
128T 4.2 Release Notes

Release 4.2.9

warning

SSH Root Login is not permitted.

Before upgrading, ensure that there is at least one user on each 128T system that has sudo privileges. Failure to do so may result in the loss of remote management connectivity to the 128T Networking Platform. Please see the Installation Overview for additional information.
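One way to run the pre-upgrade check described in the warning above, as an added example that is not part of the original release notes or of 128T tooling. It assumes sudo rights are granted through membership of an admin group (`wheel` by default, passed as a parameter); the function names and the sample accounts are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that at least one non-root account can still
# administer the host once SSH root login is refused.
# Assumption: sudo rights come from membership of an admin group ("wheel").

# sudo_capable_users PASSWD_FILE GROUP_FILE [ADMIN_GROUP]
# Prints, one per line, the non-root accounts with an interactive shell that
# belong to ADMIN_GROUP as primary or supplementary group.
sudo_capable_users() {
    passwd_file=$1
    group_file=$2
    admin_group=${3:-wheel}
    awk -F: -v grp="$admin_group" '
        # First file: group database. Record the admin group gid and members.
        FILENAME == ARGV[1] {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") member[m[i]] = 1
            }
            next
        }
        # Second file: passwd database.
        {
            user = $1; uid = $3; pgid = $4; shell = $7
            if (uid == 0) next                        # root login is not permitted
            if (shell ~ /\/(nologin|false)$/) next    # no interactive login
            if ((user in member) || (gid != "" && pgid == gid)) print user
        }
    ' "$group_file" "$passwd_file" | sort -u
}

# preupgrade_sudo_check PASSWD_FILE GROUP_FILE [ADMIN_GROUP]
# Returns 0 when at least one qualifying account exists, 1 otherwise.
preupgrade_sudo_check() {
    users=$(sudo_capable_users "$@")
    if [ -z "$users" ]; then
        echo "FAIL: no non-root account in the admin group; do not upgrade yet" >&2
        return 1
    fi
    echo "OK: sudo-capable accounts: $(echo "$users" | tr '\n' ' ')"
}

# write_sample_db DIR
# Writes constructed passwd/group files (not taken from a real system).
write_sample_db() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
netops:x:1000:1000:Network ops:/home/netops:/bin/bash
ops2:x:1001:10:Second admin:/home/ops2:/bin/bash
auditor:x:1002:1002:Read only:/home/auditor:/bin/bash
svc:x:1003:10:Service account:/var/lib/svc:/sbin/nologin
EOF
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:root,netops,svc
netops:x:1000:
auditor:x:1002:
EOF
}

# Demonstration on the constructed sample data.
demo() {
    sample_dir=$(mktemp -d)
    write_sample_db "$sample_dir"
    preupgrade_sudo_check "$sample_dir/passwd" "$sample_dir/group"
    rm -rf "$sample_dir"
}
demo
```

On a live system the same functions can be fed the saved output of `getent passwd` and `getent group` so that directory-backed accounts are included; running `sudo -l -U <user>` as root confirms the effective rights of each account the check reports.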

Resolved Issues

  • I95-18807 An error displays in the journal due to imudp module loaded by rsyslog daemon. The error condition has been resolved and the error no longer displays.

  • I95-32298 KNI interfaces created by the IPsec plugin do not transition to "operationally down" when being set to "administrative down". The KNI interfaces now transition smoothly.

  • I95-33594 Changing the neighbor-as of an existing bgp neighbor prevents it from connecting. The BGP neighbor now connects correctly.

  • I95-33989 Incorrect error message reported within PCLI when trying to execute validate after a previous validate was terminated with CTRL+c. Resolved conflicting validation operation messaging.

  • I95-34649 best-effort path handling for proportional load balancing is not honored by service-policy. Path handling for best effort load balancing is handled correctly.

  • I95-34650 In a multihop SVR scenario, the system may incorrectly attribute incoming packets as coming from a different peer path. This has been resolved and no longer results in packet loss.

  • I95-35111 No active NTP server alarm erroneously generated when 128T can successfully reach a provisioned NTP server. The error is no longer thrown when multiple NTP servers are configured and at least one is reachable.

  • I95-35406 Shutdown race condition may cause improper DHCP server clean up, causing DHCP server to fail on next start of 128T. The shutdown race condition no longer occurs.

  • I95-35567, I95-37833 Weak Password Policy. New restrictions on password properties have been added to ensure strong passwords.

  • I95-35694 A service-route of type host results in an invalid service path during session establishment. This issue has been resolved by adding a missing gateway-ip address to the process.

  • I95-35701 Configuration validation incorrectly rejects valid config when a service-route references a service with both applies-to authority and router-group not matching the router of that service-route. Configuration validation no longer rejects the valid configuration.

  • I95-35781 Rare race condition during rotate logs PCLI command may cause applications to fault. The rotate logs PCLI command no longer causes the race condition.

  • I95-35799 When a dynamic route is removed that exactly matches the prefix of a configured service, the route is removed from the RIB but it may remain in the FIB and still be used for establishing new sessions. This issue has been resolved.

  • I95-35927 When deleting a VLAN network interface and simultaneously assigning its VLAN ID to the only other remaining network interface on the same device interface, future operational state changes on that interface may be ignored. This issue has been resolved.

  • I95-35933 show device-interface displays incorrect values for speed and duplex for PPPoE interfaces. The correct speeds are now displayed for show device-interface.

  • I95-35935 Configuring the same value for router > conductor-address on different routers will generate invalid configuration. The router-based conductor map has been separated from the global conductor map.

  • I95-36149 Committing a configuration change to a device-interface capture-filter when actively capturing traffic on that interface can cause the highway process to fault. Updated to verify the order of operations and prevent the fault.

  • I95-36341 A race condition can occur when receiving a BGP packet destined for the 128T during startup without a fully populated FIB, causing a system fault. The race condition has been resolved.

  • I95-36356 Loading a configuration that changes the BGP graceful-restart restart-time may cause a highway process fault if a subsequent graceful-restart timeout occurs. Changes to the BGP graceful-restart restart-time no longer cause a process fault.

  • I95-36394 Auto-generated conductor service names that include a '.' will fail to commit configuration. This issue has been resolved.

  • I95-36525 TLS 1.0 is no longer supported.

  • I95-36632 Empty office365 metadata file results in HTTP 400 bad request error. Office365 modules no longer generate bad requests.


  • I95-36672 Deleting all session-capture filters on a device-interface with active traffic can cause the highway process to restart. Traffic on the device interface is handled before deleting the filters.

  • I95-36770 Salt minion log file was not being properly rotated. The log file is now rotated correctly.

  • I95-36841 TCP RST can cause the highway process to fault on a SVR path performing UDP transform. TCP resets generate properly into SVR when UDP transform is enabled.

  • I95-36873 Alarms generated by a router in an authority are incorrectly sent as SNMP traps from all other routers in the authority. Alarms from other routers are now correctly filtered.

  • I95-36927 A race condition exists that can cause a fault in the highway process during session setup while applying a configuration change that removes BGP over SVR service-route(s). This race condition has been resolved.

  • I95-37457 show rib and show bgp do not support more than one pagination session. The routing service agent show commands no longer cache the text output when there are more lines than requested.

  • I95-37577 LDAP authentication fails for users that contain a '-' in their name. Naming issues causing LDAP authentication failures have been resolved.

  • I95-37588 Value for configure > authority > router > system > software-update > repository > address uses the first lexicographically sorted router for all other routers in authority instead of using a unique value per router. Resolved the issue where a managed router had the incorrect IP address.

  • I95-37642 A user cannot change their password from the 128T GUI. A user can now change their 128T password from the web application GUI.

  • I95-37644/I95-37809 Analytics backend requests do not adhere to a strict schema. This vulnerability has been addressed, and fixes put in place to prevent SQL injection attacks.


  • I95-37646 Password Change does not require current password. The password change process has been strengthened, and now requires the current password.

  • I95-37647 Server-Sent-Events pass values in the clear for some internal request URIs. Vulnerabilities identified with server sent events have been resolved.

  • I95-37650 The 128T web UI incorrectly supports being embedded as an iFrame within another page. The 128T Web UI does not support iFrame embedding.

  • I95-37651 Unrestricted File Upload. Restrictions are in place that make it impossible to import or upload files that do not match tar.gz format.

  • I95-37800 Apply MSS Clamping on SYN/SYN+ACK packets. MSS enforcement has been enabled on SYN-ACK packets.

  • I95-37843 Require username and password when updating environmental configuration. The initializer has been updated to require both a username and password when installing 128T and configuring it as the second peer in an HA configuration.

Release 4.2.8

Resolved Issues

  • I95-24681 Grammatical improvements to HA initialization, providing more clarity around the use of specific IP addresses.

  • I95-30610 RTP is not properly classified for subsequent 128T routers

  • I95-33842 Race condition on 128T startup, causing DHCP server to fail to start. Conditions: DHCP server is not running. The following log message can be seen:
    init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Running command ['/usr/sbin/ip', 'netns', 'set', 'dhcp-server-ns-1', '1073742075']
    init[5720]: [dh00000001 | dhcp-server-ns-1:1073742075] Command "/usr/sbin/ip netns set dhcp-server-ns-1 1073742075" failed: RTNETLINK answers: No space left on device
    Until the system is upgraded to 4.2.8, this issue can be mitigated by restarting the 128T process.

  • I95-34053 When configured to use LDAP, locally created user credentials and access are not honored for those users that already exist in LDAP.

    Until the system is upgraded to 4.2.8, this issue can be mitigated by restarting the 128T.


  • I95-34629 During the initial window of a router connecting to its HA peer, or its connection to the Conductor while a connection outage occurs, configuration commits may fail silently. Candidate configuration will remain uncommitted.

    Until the system is upgraded to 4.2.8, this issue can be mitigated by attempting the commit again.


  • I95-34716 Fixed a rare race condition crash on startup of the Automated Provisioner

  • I95-34744 highway process can fault when a DHCP server assigns the IP address 0.0.0.0 to the 128T router

  • I95-34790 Dual node HA routers with large numbers of peer paths (>500) may see some flows get blackholed after a node failover occurs.

  • I95-34842 The configuration attribute authority > router > node > device-interface > vrrp has been removed from configuration in the GUI as the capability does not exist

  • I95-34961 Using a QuickStart file to provision a router fails if the ZScaler plugin is installed on the Conductor.

  • I95-34968 Self-signed certificates created during initial installation of 128T are invalid

  • I95-35062 Non-permanent LTE failures are incorrectly displayed as a failure context in show device-interface

  • I95-35082 When a 128T is deployed behind a NAT firewall and has path MTU (PMTU) discovery enabled, SVR sessions established for outbound-only connections are set up with the configured interface MTU, not the discovered PMTU.

  • I95-35093 show asset <asset-id> incorrectly continues to show Currently Upgrading version after completion of an upgrade.

  • I95-35099 Removing a 128T user does not remove its Linux credentials, allowing the user to still login to Linux.

    Until the system is upgraded to 4.2.8, this issue can be mitigated by disabling rather than deleting the user.


  • I95-35115 Aggregate bandwidth charts may not display data accurately

  • I95-35155 show device-interface output did not include duplex mode

  • I95-35188 Adding a tenant or changing the order of tenants in the configuration can lead to traffic being dropped upon session recovery

    Conditions: Configuration change is made to tenants while one node of a HA pair is offline. After the configuration change, the node that was offline takes over as the primary for existing sessions.

    Until the system is upgraded to 4.2.8, if the tenant configuration has changed and a HA node has taken over as active, the traffic that is being dropped can be cleared by performing a simultaneous reboot of both nodes.


  • I95-35205 LTE interfaces do not honor MTU settings set in the network

    Until the system is upgraded to 4.3.5, the learned MTU value can be directly set within Linux


  • I95-35323 BGP over SVR does not work if both sides of the routers have VLAN tagged interfaces

    Until the system is upgraded to 4.3.5, configure the outgoing SVR interfaces without vlans. At least one side of the BGP over SVR routers should not utilize VLAN tagging.


  • I95-35401 SVR traffic would be dropped as a result of tenant members source type being incorrectly classified. Conditions: When the interface has an adjacency and tenant members are applied via neighborhoods and/or child tenants. The tenant table will show the source type as PUBLIC for that entry when it should show as HYBRID.

  • I95-35602 The command show network-interface may result in an Unhandled TypeError in the PCLI when a PPPoE interface is down

Release 4.2.7

Resolved Issues

  • I95-35138 A vulnerability in the SaltStack code allows for unauthenticated salt-minions to execute any script on the salt-master.
    info

    This fix is required only on the 128T Conductor.

Release 4.2.6

note

The 4.2.6 release is a superset of the 4.2.5 release. Features and corrections in the 4.2.5 release are not provided in these release notes. Please refer to the 4.2.5 release notes for further information.

Resolved Issues

  • I95-34068 SVR sessions fail to establish due to waypoint allocation failures after HA node failover. Symptom: The following warning log is generated:

    Mar 03 09:25:10.813 [HWMC| – ] WARN (icmpManager ) Base Exception: failed to allocate ports for WayPoint; intf=5.0; local=172.27.233.47; remote=10.61.55.109

    Until the system is upgraded to 4.2.6, this issue can be mitigated by removing the corresponding adjacency configuration and adding it back.


  • I95-34164 Load balancer occasionally returns standby paths during packet duplication flow setup

  • I95-34371 Large FIBs can take in excess of 30 seconds to load, causing the highway process to fault and restart

    Symptom: System would appear to take a long time to load its FIB

    Conditions: System running at TRACE log level may induce this problem

    Until the system is upgraded to 4.2.6, this issue can be mitigated by ensuring the system is configured at log level INFO, and if necessary, reduce the size of the service configuration.


  • I95-34645 Swagger API for "clone" and "move" operations are incorrect. They are /config/{configStore}/authority/district/{district}/clone when they should be /config/{configStore}/authority/district/clone

  • I95-34577 Interface never becomes active when shared-physical-address is configured to be the same as the physical MAC

Release 4.2.5

note

The 4.2.5 release is a superset of the 4.2.4 release. Features and corrections in the 4.2.4 release are not provided in these release notes. Please refer to the 4.2.4 release notes for further information.

Resolved Issues

  • I95-18857 Support for automatic loopback has been added to Sangoma T1 devices

  • I95-27764 write log snapshot does not work for process highway

  • I95-28190 Addressed issue causing PPPoE passwords to be incorrectly changed to (removed). Symptom: device-interface > pppoe > password gets converted to (removed) upon changing device-interface > name.

    Conditions: Changing the object's key, in this case device-interface > name causes secure fields to be incorrectly converted to (removed).

    Until the system is upgraded to 4.2.5, this issue can be mitigated by deleting the existing device-interface object and recreating it.


  • I95-30011 HA router nodes may take upwards of 40 seconds to achieve quorum.

    Symptom: SVR traffic may be dropped while a redundant node is restarting.

    Conditions: The hostname of the platform cannot be resolved

    Until the system is upgraded to 4.2.5, this issue can be mitigated by setting the hostname of the node to a value that can be resolved or by adding an address for the system in /etc/hosts


  • I95-31597 Configuring a static ARP entry within a neighbor configuration is not honored

    Symptom: Dynamic ARP entries take precedence over statically configured ARP entries


  • I95-32244 Cannot upgrade after software download completes

    Conditions: Managed router being upgraded via Conductor can intermittently fail due to transient network conditions. 4.2.5 will now perform multiple attempts to verify the download completed.

    Until the system is upgraded to 4.2.5, this issue can be mitigated by performing the Download operation again.


  • I95-32509 Generated configuration objects are shown by default in GUI and PCLI

  • I95-32660 saltMaster.log files rotate once daily with a maximum of 25 rotated files, consuming a large amount of disk space. This has been changed to rotate hourly, with a maximum of 25 rotated files.

  • I95-33024 Specifying a metric value within advertise-default of OSPF causes advertisements to be withdrawn

    Until the system is upgraded to 4.2.5, this issue can be mitigated by removing the metric value from the advertise-default configuration


  • I95-33174 Some LTE cards do not use the correct wireless bands for the AT&T network

  • I95-33432 Path MTU discovery could be fooled by a (bad acting) network element that fragments large packets in spite of the do-not-fragment (DF) flag

    Symptom: Sessions utilizing large packets (like those in some print jobs) may result in failed attempts

    Conditions: in-path network element fragments packets with DF bit set.


  • I95-33485 Upgrading a HA node of a 128T router can result in traffic being dropped

    Symptom: Existing traffic for some services are blackholed during upgrade

    Until the system is upgraded to 4.2.5, this issue can be mitigated by completing the upgrade of both nodes or restarting the non-upgraded 128T


  • I95-33506 File descriptors can leak upon incorrectly configuring a non-existent namespace within an interface type of host.

    Symptom: 128T application will fail to run network scripts and other applications

    Conditions: Setting network-namespace to a value that does not exist on the host platform after committing configuration

    Until the system is upgraded to 4.2.5, this issue can be mitigated by removing the invalid configuration.


  • I95-33535 Interface name incorrectly allows for prefixed whitespace in configuration, resulting in failure to create interface.

  • I95-33556 128T may drop inbound SVR traffic when destination service address and port overlaps with interface (waypoint) address and wayport.

    Conditions: address on a service matches that of the network-interface that participates in SVR AND tenant on the service matches the tenant on the network-interface depending on the service scope AND the port-range defined on the network-interface overlaps with port-range of the service.

    Until the system is upgraded to 4.2.5, this issue can be mitigated by changing the port-range on the neighborhood to a range that does not overlap with the service. In 4.2.5 a configuration validation has been added to detect such overlap and provide user with appropriate error message.


  • I95-33634 128T unable to bind to device-interface

    Symptom: Interface will be administratively up but operationally down

    Conditions: highway process faults can leave an interface unbound to any driver, resulting in the inability for the system to rebind to the interface.

    Until the system is upgraded to 4.2.5, this issue can be mitigated by issuing a reboot on the impacted system.


  • I95-33668 Peer path fails to meet (default) SLA, triggering BGP prefix flapping

    Symptom: Advertised routes are withdrawn and subsequently re-advertised with a new route metric.

    Conditions: When a service with no service-policy configured, therefore utilizing system defaults, traverses a path below SLA.


  • I95-33683, I95-33951 When 128T Networking Platform is configured to use LDAP for authentication, login will fail if the user is a member of both 128t-user and 128t-admin

    Symptom: User is unable to login.

    Until the system is upgraded to 4.2.5, this issue can be mitigated by removing the user from one of the two LDAP groups.


  • I95-33710 Working configuration fails to validate after upgrade

    Symptom: Validation of the configuration will fail with the message % Error: Candidate configuration is invalid: 1. name is required.

    Conditions: device-interface of type host will fail validation if a management-vector does not exist.

    Until the system is upgraded to 4.2.5, this issue can be mitigated by configuring a management-vector on the network-interfaces that exist within the device-interface.


  • I95-33793 SVR fails to recover session on multi-hop inter-node failure

    Symptoms: Security lookup failure and packet drops.

    Conditions: This scenario occurs only with multi-hop SVR, where an intermediate node WAN link fails, and the target alternate path is outbound-only. This only affects existing sessions. New sessions will be unaffected.


  • I95-33857, I95-33643 Short OTP QuickStart DHCP server lease time results in an initial OTP QuickStart failure.

  • I95-34058 Session setup fails for outbound only when first packet exceeds MTU

    Symptoms: Session setup fails

    Conditions: Paths configured as outbound-only, and the first packet of the flow exceeds MTU (typically UDP).


  • I95-34090 A network-interface configured with multiple neighborhoods, where one of the neighborhoods defines a port range, will result in traffic being dropped on the defined range

    Symptoms: SVR traffic is dropped when destined for a port range configured on its peer 128T router's neighborhood


  • I95-34092 rotate log command does not rotate fastLane.log, serviceArea.log and flpp.log.

  • I95-34113 DHCP lease management in the GUI shows no client leases exist

    Conditions: firewall is running on the host 128T platform

    Until the system is upgraded to 4.2.5, this issue can be mitigated by adding the interface veth to the TRUSTED firewalld zone


  • I95-34135 CVE-2020-8597: A buffer overflow flaw was found in the ppp package

  • I95-34158 Modifying a port-range configuration value to include an overlapping range results in a list with an incorrect range.

    Conditions: An existing range list is modified to include an overlapping range

    Until the system is upgraded to 4.2.5, this issue can be mitigated by entering a unique range of values that do not overlap.


  • I95-34160 Standby node can leak traffic out of its redundant interface when the shared MAC is set to the same MAC as the physical MAC

  • I95-34173 The loss of power for the routing manager standby node in a HA router configuration may lead to temporary BGP traffic drops on the primary node.

  • I95-34174 Added configuration negotiate-capabilities for BGP neighbor to optionally suppress sending the Capabilities Optional Parameter in the BGP OPEN message.

  • I95-34186 PPPoE interface is disconnected upon changing device-interface name

  • I95-34200 Influx database corruption causes show entitlement, or displaying Event history from the Conductor UI, to produce an error

  • I95-34209 Incorrect Zscaler plugin installed when installed via the Conductor GUI

  • I95-34310 Secure fields from the 128T configuration are in the commit audit events from config diff operations.

  • I95-34328 asset fails to set high-state and provides errors in show asset summary

    Symptoms: show asset summary provides errors for an asset and does not perform high-state operations. The error error: db5 error would be seen in /var/log/salt/minion.log file

    Conditions: When the centos rpmdb has been corrupted.

    Until the system is upgraded to 4.2.5, run the following commands on the target asset: mv /var/lib/rpm/__db* /tmp; yum clean all; dnf clean all


  • I95-34407 Renaming a configuration list item can result in factory default values being populated in the renamed object.

  • I95-34408 When creating/renaming a device-interface, prefix-delegation configuration was blocked until dhcp is explicitly disabled

Release 4.2.4

note

The 4.2.4 release is a superset of the 4.2.3 release. Features and corrections in the 4.2.3 release are not provided in these release notes. Please refer to the 4.2.3 release notes for further information.

Resolved Issues

  • I95-30084 Empty BGP neighbor/transport/local-address prevents configuration from being committed

  • I95-32449 WayPoint allocation failures resulting in session setup failures

  • I95-32463 DHCP server rejects packets larger than 500 bytes

  • I95-32625 service-route/host configuration results in invalid route, dropping packets

  • I95-32754 DHCP Server can flood the journal with monitoring messages

  • I95-32843 System can fault when routing loop is created with OSPF

  • I95-32902 LTE APN name not displayed correctly

  • I95-32957 The LTE reset command did not handle some error cases resulting in a failure

  • I95-33122 Configuration now enforces that non-forwarding-fabric interfaces must be in the same subnet as their HA pair

  • I95-33148 Non-forwarding interfaces could not come up if a manually created bridge interface existed with the same IP address as that of another 128T provisioned interface

  • I95-33149 Changing a HA non-forwarding interface address will fail to reestablish the connection between nodes

    Corrective Action: Restart 128T on the node that did not receive the config change


  • I95-33161 Returning an interface that is DHCP enabled within Linux (128T not running) from being managed by 128T results in the error: dhclient(pid) is already running - exiting. As a result, the interface will not be able to acquire an IP address until the interface is restarted.

    Corrective Action: Invoke ifdown on the interface being converted by 128T


  • I95-33170 show system connectivity internal incorrectly shows interprocess communication connections status as disconnected

  • I95-33216 Interfaces that are DHCP enabled that are "returned" to linux after 128T shutdown will result in the dhclient process being killed. This results in the interface being unable to renew its dhcp lease after it expires.

    Corrective Action: Create a oneshot service to be invoked by 128T at ExecStopPost so that the control-group is separate from 128T service.


  • I95-33277 Traceroute using TCP does not work if udp-transform is enabled.

    Corrective Action: Traceroute over UDP should be used as a workaround


  • I95-33279 Path MTU discovery unresolvable when no ICMP is generated

  • I95-33296 Removing a redundant interface and its corresponding redundancy-group within the same commit would terminate the commit

  • I95-33441 Changing node name can cause the 128T to fault on shutdown due to a rare race condition

  • I95-33449 128T Application fault on startup of LTE interface and node name change that is taking place during the startup

  • I95-33474 128T added MLX4 Azure Accelerated networking devices

  • I95-33486 commit failed when PPPoE interface is set in next-hop interface on service-route

  • I95-33529 Promiscuous mode on ethernet interfaces is not dynamically reconfigurable

  • I95-33536 128T fault on shutdown with very large number of peer paths

  • I95-33586 Using hostnames rather than IP addresses for nat-target or target-address in a service-route would cause config validation to fail and report an Invalid IP when inspector is enabled.

Release 4.2.3

note

The 4.2.3 release is a superset of the 4.2.2 release. Features and corrections in the 4.2.2 release are not provided in these release notes. Please refer to the 4.2.2 release notes for further information.

Resolved Issues

  • I95-33264 Secondary HA node reboot may result in traffic no longer flowing through the fabric

  • I95-33278 Asset/hostname missing from syslog messages

Release 4.2.2

note

The 4.2.2 release is a superset of the 4.2.1 release. Features and corrections in the 4.2.1 release are not provided in these release notes. Please refer to the 4.2.1 release notes for further information.

Resolved Issues

  • I95-32521 Packets continuously dropping on HA failover triggered by power outage

  • I95-32686 BFD packets only sent once a minute on an outbound only link even when the peer is sending once a second

  • I95-32699 Packets dropped on HA failure with adaptive encryption

Release 4.2.1

note

The 4.2.1 release is a superset of the 4.2.0 release. Features and corrections in the 4.2.0 release are not provided in these release notes. Please refer to the 4.2.0 release notes for further information.

Resolved Issues

  • I95-32264 In large deployments Automated provisioner can take an extended amount of time to transition a node to a "RUNNING" state

  • I95-32335 Access Policy label for tenant displays as "Custom DHCP options"

  • I95-32444 Highway Manager application may fault if HA node attempts to recover sessions with an app-id service before app-id modules are loaded

  • I95-32479 access policy table and source tenant table do not increase as more memory is allocated

Release 4.2.0

important

The 4.2.0 software reserves address range 169.254.130.0/24 by default. This is for a DHCP server generated address pool that is needed for the new DHCP server enhancements.

New Features and Improvements

  • I95-9057 Service-route visualization

  • I95-11293 show capacity command displays maximum number of flows, maximum number of fib entries, maximum number of arp entries, and the maximum number of action entries.

  • I95-12112, I95-23428, I95-23576, I95-25658, I95-28084, I95-28089, I95-28758, I95-28848, I95-28854, I95-29061, I95-29808 GUI has been redesigned for increased usability and easier access to information

  • I95-15831, I95-20788, I95-26921 Native Management Interface Configuration (also referred to as non-forwarding interface)

  • I95-17224 Stateful HA NAT Pool for Source NAT

  • I95-17457 SNMPv2 128T Traps

  • I95-18465, I95-25578, I95-25734, I95-29277 DHCP enhancements

  • I95-19779 Peer Paths are now referenced by object names instead of the internal IDs. The format for a peer path is: peer-name | destination (can be an adjacency IP or a host-name) | node-name | device-port | VLAN-id

  • I95-20413 VLAN support on interface types of KNI

  • I95-20754 IPFIX DeltaCount Fields

  • I95-20755 IPFIX Interface Fields

  • I95-21279 Azure Accelerated Networking Support

  • I95-21421 Support Multiple paths to Conductor

  • I95-21605 Multiple IP Addresses supported per network-interface

  • I95-22853 IPFIX Single Flow Records

  • I95-23024 QuickStart Zero Touch Provisioning

  • I95-23317, I95-24667, I95-25214, I95-25596, I95-25621, I95-28788 tech-support-info now includes LDAP debugging information, locally generated configuration files, yum logs, systemd service status, configuration versions

  • I95-23378 GraphQL API for ping command now indicates which fields are required

  • I95-23556 User preferences can now be exported and imported across platforms

  • I95-24301 Native Support for FTP Passive mode

  • I95-24666 Apply router override for conductor(s) address

  • I95-25063, I95-27581 BFD Scaling Enhancements

  • I95-25374 delete sessions command safety measures

  • I95-25530 Dynamic Peer Update Show Command

  • I95-25668 Show sessions enhancement - Added flow direction

  • I95-25724 Power Saver mode now configurable

  • I95-25793 Handling of inter-router session expiry race conditions

  • I95-25885 Web-driven Conductor upgrade now displays the version to be upgraded prior to confirmation of the upgrade

  • I95-26190 Cleared alarms are now overlaid on Custom Reports at the time at which they occurred

  • I95-26220 Event Manager user-level access

  • I95-26271 Application to assist in determining appropriate huge pages

  • I95-26338 DHCP Server per network-interface

  • I95-26490 DNS feature enhancements

  • I95-26644 User preference has been added to disable upgrade available notification

  • I95-26779 GUI-based PCLI can now be "undocked" from within the GUI

  • I95-26804 Congestion Control fairness flows enhancements

  • I95-26861 Improved the performance and reduced the memory footprint of time series data collection

  • I95-26914 IPv6 DHCP release/renew command enhancements

  • I95-26793 Validation does not exist to prevent provisioning a service-route for a service belonging to another router-group

  • I95-27024 GUI Log Retrieval page has filtering capabilities and easier navigation

  • I95-27197 Firewall Detector scaling enhancements

  • I95-27739 VRRP active/active interface negotiation

  • I95-27805 Generated configuration is now hidden by default. A toggle exists in Config Explorer to display generated configuration

  • I95-27886 Session Duplication support for inter-node links

  • I95-28187 Packet Duplication for non-SVR packets

  • I95-28339 Host KNI Default Route

  • I95-28341 Routing Manager Configuration Optimization

  • I95-28433 Dropped Packets Troubleshooting Tool

  • I95-28442 Linux command connect has been added to easily reverse SSH into managed routers from Conductor's Linux shell

  • I95-28461 show asset summary command

  • I95-28482 device-interface/target-interface does not have input validation, allowing for incorrect configuration

  • I95-28744 GraphQL API added for service ping

  • I95-28881, I95-31050 SIP ALG support via plugin

  • I95-28884 Spotlight search feature within GUI

  • I95-28896, I95-29707 Configuration commit performance improvements

  • I95-28912 Removed Session Optimization Limitations on Latency

  • I95-29149 NIC Flow Control enable/disable support

  • I95-29273 Node page within GUI offers link to launch PCLI session directly to device

  • I95-29568 BGP withdrawal of routes if path does not meet SLA

  • I95-29749 Carrier preferences are now supported for Sierra Wireless cards

  • I95-29933 Improved system performance for peer path state processing

  • I95-30884 New Data process CPU Core count mode attribute

  • I95-31331 lte-info now supports JSON output

  • I95-31454 Notifications have been added for Automated Provisioner events

Resolved Issues

  • I95-19549 Configuration Generation will fail to generate a peer configuration if the peer name is not the same as the router name

  • I95-19779 Peer Path stats use the Device Interface ID; in 4.2.0 the name will now be used.

  • I95-20458 No feedback is provided to the user from the GUI in the event of an upgrade failure on the Conductor

  • I95-21677 No feedback is provided when refreshing available software versions, either successfully or unsuccessfully

  • I95-21979 An ethernet interface with DHCP enabled cannot be created from GUI. Validation does not pass and throws the error: "There must be at least one address configured when type is not pppoe and dhcp is disabled".

  • I95-23758 Sessions established with undefined, experimental or reserved protocols (143-255) can cause a failure to remove all sessions.

  • I95-23915 A user may be unexpectedly logged out of the GUI. The web server log will contain the message error: Halting application due to error generatedMessage=true, name=AssertionError [ERR_ASSERTION], code=ERR_ASSERTION, actual=false, expected=true, operator===, _worker=3

  • I95-24380 Configuration validation does not prevent defining the same IP address within tenant/member-of

  • I95-24739, I95-29517 Persistent alarm when peering adjacency is removed or peer IP address is changed

  • I95-24759 Delete user button exists for user admin, which should not be allowed to be removed

  • I95-24777 A privilege violation exists where an account with the role of user, can scp backups from the /etc/128technology/config-exports directory. This functionality should be limited only to accounts with the role of admin.

  • I95-25217 Installer page "show install log" consumes 100% of CPU on web client

  • I95-25277 Custom Reports do not indicate the graph point location when routers poll at differing sampling intervals

  • I95-25329 Nested navigation bars are created when launching the PCLI from within the GUI

  • I95-25343 API requests for top 10 sessions will return no data if time window does not match the sampling interval

  • I95-25363 Alarms button in topology info pane is now disabled when no alarms are present

  • I95-25553 Disabling and re-enabling a service is not real-time configurable and requires a restart of the 128T service.

  • I95-25582 Dynamic sampling interval for IPFIX is computed only once when configuration is loaded instead of current bandwidth

  • I95-25589 Administrators are unable to create a username that contains either numbers or symbols

  • I95-25681 session-count metrics can decrement less than zero, creating a very large number

  • I95-25694 Pressing the enter key does not perform the default button operation in a GUI dialog box

  • I95-25801 auditdReceiver process can fault on 128T shutdown

  • I95-25815 Virtualized AWS Conductor startup incorrectly requires DPDK interface support

  • I95-25873 GUI Router page displays Session Count, Session Arrival Rate and Session Departure rate down to 17 digits of precision where it should be rounded down to only 2

  • I95-25984, I95-32181 Power outage may result in a zero byte global.init file, rendering 128T unable to start

  • I95-26009 Unable to log in to 128T when configured to use LDAP and the user database has over 10,000 entries

  • I95-26072 Critical message "Failed to restore from backup messages on routers" incorrectly displayed during the upgrade of a node of a HA router pair

  • I95-26160 Managed 128T router connectivity state not updating properly in show system connectivity

  • I95-26313, I95-31136 traceroute not supported through 128T routers and TTL is not correctly decremented. With this correction, traceroute is now supported and the TTL will be decremented on each hop.

  • I95-26412 Interfaces configured for DHCP do not display their learned address on the interface list on the Router page of the GUI

  • I95-26465 If locale is set to a language other than English, available software versions for upgrade will not be displayed

  • I95-26634 BGP routes are not updated when VLANed interface is operationally down

  • I95-26793 service-routes associated with services outside of router-based-services are incorrectly being applied

  • I95-26996 When synchronizing a new node into a HA pair (RMA), if the new node is on a version older than the existing node, there will not be an option to upgrade the newly added node through the GUI

  • I95-27150 PCLI piping allows execution of Linux commands that can compromise the integrity of the system

  • I95-27194 Node health CPU information shows CPU utilization incorrectly

  • I95-27302 "TRAFFIC" audit events can sometimes report "An unknown traffic event occurred"

  • I95-27597 "send command upgrade router all <version>" will fail if the version contains the rpmspec field (i.e. '-1' following the version)

  • I95-27707 128T Router node does not propagate software repository communication failures in the Conductor UI

  • I95-27711 Metrics on Custom Reports drop during the activation of configuration

  • I95-27722 Alarms for "Peer not reachable" may not clear and will persist after nodes are back and operational

  • I95-27881 Enabling the ZScaler plugin requires a restart of the 128t-ipsec service, but the service is not restarted on configuration commit

  • I95-27946 Commit may fail on Conductor when node in router pair is stopped

  • I95-28096 Rolled up (average) metrics are incorrectly computed

  • I95-28103 After a restart of the highway process, any interfaces that were managed by 128T that were not gracefully restored, now provide detailed logging information regarding their state and corresponding transition.

  • I95-28166 Superfluous analytics log messages when two nodes in a HA pair are unable to peer

  • I95-28265 Metered metrics, such as session arrival rate, may be slightly inaccurate

  • I95-28535 Unable to obtain DHCP lease after redundant interface state transitions back to operationally up

  • I95-28766 Conductor PCLI shows configuration change when no changes have been performed

  • I95-28770 Session Optimization takes precedence over packet-retransmission feature, disabling packet-retransmission when session optimization is enabled

  • I95-28776 Retransmitted packets are not acknowledged when both packet-retransmission and tap-multiplex are configured

  • I95-28806 show config on managed router incorrectly allows option for force

  • I95-29115 service-route / max-sessions is not real-time configurable and requires a restart of the 128T service

  • I95-29134 save tech-support-info indicates the failure %Error: Failed to execute the 'save tech-support-info' RPC: Fatal error creating tarball when files being archived contain spaces, even though the operation completes successfully

  • I95-29139 If a commit or validate operation fails on the GUI, the spinner will spin forever

  • I95-29177 Alarm "source" extends past the end of the browser for long values

  • I95-29208 Cannot access Configuration Explorer after selecting a field within the explorer

  • I95-29517 Peer unreachable alarm can't be cleared when peer becomes reachable after related config changes

  • I95-29268 VRRP is incorrectly allowed to be configured multiple times on a single device-interface

  • I95-29595 Permissions of 128T binaries are permissive for all users of the system. This has been changed to only allow binaries to be executed by root and specific groups

  • I95-29627 Accelerated Network Interfaces are not restored back to Linux when 128T is stopped when running in Azure

  • I95-29637 GUI Validation could not be completed due to a service error on non visible configuration parameters

  • I95-29664 netvsc devices on Azure can cause Accelerated Network Interfaces to fail to initialize

  • I95-29733 Conductor UI may not provide an indication that a software version check is in progress

  • I95-29741 Salt connection between Router and Conductor may not reestablish on a connection failure

  • I95-29801, I95-31170, I95-31116 NodeMonitor application fault when sysLimitsOverride parameters are set

  • I95-29811 Session created with a non-standard protocol (e.g. security audits performing "fuzzing") can cause flows to never be deleted and exhaust the flow table

  • I95-29812 Service ping does not work with peer-connectivity set to outbound-only between 128T routers

  • I95-29821 Packet fragmentation for SVR paths is larger than configured MTU by the L4 packet header size

  • I95-29932 routingManager process can fault on shutdown of the 128T service

  • I95-29976 Large configurations can cause the router to request the configuration multiple times, causing an unnecessary duplication of effort

  • I95-29990 When a KNI interface starts as operationally down, either due to oper status or monitoring script or a watched interface down for T1, the state remains the default of unknown and never transitions to down.

  • I95-30002 Service route generation skipped for generation set to true if another service with the same name is set to generation false

  • I95-30011 System hostnames that cannot be resolved cause two HA nodes to achieve quorum after DNS lookup times out (approximately 40 seconds)

  • I95-30078, I95-30268 Traffic does not switch to standby interface on management path communication failure

  • I95-30103 Creating tenants using output of show config running flat does not work (Entering flat configuration into PCLI does not always create the configuration)

  • I95-30270 show network-interface intermittently displays <unresolved> for a functioning interface

  • I95-30315 DHCP Server fails to start after system power failure and power recovery

  • I95-30327 On peer path failure, peer path may remain down if going through a NAT to get to the remote peer

  • I95-30334 Shared interfaces can operate with both interfaces on each HA node as active (each acting in standalone mode)

  • I95-30354, I95-30687 admin user or 128t-admin group missing after upgrade

  • I95-30383 Connection error to node may result in configuration not being applied

  • I95-30388 SVR traffic can briefly stop when redundant node reboots

  • I95-30401 Asset remains in pending state on initialization if the connection is terminated during pending state operations

  • I95-30448 Application module retry interval takes an extended time after a failure. With this correction, if a failure is encountered the retries will start at 60 minutes and increase exponentially for each subsequent failure after the second failure.

  • I95-30497, I95-30835 Configuration validate not timing out after time threshold met, preventing additional timeouts.

  • I95-30457 highway process may incur a system fault when processing a BFD packet at the same time the process is shutting down

  • I95-30625 Access Policy Table is fixed at 2048 entries and does not scale according to huge pages size

  • I95-30687 128t-admin group removed from admin user during HA peer upgrade

  • I95-30695 GUI PCLI Process left running if the connect command is run and user navigates away from the page

  • I95-30734 "worker-core packet-processing-utilization" would show 100% due to improper handling of unidirectional flows when packet-retransmission feature is enabled

  • I95-30742 Incorrect packet fragmentation when first packet is a jumbo packet

  • I95-30777 Node restart in an HA router may result in extended time to resolve active node

  • I95-30781 Invalid configuration accepted when adjacency or neighborhood port-range does not have end-port configured

  • I95-30833 BGP over SVR neighbor not connecting due to missing route

  • I95-30884 DHCP server sends responses out multiple interfaces, with incorrect MAC

  • I95-30934 Services with matching tenants and protocols with port ranges ending in 65535 may result in services failing.

  • I95-30962 Fatal Log message not raised when invalid local.init or global.init formatting is detected.

  • I95-30995 On 128T shutdown, X710 NIC Interfaces do not establish link with kernel message "Rx/Tx is disabled on this device..."

  • I95-30922, I95-31072 Highway Manager application fault as a result of a small action pool size when sysLimitsOverride parameters are set

  • I95-31005 128T does not safely handle the case where a DHCP server provides a client lease with an address of 0.0.0.0

  • I95-31022 traceroute not decrementing TTL for each hop through the 128T router

  • I95-31089 tenant member-of applied to a neighborhood associated with a network-interface is not dynamically reconfigurable

  • I95-31136 Incorrect ICMP unreachable source ip address when using IPv4 to IPv6 Interworking

  • I95-31170 nodeMonitor process can fault on shutdown

  • I95-31191 proxy-ip not automatically added for SIP ALG Plugin support

  • I95-31200 BGP timer configuration is not dynamically configurable

  • I95-31214 ICMP sessions do not fail over to HA node when path SLA is no longer being met for packet loss threshold

  • I95-31232 Peer router highwayManager faults when pinhole traffic originating from this peer is sent to a remote peer that is restarting.

  • I95-31244 When a pinhole session is restored upon failover, if the routing table is not up-to-date, the packet will incorrectly be routed to the same interface from which it came.

  • I95-31255 Intermittently, managed routers may send a "No connectivity" alarm to the Conductor

  • I95-31330 lte-info erroneously reports "excellent" signal strength when it is not

  • I95-31333 highwayManager application fault during multiple interface state transitions

  • I95-31515 highwayManager application faults if no paths are available for session duplication

  • I95-31570 Changing the order of custom charts can sometimes render the dashboard page inoperable

  • I95-31672 New version of Chrome does not consider our self-signed web certificate valid

  • I95-31742 routingManager application can fault when a device interface is removed

  • I95-31860 shared-phy-address is not dynamically reconfigurable

  • I95-32065 NAPT translation does not work for a service-route with a next-hop

  • I95-32361 Peer path MTU cannot be resolved for waypoints that share an overlapping IP address

Feature Deprecation

  • I95-28388 Table and Tile display options in the Configuration dialogs are no longer available

  • I95-25275 The atop rpm is no longer a requirement and is not installed with 4.2.0 for new installations. The atop service was previously used to collect statistical information. The service was masked by default, which results in daily emails being sent to the root user. If the deployment uses the atop service beyond the requirements of the previous 128T software releases, it can remain. If the deployment does not use the atop service, the rpm can be removed, after which emails will no longer be sent to the root user. An example of the emails sent is: Failed to try-restart atop.service: Unit is masked.

Special Considerations

  • Validation has been added to prevent issues when destination service address and port ranges overlap with interface (waypoint) address and wayport ranges. If your configuration has an overlapping port range prior to the upgrade, you will now receive a validation error. The configuration must be remediated in order to make any additional changes. (I95-33556)

  • Support has been added to provision management interfaces. Typically, these are Linux interfaces that are not part of the 128T configuration. These interfaces are called non-forwarding interfaces. It is strongly recommended that non-forwarding interfaces now be configured within the 128T. When the Conductors are upgraded to 4.2.X, the configuration validation will provide a warning when non-forwarding interfaces are not configured for 128T routers configured in a HA pair. If non-forwarding interfaces are configured prior to upgrading the Conductors to 4.2.X, the shared or fabric device interface type must be explicitly set. DHCP, however, is not supported. Note: 4.1.5 does not raise a validation error if the interface had DHCP. (I95-30831)

  • When creating non-forwarding interfaces on pre 4.2.0 routers, these interfaces should not be configured with default routes until after upgrading the routers to 4.2.0 or greater. (I95-30940)

  • Support has been added to allow the 128T Software to automatically determine the number of CPU forwarding cores that the router will use. In previous releases the "automatic/manual" parameter was not available and the core count was defined in environment config or within the UI. If set within the environment config (local.init), 4.2.X will set core count to automatic and determine the number of cores to use. If set in the UI, this parameter will be set to manual and the existing UI value will be used. Note that if automatic is set and the core count is changed in the PCLI, the change will be accepted as valid configuration, but the automatic parameter takes precedence over the value in the forwarding core count. (I95-30884)

  • Prior to 4.1.5, peering with routers that have the same IP addresses was not supported. In 4.1.5 or greater, remote peers having the same IP address are supported in one direction, with the use of "outbound-only". 128T currently does not support ALL routers having the same IP address; the same IP address support is unidirectional. For example:

    The following is supported:

          R1 (172.16.1.1) --- peered --- R2 (192.168.1.1)
                  |------- peered --- R3 (192.168.1.1)

    The following is not supported:

          R1 (192.168.1.1) --- peered --- R2 (192.168.1.1)
                  |------- peered --- R3 (192.168.1.1)

  • On 128T nodes installed after July 1, 2019 on pre 4.2.X versions, Chrome running on macOS Catalina does not consider the 128T self-signed web certificates valid. Apple has published an advisory: https://support.apple.com/en-us/HT210176. Once the node is upgraded to 4.2.X, create a new self-signed web certificate with the PCLI command create certificate self-signed webserver. (I95-31672)
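
A pre-upgrade check for the overlap condition described in the first consideration above (I95-33556), as an added example that is not 128T code: it flags every service whose address and port range both overlap an interface (waypoint) address and wayport range. The record format, the names and the sample values are assumptions constructed for illustration, and 128T's own validator may apply further rules.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Endpoint(NamedTuple):
    """Hypothetical record: one service or one waypoint, not a 128T data type."""
    name: str
    network: str      # single address or prefix, e.g. "192.168.1.0/24"
    start_port: int
    end_port: int


def check_range(ep: Endpoint) -> None:
    """Reject malformed port ranges before comparing anything."""
    if not (0 <= ep.start_port <= ep.end_port <= 65535):
        raise ValueError(f"{ep.name}: invalid port range "
                         f"{ep.start_port}-{ep.end_port}")


def addresses_overlap(a: Endpoint, b: Endpoint) -> bool:
    """True when the two prefixes share at least one address."""
    net_a = ipaddress.ip_network(a.network, strict=False)
    net_b = ipaddress.ip_network(b.network, strict=False)
    if net_a.version != net_b.version:   # IPv4 never overlaps IPv6
        return False
    return net_a.overlaps(net_b)


def find_conflicts(services: List[Endpoint],
                   waypoints: List[Endpoint]) -> List[Tuple[str, str, int, int]]:
    """Return (service, waypoint, first_port, last_port) for each overlap."""
    for ep in services + waypoints:
        check_range(ep)
    conflicts = []
    for svc in services:
        for wp in waypoints:
            lo = max(svc.start_port, wp.start_port)
            hi = min(svc.end_port, wp.end_port)
            # A conflict needs BOTH an address overlap and a port overlap.
            if lo <= hi and addresses_overlap(svc, wp):
                conflicts.append((svc.name, wp.name, lo, hi))
    return conflicts


# Constructed sample data (not taken from any real configuration).
SERVICES = [
    Endpoint("web",       "192.168.1.10/32", 443,   443),    # ports disjoint
    Endpoint("rtp-media", "192.168.1.0/24",  16000, 20000),  # overlaps wan0
    Endpoint("dns",       "10.0.0.53/32",    16385, 16400),  # address disjoint
]
WAYPOINTS = [
    Endpoint("wan0", "192.168.1.10/32", 16385, 65535),
]

if __name__ == "__main__":
    for svc, wp, lo, hi in find_conflicts(SERVICES, WAYPOINTS):
        print(f"service {svc} overlaps waypoint {wp} on ports {lo}-{hi}")
```
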

Caveats

  • I95-29592 Conductor UI and/or PCLI may not update the asset software version correctly

    Symptom: The Conductor UI and/or the PCLI may not correctly reflect the software version running on the asset

    Conditions: After the asset has been upgraded

    Corrective Action: If the asset is not updated after ~5 minutes after an upgrade is performed, the salt-minion will need to be restarted on the respective node. This is done with the following command on the node as the root Linux user:

    systemctl restart salt-minion

  • I95-27808 sync peer addresses router force from Conductor may not trigger router to send address information from peer

    Symptom: When performing the command sync peer addresses router force on the Conductor PCLI, the router may not provide the peer address information

    Conditions: Unknown

    Corrective Action: Perform the PCLI command on the router to update the information on the Conductor.