via HTTP web proxy. Sessions with IP addresses as their domain name are now verified against the IP tree, and not the domain name database. ------ - **I95-48396 `show-rib` limited to 512 entries:** The `show rib` count maximum has been increased. ------ 
@@ -260,7 +282,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48580 Application summary classification fails for hub-to-spoke sessions:** The spoke now learns application names for sessions when receiving packets from a hub with application identification disabled. ------ -- **I95-48581 Missing entry timestamp for `show app-id cache`:** Additional timing information has been added to `show app-id cache` to help identify the oldest entry. +- **I95-48581 No entry timestamp for `show app-id cache`:** Additional timing information has been added to `show app-id cache`. ------ - **I95-48582 `show bfd` command ignoring parameters:** The query parameters are now passed to the REST endpoint to be used byt the `show bfd` command. ------ @@ -282,7 +304,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48904 Stuck pinhole session after flow invalidation:** Resolved an issue with a stuck session that was setup from hub to HA spoke after a routing change. ------ -- **I95-48927 Audit log disc failure mode:** Added a Failure Notification parameter and failure mode to inform users that the `auditd.conf` log disc is nearing capacity, or has reached capacity, and that action is required. +- **I95-48927 Audit log disk failure mode:** Added a Failure Notification parameter and failure mode to inform users that the `auditd.conf` log disk is nearing capacity, or has reached capacity, and that action is required. ------ - **I95-48942 Routing policy filter condition reference type not validated:** Added a check to verify that when a routing policy condition references a filter, the condition type and filter type match. ------ 
@@ -345,7 +367,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi - **The following CVE's have been addressed and resolved:** I95-48644, I95-48648, I95-48650, I95-48653. ------ - **I95-32789 Peer metrics unavailable after Conflux synchronization:** Resolved an issue with HA routers where the metrics application stops streaming metrics to the peer node after loading configuration. ------- +------ - **I95-43302 Rename Third-Party menu text:** The menu text has been changed to **External** to more accurately reflect the links to other Juniper platforms. ------ - **I95-44957 Azure is not able to identify the asset-id of the deployed conductor and router:** The Azure ID has been modified to a value that can be processed by Azure. 
@@ -370,7 +392,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-47787 Worker core packet processing spikes to 100%:** Added the ability to tune the [Reverse Packet Session Resiliency](config_reference_guide.md#reverse-packet-session-resiliency) `Minimum Packet Count` (default is 3) and `Detection Interval` (default is 5) settings for session failover without requiring forward packet, and resolved the underlying issue that caused excessively high worker-core CPU. ------ -- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** The base interface for egress is now used if the `icmp-probe probe-address` is the same as the tunnel destination, and the `internal-address` is used as the source if the `egress-interface` is `gre-overlay`. +- **I95-47909 Handle GRE tunnels in ICMP reachability probe:** We now use the base interface for egress if the `icmp-probe probe-address` is the same as the tunnel destination, and use the `internal-address` as the source if the `egress-interface` is `gre-overlay`. ------ - **I95-47929 Missing BGP advertisement after deleting all sessions after an upgrade:** Resolved an issue where BGP update suppress was not removing any pending withdrawals. ------ 
@@ -388,7 +410,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48158 Unable to capture child services using session capture:** When a session capture is configured on a child service (e.g., `social.internet` instead of `internet`), the session is now recorded. ------ -- **I95-48163 Only services with load-balanced paths are shown in "show services":** Resolved an issue where services without load-balanced paths weremissing from show services output. +- **I95-48163 Only services with load-balanced paths are shown in `show services`:** Resolved an issue where services without load-balanced paths were missing from show services output. ------ - **I95-48181 "Failed to send IPFIX interim record" log messages:** Changed log level from Error to appropriate logging level for the cases when ipfix records should not be generated. ------ 
@@ -408,7 +430,7 @@ Upgrading to this release version will cause `coredump.conf` to be re-written wi ------ - **I95-48508 Keep-alive cache may cause worker core CPU spikes:** Resolved potential worker core utilization CPU spikes by utilizing aggressive keep-alive timeouts. ------ -- **I95-48529 BFD sending link notification before hold-down timer expires:** Resolved an issue where peer service-paths do not remain down while the BFD session / peer status is in the hold-down period after transitioning from down to up. Peer service-paths status now correctly reflect the peer status. Sessions will not be moved back to peers that have re-established connectivity but are still in the hold-down period. +- **I95-48529 BFD hold-down timer does not hold-down peer service-paths:** Resoled an issue where peer service-paths do not remain down while the BFD session / peer status is in the hold-down period after transitioning from down to up. Peer service-paths status now reflects the peer status, and sessions will not be moved back to peers that have re-established connectivity, but are still in the hold-down period. ------ - **I95-48579 Application director does not handle overlapping prefixes correctly:** The radix tree has been updated and now handles overlapping prefixes correctly. ------ 
@@ -465,11 +487,11 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-42320 BGP aggregate-address not working:** Add support for BGP address summarization. ------ -- **I95-44976 Highway issue when modifying an app-id session:** Resolved an issue where modifying an app-id session with a new session-id can lead to a crash. +- **I95-44976 Highway issue when modifying an app-id session:** SSR software versions 5.1.5 and greater are susceptible to a crash during a flow migration when `application-identification` is enabled (modes `tls` or `all`) on spoke to hub traffic traversing over SVR. The condition occurs for sessions migrating that have timed out or that are traversing the ha-fabric link in the reverse direction. ------ - **I95-45847 Duplicate Alarms on Multiple Routers:** Resolved duplicate alarms by obtaining alarms from only one node in an HA pair. ------ -- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of show ntp will now report IP addresses of the time servers rather than resolve hostnames. +- **I95-46056 `show ntp` has no output from PCLI, even though NTP is configured:** The output of `show ntp` now reports IP addresses of the time servers rather than resolve hostnames. ------ - **I95-46281 Update Kernel to RHCK 8.6:** Updated the kernel to integrate the latest security fixes. ------ 
@@ -481,7 +503,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-46919 LDAP Users Not Shown in GUI Users Display:** Updated username requirements and the ability to identify issues with usernames not meeting those requirements. See [Username and Password Policies](config_password_policies.md) for username requirements. ------ -- **I95-46921 `128status.sh` script incorrectly checks for non-existent listening port:** Removed port 830 check for software versions 5.3.0 and greater +- **I95-46921 `128status.sh` script incorrectly checks for non-existent listening port:** Removed port 830 check for software versions 5.3.0 and greater. ------ - **I95-46966 BGP Connection Restarts on SVR Peer Failover:** Resolved an issue with FIB entry setup that was causing BGP connection reset when the session fails over. ------ @@ -489,7 +511,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-47274 Service Paths not showing status:** The `state` column in the GUI now correctly reflects the Service Path state. ------ -- **I95-47390 Inline BFD collision issue:** Resolved an inline BFD collision issue that was preventing peering from occurring. +- **I95-47390 Inline BFD Collisions:** BFD peering between two router fails when one of the peer has a DHCP interface and has external NAT configured on neighborhood. This will occur in AWS deployments. This issue will be addressed in an future release. ------ - **I95-47437 TSI creation is leading into Network Failure - BGP BFD went down:** Refined the output for TSI to prevent failures. ------ 
@@ -565,7 +587,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-47314 Ping command has high session timeout:** The ICMP sessions for ping command will now use the correct timeout of 5 seconds. ------ -- **I95-47336 Running config change events are missing:** Resolved an issue where running config events under a different username were filtered out. +- **I95-47336 Running configuration change events are missing:** Updates have been made to include `username` in the running configuration change events log. ------ - **I95-47421 Quad Zero Tenant-Prefix Doesn't Get Applied in the Router:** Resolved an issue where the source lookup from global tenant took precedence over the local tenant. ------ @@ -611,7 +633,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-46545 Conductor Validation passing when a URL is configured in a Parent Service:** Validation for application-identification has been updated to include URL and subcategory. ------ -- **I95-46684 Image-based Installer / Interactive Installer:** `intialize128t` now runs automatically on first boot when using the image-based 6.0 installation with Interactive Install selected. +- **I95-46684 Image-based Installer / Interactive Installer:** When using the image-based 6.0 installation, be aware that if Interactive Install is selected, `intialize128t` does not launch automatically on first boot. This must be run manually; log in to the console as root using the default credentials, and type `initialize128t` to perform interactive initialization. This will be resolved in a future release. ------ - **I95-46931 Hardware using ConnectX6-DX fails to initialize:** Added support for this card variant. ------ 
@@ -621,7 +643,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-47129 Metadata is not disabled after flow-move for EoSVR sessions:** Added a metadata turnoff after session failover for EoSVR. ------ -- **I95-47336 Running configuration change events are missing:** Updates have been made to include `username` in the running configuration change events log. +- **I95-47336 Running configuration change events are missing:** Updates have been made to include `username` in the running configuration change events log. ### Caveats @@ -657,7 +679,7 @@ For immediate resolution on the impacted releases, contact Juniper Technical Sup ------ - **I95-46411 PPPoE over VLAN interface status missing in `show` commands:** Added attribute to show the missing information. ------ -- **I95-46822 Revertible failover traffic not restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it was taking several seconds for traffic to be restored when forward traffic is present; in situations where only reverse traffic is present, traffic may not be restored. This issue has been resolved. +- **I95-46822 Revertible failover traffic may not be restored when reverse traffic is present:** For a "revertible-failover" service policy, when the preferred path is restored and a session no longer traverses an internode dogleg path, it may take seconds for traffic to be restored when forward traffic is present; in situations where **only** reverse traffic is present, traffic may not be restored. This issue will be resolved in a future release. ------ - **I95-46826 Carrier detection logic not recognizing disaster recovery modem:** Updated the carrier detection logic to properly recognize the carrier when a modem is attached to a disaster recovery cell tower. ------ 
diff --git a/docs/release_notes_128t_6.1.md b/docs/release_notes_128t_6.1.md index 11b39c781c8..2ee7e15094b 100644 --- a/docs/release_notes_128t_6.1.md +++ b/docs/release_notes_128t_6.1.md @@ -16,7 +16,7 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. ::: -- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor peer or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. +- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor, peer, or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. ------ - **I95-42542 Conductor Upgrade Time:** Upgrades can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. ------ 
@@ -51,7 +51,7 @@ This issue will be corrected in an upcoming release. ### Resolved Issues -- **I95-59745 Routers are stuck in the connected state:** Resolved an issue where the router would unnecessarily write to `yum.dnf` and `dnf.conf`, resulting in a race condition that prevented them from reaching the `running` state. +- **I95-59745 Routers are stuck in the connected state and not transitioning to running:** Resolved an issue where the router repeatedly sent the same incorrect values to the config during startup, resulting in a race condition. ## Release 6.1.12-12-lts 
@@ -65,16 +65,16 @@ This issue will be corrected in an upcoming release. ------ - **I95-57305 Add flow timeout value to Associated Paths:** The Associated Paths window accessed from the Session view of the SSR GUI now displays a Flow Timeout column, providing a way to determine when the session will expire following inactivity. ------ -- **I95-58428 DSCP Steering Collision on Flow Move:** When IPSec traffic exists on a router and the DSCP steering feature is enabled, upon a flow move DSCP 0 traffic would collide with the pre-existing tunnel session. This issue has been resolved; the DSCP 0 packet is no longer dropped, and traffic is treated correctly. +- **I95-58428 DSCP Steering Collision on Flow Move, resulting in traffic drops:** When traffic is traversing an IPSec connection and the DSCP steering feature is enabled, upon a flow-move DSCP 0 traffic would collide with the pre-existing tunnel session. This issue has been resolved; the DSCP 0 packet is no longer dropped, and traffic is treated correctly. ------ - **I95-58444 DSCP steering is not correctly using revertible-failover:** Resolved an issue where DSCP Steering on child services were not using learned peer routes from the parent service. DSCP steering child services now properly utilize revertible-failover resiliency policies. ------ -- **I95-58528 SSR OS renaming:** The SSR OS version has been updated from "CentOS" to "Oracle Linux" to accurately reflect its upstream Linux distribution. All internal naming has been updated. +- **I95-58528 SSR OS renaming:** The SSR OS has been renamed/rebranded from "CentOS7" to "SSR OS" to more accurately reflect its customized Linux distribution. All internal naming has been updated. ------ - **I95-58539 The `validate` command does not check or test for router `applies-to` config:** Resolved an issue whereby the DHCP relay inspector rule was not honoring router-based services for interfaces without DHCP relay. Errors from this rule are now warnings. 
------ -- **I95-58583 Bypass message-authentication in RADIUS:** An option to to bypass the requirement for the Message-Authenticator check in RADIUS requests and responses has been added. Disabling this check is considered unsafe and will allow for vulnerabilities to be exploited for users authenticating. Disabling this check is NOT recommended, but may be necessary for some backwards compatibility scenarios. ------- +- **I95-58583 Bypass message-authentication in RADIUS:** An option to bypass the requirement for the Message-Authenticator check in RADIUS requests and responses has been added. Disabling this check is considered unsafe and will allow for vulnerabilities to be exploited for users authenticating. Disabling this check is NOT recommended, but may be necessary for some backwards compatibility scenarios. +------ - **I95-58637 Relax API RBAC policies for quickstart files:** Users with config-read permissions are now able to generate quickstart files. ------ - **I95-58722 Update allowed Key Exchange Algorithms to add better support for Gov Cloud environments:** Expand the list of supported Key Exchange Algorithms in both FIPS and non-FIPS mode. 
@@ -95,7 +95,7 @@ This issue will be corrected in an upcoming release. ------ - **I95-59431 MTU mismatch on PPPoE interfaces:** Resolved an issue where the namespace target KNI resource incorrectly sets target-interface MTU based on network-interface maximum MTU. This issue was encountered with restarts of the 128T service. ------ -- **I95-59477 Race condition can lead to highway crash on HA node when application identification is enabled:** Resolved an issue in dual node High Availability configurations, highway crashes happen when `node1` does not successfully classify during the TCP handshake, but `node2` does successfully classify. See I95-59563, I95-59618 below for additional information. +- **I95-59477 Race condition can lead to highway crash on HA node when application identification is enabled:** In dual node High Availability configurations, highway crashes happen when `node1` does not successfully classify during the TCP handshake, but `node2` does successfully classify. This issue is currently under investigation and will be resolved in an upcoming release. For this release, defensive code has been added to preserve the session state and avoid a crash. ------ - **I95-59537, I95-59551 Apply `ingress-source-nat-pool` to local breakout sessions:** Resolved an issue where `ingress-source-nat-pool` was only applied to SVR sessions. The `ingress-source-nat-pool` has been updated with the `applies-to-local-breakout` flag. ------ 
@@ -118,15 +118,14 @@ This issue will be corrected in an upcoming release. ------ - **I95-55982 X722 interface MAC being set to 00:00:00:00:00:00 on SSR1300/SSR1400:** Identified an issue where the MAC address would change during a power cycle. Another power cycle can restore the MAC to its previous value. An upgrade to the X722 firmware addresses this issue. NOTE: A power cycle is required as part of the firmware flashing sequence. All power feeds must be manually disconnected and reconnected to cycle it correctly. ------ -- **I95-57128 Slow inter-vlan traffic due to i40e performance issue:** Resolved an issue where devices controlled by i40e driver (x710, x722) were incurring 8ms (8000us) latency due to an incorrect MAX value. This has been resolved and latency reduced to 32us. +- **I95-57128 Inter-VLAN traffic slow:** Identified an issue where devices controlled by the i40e driver (x710, x722) were incurring 8ms latency due to incorrectly setting a device throttling register to a MAX of 8ms. This has been reduced to 32us to resolve the issue. ------ - **I95-57538 WayPoint exception - failing to allocate waypoint ports on mesh peer re-establishment:** Resolved an issue where a configuration change may cause existing waypoint ports to become invalidated, creating an exhaustion scenario. ------ -- **I95-57712 DSCP steering issue with outbound traffic:** Resolved an issue with processing reverse pinhole packets when DSCP steering is enabled. -------- +- **I95-57712 DSCP steering issue with outbound traffic:** Resolved an issue with processing reverse pinhole packets when DSCP steering is enabled. - **I95-57730 Peer Service Next Hops Not Reloaded After Provisional Status Change:** Resolved an issue where a `bgp-over-svr service-route` does not failback to primary node on a `provisional-status` change. ------ -- **I95-58201 Increase AMD performance:** Throughput performance on AMD processors has been improved through the tuning of some kernel parameters. 
+- **I95-58201 Throughput Performance Improvements Across Platforms:** Kernel parameter tuning has improved throughput performance on most AMD and Intel platforms (excluding Intel Atom), with the greatest gains on AMD processors. This includes Juniper-branded platforms like the SSR1200 and SSR1500, as well as cloud instances, VM hosts, and other hardware configurations. ------ - **I95-58264 EoSVR session breaks after upgrading:** Resolved an issue where a high number of STEP route updates carried in an FPM message disconnected the Routing manager to agent connection. This has been resolved by limiting the max number of STEP paths in a single STEP route. ------ 
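Review bot: The malformed `-------` separator after the I95-57712 entry is deleted instead of being corrected, so I95-57712 and I95-57730 now run together with no rule between them (the hunk goes from 15 lines to 14). Elsewhere in this patch the same malformed separator is replaced with `------`; do that here as well.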
@@ -146,9 +145,9 @@ This issue will be corrected in an upcoming release. ------ - **I95-49218 Filter OSPF routes using RIB Policy routes:** Use the `configure authority router routing rib-policy` command from either the routing default-instance (`configure authority router routing`) or inside `configure authority router routing vrf` to provide additional filtering for OSPF routes. For more information see [`configure authority router routing rib-policy`](config_command_guide.md#configure-authority-router-routing-rib-policy) and [`configure authority router routing vrf rib-policy`](config_command_guide.md#configure-authority-router-routing-vrf-rib-policy). ------ -- **I95-49712 Config Validation Error uniformative:** Resolved an issue where paths pointing to missing keys or elements returned error messages that did not provide recognizable information. Now the error message provides key or element names. ------- -- **I95-50697 RFC1918 sessions (private IP addresses) are reclassified in error:** When a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will now only be reclassified if the classification data reflects a positive classification change. +- **I95-49712 Configuration validation error uniformative:** Resolved an issue that when configuring an SSR, invalid configuration parameters were returning errors that were not specific enough to allow the user to locate the invalid configuration. Now when invalid configuration elements are identified during validation, the messages include relevant information for the invalid element, such as an IP address, node name, router name, interface names, etc. +------ +- **I95-50697 Private RFC1918 Web Applications ignored by Mist when collecting SLE data:** Handling of RFC1918 traffic classification returned a private domain causing an undesirable clumping of session stats. 
With the new behavior, when a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will only be reclassified if the classification data reflects a positive classification change. ------ - **I95-52251 Changes to the conductor address on the router result in loss of ssh connection to the router:** Resolved an issue where changing the router level `conductor-address` did not update the salt-created services with the new addresses. ------ 
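Review bot: The added I95-49712 title still carries the typo "uniformative"; since the line is being rewritten, make it "uninformative". The new body also opens with "Resolved an issue that when configuring an SSR", which does not parse; "Resolved an issue where, when configuring an SSR, invalid configuration parameters returned errors ..." reads cleanly and says the same thing.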
@@ -158,23 +157,23 @@ This issue will be corrected in an upcoming release. ------ - **I95-55550 Abrupt power failure may result in filesystem corruption:** Multiple disk errors caused corruption on the 128T_root filesystem causing it to enter read-only mode and becoming non-responsive. To resolve this issue, the filesystem triggers a kernel panic, launching a reboot and in HA systems, failover. Additionally, the filesystem check is run to check and repair the filesystem. ------ -- **I95-55603 HA router stuck in connected state due to runtime corruption issue:** Resolved an issue causing an unzip race condition with Python files. The packaging and installation process has been improved to prevent this issue. +- **I95-55603 HA router stuck in connected state due to runtime corruption issue:** Resolved an issue with an unzip race condition with Python files. The packaging and installation process has been improved to prevent this issue. ------ -- **I95-55725 Highway crashes when peer-path routers are removed:** Resolved a race condition that could cause a crash in the highway worker-core packet-processor if peer routers are removed from the configuration. +- **I95-55725 Highway crashes when peer-path routers are removed:** Resolved a race condition that could cause a crash in the forwarding plane (highway) if peer routers are removed from the configuration. ------ - **I95-55912 Validate Patterns for Service Domains and URLs:** The `url` and `domain-name` fields on a service were an unformatted string. This allowed you to configure fields that would be silently discarded. The `domain-name` and `url` fields within services are now validated for correctness and viability from an App-ID perspective. Anything to be ignored during validation now triggers a config warning. ------ -- **I95-55965 IDP engine not starting due to invalid environmental conditions:** In cases where a container/csrx does not shut down cleanly, the IDP engine does not start. 
These conditions are now detected, and a force stop/remove of the container is implemented. +- **I95-55965 IDP engine not starting due to invalid environmental conditions:** In cases where the IDP engine does not shut down cleanly, the IDP engine will fail to restart. These conditions are now detected and handled correctly. ------ -- **I95-56127 Excessive CPU utilization on systems with a large number of KNI interfaces:** Relaxed KNI scheduling to improve CPU utilization. +- **I95-56127 Changes to KNI device driver increased CPU load per KNI device:** Added KNI module tuning, and excessive CPU usage by idle KNI devices has been alleviated. ------ -- **I95-56203 FAI scan archives in `/var/log/128technology` have zero-byte length:** Corrected log rotate function to prevent file truncation. +- **I95-56203 The First Article Inspection (FAI) scan archive is empty:** Resolved an issue with `logrotate` clearing all the FAI scan archives. This was due to each archive having a unique name using a timestamp. A different service is now used to rotate the FAI scan files. ------ -- **I95-56236 Quick Start config validation failures not being reported:** Made changes to the initialization process such that quick start errors can be reported. +- **I95-56236 Routers unable to onboard after upgrading the Conductor:** Resolved an issue where the automated provisioner and the Quickstart processes overlapped, preventing the device state from being reviewed for errors, which stopped the onboarding process. ------ - **I95-56263 Add `show capacity`, and debugging commands to the TSI output:** Support for additional information in the TSI output has been added. ------ -- **I95-56292 Increase the length of SSH keys to 4096:** The size of the Salt and 128T SSH keys has been changed to 4096 bits for newly deployed systems. +- **I95-56292 Increase the length of SSH keys to 4096:** The size of the Salt and SSH keys has been changed to 4096 bits for newly deployed systems. 
------ - **I95-56317 Journal logs missing from Conductors running 6.2.3:** An issue related to a typo was creating zero byte files when downloading journal logs using the GUI. ------ @@ -194,7 +193,7 @@ This issue will be corrected in an upcoming release. ------ - **I95-56541 Include kernel journal entries in TSI:** A separate `kernel.log` journal file is now created in the TSI output. ------ -- **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The `ComponentDiskUtilizationMonitor` checks the disk usage too frequently and is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. +- **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The disk monitoring agent polling frequently is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. ------ - **I95-56600 Add `show tenant members` to the TSI output:** `show tenant members` and additional network scripts have been added to the TSI output. ------ 
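Review bot: In the I95-56575 entry, the added sentence "The disk monitoring agent polling frequently is inefficient" is ungrammatical and also drops the `ComponentDiskUtilizationMonitor` name that the removed line gave. Suggest "The disk monitoring agent polled disk usage too frequently and inefficiently", and consider keeping the component name in backticks so the entry can still be matched against what operators see in logs.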
@@ -234,9 +233,9 @@ This issue will be corrected in an upcoming release. ------ - **I95-57082 Unable to delete a capture-filter that contains a forward slash (/):** This issue has been resolved. ------ -- **I95-57099 BFD Session timeout discovered:** Resolved an issue where BFD sessions were deleted prematurely. +- **I95-57099 Race condition causing crash in highway process when peer path timers expire:** Resolved an issue with handling BFD timers in multi-threaded environments. ------ -- **I95-57110 Crash seen during add and delete peers while sending traffic:** A race condition has been fixed that could cause a crash in the packet-processing highway process if a peer-path is removed from configuration. +- **I95-57110 Crash seen during add and delete peers while sending traffic:** A race condition has been fixed that could cause a crash in the forwarding plane (highway) process if a peer-path is removed from configuration. ------ - **I95-57114 Unable to upgrade AWS Conductor:** Resolved an issue where an incorrect package version was installed, triggering a downgrade and preventing the upgrade. ------ 
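Review bot: The I95-57099 rewrite replaces the observable symptom with a different one: the removed line describes BFD sessions being deleted prematurely, while the added title and body describe a crash in the highway process when peer path timers expire. If both were effects of the same defect, keep the BFD session symptom in the body so someone searching the notes for early BFD session loss still finds this entry.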
@@ -281,7 +280,7 @@ These counters are available per-bond-member. - **The following CVE's have been identified and addressed in this release:** CVE-2023-38406, CVE-2023-38407, CVE-2023-47234, CVE-2023-47235, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2024-20952, CVE-2023-40217, CVE-2023-20569, CVE-2022-43552, CVE-2023-48795, CVE-2023-2176, CVE-2023-40283, CVE-2023-4623, CVE-2024-22019, CVE-2023-46724, CVE-2023-46728, CVE-2023-49285, CVE-2023-49286, CVE-2023-50269, CVE-2024-25617. ------ -- **I95-53523 Bond interface shut down generates errors:** Resolved an issue where the device interface clean up process was out of order and generated a detach failure. +- **I95-53523 LAG interface unbind errors following shutdown of the 128T service:** The order in which a LAG interface is broken down and cleaned up after shutdown has been optimized and errors resolved. ------ - **I95-53565 Port state of LAG members not dynamically updated:** Resolved an issue where enabling or disabling a bond member port does not update the status until the 128T service is restarted. The adminisrative enable and disable now works as expected. ------ 
@@ -307,7 +306,7 @@ These counters are available per-bond-member. ------ - **I95-55444 ICMP probe stats missing per service route:** Statistics were not available for ICMP probes that did not meet SLA per service route. These stats have been added. ------ -- **I95-55467 Incorrect VLAN Tagging in Azure HCI Stack with Hyper-V Hypervisor:** When using VLANs on Azure HCI Stack with Hyper-V, bit shifting occurs resulting in incorrect VLAN tags. This has been resolved for **non-accelerated NICs** by adding handling for the VLAN tags on Azure HCI. However, this issue is still present when using accelerated mode with the Azure HCI Stack with Hyper-V. The current solution is to **not** use accelerated mode if configuring VLAN interfaces. +- **I95-55467 Incorrect VLAN Tagging in Azure HCI Stack with Hyper-V Hypervisor:** When using VLANs on Azure HCI Stack with Hyper-V, bit shifting occurs resulting in incorrect VLAN tags. This has been resolved for **non-accelerated NICs** by updating the DPDK and adding handling for the VLAN tags on Azure HCI. However, this issue is still present when using accelerated mode with the Azure HCI Stack with Hyper-V. The current solution is to **not** use accelerated mode if configuring VLAN interfaces. ------ - **I95-55562 BGP aggregate on router and in Mist intent may cause rare race condition:** Resolved a rare edge case: If an aggregate (summary) is configured in BGP, (e.g., 10.0.0.0/8), and that same prefix also exists as a BGP route present in the network, a race condition may occur and the router with the aggregate configuration may not originate the aggregate. ------ 
@@ -328,10 +327,10 @@ These counters are available per-bond-member. - **I95-55830 Rollback results in missing Admin user:** Resolved an issue where HA nodes running mixed versions of 5.6.0 or greater with versions less than 5.6.0, the admin user could be temporarily removed until both nodes were upgraded or rolled back to the same version. ------ - **I95-55850 Changing the name of a `bond-interface` fails:** Resolved an issue where changing the name of a `bond-interface` required a restart to take effect. ------- +------ - **I95-55904 No service-paths seen after upgrade:** Resolved an issue where adding services with overlapping address prefixes prevented the configuration from being applied. For additional details, refer to the Knowledge Base article [Upgrade from 5.6 to 6.1 may result in missing FIB entries](../kb/2024/04/24/I95-55904). ------ -- **I95-55949 Silicom Valencia Atom C1130 CPU flags are not properly detected:** Resolved an issue where the `cpuinfo` parser fails due to a collision between the processor key name and value - the Silicom Valencia model name in the `cpuinfo` contains the word ‘processor’. +- **I95-55949 Silicom Valencia Atom C1130 CPU flags are not properly detected:** Resolved an issue where the `cpuinfo` parser fails due to a collision between the processor key name and value - the Silicom Valencia model name in the `cpuinfo` contains the word `processor`. ------ - **I95-56127 Changes to KNI device driver increased CPU load per KNI device:** Added KNI module tuning, and excessive CPU usage by idle KNI devices has been alleviated. ------ 
@@ -355,9 +354,9 @@ These counters are available per-bond-member. ------ - **I95-50697 Private RFC1918 Web Applications ignored by Mist when collecting SLE data:** Handling of RFC1918 traffic classification returned a private domain causing an undesirable clumping of session stats. With the new behavior, when a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will only be reclassified if the classification data reflects a positive classification change. ------ -- **I95-51663 TCP port reuse causes crash during application steering:** Resolved an issue where TCP state transitions was causing an issue with the client reusing ports. +- **I95-51663 TCP port reuse causing application steering crashes:** Resolved an issue where backwards state transitions was causing an issue with the TCP client reusing ports. ------ -- **I95-52250 Security Package Update:** Updates have been made to Intrusion Detection and Prevention (IDP). +- **I95-52250 Security Package Update:** Intrusion Detection and Prevention (IDP) signatures have been updated. ------ - **I95-52500 SVR Multi Hop Failover:** Added a session lookup by session-ID to resolve a situation where sessions failing between multi-hop SVR and direct SVR connections may lead to duplicate flow exceptions and dropped traffic. ------ 
@@ -369,7 +368,7 @@ These counters are available per-bond-member. ------ - **I95-54271 Race condition during a configuration change related to source NAT leading to crash:** Resolved a rare condition where the NAT pool was being reset while it was accessed for session setup. This caused a race condition that led to a highway process crash. ------ -- **I95-54340 Hub-to-spoke sessions break when failing over from outbound-only path:** When a session modify occurs due to an ingress change (inter-node -> inter-router) AND an egress change is also detected, the incorrect security was being looked up for the old flow, causing an exception to be thrown and the modify to fail. This would present itself as dropped packets and in logs as a SecurityNotFound error. This issue has been resolved. +- **I95-54340 Hub-to-spoke sessions fail during failover from outbound-only path:** When a session modify occurs due to an ingress change (inter-node -> inter-router) AND an egress change is also detected, the incorrect security was looked up for the old flow, causing an exception to be thrown and the modify to fail. This would present itself as dropped packets and in logs as a SecurityNotFound error. This issue has been resolved. ------ - **I95-54512 SSR-130 reconfigured to join an HA cluster does not come up properly:** Resolved an issue where the generation of an improper configuration could lead to a crash loop in the NodeMonitor process. ------ 
@@ -383,17 +382,17 @@ These counters are available per-bond-member. ------ - **I95-54909 Alarm when websense connection is down:** An alarm has been added to indicate that the connection to the Websense URL is down or responds with a 5xx error. ------ -- **I95-54927 Receiver can join stream without any tenant assigned to interface:** This issue has been resolved. Multicast boundaries have been added to block all multicast addresses on interfaces that do not match the multicast service access-policy. +- **I95-54927 Receiver can join stream without any tenant assigned to interface:** This issue has been resolved by creating multicast boundaries in the routing engine to block all multicast addresses on interfaces that do not match the multicast service access-policy. ------ - **I95-55002 Password reset loop:** Resolved an issue that caused users created with the **Require password change on first login?** set to `yes` to get stuck in an infinite loop of password changes when logging in using the GUI. ------ - **I95-55069 One HA node is missing from the Mist GUI:** Resolved an issue where a managed router had an empty product version config metadata field, which resulted in the conductor version metadata field being cleared. ------ -- **I95-55208 `state.apply` hangs and device does not get to the `running` state:** In certain cases the `highstate` prevents `rpm -q` from running. This issue has been resolved by instituting a timeout for `rpm -q` in highstate. +- **I95-55208 Asset fails to transition state:** In certain cases when the RPM database is corrupted or another process holds its lock indefinitely, the highstate can block forever running rpm -q. Since other highstate attempts see an existing highstate job, they don't try to do anything else and the asset stays stuck like that forever without manual intervention. 
------ - **I95-55244 Unable to initialize DPDK; SSR does not start:** Resolved an issue with the way the initializer identified the amount of memory in the processor. The initializer is now more NUMA aware when sizing the number of hugepages on a system. ------ -- **I95-55261 Only run `validate` for plugins on the Conductor:** Resolved an issue where the plugin validator was running on routers. +- **I95-55261 Config validation incorrectly being run on router:** Resolved an issue where the plugin validator was running on routers. Validate is now correctly run only on the conductor. ------ - **I95-55270 DHCP server not coming up:** Resolved an issue where a network namespace was using a namespace ID that was not cleaned up properly after removal. ------ 
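Review bot: The new I95-55208 text describes the failure but no longer states the fix: the removed line ended with "This issue has been resolved by instituting a timeout for `rpm -q` in highstate", and the added line stops at "stays stuck like that forever without manual intervention". Add the resolution sentence back, and restore the backticks around `rpm -q`, which the added line renders as plain text.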
@@ -425,13 +424,13 @@ These counters are available per-bond-member. - **The following CVE's have been identified and addressed in this release:** CVE-2022-42896, CVE-2023-1281, CVE-2023-1829, CVE-2023-2124, CVE-2023-2194, CVE-2023-2235, CVE-2022-41974, CVE-2023-32360, CVE-2023-22045, CVE-2023-22049, CVE-2020-12321, CVE-2022-41742, CVE-2022-41741, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-3341, CVE-2023-22081, CVE-2022-0934, CVE-2023-46847. ------ -- **I95-38188 Re-Homing an SSR in certain circumstances leaves residual services:** If an SSR is rehomed from an HA conductor to a standalone conductor, the services pointing to the second node of the HA conductor were not removed. Resolved the issue where the reverse SSH tunnels from a managed router to the second HA conductor node were not cleaned up if the conductor was converted back to a standalone conductor. +- **I95-38188 Repurposing an HA conductor to a standalone conductor left services for the second conductor:** Resolved an issue where the reverse SSH tunnels from a managed router to the second HA conductor node were not cleaned up if the conductor was converted back to a standalone conductor. The salt states now stop services to a second conductor when it is removed from the HA configuration. ------ - **I95-42466 Changing the PCI address of an HA interface breaks HA:** Resolved an issue where moving a non-forwarding fabric HA sync device-interface from one PCI address to another PCI address would not properly clean up the team interface from the old PCI address. ------ - **I95-48783 Conductor process logs are unbounded, risking storage exhaustion:** `auditd` logs consuming the disk space when the node monitor is in a disconnected state and the audit logs are left unconsumed. There was a limit to the log file size, but not the number of files. The number of files is now limited. 
------ -- **I95-50493 Memory calculation for alarms is confusing:** This alarm was designed to trigger when memory usage went above 90% and clear only when memory usage went below 80%, causing confusion. The memory usage alarm no longer requires memory usage to go below 80% to clear; it will clear when memory usage goes below 90%. +- **I95-50493 Memory calculation for alarms is confusing:** This alarm was designed to trigger when memory usage went above 90% and clear only when memory usage went below 80%, causing confusion. Memory usage alarm no longer requires memory usage to go below 80% to clear; it will clear when memory usage goes below 90%. ------ - **I95-50537 Detect and log invalid TCP establishment flags:** TCP packets with illegal flag combinations are dropped before they can set up a session, rather than after. ------ 
@@ -439,16 +438,15 @@ These counters are available per-bond-member. ------ - **I95-51191 BFD metrics not cleaned up properly:** The BFDAgent holds onto the stats for peer paths; If the config is changed on a router, new stats are made but the old ones were not being deleted. The old BFD by-peer-path stats are now deleted when a VLAN configuration change is made. ------ -- **I95-51459 Logs and exception pcaps are periodically filled with error logs and truncated packets:** Resolved an issue where ICMP error respond packets for encapsulated traffic caused `PacketBufferDataNotFound: Could not find specified data in packet` error logs to be generated, or truncated packets to arrive in the FastLane exceptions pcap. +- **I95-51459 Logs and exception pcaps are periodically filled with error logs and truncated packets:** Resolved an issue where ICMP error response packets for encapsulated traffic caused `PacketBufferDataNotFound: Could not find specified data in packet error logs` to be generated, or truncated packets to arrive in the FastLane exceptions pcap. ------ -- **I95-51864 Ethernet Over SVR (EoSVR) not working for multi-hop SVR scenarios:** When EoSVR traffic traverses over a dogleg path in a HA node topology, traffic failed to traverse the middle node. EoSVR packets are no longer incorrectly dropped when routed over an inter-node path when coming from an SVR path. +- **I95-51864 Ethernet Over SVR (EoSVR) not working for multi-hop SVR scenarios:** When EoSVR traffic traverses over a dogleg path in a HA node topology, traffic failed to traverse intermediate nodes. EoSVR packets are no longer incorrectly dropped when routed over an inter-node path when coming from an SVR path. ------ - **I95-52018 Overlapping IP Prefix validation may be incorrect, causing a false configuration warning:** Configuration validation for IP Prefixes has been corrected. 
------ - **I95-52414 RBAC not being honored for `show fib` output:** Resolved an issue where `show fib` included entries that the current user did not have permission to view. ------ - **I95-52498 AppID allows session when it should be blocked:** When utilizing the Application Identification functionality, a TCP reset is now sent to clients to correct this behavior. -------- - **I95-52615 Set TTL multi-hop range correctly:** The TTL multi-hop field allowed a value of 0, but had no impact. The range has been corrected to 1-255, and no longer accepts a value of 0. ------ - **I95-52855 DHCP Relay stopped functioning after removing disabled DHCP Servers:** When a number of disabled DHCP servers were deleted from the configuration, the server interface mappings were deleted as well. Updates have been made to re-enable DHCP relay when a DHCP server or interface is removed. 
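Review bot: In the I95-51459 entry the closing backtick has moved, so the code span now reads `PacketBufferDataNotFound: Could not find specified data in packet error logs`; the words "error logs" are prose, not part of the log message, and the span should end after "packet" as it did in the removed line. Also, the `-------` separator after I95-52498 is deleted rather than corrected to `------`, leaving I95-52498 and I95-52615 without a rule between them.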
@@ -464,10 +462,10 @@ These counters are available per-bond-member. - **I95-53000 Process highway disconnected messages caused by NIC driver bug:** The DPDK driver code for the Broadcom NICs contained a bug that caused the querying of the extended statistic to fail. The Broadcom NIC driver has been upgraded to resolve the issue. ------ - **I95-53002 NTP setup check fails on startup:** Resolved an issue in the NTP startup sequence, due to an incorrect path for the NTP configuration. ------- +------ - **I95-53009 RPM signature verification missing for all artifacts:** Verification for all ISO RPMs has been added. ------ -- **I95-53015 Highway log fills with `INFO (divertedPackeTP) icmp response packet failed` messages when the BFD peer is down:** This message is informational and is now logged appropriately. +- **I95-53015 Highway log has large number of unnecessary INFO messages:** A previous log message of icmp response packet failed was incorrectly logged at INFO level. It is neither an error nor actually informational, and has now been downgraded to DEBUG level. ------ - **I95-53105 Conductor to router API RBAC rules not being followed:** Resolved an issue where the user is getting elevated to admin on the managed router, thus returning more data than necessary. ------ 
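Review bot: The I95-53015 body quotes the log message without any code formatting, so "A previous log message of icmp response packet failed was incorrectly logged at INFO level" is hard to parse. Put the message text in backticks, as the removed title did with `INFO (divertedPackeTP) icmp response packet failed`, so operators can still search the notes for the exact string they see in the highway log.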
@@ -486,7 +484,7 @@ These counters are available per-bond-member. - **I95-53288 Fetching detailed bond info from the conductor for routers fails:** The conductor was incorrectly posting a `JSONDecodeError` when trying to parse bond information that was missing from the router response. This issue has been resolved. ------ - **I95-53321 Syslog datamodel is limited:** Added the following configurable syslog facility values `auth`, `authpriv`, `cron`, `daemon`, `kern`, `lpr`, `mail`, `news`, `syslog`, `user`, and `uucp`. ------ +------ - **I95-53344 Exception on device interface tear down terminates process:** Resolved a rare case where Highway process can terminate and core during config changes if there is an underlying exception to a device-interface on removal. ------ - **I95-53358 Disable/enable of LACP takes the Bond interface down:** Dynamic reconfiguration has been enhanced to support LACP enable/disable while traffic flows by removing the dedicated queue flow (for LACP) when removing a member from bond. 
@@ -497,7 +495,7 @@ These counters are available per-bond-member. ------ - **I95-53538 Custom audit rules not preserved on SSR upgrade:** Resolved an issue where the image-based upgrade (IBU) was not preserving audit rules or `dnf.conf`. ------ -- **I95-53641 BGP routes between peers do not immediately transition to the Connected state:** A change has been made to reduce the time that BGP routes learned from a BGP over SVR neighbor are withdrawn when the peer paths are lost to the neighbor. +- **I95-53641 BGP between peers does not immediately transition to the Connected state:** A change has been made to reduce the time that BGP routes learned from a BGP over SVR neighbor are withdrawn when we lose all peer paths to the neighbor. ------ - **I95-53787 Stats not present on conductor:** Running `show device-interface router all` on a conductor caused stats (in-octets, in-unicast-pkts, etc...) to be incorrectly displayed as "n/a" instead of the correct value. This issue has been resolved. ------ 
@@ -521,7 +519,7 @@ These counters are available per-bond-member. ------ - **I95-54051 Broadcom driver causing memory corruption, leading to a system fault:** Updated the driver support for BNXT NICs. ------ -- **I95-54086 Conductor memory exceeded:** In certain cases the salt master on the conductor could grow indefinitely in memory. This may be related to situations with both poor connectivity and the use of the `asset-connection-resiliency` feature. An update to the salt package has been made to resolve this issue. +- **I95-54086 Conductor memory exceeded:** In certain cases, the salt master on the conductor could grow indefinitely in memory. This may be related to situations with both poor connectivity and the use of the asset-connection-resiliency feature. An update to the salt package has been made to resolve this issue. ------ - **I95-54091 Software Lifecycle History page does not load:** A time selector has been added to allow the user to provide parameters around the amount of data that is loaded. ------ 
@@ -571,7 +569,7 @@ These counters are available per-bond-member. ------ - **I95-50708 Time series data for memory of the salt_master process periodically significantly decreases:** Incorrect method for polling application memory data; this resulted in dips in application memory being presented. This issue has been resolved. ------ -- **I95-51336 App-ID stats entry not getting cleaned up after expiration:** In some cases, a session may not have installed correctly, preventing the expired App-ID stats from being removed. The App-ID stats entries are now cleaned up appropriately. +- **I95-51336 App-ID memory leak for some uncommon cases, such as duplicate flow:** Resolved an issue where the `app-id stats` entry was not added to the `Expiring` list to be cleaned up. ------ - **I95-51450 Support for 100/Full Speed/Duplex on Intel I225-V Driver NICs:** The DPDK driver has been updated to allow fixed speed and duplex configuration to work with IGC i225 NICs. ------ 
@@ -636,8 +634,7 @@ This issue has been resolved; the LTE IP change is now handled it as a source-na ### Caveats -- **I95-52426 Incorrect behavior when configuring an IDP custom rule definition:** In a case where a user is modifying a rule to **decrease** the action type to an `alert`, alerts for that vulnerability will not work. The attack will be allowed to pass through undetected. For example, if the action `close-tcp-connection` is downgraded to `alert`, the attacks will pass through undetected. -This issue is actively being addressed, and will be resolved in an upcoming patch release. If you need to use this specific functionality, we recommend creating a custom exception rule specifying the source and destination IP address, along with the vulnerability name, rather than downgrading a vulnerability to an `alert`. +- **I95-52426 Alerts not issued when decreasing the action type on an IDP custom rule definition:** In a case where a user is modifying a rule to **decrease** the action type to an `alert`, alerts for that vulnerability will not be reported. The attack will be allowed to pass through undetected. For example, if the action `close-tcp-connection` is downgraded to `alert`, the attacks will pass through undetected. ------ - **I95-53124 Sessions destined to private IP address (RFC1918) are incorrectly reported using the application name as the service name:** We have identified an issue where sessions destined to private IP address (RFC1918), are incorrectly reported with the application name as the service name, even if the traffic is HTTP/HTTPS. Session traffic continues to follow the appropriate service / routing profile, but the stats reported may not accurately reflect the learned applications. This is actively being addressed and will be resolved in a future patch. ------ 
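Review bot: The I95-52426 caveat loses its workaround and its resolution status: the removed lines recommended creating a custom exception rule with source and destination IP address and vulnerability name instead of downgrading to `alert`, and said a fix was coming in a patch release, while the added line only states the problem. For a caveat whose effect is that attacks "pass through undetected", the mitigation guidance should stay. The new title ("Alerts not issued") also understates the body, which says the traffic itself is allowed through; align the two.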
@@ -687,7 +684,7 @@ This issue is actively being addressed, and will be resolved in an upcoming patc ------ - **I95-47960 Incorrect progress message for `show dns resolutions`:** The progress message for this command now correctly displays `Retrieving dns resolutions...`. ------ -- **I95-49587 ICMP session classification improvement:** The application lookup for ICMP sessions now accurately identifies the correct service. +- **I95-49587 ICMP session classification improvement:** The application lookup for ICMP sessions has been optimized to accurately identify the correct service. ------ - **I95-49598 Automatically choose the number of session-processor threads:** If session-setup-scaling is provisioned to true, the SSR will now automatically determine the number of threads to use for session processing. ------ @@ -743,7 +740,6 @@ This issue is actively being addressed, and will be resolved in an upcoming patc - **I95-51788 Path index is not displayed correctly for `show sessions by-id`:** `show sessions by-id` has been updated to display MTU and PathIndex. ------ - **I95-51792 Low MTU threshold causing metadata fragmentation:** Fixed the incorrect handling of packets where metadata is fragmented due to unreasonably low MTU, causing the packet buffers to become exhausted. ------ - **I95-51793 Path MTU discovery dropping very low:** Fixed PMTU discovery from ever resolving to an unreasonably low MTU, which could previously occur during a link flap event. ------ - **I95-51794 Core dump on systems with greater than 10 physical interfaces, such as Lenovo SR-650:** Resolved an issue where the SR-650 was crashing due to uninitialized flags field. Support has been added for these devices. 
@@ -762,11 +758,7 @@ This issue is actively being addressed, and will be resolved in an upcoming patc ### Caveats -- **I95-52426 Incorrect behavior when configuring an IDP custom rule definition:** In a case where a user is modifying a rule to **decrease** the action type, for example, the action `close-tcp-connection` is downgraded to `alert`, this may impact other rules, and some attacks may pass through undetected. - - **Example:** If `HTTP:SQL:INJ:HEADER-1` is excluded from the ruleset, some other `HTTP` attacks may pass through undetected. **This behavior only occurs when decreasing the action type in the rule;** i.e.; the action `close-tcp-connection` is downgraded to `alert`. - - This issue is actively being addressed, and will be resolved in an upcoming patch release. If you need to use this specific functionality, we recommend avoiding this configuration and waiting for the SSR 6.1.5 patch release. +- **I95-52426 Alerts not issued when decreasing the action type on an IDP custom rule definition:** In a case where a user is modifying a rule to **decrease** the action type to an `alert`, alerts for that vulnerability will not be reported. The attack will be allowed to pass through undetected. For example, if the action `close-tcp-connection` is downgraded to `alert`, the attacks will pass through undetected. ------ - **I95-53777 Multicast traffic not passing after HA Failover:** High Availability with Multicast is not fully supported. Drop or complete loss of traffic may be seen when the primary node resumes traffic after a node failure and failover. 
@@ -776,7 +768,7 @@ This issue is actively being addressed, and will be resolved in an upcoming patc ### Resolved Issues -- **I95-48931 Service area Highway crash:** Now prevents crashing in SSR's highway process in unusual race conditions when a session's flow is removed before the session is fully established. +- **I95-48931 Service area Highway crash:** Now prevent crashing in SSR's highway process in rare race conditions when a session's flow is removed before the session is fully established. ------ - **I95-50722 Highway crashes during session migration:** Resolved a crash in the SSR's highway process, due to a race condition between configuration changes and BFD sessions. ------ 
@@ -795,7 +787,7 @@ This issue is actively being addressed, and will be resolved in an upcoming patc - **I95-48862 Load balance sessions across BGP RIB Entries with multiple paths:** Resolved an issue when BGP was used to build a routing table, only the first next hop was used. All next hops are now used, and load balancing occurs over all routing protocol routes. ------ - **I95-50510 New fields for IPFIX:** The SSR IPFIX implementation was not sending the industry standard fields of `flowStartMilliseconds` and `flowEndMilliseconds`. In the new implementation, all IPFIX records include these fields. The start time is set to the start time of the flow, and the end time is always set to the time the last packet was received on the flow. For intermediate records, this indicates that the flow is still ongoing but provides the last activity timestamp. For the end records, this indicates when the last packet was received on the flow prior to the session terminating. For additional information, see [IPFIX](concepts_application_discovery.md#ipfix). ---- +------ - **I95-50571 Add packet buffer tracking to help analyze buffer exhaustion:** The following features have been added to help diagnose frequent packet buffer pool depletions in customer environments: - Track packet buffer locations. - Enforce setting of packet location. 
@@ -821,11 +813,11 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-49969 Permission Denied error when attempting to self-generate a webserver certificate:** Resolved an issue that prevented users with the admin role from creating a new self-signed web certificate via the PCLI command `create certificate self-signed webserver`. ------ -- **I95-49974 Stuck flow not cleared when reverse metadata is incomplete:** Resolved an issue where reverse metadata is coming through incomplete - without the source tenant. The source tenant has been added to the reverse metadata. +- **I95-49974 Stuck flow is not clearing when the reverse metadata is incomplete:** Added the source tenant to the reverse metadata to prevent the metadata parsing exception. ------ - **I95-50363 MOS Metrics not refreshing:** Resolved an issue where the SLA and MOS values were not being updated in the stats (or PeerPathTable) when a BFD session was brought down. The SLA and MOS stats are now set to 0 when the BFD session is brought down. ------ -- **I95-50543 systemd unable to start 128T after upgrade:** This issue has been resolved by ensuring that the netfilter kernel is installed. +- **I95-50543 SSR may not start after upgrade:** A race condition during startup may cause some services to start out of order, causing the SSR to not start. A reboot is required to start the system normally. ------ - **I95-50710 Configuration cannot be applied to router when its time is ahead of the conductor:** Implemented time detection for configurations using a future time that is corrected upon commit. This resulted in an `mtime` older than what is in the datastore, and the configurations were rejected. ------ 
@@ -843,15 +835,33 @@ and there are established flows for any of these services, a link flap triggerin ------ - **I95-50979 Routers remain in connected state:** Resolved an issue where assets will perform a new highstate unnecessarily if a commit occurs while a highstate is already in progress, causing assets to take a long time to get to the running state. ------ -- **I95-51006 Nodes stuck in connected state after upgrade:** On an HA conductor, if the user is performing an upgrade on the first conductor node and that user makes a config commit during the upgrade, then the configuration's modified time will become out of sync between the two conductor nodes. When the conductor first node is finished upgrading the result is a loop where the configuration keeps getting committed by each node back and forth until a new commit is made. This issue has been resolved by allowing the peer conductor node to accept the config despite the perceived version disparity. Please note performing a commit mid upgrade is not supported. +- **I95-51006 Nodes stuck in connected state after upgrade:** On an HA conductor, if the user is performing an upgrade on the first conductor node and that user makes a config commit during the upgrade, then the configuration's modified time will become out of sync between the two conductor nodes. When the conductor first node is finished upgrading the result is a loop where the configuration keeps getting committed by each node back and forth until a new commit is made. This issue has been resolved by allowing the peer conductor node to accept the config despite the perceived version disparity. Please note performing a commit mid-upgrade is not supported. ------ -- **I95-51007 Conductor is incorrectly honoring core pinning:** The cpuProperties cores setting in /etc/128technology/local.init was erroneously isolating cores on conductor nodes when set, even though this setting is intended for a router. 
This would cause a reduction in available processing cores for normal conductor operations. This setting will now be ignored on the conductor. +- **I95-51007 Conductor only - cpuProperties-core value isolating cores:** *In SSR software versions 6.0.0 and greater*, the `cpuProperties-cores` setting in `/etc/128technology/local.init` is erroneously isolating cores on conductor nodes when set. Because the conductor does not forward packets, there should be no traffic cores allocated to or isolated on the conductor for packet forwarding. This setting was previously ignored on the conductor, but while resolving an earlier issue with the installer and initializer that allocated CPU cores for traffic, that is no longer the case. + +It is recommended that prior to upgrading the conductor that the user modify local.init to set this setting to `0`. For example, a setting like this in `/etc/128technology/local.init`: + +``` + "cpuProperties" : { + "cores" : 4 + }, +``` +should be changed to: +``` + "cpuProperties" : { + "cores" : 0 + }, +``` + +Note that only the relevant section of `local.init` is shown for clarity. All other settings should be left the same. +The change should be made on both nodes of an HA system. If a conductor is already running 6.0.0 or later it will be necessary to `systemctl restart 128T` on each node after making this change. If the modification is made prior to upgrade it is not necessary to restart 128T service as this will be performed during the upgrade. Making this change on versions earlier than 6.0.0 will not affect operation, and will not require a restart. + +This issue will be corrected in an upcoming release. ------ - **I95-51021 Package to Image conversion fails on FIPS enabled SSR:** Conversion of `package-based` to `image-based` is now supported for systems with FIPS 140-2 mode enabled. 
------ - **I95-51044 Hide `forwarding-core-mode` on conductor:** Disabled the `forwarding-core-mode` setting on conductor nodes, since this setting doesn't apply to conductor. ------ - ### Caveats - **I95-51087 SSR fails to download firmware after upgrading the conductor:** An issue has been identified where the first time a conductor is upgraded and **conductor-only** is selected in the software-update settings. The proxy service on the conductor does not work correctly, and downloads attempted by the router will fail. This issue will be resolved in the next release. @@ -891,7 +901,7 @@ The impacted sessions will time out when all packets for the failed sessions sto ------ - **I95-42379 BGP over SVR global service policy:** [Security and Service Policy](config_bgp.md#security-policy-and-service-policy) configuration options are provided for specifying the policy to be used for generated BGP-over-SVR services. ------ -- **I95-42483 STEP Diagnostics in GUI:** A Debug table and Replay visualization have been added to aid in STEP diagnostics. +- **I95-42483 STEP Page in the GUI:** [The STEP page in the GUI](howto_STEP_GUI.md) provides graphical representations of STEP data. ------ - **I95-44456 Support for DHCP vendor options:** DHCP options are now configurable on the SSR from the Mist dashboard. ------ 
@@ -914,7 +924,7 @@ The impacted sessions will time out when all packets for the failed sessions sto Please refer to [Password Policies](config_password_policies.md) for updated password requirements. ::: ------ -- **I95-40130 Factory Defaults for Conductor Communication:** Added SaltStack, Conductor, and IKE default session-types. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is 125 seconds. +- **I95-40130 Create factory defaults for all router-conductor communication:** SaltStack, Conductor, and IKE default session-types have been added. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is now 5 seconds. ------ - **I95-40904 Power save mode not working:** Add a method to read current power saver mode setting from existing config before committing the new configuration, and changing the setting. ------ @@ -922,7 +932,7 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-43239 LTE APN on Modem not set up correctly:** The APN is now always written to the the modem using the default index of 1. ------ -- **I95-43779 DHCP IP Address is not refreshed when cable is physically removed and reinserted:** Updated the state machine to cause DHCP-enabled interfaces to send out a DHCP Request for their current IP address. +- **I95-43779 DHCP IP Address not releasing appropriately:** When the cable is physically disconnected and reconnected from DHCP-enabled interfaces, the interfaces are now triggered to send out a DHCP Request for their current IP address. ------ - **I95-44142 Automated Provisioner race condition:** Resolved a rare crash where applications would attempt to get information about already-closed sockets when responding to API requests. ------ 
@@ -944,15 +954,17 @@ Please refer to [Password Policies](config_password_policies.md) for updated pas ------ - **I95-45162 Improve download/upgrade error message if a router name does not exist:** In situations where a router does not exist, the download and upgrade message now indicates that the router does not exist. ------ -- **I95-45164 `show-active-peers` missing some information:** Resolved a corner case where an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the SSR misinterprets the non-compliant device's timeouts and the MTU will be unresolvable. +- **I95-45164 Active peers show Unavailable for PATH-MTU, LATENCY, JITTER, LOSS & MOS for some transports:** Resolved a rare issue in the case of an RFC-compliant device ahead of a non-compliant device with a smaller MTU, the non-compliant device's timeouts are incorrectly interpreted and the MTU becomes unresolvable. ------ -- **I95-45220 Managed routers do not connect to newly added HA conductor:** Resolved an issue when transitioning a conductor from standalone to HA, the managed routers were not automatically connecting to the newly added conductor node. +- **I95-45220 Conductor local forwarding parameters not dynamic:** Resolved an issue when transitioning a conductor from standalone to HA the managed routers were not automatically connecting to the newly added conductor node. ------ - **I95-45489 `ifcfg` custom options are not real-time configurable:** Resolved an issue where interface `ifcfg` option changes were not being processed. ------ - **I95-45541 LDAP users are unable to login to the PCLI due to permission errors:** This issue has been resolved. ------ -- **I95-45559 Corrupted resolv.conf after ODM imaging:** Resolved an issue on SSR systems running dns-proxy services with external interfaces configured using PEERDNS=yes, where a race condition may occur that results in corrupt nameservers being added to the /etc/resolv.conf file. 
+- **I95-45559 Corrupted `resolv.conf` after ODM imaging:** On SSR systems running dns-proxy services with external interfaces configured using `PEERDNS=yes`, a race condition may occur that results in corrupt nameservers being added to the `/etc/resolv.conf` file. + + **_Workaround:_** A temporary workaround is to force an update of this file by either of the following methods: ------ - **I95-45641 Stuck BGPoSVR Sessions after Failover:** Made changes to provide updates to less specific FIB entries when routes are updated to resolve this issue. ------ 
@@ -978,9 +990,9 @@ B) if the connection is not critical, terminate the application that owns the de ------ - **I95-48274 Mixed IDP policy causes traffic to fail:** When a tenant is configured with an IDP policy enabled, and shares a service with another tenant that does not have IDP enabled, all traffic was being steered through the IDP. This issue has been resolved; the SSR now will automatically split the service into a maximum of 4 idpPolicy services; `alert`, `strict`, `standard`, and `none` to allow the correct handling of traffic. ------ -- **I95-48571 IDP topology improvements in the GUI:** The SSR now includes the auto-generated IDP mode if enabled as a part of `show idp application status`. Additionally, enabling `hub` mode will not result in engine bring-up errors. +- **I95-48571 IDP Topology User Experience Improvements:** The SSR will include the auto-generated IDP mode when enabled as a part of `show idp application status`. Additionally, enabling `hub` mode will not result in engine bring-up errors. ------ -- **I95-49340 Crash when the unexpected input of tenant-prefixes with no source-addresses is committed:** Validation has been added to restrict the tenant-prefixes's source-addresses to a minimum of one. + - **I95-49340 Crash when the unexpected input of `tenant-prefix` with no `source-address` is committed:** Validation has been added to restrict the `tenant-prefix source-address` to a minimum of one. ------ - **I95-49604 No alarm raised when a node is disconnected from the internal synchronization database:** When nodes are unable to connect to the internal synchronization database, a critical alarm is now raised. ------ 
@@ -994,7 +1006,7 @@ B) if the connection is not critical, terminate the application that owns the de ------ - **I95-50047 Conductor config unable to pass local validation on one of the routers:** Resolved an issue where a router missing the `reachability-profile` configuration may pass validation on conductor. ------ -- **I95-50247 Duplicate peer path alarms:** Resolved an issue where both BFD and the path MTU feature were generating alarms for the same peer path being down. The criteria for which peerPath state changes can trigger peer path events has been tightened. +- **I95-50247 Duplicate peer path alarms:** Resolved an issue where both BFD and the path MTU feature were generating alarms for the same peer path being down. The criteria for which peer path state changes can trigger peer path events has been tightened. ------ - **I95-50260 `show idp events` does not honor the `router` or `node` arguments:** Resolved an issue where `show idp events` did not honor the `router` and `node` arguments and always executed against the local node. The command is now executed correctly, using the specified arguments. ------ 
@@ -1004,7 +1016,7 @@ B) if the connection is not critical, terminate the application that owns the de ------ - **I95-50286 Rebooting a node of an HA pair from Linux breaks routing:** Resolved an issue where a delay in the shutdown process caused a node to take over a VRRP interface, creating routing issues. ------ -- **I95-50331 System fails to synchronize keys on startup:** The SSR now dynamically updates rsync IP host address from the non forwarding HA sync interfaces, and will fall back to the global.init host IPs if they don't exist. +- **I95-50331 System fails to synchronize keys on startup:** The SSR now dynamically updates the `rsync IP host address` from the non forwarding HA sync interfaces, and will fall back to the `global.init` host IPs if they don't exist. ------ - **I95-50376 Failure to make config changes after rollback:** Resolved an issue where commits would not take effect after rolling back an HA router, because of older/newer version conflicts. ------ @@ -1027,4 +1039,4 @@ B) if the connection is not critical, terminate the application that owns the de ------ - **I95-50754 Race condition between ICMP ping request and a reverse flow:** Resolved a crash due to a race condition when `service ping icmp-request` is matched against a partially installed flow. ------ -- **I95-50787 Rebooting the OS from the conductor throws error code 400:** Resolved an issue in the GUI with the reboot button on the Router page. When trying to reboot a router, the button would fail and display "Error: EOF"; this has been resolved. +- **I95-50787 Rebooting the OS from the conductor throws error code 400:** Resolved an issue in the GUI with the reboot button on the Router page. When trying to reboot a router, the button would fail and display **Error: EOF**. diff --git a/docs/release_notes_128t_6.2.md b/docs/release_notes_128t_6.2.md index acc8629e9ea..357e666d0ef 100644 --- a/docs/release_notes_128t_6.2.md +++ b/docs/release_notes_128t_6.2.md 
@@ -16,7 +16,7 @@ Alternatively, refer to the **[List of Releases](about_releases.md)** page for r Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_considerations.md) and the [**Rolling Back Software**](intro_rollback.md) pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations. ::: -- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor peer or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. +- **I95-43243/IN-460 Upgrade and Rollback:** Upgrading or rolling back a system (conductor, peer, or router) with the interactive installer `install128t`, that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See [Rolling Back Software](intro_rollback.md) for more information on these operations. ------ - **I95-42542 Conductor Upgrade Time:** Upgrades can take up to 40 minutes due to the number of rpms being upgraded. Please plan accordingly. ------ 
@@ -44,7 +44,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-61588 Console access failures post-migration:** Resolved an issue where a lower baud rate was being used by the serial console, resulting in unreadable output. The check and enforcement for the 115200 baud rate has been improved. ------ -- **I95-62421 DHCP relay failures causing clients to miss IP assignment:** Resolved an issue where DHCP session information is lost on the hub, causing the session reverse flow to collide with the forward flow of the session initiated originally from the spoke. This includes a new (configurable) default behavior for collision resolution. +- **I95-62421 DHCP relay failures causing clients to miss IP assignment:** Resolved an issue where DHCP session information is lost on the hub, causing the session reverse flow to collide with the forward flow of the session initiated originally from the spoke. This includes a new (configurable) default behavior for collision resolution. For detailed information, see [`configure authority service-policy prefer-established-session {true | false}`](config_command_guide.md#configure-authority-service-policy-prefer-established-session). ------ - **I95-62860 Web server connection limit not enforced:** Resolved an issue where the 250 maximum connection limit was not being properly enforced by the web server. ------ 
@@ -60,7 +60,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-63228 Premature route installation complete notification:** In some cases a premature internal notification that the route installation was complete was being transmitted, causing the Graceful Restart process to terminate early. This issue has been resolved. ------ -- **I95-63295 Highway crash due to mutex lock errors:** Resolved an issue where a time-intensive operation on a large entry was preventing other threads from accessing data, causing a highway crash due to mutex lock contention. +- **I95-63295 Highway crash when show fib is executed on very large FIB:** Resolved an issue where a time intensive operation on a large entry was preventing other threads from accessing data and causing a crash. ------ - **I95-63324 Duplicate static DHCP addresses cause crashes:** Added validation steps to identify and prevent duplicate MAC addresses for the static address assignment. ------ 
@@ -70,7 +70,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-63839 SNMP walk failures on Conductors onboarding to NMS:** Resolved an issue where SNMP walks on Conductors could fail with a `genError`, preventing successful onboarding into some network management systems. System MIB walks on Conductors now complete successfully; IF-MIB is no longer exposed on Conductors where it is not supported. ------ -- **I95-63943 Edge-case crash when changing from regular services to app-id:** Resolved an issue where a system that never had app-id services, or had app-id services reverted and the highway process restarted, and then modified an existing service to use app-id caused a crash. Protections have been added to safeguard against this edge case. +- **I95-63943 Edge-case crash when changing from regular services to app-id:** Resolved an issue where a system that never had app-id services or had app-id services, reverted them and restarted the highway process; and then modified an existing service to use app-id caused a crash. Protections have been added to safeguard against this edge case. ------ - **I95-63965 SNMP MIB subinterfaces not reporting correct stats:** Resolved an issue where SNMP MIB counters for subinterfaces (VLANs) returned the same statistics as the parent interface instead of per-subinterface statistics. ------ 
@@ -152,11 +152,11 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-61075 BGP does not re-establish after intermediate hop device restarts (e.g., a firewall):** Resolved an issue where when initiating a BFD for BGP session, the cached MAC to IP mapping was being used. If the MAC address had changed, stale information was used and the BFD session would not be established. We now issue an ARP request to get the latest MAC Address. ------ -- **I95-61176 Multicast Failover Optimization:** Several internal improvements have been made to improve failover and convergence in both HA and non-HA scenarios for Multicast/PIM. +- **I95-61176 Multicast Failover Optimization:** Several internal improvements have been made to improve failover and convergence in both HA and non-HA scenarios for Multicast/PIM, as well as failover times in general. ------ - **I95-61579 Highway crashes when executing command show device-interface name `` registers on an i40e network port:** Resolved an issue with the registers sub option that caused the crash on the i40e network port. The sub option has been removed. ------ -- **I95-61580 CLI does not prompt for required router restart:** Resolved an issue where making a configuration change requiring a restart only generates a warning for the router that the PCLI is running on. Committing a configuration change that requires a restart now results in a warning even when the change is on a different router. +- **I95-61580 CLI does not prompt for required router restart:** Resolved an issue where making a configuration change requiring a restart only generates a warning only for the router that the PCLI is running on. Committing a configuration change that requires a restart now results in a warning even when the change is on a different router. ------ - **I95-61869 Peer paths not coming back up after manual reboot:** Resolved an issue with the control message capacity. 
In configurations with more than 1000 VLANs, the aggregate size of all the control messages grew larger than the space allocated for the messages, and messages failed to send and some packet processing threads were left with incomplete interface tables. The capacity to handle these messages has been increased and can now handle up to 12,000 VLANs. ------ 
@@ -168,15 +168,15 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-62580 Conflicting network interface names slowing application traffic:** Resolved an issue in the app summary tracking logic related to conflicting network interface names for non-redundant ports of an HA router. ------ -- **I95-62703 Highway process crashes when BGP over SVR is activated:** Resolved an issue where the unicast code path was incorrectly invoking multicast variant of a function call. +- **I95-62703 Highway process crashed when BGP over SVR is activated:** Resolved an issue where the unicast code path was incorrectly calling the multicast variant of getBestMultiHomedPathIndex() and causing a highway crash. ------ - **I95-62859 Duplicate alarms created for duplicate asset IDs:** Resolved an issue where the Conductor created a duplicate asset ID alarm each time an asset with a duplicate ID tried to authenticate. ------ - **I95-62877 SSR continues to forward traffic to external MAC after failover:** Resolved an issue where the SSR was continuing to forward traffic for an existing session to the original next-hop after failover. A new configuration field has been added to the service policy configuration; `reverse-gateway-change-detection`. When enabled, this feature will identify a failover/MAC change, trigger a flow-move, and update the reverse next-hop accordingly. For additional details see [`reverse-gateway-change-detection`](config_command_guide.md#configure-authority-service-policy-reverse-gateway-change-detection). ------ -- **I95-63018 Memory corruption after reading VSA:** Resolved a rare issue where during remote authentication through the Radius server, `pam_radius` was causing memory corruption after VSA is read. 
+- **I95-63018 Memory corruption after reading VSA:** Resolved a rare issue where in remote authentication through a RADIUS server, pam_radius was causing memory corruption after a Vendor Specific Attribute (VSA) is read. ------ -- **I95-63353 Invalid assert that leads to a crash:** Resolved an issue where an incorrect assertion led to a crash. Protections have been added to prevent the race condition leading to the crash. +- **I95-63353 Invalid assert that leads to a crash:** Resolved an issue where an incorrect assertion led to a crash. Protections have been added to prevent the race condition leading to the crash. ## Release 6.2.9-5-lts 
@@ -185,24 +185,24 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ### Resolved Issues - **The following CVEs have been identified and resolved in this release:** CVE-2024-24806, CVE-2023-26916, CVE-2024-56171, CVE-2025-24928, CVE-2024-11187, CVE-2024-1737, CVE-2024-1975, CVE-2024-3596, CVE-2024-37370, CVE-2024-37371, CVE-2025-24528, CVE-2023-46846, CVE-2024-45802, CVE-2024-12085, CVE-2025-27363. ------- +------ - **I95-56557 `show service` command not displaying URL:** Resolved an issue where even after adding a URL to the service, the URL was not showing in the output of the `show service` command. This has been resolved. ------ - **I95-57265 Highway crash when generating TSI on Azure instance:** An Azure instance can crash while accessing an uninitialized RX queue. This invalid access has been prevented and the issue resolved. -------- +------ - **I95-57508 Traffic from node1 LAN to node1 WAN does not show on graph:** When an HA interface becomes non-redundant (reconfigured as non-HA), state updates were not showing on the active-interface path. This led to the icmp-probe-manager not running. This issue has been resolved. ------ - **I95-57584 IGMP ingress packets not being accepted after defining tenant prefixes on LAN subnet:** Resolved an issue when using `tenant-prefix` on the interface, all PIM/IGMP messages were blocked. This issue has been resolved. In addition, the ability to only allow igmp messages sent from specific source-addresses has been added. For more information, see [`source-address-prefix-list`](config_command_guide.md#configure-authority-router-routing-igmp-interface-source-address-prefix-list) ------ -- **I95-58017 FIB entries on `show fib` not available for all headends:** Resolved an issue with `show fib` stalling and not returning complete data. 
+- **I95-58017 `show fib` output incomplete on routers:** Resolved an issue with `show fib` stalling and not returning complete data where the next hop entries are in excess of 200. The `show fib` output now correctly handles larger output. ------ -- **I95-58999 CPU usage for Packet Processing CPU always reads 100%:** Resolved an issue where the size of the packet transmit burst was reported, rather than the actual number transmitted when `transmit-on-standby` fails. The correct information is now provided. +- **I95-58999 Packet Processing CPU reads 100% when interface is operationally down:** Resolved an issue where an attempt to transmit packets on an operationally down standby interface resulted in a persistent false report of packet processing activity, which led to an erroneous calculation of 100% CPU utilization. ------ - **I95-59676 Alarm when default passwords are not changed:** An alarm has been added to detect when default password hashes are detected for standard system users. It is highly recommended that all system user passwords be updated to a secure password as soon as possible. ------ - **I95-59745 Routers are stuck in the connected state and not transitioning to running:** Resolved an issue where the router repeatedly sent the same incorrect values to the config during startup, resulting in a race condition. ------ -- **I95-59758 Prompt for password change:** The user is now prompted to change the `admin`, `t128`, and `root` passwords during installation. The password is changed to the same value for all three users. +- **I95-59758 Interactive Initializer updates all system account passwords:** Interactive initialization now changes the `admin`, `t128` and `root` user passwords to the same value. The initialization preference file has the fields, `t128-password`, `root-password`, and `admin-password`, to set password hashes for each user, respectively. 
------ - **I95-60038 `show fib` lookup fails for IPv6 addresses:** Parsing IPv6 addresses was not performed properly, resulting in an invalid query. The code has been updated to properly parse the request before processing. ------ 
@@ -210,7 +210,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-60282 Disk space usage growing to more than 90%:** DNF logs were increasing in size and not being rotated, causing a significant increase in size. A `logrotate` configuration file for DNF has been added to limit the size of DNF log files to prevent them from filling the hard drive. When this fix is installed on the conductor, it is automatically propagated to all managed routers. ------ -- **I95-60287 Add option to disable Kernel Metric SLA Calculation:** In rare cases on a heavily loaded system, the kernel metric calculation process can sometimes hang for a period of time, causing an internal watchdog to fire. This results in a system restart. Setting the `service-metric-use-lsa` (under the `routing default-instance`) to `false` will prevent the kernel flap that causes this issue. See [`service-metric-use-lsa`](config_command_guide.md#configure-authority-router-routing-service-metric-use-sla) for additional information. +- **I95-60287 Add option to disable Kernel Metric SLA Calculation:** In rare cases on a heavily loaded system, the kernel metric calculation process can sometimes hang for a period of time, causing an internal watchdog to fire. This results in a system restart. Setting `routing default-instance > service-metric-use-lsa > false` will prevent the kernel flap that causes this issue. See [`service-metric-use-lsa`](config_command_guide.md#configure-authority-router-routing-service-metric-use-sla) for additional information. ------ - **I95-60321 DHCP relay service not honoring configuration change for the addition of a new subtenant:** Resolved an issue where new subtenants were not inheriting server mapping from the parent tenant. ------ 
@@ -230,7 +230,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-60948 RADIUS secret length limited to 16 characters:** The RADIUS secret size was erroneously set to 16 octets. The allowable RADIUS secret size has been updated from 1 to 255. ------ -- **I95-60960 After reboot, the PIM RP IP address moves to a VRF:** Resolved an issue where after reboot the PIM RP IP moves to a VRF, leaving the base instance without a PIM RP IP address. The VRF is now explicitly added to the config, preventing this issue. +- **I95-60960 The PIM RP moved from the base instance to a VRF after a reboot:** When PIM RPs are configured in different VRF, upon reboot the PIM RP could appear in the wrong VRF. This issue has been resolved by generating the VRF explicitly when configuring Multicast routing. ------ - **I95-61085 Highway crash after incorrectly adding an IP address for a Multicast service:** Resolved an issue where a packet reached the router and matched a FIB without a service association, i.e. a FIB created for multicast traffic. The SSR will now drop a packet for a summary service if it matches a FIB without an associated service. ------ 
@@ -270,7 +270,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-58444 DSCP steering is not correctly using revertible-failover:** Resolved an issue where DSCP Steering on child services were not using learned peer routes from the parent service. DSCP steering child services now properly utilize revertible-failover resiliency policies. ------ -- **I95-58528 SSR OS renaming:** The SSR OS version has been updated from "CentOS" to "Oracle Linux" to accurately reflect its upstream Linux distribution. All internal naming has been updated. +- **I95-58528 SSR OS renaming:** The SSR OS has been renamed/rebranded from "CentOS7" to "SSR OS" to more accurately reflect its customized Linux distribution. All internal naming has been updated. ------ - **I95-58539 The `validate` command does not check or test for router `applies-to` config:** Resolved an issue whereby the DHCP relay inspector rule was not honoring router-based services for interfaces without DHCP relay. Errors from this rule are now warnings. ------ 
@@ -304,7 +304,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-59431 MTU mismatch on PPPoE interfaces:** Resolved an issue where the namespace target KNI resource incorrectly sets target-interface MTU based on network-interface maximum MTU. This issue was encountered with restarts of the 128T service. ------ -- **I95-59477 Race condition can lead to highway crash on HA node when application identification is enabled:** Resolved an issue in dual node High Availability configurations, highway crashes happen when `node1` does not successfully classify during the TCP handshake, but `node2` does successfully classify. See I95-59563, I95-59618 below for additional information. +- **I95-59477 Race condition can lead to highway crash on HA node when application identification is enabled:** In dual node High Availability configurations, highway crashes happen when `node1` does not successfully classify during the TCP handshake, but `node2` does successfully classify. This issue is currently under investigation and will be resolved in an upcoming release. For this release, defensive code has been added to preserve the session state and avoid a crash. ------ - **I95-59478 Recover PPPoE after highway crash:** Updated the PPPoE re-init script to resolve an issue where, after a highway crash, the PPPoE NSID becomes invalid and causes the device status to stay `down` even if the monitoring script reports `up`. ------ 
@@ -319,7 +319,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co }, ``` ------ -- **I95-59745 Routers are stuck in the connected state:** Resolved an issue where the router would unnecessarily write to `yum.dnf` and `dnf.conf`, resulting in a race condition. +- **I95-59745 Routers are stuck in the connected state and not transitioning to running:** Resolved an issue where the router repeatedly sent the same incorrect values to the config during startup, resulting in a race condition. ------ - **I95-59813 The `unrelease mist agent` command fails:** Resolved an issue that caused the `unrelease mist agent` command to fail when run from a conductor against a router. 
@@ -331,13 +331,13 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co - **The following CVE's have been identified and addressed in this release:** CVE-2024-21131, CVE-2024-21138, CVE-2024-21140, CVE-2024-21144, CVE-2024-21145, CVE-2024-21147, CVE-2024-5564. ------ ---> -- **I95-53274 PIM scaling above 1500 multicast routes:** Resolved an issue where the SSR could not maintain more than 1400 active sessions. +- **I95-53274 PIM multicast routes unable to maintain more than 1,400 concurrent (Source, Group) sessions:** The SSR cannot maintain more than 1400 active (Source,Group) sessions. This scaling limitation has been addressed. ------ - **I95-57538 WayPoint exception - failing to allocate waypoint ports on mesh peer re-establishment:** Resolved an issue where a configuration change may cause existing waypoint ports to become invalidated, creating an exhaustion scenario. ------ - **I95-57667 / I95-57912 Traffic Engineering traffic throughput improvements:** Internal improvements have been made to optimize the throughput of traffic when traffic engineering is configured. ------ -- **I95-58201 Increase AMD performance:** Throughput performance on AMD processors has been improved through the tuning of some kernel parameters. +- **I95-58201 Throughput Performance Improvements Across Platforms:** Kernel parameter tuning has improved throughput performance on most AMD and Intel platforms (excluding Intel Atom), with the greatest gains on AMD processors. This includes Juniper-branded platforms like the SSR1200 and SSR1500, as well as cloud instances, VM hosts, and other hardware configurations. ## Release 6.2.6-15-sts 
@@ -359,7 +359,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-49712 Configuration validation error uniformative:** Resolved an issue that when configuring an SSR, invalid configuration parameters were returning errors that were not specific enough to allow the user to locate the invalid configuration. Now when invalid configuration elements are identified during validation, the messages include relevant information for the invalid element, such as an IP address, node name, router name, interface names, etc. ------ -- **I95-55725 Highway crashes when peer-path routers are removed:** Resolved a race condition that could cause a crash in the highway worker-core packet-processor if peer routers are removed from the configuration. +- **I95-55725 Highway crashes when peer-path routers are removed:** Resolved a race condition that could cause a crash in the forwarding plane (highway) if peer routers are removed from the configuration. ------ - **I95-55965 IDP engine not starting due to invalid environmental conditions:** In cases where the IDP engine does not shut down cleanly, the IDP engine will fail to restart. These conditions are now detected and handled correctly. ------ 
@@ -367,13 +367,13 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-56233 / I95-56546 Relay routers in AWS unresponsive, showing device errors:** Resolved an issue where ENA devices in some environments have shown command queue failures and are no longer able to retrieve device stats, or pass traffic. The device is now reinitialized when the driver watchdog issues a reset event. ------ -- **I95-56236 Quick Start config validation failures not being reported:** Made changes to the initialization process such that quick start errors can be reported. +- **I95-56236 Routers unable to onboard after upgrading the Conductor:** Resolved an issue where the automated provisioner and the Quickstart processes overlapped, preventing the device state from being reviewed for errors, which stopped the onboarding process. ------ - **I95-56345 Multiple reboots of the same node of a dual node router causes the multicast stream to stop:** Resolved an issue where multiple reboots of an HA node did not allow traffic to pass. Now in this scenario an exception is thrown, which allows the session to rebuild once the internode link comes up. ------ - **I95-56492 Sessions configured for outbound-only with nat-keep-alive enabled experience reverse flow packet drops after flow migration:** A flow move from an inter-router (WAN) peer path to an inter-node (fabric) peer path causes repeated session modifies on the hub side causing reverse traffic packet drops due to NAT keepalives incorrectly testing the failed WAN path for the migrated session. This issue has been resolved. ------ -- **I95-56527 Failure to validate and commit config; system incorrectly expected escape sequence:** Resolved an issue where capture-filter expected an escape sequence for input when it was not necessary. 
+- **I95-56527 `compare config` returns an `Invalid JSON` error:** Resolved an issue where the use of a backslash (`\`) in a list key or a list element generates an `Invalid JSON` error when `compare config` is run. This error occurred in cases where there is a difference between the configs in a child of the list element with a `\` in its key; Or when the parent list or leaf-list exists in both configs but the list or leaf-list element with the `\` only exists in one; Or if the list element with the `\` is renamed. ------ - **I95-56702 O365/Sharepoint application missing from the Applications list:** Resolved an issue where certain applications and protocols were excluded from automatic updates. ------ @@ -409,7 +409,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-57099 Race condition causing crash in highway process when peer path timers expire:** Resolved an issue with handling BFD timers in multi-threaded environments. ------ -- **I95-57110 Crash seen during add and delete peers while sending traffic:** A race condition has been fixed that could cause a crash in the packet-processing highway process if a peer-path is removed from configuration. +- **I95-57110 Crash seen during add and delete peers while sending traffic:** A race condition has been fixed that could cause a crash in the forwarding plane (highway) process if a peer-path is removed from configuration. ------ - **I95-57114 Unable to upgrade AWS Conductor:** Resolved an issue where an incorrect package version was installed, triggering a downgrade and preventing the upgrade. ------ 
@@ -451,7 +451,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co - **The following CVEs have been resolved in this release:** CVE-2024-2973, CVE-2023-20569, CVE-2023-48795, CVE-2023-2176, CVE-2023-40283, CVE-2023-4623, CVE-2024-22019, CVE-2023-46724, CVE-2023-46728, CVE-2023-49285, CVE-2023-49286, CVE-2023-50269, CVE-2024-25617. ------ -- **I95-52251 Router's conductor-address did not update the salt created services with the new addresses:** The router override for conductor addresses is now used in the software update info. This causes the router override value to properly trigger highstate and the salt created services to use the new conductor addresses. +- **I95-52251 Changes to the conductor address on the router result in loss of ssh connection to the router:** Resolved an issue where changing the router level `conductor-address` did not update the salt-created services with the new addresses. ------ - **I95-53619 Anomaly in Maintenance Mode reporting:** Resolved an issue where BGP alarms were not automatically shelved when routers are put into maintenance mode. `BGP peer path is down` alarms are now shelved properly on routers in maintenance mode. ------ 
@@ -459,9 +459,9 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-55226 Validation incorrectly allows a network interface to be used as both DHCP relay and server:** The validation process has been updated to include several checks against DHCP relays, clients, servers, and access-policies. ------ -- **I95-55550 node0 went down and did not fail over to node1:** Multiple disk errors caused corruption on the `128T_root` filesystem causing it to enter `read-only` mode and becoming non-responsive. To resolve this issue, issues in the filesystem now result in kernel panic mode, launching a reboot and in HA systems, failover. Additionally, the filesystem check is run to check and repair the filesystem. +- **I95-55550 Abrupt power failure may result in filesystem corruption:** Multiple disk errors caused corruption on the 128T_root filesystem causing it to enter read-only mode and becoming non-responsive. To resolve this issue, the filesystem triggers a kernel panic, launching a reboot and in HA systems, failover. Additionally, the filesystem check is run to check and repair the filesystem. ------ -- **I95-55603 HA router stuck in connected state due to runtime corruption issue:** Resolved an issue causing an unzip race condition with Python files. The packaging and installation process has been improved to prevent this issue. +- **I95-55603 HA router stuck in connected state due to runtime corruption issue:** Resolved an issue with an unzip race condition with Python files. The packaging and installation process has been improved to prevent this issue. ------ - **I95-55764 Race condition and highway crash with DHCP devices:** Resolved a race condition that caused a highway crash when the DHCP client is configured for LTE or PPPoE, and the respective link flaps prior to the lease being assigned. ------ 
@@ -485,9 +485,9 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-56279 When a multicast route changes due to failover, SSR does not forward traffic:** Resolved an issue that when the incoming interface changes from one SVR interface to another, the multicast route is not updated correctly. As a result the new incoming traffic does not match the incoming interface and is dropped. The multicast route is now correctly updated when there is an SVR incoming interface change. ------ -- **I95-56292 Increase the length of SSH keys to 4096:** The size of the Salt and 128T SSH keys has been changed to 4096 bits for newly deployed systems. +- **I95-56292 Increase the length of SSH keys to 4096:** The size of the Salt and SSH keys has been changed to 4096 bits for newly deployed systems. ------ -- **I95-56317 Journal logs missing from Conductors running 6.2.3:** An issue related to a typo was creating zero byt files when downloading journal logs using the GUI. +- **I95-56317 Journal logs missing from Conductors running 6.2.3:** An issue related to a typo was creating zero byte files when downloading journal logs using the GUI. ------ - **I95-56326 Potential crash while collecting TSI:** Added protection against unmapped memory access to resolve an issue where, if a TSI is collected at just the wrong time, it can cause a highway crash. ------ 
@@ -503,7 +503,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-56541 Include kernel journal entries in TSI:** A separate `kernel.log` journal file is now created in the TSI output. ------ -- **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The `ComponentDiskUtilizationMonitor` checks the disk usage too frequently and is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. +- **I95-56575 Reduce polling rate of disk monitoring and add optimization:** The disk monitoring agent polling frequently is inefficient. Reduced the frequency that disk usage is checked, and streamlined the process. ------ - **I95-56600 Add `show tenant members` to the TSI output:** `show tenant members` and additional network scripts have been added to the TSI output. ------ 
@@ -523,7 +523,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co - **I95-53878 New LACP protocol stats added:** LACP related counters are now available at a per-bond-member resolution. For more information, see [show stats interface received lacp](cli_stats_reference.md#show-stats-interface-received-lacp) or [show stats interface sent lacp](cli_stats_reference.md#show-stats-interface-sent-lacp). ------ -- **I95-53821 Radius Remote Authentication:** Radius Authentication supports the remote authentication of users created remotely, automatically adding them to the appropriate local user databases. This is especially helpful for large organizations that are geographically diverse. See [Configuring RADIUS](config_radius.md#configuring-radius) for more information. +- **I95-53821 Radius Remote Authentication:** Users can now be added and identified on the server, with each user account created automatically upon successful authentication on a local device. This provides a simple method for managing user accounts connected to a single authentication server with devices deployed over a wide geography. See [Configuring RADIUS](config_radius.md#configuring-radius) for more information. ------ - **I95-55672 MSDP Alarms for Peer State Change:** MSDP Alarms have been added for peer state change. For more information, see [`show msdp peer`](cli_reference.md#show-msdp-peer) 
@@ -531,9 +531,9 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co - **The following CVEs have been resolved in this release:** CVE-2021-43975, CVE-2022-3594, CVE-2022-3640, CVE-2022-4744, CVE-2022-28388, CVE-2022-38457, CVE-2022-40133, CVE-2022-40982, CVE-2022-42895, CVE-2022-45869, CVE-2022-45887, CVE-2023-0458, CVE-2023-0590, CVE-2023-0597, CVE-2023-1073, CVE-2023-1074, CVE-2023-1075, CVE-2023-1079, CVE-2023-1118, CVE-2023-1206, CVE-2023-1252, CVE-2023-1382, CVE-2023-1855, CVE-2023-1989, CVE-2023-1998, CVE-2023-2513, CVE-2023-3141, CVE-2023-3161, CVE-2023-3212, CVE-2023-3268, CVE-2023-3609, CVE-2023-3611, CVE-2023-3772, CVE-2023-4128, CVE-2023-4132, CVE-2023-4155, CVE-2023-4206, CVE-2023-4207, CVE-2023-4208, CVE-2023-4732, CVE-2023-23455, CVE-2023-26545, CVE-2023-28328, CVE-2023-28772, CVE-2023-30456, CVE-2023-31084, CVE-2023-31436, CVE-2023-33203, CVE-2023-33951, CVE-2023-33952, CVE-2023-35823, CVE-2023-35824, CVE-2023-35825, CVE-2022-45884, CVE-2022-45886, CVE-2022-45919, CVE-2023-1192, CVE-2023-2163, CVE-2023-3812, CVE-2023-5178, CVE-2020-22218, CVE-2023-38406, CVE-2023-38407, CVE-2023-47234, CVE-2023-47235, CVE-2024-20918, CVE-2024-20919, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2024-20952, CVE-2023-40217, CVE-2022-43552. ------ -- **I95-50697 RFC1918 sessions (private IP addresses) are reclassified in error:** When a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will now only be reclassified if the classification data reflects a positive classification change. +- **I95-50697 Private RFC1918 Web Applications ignored by Mist when collecting SLE data:** Handling of RFC1918 traffic classification returned a private domain causing an undesirable clumping of session stats. 
With the new behavior, when a session destined for a private IP (RFC1918) experiences an App-ID modify, the session will only be reclassified if the classification data reflects a positive classification change. ------ -- **I95-51663 TCP port reuse causing session issues in session timeout management:** Resolved an issue where TCP client port reused caused backwards state transitions in TCP state tracking. +- **I95-51663 TCP port reuse causing application steering crashes:** Resolved an issue where backwards state transitions was causing an issue with the TCP client reusing ports. ------ - **I95-51787 SNMP alarms generation is not FIPS compliant:** SNMP now uses the SHA1 algorithm to identify a specific instance of an alarm. After upgrading to this release, you will see different values for these instance IDs. These values are defined as "opaque" and are not guaranteed to be consistent from release to release. ------ @@ -569,7 +569,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-54780 Forwarding CPU utilization metrics missing for duration greater than 1 hour:** Updated the retention policy for forwarding CPU utilization and other metrics. ------ -- **I95-54803 Control packets are treated with equal priority in overload conditions, causing drops:** Control packets now have preferential treatment, reducing the drop rate. +- **I95-54803 Control packets are treated with equal priority in overload conditions, causing drops:** Control packets now have preferential treatment under overload conditions, reducing the drop rate. ------ - **I95-54808 Ingress VLAN tag getting stripped for vSSR with SR-IOV:** Added measures to prevent the vlan reinsert flag from being reset. ------ 
@@ -581,7 +581,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-54901 During source specific multicast, the FHR is displaying the Register Flag (F):** The display was incorrectly showing the register flag (F); PIM registers are not sent for SSM groups, so this flag should not be sent. The display issue causing this has been resolved. ------ -- **I95-54909 Alarm not generated when Websense is down** Implemented an alarm when the connection to the Websense server is down or responds with a 5xx error. +- **I95-54909 Alarm when websense connection is down:** An alarm has been added to indicate that the connection to the Websense URL is down or responds with a 5xx error. ------ - **I95-54927 Receiver can join stream without any tenant assigned to interface:** This issue has been resolved by creating multicast boundaries in the routing engine to block all multicast addresses on interfaces that do not match the multicast service access-policy. ------ 
@@ -641,11 +641,11 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-55830 Rollback results in missing Admin user:** Resolved an issue where HA nodes running mixed versions of 5.6.0 or greater with versions less than 5.6.0, the admin user could be temporarily removed until both nodes were upgraded or rolled back to the same version. ------ -- **I95-55850 Changing the name of a `bond-interface` fails:** Resolved an issue where changing the name of a `bond-interface`required a restart to take effect. +- **I95-55850 Changing the name of a `bond-interface` fails:** Resolved an issue where changing the name of a `bond-interface` required a restart to take effect. ------ - **I95-55903 Memory alarm persists in LAG/HA/VRRP configuration:** The `Memory exceeded 90%` alarm appears and persists in an HA configuration due to multiple database connections being made and not released. These database connections are now properly released and memory use maintained at a reasonable level. ------ -- **I95-55904 No service-paths seen after upgrade:** Resolved an issue where adding services with overlapping address prefixes prevented the configuration from being applied. +- **I95-55904 No service-paths seen after upgrade:** Resolved an issue where adding services with overlapping address prefixes prevented the configuration from being applied. For additional details, refer to the Knowledge Base article [Upgrade from 5.6 to 6.1 may result in missing FIB entries](../kb/2024/04/24/I95-55904). ------ - **WAN-2753 IDP Engine Failed to Start:** Resolved an issue that prevented IDP from starting if its configuration had changed. 
@@ -663,7 +663,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-46120 HA Fabric Warning message suppression in Azure:** In Azure, it is not possible to configure a non-forwarding fabric interface on the SSR, thus this error will be present on every commit. This message is now suppressed. ------ -- **I95-47041 Selection of Mist Cloud instance during whitebox onboarding:** The onboarding interface now silently queries all Mist Instances and provides a drop down selector to allow login to the appropriate Mist instance (Global01, Global03, EU, etc.). +- **I95-47041 Selection of Mist Cloud during Adoption:** The onboarding process queries all Mist Instances and provides a drop down selector to allow login to the appropriate Mist instance (Global01, Global03, EU, etc.). ------ - **I95-47253 Stuck Session Detection:** In situations where forward traffic is received, but there is no reverse traffic; for example, when the local IP of an interface performing source-nat changes, or when the local IP of an interface changes while sending traffic over SVR to a waypoint, the SSR will now mark the session for a flow-move with new reverse flow needed. If the criteria is met, the source-NAT or waypoint will be updated with the correct information on the next forward packet. ------ 
@@ -690,7 +690,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-48783 Conductor process logs are unbounded, risking storage exhaustion:** auditd logs consuming the disk space when the node monitor is in a disconnected state and the audit logs are left unconsumed. There was a limit to the log file size, but not the number of files. The number of files is now limited. ------ -- **I95-50493 Memory calculation for alarms is confusing:** This alarm was designed to trigger when memory usage went above 90% and clear only when memory usage went below 80%, causing confusion. The memory usage alarm no longer requires memory usage to go below 80% to clear; it will clear when memory usage goes below 90%. +- **I95-50493 Memory calculation for alarms is confusing:** This alarm was designed to trigger when memory usage went above 90% and clear only when memory usage went below 80%, causing confusion. Memory usage alarm no longer requires memory usage to go below 80% to clear; it will clear when memory usage goes below 90%. ------ - **I95-50537 Detect and log invalid TCP establishment flags:** TCP packets with illegal flag combinations are dropped before they can set up a session, rather than after. ------ 
@@ -706,7 +706,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ------ - **I95-53666 Unable to create webserver certificate request:** This issue has been resolved by providing ACL permissions for the webserver to the certificate directory. ------ -- **I95-53777 Multicast traffic not passing after an HA failover:** Resolved an issue where the multicast service next hops were not reloading on a configuration change. +- **I95-53777 Multicast traffic not passing after HA Failover:** High Availability with Multicast is not fully supported. Drop or complete loss of traffic may be seen when the primary node resumes traffic after a node failure and failover. ------ - **I95-53787 Stats not present on conductor:** Running show device-interface router all on a conductor caused stats (in-octets, in-unicast-pkts, etc...) to be incorrectly displayed as "n/a" instead of the correct value. This issue has been resolved. ------ @@ -750,7 +750,7 @@ Before upgrading please review the [**Upgrade Considerations**](intro_upgrade_co ### Caveats -- **I95-54780 Forwarding Utilization stats are not retained beyond one hour:** This issue is the result of the fix in place for the `stats default retention short` setting was not being honored (I95-53875). This will be resolved in the next patch release. +- **I95-54780 Forwarding CPU utilization metrics missing for duration greater than 1 hour:** Updated the retention policy for forwarding CPU utilization and other metrics. ------ - **I95-54856 Rollback issue after upgrade to 6.2 from versions 6.1 or earlier:** If the SSR is upgraded from 6.1 (or older) to 6.2 and you have BGP neighbors with address family configuration, and then try to downgrade to a version prior to 6.2, the downgrade will fail. 
@@ -799,7 +799,7 @@ Valid values for `remove-as-path`: ------ - **I95-50071 Lenovo SR650 platform support as a 100G ports solution:** The Lenovo SR650 has been added as a Juniper-certified platform to provide 100G port connectivity. ------ -- **I95-51181 Improve save-tech-support-info command:** The PCLI command `save tech-support-info` now has a `since` argument that limits log collection to only logs generated after a specified time. The `since` argument can be a relative time delta or an absolute timestamp. The GUI's About and Logs pages has the same functionality with a drop down that allows limiting the time window for the displayed/downloaded logs/tech-support-info. +- **I95-51181 Improve `save-tech-support-info` command:** The PCLI command `save tech-support-info` now has a default collection period of one day. Additionally, a `since` argument has been added that limits log collection to only logs generated after the specified value. The `since` argument can be a relative time delta or an absolute timestamp. The GUI's About and Logs pages has the same functionality with a drop down that allows limiting the time window for the displayed/downloaded logs/tech-support-info. ------ - **I95-51194 Support for Multicast Source Discovery Protocol (MSDP), and the SSR as a Rendezvous Point (RP):** MSDP support has been added, allowing the RP's to share active Multicast Sources. For detailed configuration information, see [Multicast Source Discovery Protocol (MSDP)](config_multicast.md#multicast-source-discovery-protocol-msdp). ------ 
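Review bot: The I95-51181 heading now backticks `save-tech-support-info` with a hyphen after "save", while the body of the same added line gives the PCLI command as `save tech-support-info`. Use the command spelling from the body in the heading, and since the line is being rewritten anyway, change "The GUI's About and Logs pages has" to "have".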
@@ -842,11 +842,11 @@ Valid values for `remove-as-path`: ------ - **I95-51801 The SSR is unable to see DHCP ACK for the DHCP Request sent by an EX4100:** Added an `authoritative` field for DHCP servers to enable/disable `authoritative` mode, which allows the server to send a NAK in response to unknown clients. This field is set to `true` by default. ------ -- **I95-51864 Ethernet Over SVR (EoSVR) not working for multi-hop SVR scenarios:** When EoSVR traffic traverses over a dogleg path in a HA node topology, traffic failed to traverse the middle node. EoSVR packets are no longer incorrectly dropped when routed over an inter-node path when coming from an SVR path. +- **I95-51864 Ethernet Over SVR (EoSVR) not working for multi-hop SVR scenarios:** When EoSVR traffic traverses over a dogleg path in a HA node topology, traffic failed to traverse intermediate nodes. EoSVR packets are no longer incorrectly dropped when routed over an inter-node path when coming from an SVR path. ------ - **I95-51992 Multi-queue support for Bond interfaces:** Support for a bond `device-interface` to use multiple RX/TX queues has been added. ------ -- **I95-52018 Path returned contained ip-address with no escaping:** The Inspector path has been modified with the ability to escape. +- **I95-52018 Overlapping IP Prefix validation may be incorrect, causing a false configuration warning:** Configuration validation for IP Prefixes has been corrected. ------ - **I95-52113 Application Identification on the SSR runs at 100% CPU utilization:** Resolved an overrun bug that was causing the SSR to enter a loop when loading port ranges. This issue has been resolved. ------ 
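Review bot: The I95-52018 change in this hunk swaps in a different problem statement, not just different wording. The removed line is about the Inspector path returning an ip-address with no escaping; the added line is about overlapping IP Prefix validation causing a false configuration warning. Confirm which description belongs to I95-52018 before making it the common text, because one of the two is attached to the wrong issue ID.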
@@ -857,7 +857,7 @@ This issue has been resolved; the LTE IP change is now handled it as a source-na ------ - **I95-52178 Reset of SSR IDP does not turn it off:** Resolved an issue when performing a factory reset on SSR IDP did not turn it off properly. ------ -- **I95-52279 Bond interface configured with VRRP not receiving UDP traffic when LACP is enabled:** An issue where VRRP Virtual MACs from being silently dropped has been resolved. Packets with VRRP virtual dest MACs are now processed by the Bond PMD when using LACP. +- **I95-52279 Bond configured with VRRP not receiving UDP traffic when LACP is enabled:** Resolved an issue on the SSR120/SSR130 where VRRP Virtual MACs are being silently dropped by Bond PMD in LACP mode. Packets with VRRP virtual destination MACs are now correctly processed by the Bond PMD when using LACP on the SSR120/SSR130. This issue will be resolved on the SSR1200/1300/1400/1500 in an upcoming release. ------ - **I95-52414 RBAC not being honored for `show fib` output:** Resolved an issue where `show fib` included entries that the current user did not have permission to view. ------ 
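Review bot: The added I95-52279 text ends with "This issue will be resolved on the SSR1200/1300/1400/1500 in an upcoming release", a forward-looking statement that goes stale once this text is meant to be identical wherever the issue appears. Scope that sentence to the release it was written for, or name the release that carries the remaining fix. The first sentence also mixes tenses ("Resolved an issue ... where VRRP Virtual MACs are being silently dropped"); "were being" matches the rest of the entry.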
@@ -897,7 +897,7 @@ This issue has been resolved; the LTE IP change is now handled it as a source-na ------ - **I95-53114 Broadcom interfaces stuck in `admin down` after upgrade:** Resolved an issue where device-interfaces on Broadcom NICs wouldn't come up properly if initially configured with `enabled false`. ------ -- **I95-53124 AppID fails to get application category information:** If a service becomes refined to a child-service, sessions to an RFC1918 destination addresses now update their stats tracking under the new classified application. +- **I95-53124 Sessions destined to private IP address (RFC1918) are incorrectly reported using the application name as the service name:** We have identified an issue where sessions destined to private IP address (RFC1918), are incorrectly reported with the application name as the service name, even if the traffic is HTTP/HTTPS. Session traffic continues to follow the appropriate service / routing profile, but the stats reported may not accurately reflect the learned applications. This is actively being addressed and will be resolved in a future patch. ------ - **I95-53130 Errors seen on Q-in-Q enabled interface after upgrade:** Interfaces were unable to receive jumbo packets unless MTU is configured to be large enough. This resolution allows the reception of jumbo packets regardless of the MTU setting. ------ 
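Review bot: The added I95-53124 line turns the entry into an open-issue notice ("We have identified an issue ... will be resolved in a future patch"), while the line it replaces described changed behaviour (sessions to RFC1918 destinations now update their stats under the newly classified application) and the neighbouring entries in this hunk read as fixes. If the problem is still open in this release the entry belongs under Caveats; if it is fixed, keep a resolved-style description. The first-person "We have identified" also does not match the voice of the other entries.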
@@ -912,7 +912,7 @@ This issue has been resolved; the LTE IP change is now handled it as a source-na - **I95-53288 Fetching detailed bond info from the conductor for routers fails:** The conductor was incorrectly posting a `JSONDecodeError` when trying to parse bond information that was missing from the router response. This issue has been resolved. ------ - **I95-53321 Syslog datamodel is limited:** Added the following configurable syslog facility values `auth`, `authpriv`, `cron`, `daemon`, `kern`, `lpr`, `mail`, `news`, `syslog`, `user`, and `uucp`. ------ +------ - **I95-53344 Exception on device interface tear down terminates process:** Resolved a rare case where Highway process can terminate and core during config changes if there is an underlying exception to a device-interface on removal. ------ - **I95-53393 Empty password attempts not counting towards user lockout:** The SSR counts login attempts with an empty password as failed login attempts. These contribute to locking a user account if they reach the threshold (the value configured in `configure authority password-policy deny`,) within a short time window. 
@@ -927,11 +927,11 @@ This issue has been resolved; the LTE IP change is now handled it as a source-na ------ - **I95-53894 DNS cache-service does not start:** Resolved a race condition that causes the DNS process to fail to start. The log message `No TimeoutQueue:` can be seen in the logs during this condition. ------ -- **I95-53916 Stale Teams interfaces conflict with HA interfaces:** In some cases a stale teams interface could conflict with a new configuration pushed down from MIST. Resolved an issue where the use of non-standard HA ports could result in non-functional HA after a factory reset. +- **I95-53916 Pre-existing teams interfaces conflict with HA interfaces:** In a Mist-managed HA configuration where an HA node has been configured with non-default HA interfaces, performing a release operation on a node in an HA pair leaves the pre-configured HA interfaces in place, and creates a conflict when a new configuration is pushed down from Mist. This would prevent the HA node from operating correctly and forming its HA connections again. This issue has been resolved, and the release operation now removes any pre-existing HA interfaces. ------ - **I95-54030 Node sending ARP requests to the wrong MAC:** After an SFP hot swap, node1 was sending ARP requests to the wrong MAC. An issue where E810 interfaces with default MTU configuration could potentially transmit corrupt ARP response packets has been resolved. ------ -- **I95-54086 Conductor memory exceeded:** In certain cases the salt master on the conductor could grow indefinitely in memory. This may be related to situations with both poor connectivity and the use of the `asset-connection-resiliency` feature. An update to the salt package has been made to resolve this issue. +- **I95-54086 Conductor memory exceeded:** In certain cases, the salt master on the conductor could grow indefinitely in memory. 
This may be related to situations with both poor connectivity and the use of the asset-connection-resiliency feature. An update to the salt package has been made to resolve this issue. ------ - **WAN-1323 Remove bootstrapper interfaces after Mist Onboarding:** The bridge interface used for bootstrapping in the default linux environment is now removed. ------ @@ -941,7 +941,7 @@ This issue has been resolved; the LTE IP change is now handled it as a source-na - **I95-52426 Alerts not issued when decreasing the action type on an IDP custom rule definition:** In a case where a user is modifying a rule to **decrease** the action type to an `alert`, alerts for that vulnerability will not be reported. The attack will be allowed to pass through undetected. For example, if the action `close-tcp-connection` is downgraded to `alert`, the attacks will pass through undetected. ------ -- **I95-53274 PIM scaling above 1500 (Source,Group) sessions:** The SSR cannot maintain more than 1400 active (Source,Group) sessions. Juniper recommends a limit of 1400 (Source,Group) sessions to prevent a loss of traffic. +- **I95-53274 PIM multicast routes unable to maintain more than 1,400 concurrent (Source, Group) sessions:** The SSR cannot maintain more than 1400 active (Source,Group) sessions. This scaling limitation has been addressed. ------ - **I95-53777 Multicast traffic not passing after HA Failover:** High Availability with Multicast is not fully supported. Drop or complete loss of traffic may be seen when the primary node resumes traffic after a node failure and failover. ------ diff --git a/docs/release_notes_128t_6.3.md b/docs/release_notes_128t_6.3.md index 585b7bbf2d3..9be2b7db106 100644 --- a/docs/release_notes_128t_6.3.md +++ b/docs/release_notes_128t_6.3.md 
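Review bot: In the -941,7 hunk, the added I95-53274 text contradicts itself: it keeps "The SSR cannot maintain more than 1400 active (Source,Group) sessions" and then says "This scaling limitation has been addressed", and it removes the recommended limit of 1400 sessions. The surrounding entries (I95-52426, I95-53777) describe limitations, so either keep the recommendation here or reword the entry in the past tense and place it with the resolved issues. The heading also writes "1,400" and "(Source, Group)" where the body has "1400" and "(Source,Group)".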
@@ -65,14 +65,14 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ### Resolved Issues: - **The following CVEs have been identified and resolved in this release:** CVE-2024-56326, CVE-2023-26604, CVE-2025-47273, CVE-2025-6965, CVE-2025-6020, CVE-2025-4802, CVE-2025-30749, CVE-2025-30754, CVE-2025-30761, CVE-2025-50106, CVE-2025-32414, CVE-2025-49794, CVE-2025-49796, CVE-2025-6021, CVE-2025-7425, CVE-2025-32415, CVE-2025-49844, CVE-2025-58060, CVE-2025-54389, CVE-2025-8194, CVE-2025-32462, CVE-2018-10906, CVE-2018-14468, CVE-2021-42574, CVE-2022-24407, CVE-2019-12749, CVE-2021-20277, CVE-2021-4034, CVE-2021-3621, CVE-2024-28956, CVE-2025-53057, CVE-2025-53066, CVE-2025-62168, CVE-2025-11561, CVE-2024-12087, CVE-2025-40778. ------- -- **I95-58007 Add ability to set PIM graceful restart-time:** The routing default-instance pim restart-time command has been added to allow users to define the number of seconds that the PIM protocol will perform graceful-restart after a node failure. For more information, see [PIM Graceful Restart Timer](config_multicast.md#pim-graceful-restart-timer). +------ +- **I95-58007 Add ability to set PIM graceful restart-time:** The `routing default-instance pim restart-time` command has been added to allow users to define the number of seconds that the PIM protocol will perform `graceful-restart` after a node failure. This resolution addresses all the listed issues. For more information, see [PIM Graceful Restart Timer](config_multicast.md#pim-graceful-restart-timer). This also addresses I95-57702, I95-57906, I95-60637, and I95-60731. ------ - **I95-60545 Attempting network interface lookup with invalid ID:** Resolved an issue where errors due to an invalid ID were flooding the logs. Error logs in highway regarding a failed interface lookup for an invalid interface are now suppressed. 
------ - **I95-60799 Tenant prefix use within a VRF:** The SSR allows the configuration of tenant-prefixes without giving an error, and correctly handles interfaces with tenant-prefixes within the protocol code. ------ -- **I95-61588 Console access failures post-migration:** Resolved an issue where a lower baud rate was being used by the serial console. The check / enforcement for the 115200 baud rate has been improved. +- **I95-61588 Console access failures post-migration:** Resolved an issue where a lower baud rate was being used by the serial console, resulting in unreadable output. The check and enforcement for the 115200 baud rate has been improved. ------ - **I95-62011 Stats from adjacency traffic engineering throw an exception when a hostname is used:** Resolved an issue where dynamic reconfiguration when adding neighbors/adjacencies that use an FQDN and have adjacency Traffic Engineering enabled, caused the device interface to reach a failure state. ------ 
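Review bot: In the added I95-58007 line, "This resolution addresses all the listed issues." appears before any issues are listed and repeats what the final sentence states with the actual IDs. Drop it and keep "This also addresses I95-57702, I95-57906, I95-60637, and I95-60731." as the only cross reference.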
@@ -86,31 +86,31 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-62668 Routers disconnected following conductor upgrade:** Resolved an issue where SSH keys were erroneously written to the authorized-keys file. ------ -- **I95-62703 Highway process crashes when BGP over SVR is activated:** Resolved an issue where the unicast code path was incorrectly invoking multicast variant of a function call. +- **I95-62703 Highway process crashed when BGP over SVR is activated:** Resolved an issue where the unicast code path was incorrectly calling the multicast variant of getBestMultiHomedPathIndex() and causing a highway crash. ------ - **I95-62742 Cannot see sync errors for nodes that are stuck synchronizing:** Resolved an issue where errors in show assets disappeared when the synchronizing state retries. ------ - **I95-62859 Duplicate alarms created for duplicate asset IDs:** Resolved an issue where the Conductor created a duplicate asset ID alarm each time an asset with a duplicate ID tried to authenticate. ------ -- **I95-62860 250 max connection limit not respected by the web interface:** Resolved an issue where requesting too much data over graphql with a large config led to missing data. +- **I95-62860 Web server connection limit not enforced:** Resolved an issue where the 250 maximum connection limit was not being properly enforced by the web server. ------ - **I95-62877 SSR continues to forward traffic to external MAC after failover:** Resolved an issue where the SSR was continuing to forward traffic for an existing session to the original next-hop after failover. A new configuration field has been added to the service policy configuration; `reverse-gateway-change-detection`. When enabled, this feature will identify a failover/MAC change, trigger a flow-move, and update the reverse next-hop accordingly. 
For additional details see [`reverse-gateway-change-detection`](config_command_guide.md#configure-authority-service-policy-reverse-gateway-change-detection). ------ - **I95-62956 Configuration failure due to service definition expecting subnet mask:** Resolved an issue where the Anti-Virus and IDP configuration expected a subnet mask as part of the Service Address. The subnet mask has been added. ------ -- **I95-62957 Configuration failure due to invalid name:** Anti-Virus and IDP do not allow policynames using a dot (.). This has been resolved - configurations will use an underscore for policyname creation. +- **I95-62957 Configuration failure due to invalid name:** Anti-Virus and IDP do not allow policy names using a dot (.). This has been resolved — configurations will use an underscore for policy name creation. ------ - **I95-62982 SSR limits the number of supported network-interfaces:** Resolved an issue where the limit on the number of network-interfaces was low. Improved implementation of data structure storing network-interface objects, resulting in an increase of 7x the current capacity. ------ -- **I95-63018 memory corruption after reading VSA:** Resolved a rare issue where in remote authentication through Radius server, pam_radius was causing memory corruption after VSA is read. +- **I95-63018 Memory corruption after reading VSA:** Resolved a rare issue where in remote authentication through a RADIUS server, pam_radius was causing memory corruption after a Vendor Specific Attribute (VSA) is read. ------ - **I95-63036 Web interface auto-refresh:** Auto Refresh in the GUI is now a user setting and is persisted across user sessions. It is disabled by default. ------ - **I95-63084 Web interface refreshes alarms status too often:** Resolved an issue where the web interface would repeatedly request all alarms when alarm flapping occurred. This placed an unnecessarily high load on the GUI refresh process. 
------ -- **I95-63190 Router intermittently disconnects from conductor:** Resolved an issue where process errors were filling the buffer queue, dropping messages, and causing node disconnections. +- **I95-63190 Router intermittently disconnects from conductor:** Resolved an issue where process errors were filling the buffer queue, dropping messages, and causing node disconnections from the Conductor. ------ -- **I95-63228 Premature route installation complete notification:** In some cases an internal notification that the route installation was complete was being transmitted, causing the Graceful Restart process to terminate early. This issue has been resolved. +- **I95-63228 Premature route installation complete notification:** In some cases a premature internal notification that the route installation was complete was being transmitted, causing the Graceful Restart process to terminate early. This issue has been resolved. ------ - **I95-63241 Prevent GUI resource exhaustion:** Resolved an issue where a single client consumed all resources by improving the internal API requests and preventing resource exhaustion. ------ 
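Review bot: The I95-62860 replacement in this hunk describes a different symptom from the line it removes. The old text was about requesting too much data over graphql with a large config leading to missing data; the new text is about the 250 maximum connection limit not being enforced by the web server. Confirm that both refer to the same fix, and if so state how the limit relates to the missing data so the entry still matches what users saw. In the same hunk, the I95-62703 heading now mixes tenses ("crashed when BGP over SVR is activated"), and the I95-62957 line replaces the plain hyphen with an em dash that the other entries do not use.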
@@ -130,7 +130,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-63675 Node page in the GUI appears to load indefinitely:** Resolved an issue where the GUI Node page would load infinitely. ------ -- **I95-63676 Waypoints fail to allocate when the `service-path peer next-hop gateway` is off the subnet:** Resolved an issue where the first network-interface IP was selected as the local IP for waypoint allocation, even if that IP was not a valid waypoint. +- **I95-63676 Waypoints fail to allocate when the `service-path peer next-hop gateway` is off the subnet:** Resolved an issue where the first network-interface IP was selected as the local IP for waypoint allocation, even if that IP is not a valid waypoint. ------ - **I95-63976 Waypoints fail to allocate when service-path peer next-hop gateway is off the subnet:** Resolved an issue with waypoint allocation failures when using BGP over SVR with multiple IP addresses on the egress SVR interface. ------ 
@@ -146,7 +146,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b - **The following CVEs have been identified and resolved in this release:** CVE-2024-3651, CVE-2024-24806, CVE-2024-6232, CVE-2023-48161, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235, CVE-2024-56326, CVE-2022-1304, CVE-2023-26604, CVE-2025-27363, CVE-2025-0624, CVE-2024-55549, CVE-2025-24855, CVE-2024-7347, CVE-2025-23419, CVE-2022-49011, CVE-2024-40906, CVE-2024-43842, CVE-2024-44970, CVE-2024-53141, CVE-2025-21756, CVE-2025-21587, CVE-2025-30691, CVE-2025-30698, CVE-2024-0727, CVE-2023-5678, CVE-2024-5535, CVE-2024-9143, CVE-2024-13176, CVE-2016-9840. ------ -- **I95-39653 Negative duration in session table after applying filter:** Resolved an issue where applying a filter to the session table resulted in sessions displaying a negative duration. This issue has been resolved. +- **I95-39653 Negative duration in session table after applying filter:** Resolved an issue where applying a filter to the session table resulted in sessions displaying a negative duration. ------ - **I95-57584 IGMP ingress packets not being accepted after defining tenant prefixes on LAN subnet:** Resolved an issue when using `tenant-prefix` on the interface, all PIM/IGMP messages were blocked. This issue has been resolved. In addition, the ability to only allow igmp messages sent from specific source-addresses has been added. For more information, see [`source-address-prefix-list`](config_command_guide.md#configure-authority-router-routing-igmp-interface-source-address-prefix-list) ------ 
@@ -172,7 +172,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-60768 Rare race condition between packet processing and configuration update:** Resolved a rare race condition where invalid memory was accessed during packet processing if the configuration was being loaded at the same time. ------ -- **I95-60924 Adopt command error message is misleading:** Resolved an issue where username/password login failures are not clear. The `adopt` PCLI command now interactively prompts for `mist-instance` if it is not specified on the command line. This helps avoid confusion when trying to associate using username/password which fails if connecting to the wrong instance. Also resolved a related issue that prevented adoption using a Mist account with Multi Factor Authentication (MFA/2FA) enabled. +- **I95-60924 Adopt command error message is misleading:** Resolved an issue where username/password login failures are not clear. The `adopt` PCLI command now interactively prompts for `mist-instance` if it is not specified on the command line. This helps avoid confusion when trying to associate using username/password which fails if connecting to the wrong instance. Also resolved a related issue that prevented adopting using a Mist account with Multi Factor Authentication (MFA/2FA) enabled. ------ - **I95-60948 RADIUS secret length limited to 16 characters:** The RADIUS secret size was erroneously set to 16 octets. The allowable RADIUS secret size has been updated from 1 to 255. ------ 
@@ -192,13 +192,13 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-61276 Modifying Alarm Shelves does not correctly propagate the change:** Modifying the shelving criteria of an alarm shelf will now correctly shelve alarms according to the new criteria. ------ -- **I95-61458 BGP-VRF Conductor in `Connected` state instead of Running state:** Resolved an issue where salt modules fell out of sync, causing unexpected exceptions and preventing the system from picking up configuration changes. +- **I95-61458 BGP-VRF Conductor in `Connected` state instead of `Running` state:** Resolved an issue where salt modules fell out of sync, causing unexpected exceptions and preventing the system from picking up configuration changes. ------ - **I95-61483 Remove outdated CA certificates:** Improved security posture by removing outdated and untrusted certificates. ------ - **I95-61579 Highway crashes when executing command show device-interface name `` registers on an i40e network port:** Resolved an issue with the registers sub option that caused the crash on the i40e network port. The sub option has been removed. ------ -- **I95-61580 CLI does not prompt for required router restart:** Resolved an issue where making a configuration change requiring a restart only generates a warning for the router that the PCLI is running on. Committing a configuration change that requires a restart now results in a warning even when the change is on a different router. +- **I95-61580 CLI does not prompt for required router restart:** Resolved an issue where making a configuration change requiring a restart only generates a warning only for the router that the PCLI is running on. Committing a configuration change that requires a restart now results in a warning even when the change is on a different router. ------ - **I95-61866 Unnecessary events sync:** Resolved an issue where data is unintentionally sync'ed between HA nodes. ------ 
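Review bot: The added I95-61580 line introduces a duplicated word: "only generates a warning only for the router that the PCLI is running on". Keep a single "only", for example "generates a warning only for the router that the PCLI is running on".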
@@ -227,7 +227,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b - **I95-57145 Unable to change the default security policy for MSDP:** The configured security policy for MSDP SVR generated services can now be changed using `bgp-service-generation`. ------ - **I95-57265 Highway crash when generating TSI on Azure instance:** An Azure instance can crash while accessing an uninitialized RX queue. This invalid access has been prevented and the issue resolved. -------- +------ - **I95-57508 `icmp-probe-manager` not running:** When an HA interface becomes non-redundant (reconfigured as non-HA), state updates were not showing on the active-interface path. This led to the icmp-probe-manager not running. This issue has been resolved. ------ - **I95-58017 `show fib` output incomplete on routers:** Resolved an issue with `show fib` stalling and not returning complete data where the next hop entries are in excess of 200. The `show fib` output now correctly handles larger output. @@ -242,7 +242,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-59521 Local Config Override not working in the GUI:** Added support for the local configuration override mode to the GUI. For more information, see [Local Configuration Override](howto_local_config_override.md#using-the-gui). ------ -- **I95-59634 Allow Highway lockup detection to be disabled:** Added a `local.init` override for disabling datapath lockup detector mechanism. +- **I95-59634 Allow Highway lockup detection to be disabled:** Added a `local.init` override for disabling datapath lockup detector mechanism ``` "datapath": { "lockupDetectionEnabled": true/false 
@@ -253,21 +253,21 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-59745 Routers are stuck in the connected state and not transitioning to running:** Resolved an issue where the router repeatedly sent the same incorrect values to the config during startup, resulting in a race condition. ------ -- **I95-59758 Prompt for password change:** The user is now prompted to change the `admin`, `t128`, and `root` passwords during installation. The password is changed to the same value for all three users. +- **I95-59758 Interactive Initializer updates all system account passwords:** Interactive initialization now changes the `admin`, `t128` and `root` user passwords to the same value. The initialization preference file has the fields, `t128-password`, `root-password`, and `admin-password`, to set password hashes for each user, respectively. ------ - **I95-59855 The hardware bootstrapper created bridge is not removed during initialization:** During installation, the hardware bootstrapper creates a bridge in Linux and binds all of the designated LAN NICs to the bridge to allow SSH. This bridge is removed during initialization of the conductor, and Mist managed routers, but is not removed from conductor managed routers. This has been addressed and the issue resolved. ------ - **I95-59860 Incorrect timestamps shown on IDP startup:** The `Engine started` and `Last Commit` timestamps have been updated to provide accurate readings when the engine has not yet started, or the values are not available. ------- -- **I95-59996 Force password change in GUI:** Steps have been added during the initialization workflow in the GUI to require that the user change the default password. +------ +- **I95-59996 GUI Initialization sets passwords for all system accounts:** GUI initialization now changes the `admin`, `t128` and `root` user passwords to the same value. See [Password Security](config_password_security.md) for additional information. 
------ - **I95-60038 `show fib` lookup fails for IPv6 addresses:** Parsing IPv6 addresses was not performed properly, resulting in an invalid query. The code has been updated to properly parse the request before processing. ------ -- **I95-60041 Force password change in the CLI:** Steps have been added during the initialization workflow in the CLI to require that the user change the default password. +- **I95-60041 `initialize conductor` command sets password for all system accounts:** The system accounts `admin`, `t128` and `root` are simultaneously set to the provided password hash, ensuring default passwords are not used. ------ - **I95-60180 Installation screen displays incorrect SSR OS:** After the OS rebranding to SSR OS, the option to install erroneously shows on the install screen. This has been removed. ------ -- **I95-60282 Disk space usage growing to more than 90%:** DNF logs were increasing in size and not being rotated, causing a significant increase in size. A `log rotate` configuration file for DNF has been added to limit the size of DNF log files to prevent them from filling the hard drive. When this fix is installed on the conductor, it is automatically propagated to all managed routers. +- **I95-60282 Disk space usage growing to more than 90%:** DNF logs were increasing in size and not being rotated, causing a significant increase in size. A `logrotate` configuration file for DNF has been added to limit the size of DNF log files to prevent them from filling the hard drive. When this fix is installed on the conductor, it is automatically propagated to all managed routers. ------ - **I95-60287 Add option to disable Kernel Metric SLA Calculation:** In rare cases on a heavily loaded system, the kernel metric calculation process can sometimes hang for a period of time, causing an internal watchdog to fire. This results in a system restart. 
Setting `routing default-instance > service-metric-use-lsa > false` will prevent the kernel flap that causes this issue. See [`service-metric-use-lsa`](config_command_guide.md#configure-authority-router-routing-service-metric-use-sla) for additional information. ------ @@ -293,7 +293,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-60750 Password Confirmation missing:** When onboarding an SSR using the web interface, users are now required to confirm the password change. ------ -- **I95-60768 Rare race condition between packet processing and configuration update:** Resolved a rare race condition where invalid memory was accessed during packet processing if config was being loaded at the same time. +- **I95-60768 Rare race condition between packet processing and configuration update:** Resolved a rare race condition where invalid memory was accessed during packet processing if the configuration was being loaded at the same time. ------ - **I95-60924 Adopt command error message is misleading:** Resolved an issue where username/password login failures are not clear. The `adopt` PCLI command now interactively prompts for `mist-instance` if it is not specified on the command line. This helps avoid confusion when trying to associate using username/password which fails if connecting to the wrong instance. Also resolved a related issue that prevented adopting using a Mist account with Multi Factor Authentication (MFA/2FA) enabled. ------ 
@@ -335,7 +335,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-56936 OS Hardening:** To provide greater security on the SSR devices, the ability to disable USB booting and storage, as well as disable the console output has been implemented. For additional details, please see [USB Boot and Storage Security](sec-usb-security.md) and [Disable Console Output](sec-disable-console-output.md). ------ -- **I95-57305 Add flow timeout value to Associated Paths:** The Associated Paths window accessed from the Session view of the SSR GUI now displays a Flow Timeout column, providing a way to determine where the session is activity is focused. +- **I95-57305 Add flow timeout value to Associated Paths:** The Associated Paths window accessed from the Session view of the SSR GUI now displays a Flow Timeout column, providing a way to determine when the session will expire following inactivity. ------ - **I95-57471 Allow RADIUS configuration per router:** RADIUS servers can now be configured at the router level. The servers can continue to be configured at the Authority level. If a radius server is configured at the Authority level but not the router, then the Authority value will be used. If it is configured at the Authority and the router level, the router value will be used. 
@@ -347,7 +347,7 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-54366 Unable to assign an SNMP view name via the GUI:** Resolved an issue that prevented configuring SNMP (v3) Access Policy View in the GUI. ------ -- **I95-57128 Inter-VLAN traffic on the same x710 or x722 port has 8ms delay:** Resolved an issue where devices controlled by i40e driver (x710, x722) were incurring 8ms (8000us) latency due to an incorrect MAX value. This has been resolved and latency reduced to 32us. +- **I95-57128 Inter-VLAN traffic slow:** Identified an issue where devices controlled by the i40e driver (x710, x722) were incurring 8ms latency due to incorrectly setting a device throttling register to a MAX of 8ms. This has been reduced to 32us to resolve the issue. ------ - **I95-57205 Race condition on startup with LTE or PPPoE interfaces configured for DHCP, causing system to crash:** This issue has been resolved. ------ 
@@ -363,20 +363,20 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b ------ - **I95-58332 Show service-path incorrectly shows the state as `up` in an unreachable next-hop:** In a config where a `service-route next-hop` is pointing to an unreachable address, the show service-path shows the state is being up. This has been resolved by adding a next-hop reachability check to `show service-path`. ------ -- **I95-58427 Capture SNMP configuration in TSI:** The `/etc/snmp` directory is now captured in the TSI, allowing the inspection of the output. +- **I95-58427 Capture SNMP configuration in TSI:** SNMP logs and stats are now captured in the TSI, allowing the inspection of the output for troubleshooting. ------ -- **I95-58428 DSCP Steering Collision on Flow Move:** When IPSec traffic exists on a router and the DSCP steering feature is enabled, upon a flow-move DSCP 0 traffic would collide with the pre-existing tunnel session. This issue has been resolved; the DSCP 0 packet is no longer dropped, and traffic is treated correctly. +- **I95-58428 DSCP Steering Collision on Flow Move, resulting in traffic drops:** When traffic is traversing an IPSec connection and the DSCP steering feature is enabled, upon a flow-move DSCP 0 traffic would collide with the pre-existing tunnel session. This issue has been resolved; the DSCP 0 packet is no longer dropped, and traffic is treated correctly. ------ - **I95-58444 DSCP steering is not correctly using revertible-failover:** Resolved an issue where DSCP Steering on child services were not using learned peer routes from the parent service. DSCP steering child services now properly utilize revertible-failover resiliency policies. ------ -- **I95-58528 SSR OS renaming:** The SSR OS version has been updated from "CentOS" to "Oracle Linux" to accurately reflect its upstream Linux distribution. All internal naming has been updated. 
+- **I95-58528 SSR OS renaming:** The SSR OS has been renamed/rebranded from "CentOS7" to "SSR OS" to more accurately reflect its customized Linux distribution. All internal naming has been updated. ------ - **I95-58539 The `validate` command does not check or test for router `applies-to` config:** Resolved an issue whereby the DHCP relay inspector rule was not honoring router-based services for interfaces without DHCP relay. Errors from this rule are now warnings. ------ - **I95-58569 OSPF Graceful Restart link missing from GUI:** Resolved an issue that prevented the link to the Graceful Restart page from displaying. ------ -- **I95-58583 Bypass message-authentication in RADIUS:** An option to to bypass the requirement for the Message-Authenticator check in RADIUS requests and responses has been added. Disabling this check is considered unsafe and will allow for vulnerabilities to be exploited for users authenticating. Disabling this check is NOT recommended, but may be necessary for some backwards compatibility scenarios. ------- +- **I95-58583 Bypass message-authentication in RADIUS:** An option to bypass the requirement for the Message-Authenticator check in RADIUS requests and responses has been added. Disabling this check is considered unsafe and will allow for vulnerabilities to be exploited for users authenticating. Disabling this check is NOT recommended, but may be necessary for some backwards compatibility scenarios. +------ - **I95-58637 Relax API RBAC policies for quickstart files:** Users with config-read permissions are now able to generate quickstart files. ------ - **I95-58722 Update allowed Key Exchange Algorithms to add better support for Gov Cloud environments:** Expand the list of supported Key Exchange Algorithms in both FIPS and non-FIPS mode. 
@@ -404,7 +404,6 @@ Beginning with SSR-6.3.5, conductor-managed **routers** running SSR-6.3.5 must b :::note IDP is not available on the following SSR devices: SSR120, SSR400 and SSR440. ::: - ------ - **I95-58782 `node.js` process may crash on SSR120, SSR130, and other branch router devices while generating Swagger documentation:** The `node.js` process may crash on SSR120, SSR130, and other branch router devices during SSR application startup while generating Swagger documentation. This is due to an internal error, and will generate a `node.js` coredump, but has **no impact** on the SSR. Swagger documentation is generated on a subsequent restart of the SSR. This is not service impacting. ------ 
@@ -468,8 +467,8 @@ IDP is not available on the following SSR devices: SSR120, SSR400 and SSR440. ------ - **I95-49218 Filter OSPF routes using RIB Policy routes:** Use the `configure authority router routing rib-policy` command from either the routing default-instance (`configure authority router routing`) or inside `configure authority router routing vrf` to provide additional filtering for OSPF routes. For more information see [`configure authority router routing rib-policy`](config_command_guide.md#configure-authority-router-routing-rib-policy) and [`configure authority router routing vrf rib-policy`](config_command_guide.md#configure-authority-router-routing-vrf-rib-policy). ------ -- **I95-49712 Configuration validation error uninformative:** Resolved an issue where invalid configuration parameters were returning errors that were not specific enough to allow the user to locate the invalid configuration. Invalid configuration elements now generate messages that include relevant information for the invalid element, such as an IP address, node name, router name, interface names, etc. ------- +- **I95-49712 Configuration validation error uniformative:** Resolved an issue that when configuring an SSR, invalid configuration parameters were returning errors that were not specific enough to allow the user to locate the invalid configuration. Now when invalid configuration elements are identified during validation, the messages include relevant information for the invalid element, such as an IP address, node name, router name, interface names, etc. +------ - **I95-52337 Uninformative error when STEP is selected for the Conductor:** The error message now clearly states that STEP is not supported on the Conductor. ------ - **I95-54844 Default to Multi-threading for session processing:** New session processing rates are now increased by default when the system has sufficient CPU resources, by using multiple CPU threads. 
@@ -481,16 +480,16 @@ IDP is not available on the following SSR devices: SSR120, SSR400 and SSR440. - **I95-55982 X722 interface MAC being set to 00:00:00:00:00:00 on SSR1300/SSR1400:** Identified an issue where the MAC address would change during a power cycle. Another power cycle can restore the MAC to its previous value. An upgrade to the X722 firmware addresses this issue. NOTE: A power cycle is required as part of the firmware flashing sequence. All power feeds must be manually disconnected and reconnected to cycle it correctly. ------ - **I95-56013 Automatically created Conductor user accounts show as "LDAP":** Resolved an issue with user authentication where accounts were listed as `LDAP` rather than `Remote`. ------- +------ - **I95-56233 / I95-56546 Relay routers in AWS unresponsive, showing device errors:** Resolved an issue where ENA devices in some environments have shown command queue failures and are no longer able to retrieve device stats, or pass traffic. The device is now reinitialized when the driver watchdog issues a reset event. ------ -- **I95-56236 Quick Start config validation failures not being reported:** Made changes to the initialization process to allow quick start errors to be reported. +- **I95-56236 Routers unable to onboard after upgrading the Conductor:** Resolved an issue where the automated provisioner and the Quickstart processes overlapped, preventing the device state from being reviewed for errors, which stopped the onboarding process. ------ - **I95-56345 Multiple reboots of the same node of a dual node router causes the multicast stream to stop:** Resolved an issue where multiple reboots of an HA node did not allow traffic to pass. Now in this scenario an exception is thrown, which allows the session to rebuild once the internode link comes up. 
------ - **I95-56492 Sessions configured for outbound-only with nat-keep-alive enabled experience reverse flow packet drops after flow migration:** A flow move from an inter-router (WAN) peer path to an inter-node (fabric) peer path causes repeated session modifies on the hub side causing reverse traffic packet drops due to NAT keepalives incorrectly testing the failed WAN path for the migrated session. This issue has been resolved. ------ -- **I95-56527 Failure to validate and commit config; system incorrectly expected escape sequence:** Resolved an issue where capture-filter expected an escape sequence for input when it was not necessary. +- **I95-56527 `compare config` returns an `Invalid JSON` error:** Resolved an issue where the use of a backslash (`\`) in a list key or a list element generates an `Invalid JSON` error when `compare config` is run. This error occurred in cases where there is a difference between the configs in a child of the list element with a `\` in its key; Or when the parent list or leaf-list exists in both configs but the list or leaf-list element with the `\` only exists in one; Or if the list element with the `\` is renamed. ------ - **I95-56702 O365/Sharepoint application missing from the Applications list:** Resolved an issue where certain applications and protocols were excluded from automatic updates. ------ diff --git a/docs/release_notes_128t_7.0.md b/docs/release_notes_128t_7.0.md index e87fc18efb5..261f468a0a1 100644 --- a/docs/release_notes_128t_7.0.md +++ b/docs/release_notes_128t_7.0.md 
@@ -106,7 +106,7 @@ An issue has been identified involving the use of the HA Sync Redundancy Plugin ------ - **I95-55574 Events Sync Improvements:** In the event of broken communication between HA nodes, each node provides access to one hour of peer events leading up to the disconnection. This is reduced from the full history of events to lower storage needs and expedite restoration and troubleshooting. ------ -- **I95-57305 Add flow timeout value to Associated Paths:** The Associated Paths window accessed from the Session view of the SSR GUI now displays a Flow Timeout column, providing a way to determine where the session is activity is focused. +- **I95-57305 Add flow timeout value to Associated Paths:** The Associated Paths window accessed from the Session view of the SSR GUI now displays a Flow Timeout column, providing a way to determine when the session will expire following inactivity. ------ - **I95-57454 Management traffic over SVR (in-band management):** Router to Conductor communication is supported over SVR with the use of [rekey](sec_enhanced_key_mgmt.md#peer-key-and-key-rotation). ------ @@ -122,8 +122,7 @@ An issue has been identified involving the use of the HA Sync Redundancy Plugin | Denied due to URL Filtering | The session was created was blocked once app classification was completed. | | Denied due to Local Service Definition | The session was allowed on another ingress router, but is denied here based on the policy on this router (commonly related to hierarchical services). | ------ -- **I95-59634 Allow Highway lockup detection to be disabled:** Added a `local.init` override for disabling datapath lockup detector mechanism. - +- **I95-59634 Allow Highway lockup detection to be disabled:** Added a `local.init` override for disabling datapath lockup detector mechanism ``` "datapath": { "lockupDetectionEnabled": true/false 
@@ -146,7 +145,7 @@ An issue has been identified involving the use of the HA Sync Redundancy Plugin - **The following CVEs have been identified and resolved in this release:** CVE-2023-4527, CVE-2023-4806, CVE-2023-4813, CVE-2023-4911, CVE-2024-3651, CVE-2024-24806, CVE-2024-56171, CVE-2025-24928, CVE-2024-6232, CVE-2024-11187, CVE-2024-1737, CVE-2024-1975, CVE-2024-56326, CVE-2024-3596, CVE-2024-37370, CVE-2024-37371, CVE-2025-24528, CVE-2023-46846, CVE-2024-45802, CVE-2024-12085, CVE-2023-48161, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2024-21235, CVE-2022-1304, CVE-2023-26604, CVE-2025-27363, CVE-2025-0624, CVE-2024-55549, CVE-2025-24855, CVE-2024-7347, CVE-2025-23419, CVE-2025-21587, CVE-2025-30691, CVE-2025-30698, CVE-2016-9840, CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4435, CVE-2025-4517, CVE-2025-32462, CVE-2025-4802, CVE-2025-5702, CVE-2025-6020, CVE-2025-47268, CVE-2025-25724, CVE-2025-3576, CVE-2025-49794, CVE-2025-49796, CVE-2025-6021, CVE-2023-26916, CVE-2025-47273, CVE-2024-23337, CVE-2025-48060, CVE-2023-52572, CVE-2023-52621, CVE-2023-52757, CVE-2024-26686, CVE-2024-26739, CVE-2024-26952, CVE-2024-27402, CVE-2024-35790, CVE-2024-35866, CVE-2024-35867, CVE-2024-35943, CVE-2024-36350, CVE-2024-36357, CVE-2024-36908, CVE-2024-38540, CVE-2024-38541, CVE-2024-42160, CVE-2024-42322, CVE-2024-44938, CVE-2024-46742, CVE-2024-46751, CVE-2024-46774, CVE-2024-46784, CVE-2024-46816, CVE-2024-49960, CVE-2024-49989, CVE-2024-50047, CVE-2024-50125, CVE-2024-50258, CVE-2024-50272, CVE-2024-50280, CVE-2024-53128, CVE-2024-53185, CVE-2024-53203, CVE-2024-54458, CVE-2024-56551, CVE-2024-56599, CVE-2024-56655, CVE-2024-56658, CVE-2024-56751, CVE-2025-21681, CVE-2025-21839, CVE-2025-21853, CVE-2025-22027, CVE-2025-22062, CVE-2025-23140, CVE-2025-23142, CVE-2025-23144, CVE-2025-23145, CVE-2025-23146, CVE-2025-23147, CVE-2025-23148, CVE-2025-23150, CVE-2025-23151, CVE-2025-23156, CVE-2025-23157, CVE-2025-23158, CVE-2025-23159, CVE-2025-23161, 
CVE-2025-23163, CVE-2025-37738, CVE-2025-37739, CVE-2025-37740, CVE-2025-37741, CVE-2025-37742, CVE-2025-37749, CVE-2025-37752, CVE-2025-37756, CVE-2025-37757, CVE-2025-37758, CVE-2025-37765, CVE-2025-37766, CVE-2025-37767, CVE-2025-37768, CVE-2025-37770, CVE-2025-37771, CVE-2025-37773, CVE-2025-37780, CVE-2025-37781, CVE-2025-37787, CVE-2025-37788, CVE-2025-37789, CVE-2025-37790, CVE-2025-37792, CVE-2025-37794, CVE-2025-37796, CVE-2025-37797, CVE-2025-37803, CVE-2025-37805, CVE-2025-37808, CVE-2025-37810, CVE-2025-37812, CVE-2025-37817, CVE-2025-37819, CVE-2025-37823, CVE-2025-37824, CVE-2025-37829, CVE-2025-37830, CVE-2025-37836, CVE-2025-37838, CVE-2025-37839, CVE-2025-37840, CVE-2025-37841, CVE-2025-37844, CVE-2025-37850, CVE-2025-37857, CVE-2025-37858, CVE-2025-37859, CVE-2025-37862, CVE-2025-37867, CVE-2025-37875, CVE-2025-37881, CVE-2025-37883, CVE-2025-37885, CVE-2025-37890, CVE-2025-37892, CVE-2025-37905, CVE-2025-37909, CVE-2025-37911, CVE-2025-37913, CVE-2025-37914, CVE-2025-37915, CVE-2025-37923, CVE-2025-37927, CVE-2025-37929, CVE-2025-37930, CVE-2025-37940, CVE-2025-37949, CVE-2025-37967, CVE-2025-37969, CVE-2025-37970, CVE-2025-37982, CVE-2025-37983, CVE-2025-37985, CVE-2025-37989, CVE-2025-37990, CVE-2025-37991, CVE-2025-37992, CVE-2025-37994, CVE-2025-37995, CVE-2025-37997, CVE-2025-37998, CVE-2025-38005, CVE-2025-38009, CVE-2025-38023, CVE-2025-38024, CVE-2025-38031, CVE-2025-38089, CVE-2025-32462, CVE-2025-7425, CVE-2025-32414, CVE-2025-32415, CVE-2025-27151, CVE-2025-32023, CVE-2025-48367, CVE-2025-49133, CVE-2025-6965, CVE-2025-5222, CVE-2025-4373, CVE-2024-52533, CVE-2024-6174, CVE-2025-5994, CVE-2025-40909, CVE-2024-52615, CVE-2022-29458, CVE-2024-47081, CVE-2025-8058, CVE-2025-5914, CVE-2025-54389, CVE-2025-7425, CVE-2025-8194. ------ -- **I95-39653 Negative duration in session table after applying filter:** Resolved an issue where applying a filter to the session table resulted in sessions displaying a negative duration. 
This issue has been resolved. +- **I95-39653 Negative duration in session table after applying filter:** Resolved an issue where applying a filter to the session table resulted in sessions displaying a negative duration. ------ - **I95-54844 Default to Multi-threading for session processing:** New session processing rates are now increased by default when the system has sufficient CPU resources, by using multiple CPU threads. ------ 
@@ -163,12 +162,12 @@ An issue has been identified involving the use of the HA Sync Redundancy Plugin - **I95-57145 Unable to change the default security policy for MSDP:** The configured security policy for MSDP SVR generated services can now be changed using `bgp-service-generation`. ------ - **I95-57265 Highway crash when generating TSI on Azure instance:** An Azure instance can crash while accessing an uninitialized RX queue. This invalid access has been prevented and the issue resolved. -------- +------ - **I95-57508 `icmp-probe-manager` not running:** When an HA interface becomes non-redundant (reconfigured as non-HA), state updates were not showing on the active-interface path. This led to the icmp-probe-manager not running. This issue has been resolved. ------ - **I95-57584 IGMP ingress packets not being accepted after defining tenant prefixes on LAN subnet:** Resolved an issue when using `tenant-prefix` on the interface, all PIM/IGMP messages were blocked. This issue has been resolved. In addition, the ability to only allow igmp messages sent from specific source-addresses has been added. For more information, see [`source-address-prefix-list`](config_command_guide.md#configure-authority-router-routing-igmp-interface-source-address-prefix-list) ------ -- **I95-58017 FIB entries on `show fib` not available for all headends:** Resolved an issue with `show fib` stalling and not returning complete data. +- **I95-58017 `show fib` output incomplete on routers:** Resolved an issue with `show fib` stalling and not returning complete data where the next hop entries are in excess of 200. The `show fib` output now correctly handles larger output. ------ - **I95-58999 Packet Processing CPU reads 100% when interface is operationally down:** Resolved an issue where an attempt to transmit packets on an operationally down standby interface resulted in a persistent false report of packet processing activity, which led to an erroneous calculation of 100% CPU utilization. 
------ 
@@ -186,15 +185,15 @@ An issue has been identified involving the use of the HA Sync Redundancy Plugin ------ - **I95-59745 Routers are stuck in the connected state and not transitioning to running:** Resolved an issue where the router repeatedly sent the same incorrect values to the config during startup, resulting in a race condition. ------ -- **I95-59758 Prompt for password change:** The user is now prompted to change the `admin`, `t128`, and `root` passwords during installation. The password is changed to the same value for all three users. +- **I95-59758 Interactive Initializer updates all system account passwords:** Interactive initialization now changes the `admin`, `t128` and `root` user passwords to the same value. The initialization preference file has the fields, `t128-password`, `root-password`, and `admin-password`, to set password hashes for each user, respectively. ------ - **I95-59860 Incorrect timestamps shown on IDP startup:** The `Engine started` and `Last Commit` timestamps have been updated to provide accurate readings when the engine has not yet started, or the values are not available. ------- +------ - **I95-60038 `show fib` lookup fails for IPv6 addresses:** Parsing IPv6 addresses was not performed properly, resulting in an invalid query. The code has been updated to properly parse the request before processing. ------ - **I95-60180 Installation screen displays incorrect SSR OS:** After the OS rebranding to SSR OS, the option to install erroneously shows on the install screen. This has been removed. ------ -- **I95-60282 Disk space usage growing to more than 90%:** DNF logs were increasing in size and not being rotated, causing a significant increase in size. A `log rotate` configuration file for DNF has been added to limit the size of DNF log files to prevent them from filling the hard drive. When this fix is installed on the conductor, it is automatically propagated to all managed routers. 
+- **I95-60282 Disk space usage growing to more than 90%:** DNF logs were increasing in size and not being rotated, causing a significant increase in size. A `logrotate` configuration file for DNF has been added to limit the size of DNF log files to prevent them from filling the hard drive. When this fix is installed on the conductor, it is automatically propagated to all managed routers. ------ - **I95-60287 Add option to disable Kernel Metric SLA Calculation:** In rare cases on a heavily loaded system, the kernel metric calculation process can sometimes hang for a period of time, causing an internal watchdog to fire. This results in a system restart. Setting `routing default-instance > service-metric-use-lsa > false` will prevent the kernel flap that causes this issue. See [`service-metric-use-lsa`](config_command_guide.md#configure-authority-router-routing-service-metric-use-sla) for additional information. ------ 
@@ -225,20 +224,20 @@ An issue has been identified involving the use of the HA Sync Redundancy Plugin - **I95-60741 KNI no longer passes traffic when it is operationally down, preventing IPSec from functioning:** Resolved an issue with the KNI interface that prevented transmit-through even when the interface is operationally down. ------ - **I95-60747 TANK thread failure:** Resolved a rare issue where exceptions in the TANK response handling logic resulted in data missing from the GUI and PCLI. This issue has been resolved. ------- +------ - **I95-60750 Password Confirmation missing:** When onboarding an SSR using the web interface, users are now required to confirm the password change. ------ - **I95-60765 Application module does not clear previous entries:** Resolved an issue where if a module has services configured, using the REST API to send the clear command to delete those services from the module does not work. The list may appear empty, but the services still persist on the module. This issue has been resolved and the services list is now cleared properly. ------ -- **I95-60767 ServiceRouteNextHops validation rejects configuration:** Resolved an issue where the rule validator did not consider the `service application-type` as DNS proxy into consideration during the configuration rule validation. This issue has been resolved. +- **I95-60767 `service-route > next-hop` validation rejects configuration:** Resolved an issue where the rule validator did not consider the service application-type as DNS proxy during the configuration rule validation. This issue has been resolved. ------ -- **I95-60768 Rare race condition between packet processing and configuration update:** Resolved a rare race condition where invalid memory was accessed during packet processing if config was being loaded at the same time. 
+- **I95-60768 Rare race condition between packet processing and configuration update:** Resolved a rare race condition where invalid memory was accessed during packet processing if the configuration was being loaded at the same time. ------ - **I95-60924 Adopt command error message is misleading:** Resolved an issue where username/password login failures are not clear. The `adopt` PCLI command now interactively prompts for `mist-instance` if it is not specified on the command line. This helps avoid confusion when trying to associate using username/password which fails if connecting to the wrong instance. Also resolved a related issue that prevented adopting using a Mist account with Multi Factor Authentication (MFA/2FA) enabled. ------ - **I95-60948 RADIUS secret length limited to 16 characters:** The RADIUS secret size was erroneously set to 16 octets. The allowable RADIUS secret size has been updated from 1 to 255. ------ -- **I95-60960 After reboot, the PIM RP IP address moves to a VRF:** Resolved an issue where after reboot the PIM RP IP moves to a VRF, leaving the base instance without a PIM RP IP address. The VRF is now explicitly added to the config, preventing this issue. +- **I95-60960 The PIM RP moved from the base instance to a VRF after a reboot:** When PIM RPs are configured in different VRF, upon reboot the PIM RP could appear in the wrong VRF. This issue has been resolved by generating the VRF explicitly when configuring Multicast routing. ------ - **I95-61024 Pagination issues when performing `show events`:** Resolved an issue where `show events` fails to produce multiple pages. ------ diff --git a/docs/release_notes_128t_7.1.md b/docs/release_notes_128t_7.1.md index 4b7608c5994..dca0665e685 100644 --- a/docs/release_notes_128t_7.1.md +++ b/docs/release_notes_128t_7.1.md 
@@ -95,17 +95,17 @@ An issue has been identified when onboarding SSR routers installed with older ve ------ - **I95-63355 Node-level security controls for serial console and USB:** Restored support for configuring node-level security features that disable serial console output and USB boot/mass storage (for example, settings such as `serial-console-enabled` and `usb-mass-storage-enabled`). This allows users to reapply hardened platform settings where supported. ------ -- **I95-63393 Show command displaying status of power supplies in an SSR400/SSR440 (dual AC power supply):** Added a show command to display the status of power supplies in dual AC power supply models. +- **I95-63393 SSR400/SSR440 power supply status visibility:** Added CLI support to display the status of power supplies on dual-AC SSR400/SSR440 platforms. The `show chassis power` command displays power supply status for both single and dual power supply devices. This improves operational visibility into power redundancy and health on SSR400/SSR440 systems. ------ - **I95-63839 SNMP walk failures on Conductors onboarding to NMS:** Resolved an issue where SNMP walks on Conductors could fail with a `genError`, preventing successful onboarding into some network management systems. System MIB walks on Conductors now complete successfully; IF-MIB is no longer exposed on Conductors where it is not supported. ------ -- **I95-63873 DHCP leases and Logs page issues in Conductor UI:** Resolved an issue where attempting to retrieve DHCP v4 leases via the Conductor UI for a specific router resulted in `no leases found`. Also resolved an issue where viewing a router Logs page via the Conductor UI displayed ALL logs rather than using the selected time range. +- **I95-63873 DHCP leases not showing in Conductor UI:** Resolved an issue where attempting to retrieve DHCP v4 leases via the Conductor UI for a specific router results in `no leases found`. 
Also resolved an issue where viewing a router Logs page via the Conductor UI displayed ALL logs rather than using the selected time range. ------ - **I95-64152 Conductor connectivity blocked by stale SSH control sockets:** Resolved a condition where, after a router reboot (particularly following an unclean shutdown), the router could remain **Disconnected** in the Conductor due to stale SSH control sockets. The SSH coordination logic now cleans up stale control sockets automatically, restoring Conductor–router connectivity. ------ - **I95-64187 Improved handling of TPM Dictionary Attack (DA) lockout:** Improved detection and handling when the TPM is in Dictionary Attack (DA) lockout mode. The integrity handler now detects this condition earlier and fails in a more predictable manner, simplifying troubleshooting of TPM-related integrity issues. ------ -- **I95-64568 Add TPM information to `show platform`:** Added TPM presence and relevant device information to the `show platform` command output. +- **I95-64568 TPM details in platform information:** The `show platform security` command has been added to display TPM information such as TPM family (version number), revision, firmware version, and manufacturer. This allows users to verify TPM availability and configuration for security and compliance workflows. ------ - **I95-64575 Unable to login to SSR routers from conductor in Cloud deployment:** Resolved an issue where the SSH configuration on cloud-deployed routers disabled password authentication, preventing login from the conductor. ------ 
@@ -168,7 +168,7 @@ If you have an SSR400 or SSR440, it is strongly recommended that you upgrade to ------ - **I95-60545 Attempting network interface lookup with invalid ID:** Resolved an issue where errors due to an invalid ID were flooding the logs. Error logs in highway regarding a failed interface lookup for an invalid interface are now suppressed. ------ -- **I95-61588 Console access failures post-migration:** Resolved an issue where a lower baud rate was being used by the serial console. The check / enforcement for the 115200 baud rate has been improved. +- **I95-61588 Console access failures post-migration:** Resolved an issue where a lower baud rate was being used by the serial console, resulting in unreadable output. The check and enforcement for the 115200 baud rate has been improved. ------ - **I95-61823 Change `ESKM_DISABLED` to `ESKM_STANDBY` for HA router in standby state:** For routers configured as part of an HA Enhanced Security Key Management (ESKM) deployment, the standby state is now correctly identified as `ESKM_STANDBY`. ------ 
@@ -190,19 +190,19 @@ If you have an SSR400 or SSR440, it is strongly recommended that you upgrade to ------ - **I95-62956 Configuration failure due to service definition expecting subnet mask:** Resolved an issue where the Anti-Virus and IDP configuration expected a subnet mask as part of the Service Address. The subnet mask has been added. ------ -- **I95-62957 Configuration failure due to invalid name:** Anti-Virus and IDP do not allow policynames using a dot (.). This has been resolved - configurations will use an underscore for policyname creation. +- **I95-62957 Configuration failure due to invalid name:** Anti-Virus and IDP do not allow policy names using a dot (.). This has been resolved — configurations will use an underscore for policy name creation. ------ - **I95-62982 SSR limits the number of supported network-interfaces:** Resolved an issue where the limit on the number of network-interfaces was low. Improved implementation of data structure storing network-interface objects, resulting in an increase of 7x the current capacity. ------ -- **I95-63018 memory corruption after reading VSA:** Resolved a rare issue where in remote authentication through Radius server, pam_radius was causing memory corruption after VSA is read. +- **I95-63018 Memory corruption after reading VSA:** Resolved a rare issue where in remote authentication through a RADIUS server, pam_radius was causing memory corruption after a Vendor Specific Attribute (VSA) is read. ------ - **I95-63124 Harden HTTPS security:** HTTPS security has been improved and hardened by following best practices. Security headers and SSL algorithms have been updated so that browsers and external clients are only using strong algorithms. Users on older Windows/IE versions can choose to extend the SSR security using `configure authority router system services webserver ssl ciphers` to allow older ciphers. 
------ -- **I95-63190 Router intermittently disconnects from conductor:** Resolved an issue where process errors were filling the buffer queue, dropping messages, and causing node disconnections. +- **I95-63190 Router intermittently disconnects from conductor:** Resolved an issue where process errors were filling the buffer queue, dropping messages, and causing node disconnections from the Conductor. ------ - **I95-63202 Unable to bind interfaces in Azure F8 flavor in West Europe region:** Resolved an issue where driver optimization on lower core count systems required more more memory usage, causing initialization failures. ------ -- **I95-63228 Premature route installation complete notification:** In some cases an internal notification that the route installation was complete was being transmitted, causing the Graceful Restart process to terminate early. This issue has been resolved. +- **I95-63228 Premature route installation complete notification:** In some cases a premature internal notification that the route installation was complete was being transmitted, causing the Graceful Restart process to terminate early. This issue has been resolved. ------ - **I95-63292 Add upgrade timeout and rpm operation timeout:** Added the ability to configure the timeout for upgrades and for rpm download/install operations under `config authority router system software-update`. The defaults are 1 hour for SSR upgrade and 10 minutes for rpm operations. ------ 
@@ -231,7 +231,7 @@ If you have an SSR400 or SSR440, it is strongly recommended that you upgrade to - **I95-63675 Node page in the GUI appears to load indefinitely:** Resolved an issue where the GUI Node page would load infinitely. ------ - **I95-63676 Waypoints fail to allocate when the `service-path peer next-hop gateway` is off the subnet:** Resolved an issue where the first network-interface IP was selected as the local IP for waypoint allocation, even if that IP is not a valid waypoint. ------- +------ - **I95-63729 Asset state not accurately reported in conductor:** Resolved an issue where issue where the SSH authorized keys from one HA conductor node were deleted after restarting both HA conductor nodes. ------ - **I95-63817 Default peering certificates are unable to use the configured peering-common-name:** Resolved an issue where the default peering certificates were generated before receiving the configuration. The default generated peering certificate now properly uses the `peering-common-name` SSR configuration element. 
@@ -284,9 +284,9 @@ If you have an SSR400 or SSR440, it is strongly recommended that you upgrade to ------ - **I95-57019 KNI host interfaces erroneously generate LLDP:** Resolved an issue where host KNI interfaces are incrementally generating out-errors in `show device-interface`. ------ -- **I95-58007 Add ability to set PIM graceful restart-time:** The routing default-instance pim restart-time command has been added to allow users to define the number of seconds that the PIM protocol will perform graceful-restart after a node failure. For more information, see [PIM Graceful Restart Timer](config_multicast.md#pim-graceful-restart-timer). +- **I95-58007 Add ability to set PIM graceful restart-time:** The `routing default-instance pim restart-time` command has been added to allow users to define the number of seconds that the PIM protocol will perform `graceful-restart` after a node failure. This resolution addresses all the listed issues. For more information, see [PIM Graceful Restart Timer](config_multicast.md#pim-graceful-restart-timer). This also addresses I95-57702, I95-57906, I95-60637, and I95-60731. ------ -- **I95-60767 `service-route next-hop validation` rejects configuration:** Resolved an issue where the rule validator did not consider the `service application-type` as DNS proxy into consideration during the configuration rule validation. This issue has been resolved. +- **I95-60767 `service-route > next-hop` validation rejects configuration:** Resolved an issue where the rule validator did not consider the service application-type as DNS proxy during the configuration rule validation. This issue has been resolved. ------ - **I95-60799 Tenant prefix use within a VRF:** The SSR allows the configuration of tenant-prefixes without giving an error, and correctly handles interfaces with tenant-prefixes within the protocol code. ------ 
@@ -310,7 +310,7 @@ If you have an SSR400 or SSR440, it is strongly recommended that you upgrade to ------ - **I95-62011 Stats from adjacency traffic engineering throw an exception when a hostname is used:** Resolved an issue where dynamic reconfiguration when adding neighbors/adjacencies that use an FQDN and have adjacency Traffic Engineering enabled, caused the device interface to reach a failure state. ------ -- **I95-62071 Multicast Traffic contributing to service area resource contention:** The resource contention issue has been resolved. +- **I95-62071 Multicast Traffic contributing to service area resource contention:** Resolved an issue when we have an mroute with no outgoing interfaces. We now use a Detour Path instead of NoServicePaths to prevent resource contention. ------ - **I95-62179 Software Lifecycle History not up to date:** Resolved an issue where the software lifecycle page was not showing any history, or in some cases, the history was outdated. Internal functionality has been updated, and both the GUI and CLI outputs now show the correct information. ------ 
@@ -330,8 +330,4 @@ If you have an SSR400 or SSR440, it is strongly recommended that you upgrade to ### Caveats -- **I95-63422 Unable to establish peering:** An issue has been identified where the factory reset process or bringing online a new router results in the device getting stuck in a `cert-exchange-init` state when establishing peering using Enhanced Security Key Management. - - _**Workaround:**_ When adding a new router, ensure that the certificate intended for use is installed before onboarding the router to the conductor, or delay adding the router to the neighborhood until after the certificate is installed. - - For factory reset of an existing router, remove the router from the neighborhood before re-onboarding the router. Ensure that the desired certificate is installed before adding the neighborhood back to the router and re-onboarding to the conductor. +- **I95-63422 Factory reset routers not re-onboarding when ESKM enabled:** Resolved an issue where if ESKM was initially started using invalid certificate on one node, it would be unable to onboard until the remote peering relationship is restarted. diff --git a/docs/release_notes_128t_installer_2.7.md b/docs/release_notes_128t_installer_2.7.md index bac3a5b634d..46de745772d 100644 --- a/docs/release_notes_128t_installer_2.7.md +++ b/docs/release_notes_128t_installer_2.7.md @@ -32,7 +32,6 @@ sidebar_label: 2.7 The following message may be logged in `/var/log/install128t/tmux_wrapper.log` : `protocol version mismatch (client 8, server 7)`. _**Corrective Action:**_ Terminate all active tmux sessions/server processes and perform the installation/upgrade operation again. - ------ - **I95-39793 Conductor fails to self-upgrade:** This issue affects only 4.5.6-1 systems performing conductor self-upgrade with Installer version 2.7.0 (or later). Released versions of 128T prior or after 4.5.6-1 are not affected. 
diff --git a/docs/release_notes_128t_installer_3.0.md b/docs/release_notes_128t_installer_3.0.md index 93b358de920..e7d0ece89c5 100644 --- a/docs/release_notes_128t_installer_3.0.md +++ b/docs/release_notes_128t_installer_3.0.md @@ -14,7 +14,6 @@ sidebar_label: '3.0' - **IN-418 Installer 3.0 first download attempt from conductor fails on router:** _Workaround:_ Initiate the download again. The Installer will download. - ------ - **I95-39793 Conductor fails to self-upgrade:** This issue affects only 4.5.6-1 systems performing Conductor self-upgrade with Installer version 2.7.0 (or later). Released versions of 128T prior or after 4.5.6-1 are not affected. From f7daec4bb34d06d4180b22a2117d0cd8ae4787a3 Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:09:04 -0400 Subject: [PATCH 02/10] reverting some of the removed text --- docs/release_notes_128t_4.1.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index 7b2d600bf2a..d002c076464 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md @@ -77,6 +77,10 @@ The 4.1.8 release is a superset of the 4.1.7 release. Features and corrections i _**Corrective Action:**_ This condition is rare and is exacerbated by DNS responses that change for the same request. Typically the order of the A records have changed for load balancing purposes. This can be mitigated by ensuring the DNS responses are consistent, or removing the FQDN from the service configuration. ------ - **I95-33296** Removing a redundant interface and its corresponding redundancy-group within the same commit would terminate the commit + + _**Symptom:**_ Unable to commit configuration changes + + _**Corrective Action:**_ Perform two commit operations. The first commit must be to remove the redundancy-group. ------ - **I95-32843** System can fault when routing loop is created with OSPF and BGP 
From b450b84dfd083f82a07cd8d324e394dbac73aa9b Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:11:09 -0400 Subject: [PATCH 03/10] replaced removed text Added caveats regarding tenant creation and overlapping DHCP addresses. --- docs/release_notes_128t_4.1.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index d002c076464..eddb0bb4f3c 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md @@ -808,6 +808,16 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this ## Caveats - **I95-30103** Creating tenants using output of `show config running flat` does not work (Entering flat configuration into PCLI does not always create the configuration) + + _**Symptom:**_ - When performing configuration using flat (or cut and paste of the complete flat configuration line) the configuration is not applied + + _**Conditions:**_ - When a configuration object does not previously exist and setting an attribute of that configuration object. For example in the following configuration line: + ``` + configure authority tenant one name one + ``` + + If the "tenant one" configuration object does not exist, the tenant object will not be created. If it does exist then the command will set the attribute "name" to "one" + _**Corrective Action:**_ - On initial creation, do not use flat configuration operations for creating the configuration. ------ - **I95-29842** Nodes with Overlapping DHCP addresses will not be displayed when 'show peers' command is run From bae1e2140248e0538352946ef912ac46e381ce0b Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:12:18 -0400 Subject: [PATCH 04/10] replace removed text --- docs/release_notes_128t_4.1.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index eddb0bb4f3c..a5e2058ead6 100644 
--- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md @@ -828,6 +828,12 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ After upgrading the Conductors perform a commit operation from either the PCLI or the Conductor GUI ------ - **I95-29733** Conductor UI may not provide an indication that a software version check is in progress + + _**Symptom:**_ When selecting the Router to fresh the available versions to upgrade, the flashing blue indicator may not be present + + _**Conditions:**_ Shortly after both HA conductors have been upgraded and the refresh button is selected for a router + + _**Corrective Action:**_ N/A, no user corrective action can be performed. Waiting for a moment will result in the appearance of the solid blue dot if an upgrade is available (Note: Both conductors must be running a version greater than or equal to the target router version) ------ - **I95-29592** Conductor UI and/or PCLI may not update the asset software version correctly From 363ec962e60b34b91cd61089cfffdce4d39e4269 Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:12:58 -0400 Subject: [PATCH 05/10] replace removed text --- docs/release_notes_128t_4.1.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index a5e2058ead6..da0b529dbe2 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md 
@@ -855,6 +855,15 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ N/A, no user corrective action is required. ------ - **I95-29134** `save tech-support-info` indicates the failure `%Error: Failed to execute the 'save tech-support-info' RPC: Fatal error creating tarball` when files being archived contain spaces; even though the operation completes successfully + + _**Symptom:**_ `save tech-support-info` fails with the following error message: + ``` + "Error: Failed to execute the 'save-tech-support-info' RPC: Fatal error creating tarball" + ``` + + _**Conditions:**_ When configuration exports have been saved with spaces it in the name of the exported configuration file + + _**Corrective Action:**_ Remove the saved configuration files with spaces in the name and avoid using spaces when exporting configuration. Note: Exporting configuration files with spaces in the name may be prevented in a future release. ------ - **I95-28766** Conductor PCLI shows configuration change when no changes have been performed ------ From c3681109a452978ca2b940924c17275dfffc7e67 Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:13:43 -0400 Subject: [PATCH 06/10] replace removed text --- docs/release_notes_128t_4.1.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index da0b529dbe2..1585ae8bc86 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md 
@@ -866,6 +866,12 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ Remove the saved configuration files with spaces in the name and avoid using spaces when exporting configuration. Note: Exporting configuration files with spaces in the name may be prevented in a future release. ------ - **I95-28766** Conductor PCLI shows configuration change when no changes have been performed + + _**Symptom:**_ Conductor PCLI may incorrectly provide an * that there is a candidate configuration change + + _**Conditions:**_ Unknown + + _**Corrective Action:**_ None, if the configuration has not changed this indicator can be ignored. A comparison can be performed with `compare config running candidate` ------ - **I95-27946** Commit may fail on Conductor when node in router pair is stopped ------ From d7f5eb13d5692be091c29212de2063790c6f3678 Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:14:18 -0400 Subject: [PATCH 07/10] replace removed text --- docs/release_notes_128t_4.1.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index 1585ae8bc86..1123cba7a39 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md 
@@ -874,6 +874,17 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ None, if the configuration has not changed this indicator can be ignored. A comparison can be performed with `compare config running candidate` ------ - **I95-27946** Commit may fail on Conductor when node in router pair is stopped + + _**Symptom:**_ When performing a commit to a router where one of the nodes is offline, the commit from the Conductor may not respond or may fail. Performing a validate operation a second time may provide the following error response: + + ``` + “✖ Validating... + % Error: Candidate configuration is invalid: + 1. A request of type validate is already in progress” + ``` + _**Conditions:**_ When a node in the router pair is offline. + + _**Corrective Action:**_ The validate operation is sent from the conductor to the nodes to verify that the configuration is correct. The validate will timeout to the node that is offline. Bring the node back online and perform the operation a second time. ------ - **I95-27944** Network error may cause upgrade to fail and not retry. From 0b46b41b04215553d18523b555d2b38d2b14a58e Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:15:18 -0400 Subject: [PATCH 08/10] replace removed text --- docs/release_notes_128t_4.1.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index 1123cba7a39..05e6788f8a9 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md 
@@ -905,6 +905,12 @@ The 4.1.0 release requires the 128T-installer 2.2.0 or greater. By default, this _**Corrective Action:**_ Perform the PCLI command on the router to update the information on the conductor. ------ - **I95-27722** Alarms for "Peer not reachable" may not clear and will persist after nodes are back and operational + + _**Symptom:**_ Alarms for "peer not reachable" provided in on the Conductor + + _**Conditions:**_ Unknown, seen after system upgrade + + _**Corrective Action:**_ NA, The alarms will clear within 15 minutes. ------ - **I95-25947** The upgrade to 4.1 can take upwards of 40 minutes to complete. The increase in installation time is due to the underlying OS upgrade. ------ From cf7f3bb60154b362b1aef8a47312266e3ed9fcca Mon Sep 17 00:00:00 2001 From: Michael Baj Date: Thu, 4 Jun 2026 18:17:13 -0400 Subject: [PATCH 09/10] removing unnecessarily added text --- docs/release_notes_128t_4.1.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/release_notes_128t_4.1.md b/docs/release_notes_128t_4.1.md index 05e6788f8a9..ef3da963573 100644 --- a/docs/release_notes_128t_4.1.md +++ b/docs/release_notes_128t_4.1.md @@ -136,10 +136,6 @@ The 4.1.6 release is a superset of the 4.1.5 release. Features and corrections i - **I95-30002** Service route generation skipped for generation set to true if another service with the same name is set to generation false ------ - **I95-30078** - HA node communication failure results in two systems both taking control of a shared (redundant) interface - - _**Symptom:**_ Traffic egressing a highly available device may get pinned to the wrong node in a highly available pair. - - _**Mitigation (pre-4.1.5):**_ Manually purge specific traffic flows that are pinned to the wrong node, to allow them to regenerate. ------ - **I95-30315** DHCP Server fails to start after system power failure and power recovery ------ From 4b101d95f46b33beb2267ed7737e2659f62b1afc Mon Sep 17 00:00:00 2001 
From: Michael Baj Date: Thu, 4 Jun 2026 18:22:44 -0400 Subject: [PATCH 10/10] replacing removed text --- docs/release_notes_128t_4.2.md | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/docs/release_notes_128t_4.2.md b/docs/release_notes_128t_4.2.md index de08ea7e7cf..3b96f5ab6f7 100644 --- a/docs/release_notes_128t_4.2.md +++ b/docs/release_notes_128t_4.2.md @@ -172,6 +172,8 @@ init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip net Until the system is upgraded to 4.3.5, the learned MTU value can be directly set within Linux ------ - **I95-35323** BGP over SVR does not work when both sides are using VLAN tags. + + Until the system is upgraded to 4.3.5, configure the outgoing SVR interfaces without vlans. At least one side of the BGP over SVR routers should not utilize VLAN tagging. ------ - **I95-35401** SVR traffic would be dropped as a result of tenant members source type being incorrectly classified. _**Conditions:**_ When the interface has an adjacency and Tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as `PUBLIC` for that entry when it should show as `HYBRID` @@ -206,7 +208,7 @@ The 4.2.6 release is a superset of the 4.2.5 release. Features and corrections i Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to allocate ports for WayPoint; intf=5.0; local=192.0.2.100; remote=198.51.100.128 ``` - Until the system is upgraded to 4.1.10, this issue can be mitigated by removing the corresponding adjacency configuration and adding it back. + Until the system is upgraded to 4.2.6, this issue can be mitigated by removing the corresponding adjacency configuration and adding it back. ------ - **I95-34164** Load balancer occasionally returns standby paths during packet duplication flow setup ------ 
@@ -241,15 +243,25 @@ The 4.2.5 release is a superset of the 4.2.4 release. Features and corrections i _**Conditions:**_ Changing the object's key, in this case `device-interface > name` causes secure fields to be incorrectly converted to `(removed)`. - Until the system is upgraded to 4.3.2, this issue can be mitigated by deleting the existing `device-interface` object and recreate it. + Until the system is upgraded to 4.2.5, this issue can be mitigated by deleting the existing `device-interface` object and recreate it. ------ -- **I95-30011** System hostnames that cannot be resolved cause two HA nodes to achieve quorum after DNS lookup times out (approximately 40 seconds) +- **I95-30011** HA router nodes may take upwards of 40 seconds to achieve quorum. + + _**Symptom:**_ SVR traffic may be dropped while a redundant node is restarting. + + _**Conditions:**_ The hostname of the platform cannot be resolved + + Until the system is upgraded to 4.2.5, this issue can be mitigated by setting the hostname of the node to a value that can be resolved or add an address for the system in `/etc/hosts` ------ - **I95-31597** Configuring a static ARP entry within a `neighbor` configuration is not honored _**Symptom:**_ Dynamic ARP entries take precedence over statically configured ARP entries ------ - **I95-32244** Download of software upgrade may fail and not provide feedback + + _**Conditions:**_ Managed router being upgraded via Conductor can intermittently fail due to transient network conditions, 4.2.5 will now perform multiple attempts to verify the download completed. + + Until the system is upgraded to 4.2.5, this issue can be mitigated by performing the Download operation again. ------ - **I95-32509** Generated configuration objects are shown by default in GUI and PCLI ------ 
@@ -326,6 +338,10 @@ The 4.2.5 release is a superset of the 4.2.4 release. Features and corrections i - **I95-33857, I95-33643** Short OTP QuickStart DHCP server lease time results in an initial OTP QuickStart failure. ------ - **I95-34058** Session setup fails for paths configured as `outbound-only` when first packet of a flow exceeds MTU (typically UDP) + + _**Symptoms:**_ Session setup fails + + _**Conditions:**_ Paths configured as `outbound-only`, and the first packet of the flow exceeds MTU (typically UDP). ------ - **I95-34090** A network-interface configured with multiple neighborhoods, where one of the neighborhoods defines a port range, will result in traffic being dropped on the defined range
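Review bot: In the `@@ -168,7 +168,7 @@` hunk, the reworded I95-61588 entry has a compound subject with a singular verb: "The check and enforcement for the 115200 baud rate has been improved." Use "have been improved", or reword to "Checking and enforcement of the 115200 baud rate has been improved" so the sentence is grammatical.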
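Review bot: In the `@@ -190,19 +190,19 @@` hunk, the rewritten I95-63018 entry mixes tenses ("was causing memory corruption after a Vendor Specific Attribute (VSA) is read"); make it "was read" or "after reading a VSA". Two further points in the same hunk: the I95-63202 context line still says "required more more memory usage" and is worth fixing while this text is being cleaned up, and the I95-63190 body now says "the Conductor" while its own heading says "conductor", so pick one capitalization.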
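Review bot: In the `@@ -231,7 +231,7 @@` hunk, only the separator is corrected, but the I95-63729 entry directly below it has a heading ("Asset state not accurately reported in conductor") that does not match its description (SSH authorized keys deleted after restarting both HA conductor nodes), and the description repeats "where issue where". Since the stated goal of patch 01 is to replace divergent text for the same issue, this entry should be reconciled here too.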
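Review bot: In the `@@ -284,9 +284,9 @@` hunk, the new I95-58007 text says "This resolution addresses all the listed issues." before any issues are listed, and then repeats the point in "This also addresses I95-57702, I95-57906, I95-60637, and I95-60731." Drop the first sentence and keep only the final one with the explicit IDs. Also, `graceful-restart` is now in code formatting mid-sentence although it is used as ordinary prose there, not as a command or configuration element.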
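Review bot: In the `@@ -310,7 +310,7 @@` hunk, the replacement text for I95-62071 switches to first person and internal terminology ("Resolved an issue when we have an mroute with no outgoing interfaces. We now use a Detour Path instead of NoServicePaths"), which does not match the register of the surrounding entries. Suggest impersonal wording such as "Resolved an issue where an mroute with no outgoing interfaces caused resource contention", and either format `NoServicePaths` as code or explain it, since customers reading the release notes will not know the term.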
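Review bot: In the `@@ -330,8 +330,4 @@` hunk, I95-63422 is rewritten as "Resolved an issue where ..." but the entry still sits under the `### Caveats` heading, and the ESKM workaround paragraphs are deleted. A resolved issue belongs under the fixed-issues list for the release that contains the fix; if this release still ships with the `cert-exchange-init` problem, the entry must stay a caveat and keep its workaround. As written, an operator onboarding a factory-reset router with ESKM enabled loses the only guidance on installing the certificate before joining the neighborhood.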
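Review bot: In patch 03, the `@@ -808,6 +808,16 @@` hunk restores text only under I95-30103, yet the commit message says caveats were added for both tenant creation and overlapping DHCP addresses; I95-29842 appears only as an unchanged context line, so either the message or the patch is incomplete. Within the restored text, the labels carry a stray "- " (`_**Symptom:**_ - When`), and `_**Corrective Action:**_` follows the previous paragraph with no blank line between them, so it will render as part of that paragraph.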
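Review bot: In patch 04, the restored I95-29733 Symptom line contains a typo: "When selecting the Router to fresh the available versions" should read "to refresh the available versions". Since this text is being re-added verbatim, fix it in the same commit so it is not reintroduced.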
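Review bot: In patch 05, the error string in the restored I95-29134 Symptom block does not match the one in the entry's own heading: the heading quotes `%Error: Failed to execute the 'save tech-support-info' RPC` while the fenced text has `Error: Failed to execute the 'save-tech-support-info' RPC` (hyphenated command name, no leading `%`) and is wrapped in literal double quotes. Operators search logs for this string, so use the exact message in both places. The Conditions line also has a transposition: "saved with spaces it in the name".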
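Review bot: In patch 06, the restored I95-28766 Symptom line uses a bare asterisk ("may incorrectly provide an * that there is a candidate configuration change"), which Markdown can treat as an emphasis marker and which leaves the sentence incomplete. Write it as "may incorrectly display an `*` indicating that there is a candidate configuration change".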
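Review bot: In patch 07, the fenced error output restored under I95-27946 is wrapped in typographic quotes (“ ... ”) that are not part of the PCLI output, so anyone copying it to search logs will get no match; remove them. The `_**Conditions:**_` line also starts immediately after the closing fence with no blank line, unlike the other restored entries, and "The validate will timeout to the node" should be "The validate request to the offline node will time out".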
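Review bot: In patch 08, the restored I95-27722 Symptom line is garbled ("Alarms for "peer not reachable" provided in on the Conductor"); suggest "are displayed on the Conductor". The Corrective Action uses "NA" where the other restored entries in this file use "N/A".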
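Review bot: In patch 09, the `@@ -136,10 +136,6 @@` hunk removes the Symptom and pre-4.1.5 Mitigation for I95-30078 as "unnecessarily added text" without saying which earlier patch in the series added it, which makes the removal hard to verify against patches 02 to 08; name the patch in the commit message or squash the two. The context line for the same entry also keeps a stray hyphen after the ID ("**I95-30078** - HA node communication failure") that the other entries do not have.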
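Review bot: In patch 10, the text added under I95-35323 in `release_notes_128t_4.2.md` says "Until the system is upgraded to 4.3.5", while the other hunks of this same patch correct out-of-series version references to the 4.2 release they sit in ("4.1.10" to "4.2.6", "4.3.2" to "4.2.5"). Confirm whether 4.3.5 is really the fixing release for a 4.2 note or whether this is the same copy-paste error; the unchanged MTU line just above carries the same 4.3.5 reference. The added sentence also mixes "vlans" and "VLAN" and states the mitigation twice in different terms (no VLANs on outgoing SVR interfaces versus at least one side untagged); keep the second, more precise statement.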
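Review bot: In the `@@ -241,15 +243,25 @@` hunk of patch 10, the new I95-32244 `_**Conditions:**_` line folds the fix description into the condition with a comma splice ("... can intermittently fail due to transient network conditions, 4.2.5 will now perform multiple attempts ..."); split the condition from the statement of what 4.2.5 changes. The mitigation sentences in this hunk also break parallel structure: "by deleting the existing `device-interface` object and recreate it" and "by setting the hostname ... or add an address" should use "recreating" and "adding".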
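Review bot: In the `@@ -326,6 +338,10 @@` hunk, the label added for I95-34058 is `_**Symptoms:**_` where every other entry in the series uses `_**Symptom:**_`, and the two added lines only restate the entry's heading ("Session setup fails", "Paths configured as `outbound-only`, and the first packet of the flow exceeds MTU"). Use the singular label for consistency, and either add information the heading lacks (for example, what the operator observes) or leave the heading to stand alone.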