Release Notes for Cisco vEdge Device, Cisco SD-WAN Release 20.1.x
Note: The documentation set for this product strives to use bias-free language. For purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product.
These release notes accompany Cisco SD-WAN Release 20.1.x, which provides Cisco SD-WAN capabilities. They include release-specific information for Cisco vSmart Controllers, Cisco vBond Orchestrators, and Cisco vManage, as applicable to Cisco vEdge devices.
For release information about Cisco IOS XE SD-WAN devices, refer to Release Notes for Cisco IOS XE SD-WAN Devices, Cisco IOS XE Release Amsterdam 17.2.x.
For release information about Cisco NFVIS SD-Branch, refer to Release Notes for Cisco NFVIS SD-Branch, NFVIS Release 4.1.1 and vManage Release 20.1.1.1.
For release information about Cisco SD-WAN Cloud OnRamp for Colocation Solution, refer to Release Notes for Cisco SD-WAN Cloud OnRamp for Colocation Solution, Release 20.1.1.
What's New for Cisco SD-WAN Release 20
This section applies to Cisco vEdge devices.
Cisco is constantly enhancing the SD-WAN solution with every release, and we try to keep the content in line with the latest enhancements. The following table lists new and modified features documented in the Configuration, Command Reference, and Hardware Installation guides. For information on additional features and fixes that were committed to the SD-WAN solution, see the Resolved and Open Bugs section in these release notes.
Feature | Description |
---|---|
Systems and Interfaces | |
| | A default device template provides basic information that you can use to bring up devices in a deployment quickly. This feature is supported on the Cisco Cloud Services Router 1000V Series, Cisco C1111-8PLTELA Integrated Services Routers, and Cisco 4331 Integrated Services Routers. |
Forwarding and QoS | |
| | This feature lets you apply a Quality of Service (QoS) policy on individual tunnels, ensuring that branch offices with smaller throughput are not overwhelmed by larger aggregation sites. This feature is only supported for hub-to-spoke network topologies. |
Policies | |
| | This feature defines the rules that traffic must meet to pass through an interface. When you define rules for incoming traffic, they are applied to the traffic before any other policies are applied. The control plane of Cisco SD-WAN processes the data traffic for local services (such as SSH and SNMP) from a set of sources in a VPN. Routing packets are required to form the overlay. |
| | This feature allows you to configure up to a maximum of eight SLA classes on Cisco vSmart Controller. In previous releases, you could only configure up to four SLA classes. This allows additional options to be configured in an application-aware routing policy. |
Security | |
Additional Cryptographic Algorithmic Support for IPSec Tunnels | This feature adds support for the HMAC_SHA256, HMAC_SHA384, and HMAC_SHA512 algorithms for enhanced security. |
| | This feature allows you to integrate your routers with a Secure Internet Gateway to perform security processing and ensure that your device's performance is not affected by processing security rules. |
| | This feature lets you manually configure a GRE tunnel by using the VPN Interface GRE template or an IPSec tunnel by using the VPN Interface IPSec template. For example, use this feature to manually configure a tunnel to a SIG. |
Network Optimization and High Availability | |
| | This feature displays the cluster activation progress at each step and shows any failures that may occur during the process. The process of activating a cluster takes approximately 30 minutes or longer, and you can monitor the progress using the vManage task view window and events from the Monitoring page. |
| | This feature classifies the network traffic based on the Layer 2 virtual local-area network (VLAN) identification number. The QoS policy allows you to limit the bandwidth available for each service chain by applying traffic policing on bidirectional traffic. The bidirectional traffic comprises the ingress side, which connects Catalyst 9500-40X switches to the consumer, and the egress side, which connects to the provider. |
| | This feature allows you to determine the state of a deployed VM using color codes, which you can view on the Monitor > Network page. These color codes help you make decisions on creating service chains based on the state of the VM. |
Network Utilization Charts for SR-IOV Enabled NICs and OVS Switch | This feature allows you to view network utilization charts of VM VNICs connected to both SR-IOV enabled NICs and the OVS switch. These charts help you determine whether the VM utilization is optimal to create service chains. |
Monitor and Maintain Guide | |
| | This feature enables monitoring and controlling the event trace function for a specified SD-WAN subsystem. Event trace provides the functionality to capture the SD-WAN traces between the SD-WAN daemons and SD-WAN subsystems. |
| | This feature enhances the admin-tech file to include the output of the show tech-support memory, show policy-firewall stats platform, and show sdwan confd-log netconf-trace commands in the admin-tech logs. The admin-tech tar file includes memory, platform, and operation details. |
Important Notes, Known Behavior, and Workaround
When you complete a Cisco SD-WAN software downgrade procedure on a device, the device goes into the configuration mode that it was in when you last upgraded the Cisco SD-WAN software on the device. If the device is in a different configuration mode when you start the downgrade than it was when you last upgraded, the device and Cisco vManage show different configuration modes after the downgrade completes. To put the configuration modes back in sync, reattach the device to a device template. After you reattach the device, both the device and Cisco vManage show that the device is in the vManage configuration mode.
Cisco vManage Upgrade Paths
Starting Cisco vManage Version | Destination Version 19.2.x | Destination Version 20.1.x |
---|---|---|
18.x/19.2.x | Direct Upgrade | Direct Upgrade |
20.1.x | Not Supported | Direct Upgrade |
20.3.x | Not Supported | Not Supported |
20.4.x | Not Supported | Not Supported |
Supported Devices
Device Family | Device Name |
---|---|
vEdge Routers | |
Resolved and Open Bugs
About the Cisco Bug Search Tool
Use the Cisco Bug Search Tool to access open and resolved bugs for a release.
The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.
You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.
Bugs for Cisco SD-WAN Release 20.1.2
This section details all fixed and open bugs for this release. These are available in the Cisco Bug Search Tool through the Resolved Bug Search.
Resolved Bugs for Cisco SD-WAN Release 20.1.2
Bug ID | Description |
---|---|
| | Upload of a corrupted serial file can lead to DOS situation |
| | vE5K performance drops significantly using loopback TLOC without 'bind' configuration |
| | vManage: SSO authentication may not be possible after upgrade/reboot |
| | Error in sending device list for Push vSmart List to vBond |
| | Cisco PKI Root Certificates not installed in recent images - Polaris Side commit |
| | Redistribution from OSPF to BGP is failing in vEdge when policy is being applied |
| | Insecure Product Design exposes sensitive information to non-admin user |
| | vManage - no stats for IRB interfaces |
| | %IPSEC-3-REPLAY_ERROR: + BFD down and drops IN_CD_COPROC_ANTI_REPLAY_FAIL |
| | vEdge1000 does not get ping reply via GUI if source interface is selected |
| | SDWAN 19.2.1: IPv6 vBond not reachable/UP from vManage when DNS name |
| | SFTP to vManage is not working after upgrade to 20.1, 19.2 |
| | DR replication time always given in PST |
| | QoS policy is applied to both Dialer and Ethernet PPPoE WAN interface |
| | Slash symbol cannot be used in a variable value of any device specific parameter scope in templates |
| | ZBFW + IRB show severe packet loss |
| | NAT over IPsec not working with ZBFW |
| | Misleading logout event |
| | vedge-cloud with SRIOV interfaces unable to receive IP packets larger than 1496 bytes |
| | Top applications UI: Y axis (usage) not shown properly |
| | vEdge SDWAN IPsec tunnel flapping due to IKE packet drops |
| | show system status shows CPU allocation is 3 when deployed with 2 |
| | Traffic stops sending across WAN when WAN link is unplugged and packet duplication is on: ISR1100-4G |
| | Inconsistency between "show app dpi flows" output and Current flows count in show app dpi summary |
| | vedge frequently establishing control connections to the vBond even though it is in equilibrium |
| | Disaster Recovery: Arbitrator causing failover every 30 minutes without any failures - Revert track |
| | default templates can't be copied |
| | Can't assign default router distance on sub-interface via vManage |
| | Need to increase Smart account username character limit to more than 32 characters |
| | Cannot ssh into vsmart, vbond with GCM ciphers |
| | "show ip route vpn" output not showing specific routes for omp routes |
| | isr1100 unable to communicate with vbond due to Board ID Signature Verify Failure |
| | Unable to push localized policy to SDWAN CSR1000v deployed on cloud |
| | vManage misleading error regarding multitenancy in single tenant environment cluster |
| | vEdge 5k crashing on 18.4.4 with fp-um crash files when using GRE SDWAN tunnels |
| | Umbrella Registration Token: Not able to delete the token for Legacy devices |
| | Need new JKS file for 19.x+ versions |
| | Optional field is not considered as optional. |
| | Email address including some characters cannot be entered for Email notification |
| | DC1 vmanage template attachment disappears after a switchover |
| | Template update: Request time out: Client timed out waiting for request taking longer than 90 secs |
| | vEdge running 20.1 does not come up as spoke in per-tunnel QoS due to bandwidth "not set" |
| | NCS shows down, all vbond connections fail |
| | out of memory error on app-server wildfly |
| | SSO SAMLResponse redirect points to loginError.html unexpectedly |
| | Critical customer with 19.2.2, 4 vManage cluster is running into Full GC allocation failure |
| | vManage alarms Control TLOC Down and BFD TLOC Down are not raised on the GUI all the time |
| | vbond information is lost during replication after multiple failovers |
| | Disable support for weak encryption ciphers on vManage and vSmart. |
| | vManage should prompt for new password without asking for default password if default password used |
| | vManage displays error when "+:=@!'" is used in template variable |
| | Manual Disaster Recovery: Primary vmanage is in read-only mode when secondary vmanage is down |
| | Shared vSmart may fail to get upgraded from 20.1.1 to 20.1.12 |
| | vManage spends 60+ seconds to parse the device template with 500+ variables |
| | Neo4j password retrieve during config-db restore is broken |
| | vEdge end of line for the banner in 20.1 is not working as it did in 19.2 |
| | vManage 20.1.12 when selecting "Mark as optional" under radius will fail with an error |
| | vEdge control connections go down after CSR generation |
| | Device is unreachable, interfaces are showing as up |
| | CoR probes working for O365 but failing for every other SaaS application |
| | vManage revokes devices enterprise cert after hitting "Send to Controllers" |
| | vEdge5000: control connection stuck in "Challenge" phase - Failed to create IdentityReqBlob |
| | fpmd crashes on vEdge1k, 2k with 19.2.1, 18.4.302 |
| | vEdge crashes with dbgd failed message when running speed test |
| | vManage GUI down due to GC Allocation Failure on 19.2.3 |
| | vManage API call showed error message "Exceeded possible number of hits to the API". |
| | Error occurred while generating inputs for device templates after adding 2 new rules to sec policy |
| | Cisco SD-WAN Software Arbitrary File Creation Vulnerability |
| | Cisco SD-WAN vManage Software Privilege Escalation Vulnerability |
| | Cisco SD-WAN vManage Software Directory Traversal Vulnerability |
| | Cisco SD-WAN Software Privilege Escalation Vulnerability |
| | Cisco SD-WAN Software Privilege Escalation Vulnerability |
| | Cisco SD-WAN Software Privilege Escalation Vulnerability |
| | Cisco SD-WAN Software Privilege Escalation Vulnerability |
| | Cisco SD-WAN vManage Cross-Site Scripting Vulnerability |
| | Cisco SD-WAN vManage Software XML External Entity Vulnerability |
| | Cisco SD-WAN vManage Software Authorization Bypass Vulnerability |
| | Cisco SD-WAN vManage Software Path Traversal Vulnerability |
| | Cisco SD-WAN vManage Software Arbitrary File Creation Vulnerability |
| | Cisco SD-WAN vManage Cypher Query Language Injection Vulnerability |
| | Cisco SD-WAN vManage Cypher Query Language Injection Vulnerability |
Open Bugs for Cisco SD-WAN Release 20.1.2
Bug ID | Description |
---|---|
| | vManage is sending wrong interface name in LI template for standard GRE tunnel |
| | Cloud onRamp for IaaS on AWS: default route to null0 blackholes traffic sent to Internet |
CSCvv69614 | CSR's launched by basic template going "Out of Sync" |
| | ConfigDB not updating username/password |
Bugs for Cisco SD-WAN Release 20.1.12
This section details all fixed and open bugs for this release. These are available in the Cisco Bug Search Tool through the Resolved Bug Search.
Resolved Bugs for Cisco SD-WAN Release 20.1.12
Bug ID | Description |
---|---|
| | PPP auth type not able to select none for no password |
| | Enforce Software Version: Device already has image error |
| | ISR1100-4G, ISR1100-6G Fixed speed 100/10 full duplex config are not supported on RJ45 ports. |
| | Cannot create vManage user to access disaster recovery other than admin user |
| | Ip route template admin distance not configurable |
| | Missing "switchport access vlan name XYZ" from cedge CLI - remove from vManage |
| | Disaster Recovery: Arbitrator causing failover every 30 minutes without any failures |
| | vManage (CLI Template): NAT DIA config is missing with CLI template push |
| | vManage UI should make IKE1 pre-shared key mandatory, default value is causing template push failure |
| | vManage Cluster: crash seen during vmanage upgrade while system is going down |
| | SNMP not working on tunnel interface and to loopback interface in vpn 0. |
| | CDP true/false mapping is missing from the config preview. |
| | "no ip redirects" is not applied to sub interface or Loopback interface during intf template attach |
| | When a failed vBond recovers after vManages recover, the vBond does not move to new active |
| | vManage does not generate and push "aaa authentication dot1x" 802.1x command in CLI template |
| | Dhcp helper option not available in static mode in feature template for vedge and xe-sdwan |
| | Per Tenant Backup Export Failed on multi tenant vManage |
| | vmanage dr standby cluster not replicating feature templates even though config-db replication is successful |
| | Edited Description field is not updated when template copy option is used |
| | previously shared feature template cannot be edited post upgrade to 20.1 |
| | isr1100 unable to communicate with vbond due to Board ID Signature Verify Failure |
| | Secondary vmanages not able to shutdown tunnel interface when in config template before failover |
| | Device attached to Integration Management page on vmanage does not show up on DNA-C |
| | CSR service vpn dropdown on Azure CSR |
| | Cisco SD-WAN vManage SQL Injection Vulnerabilities |
Open Bugs for Cisco SD-WAN Release 20.1.12
Caveat ID Number | Description |
---|---|
| | tcpd crash seen while running system-test regression |
| | tcpd crash seen while running system-test regression |
| | vbond information is lost during replication after multiple failovers |
| | DC1 vmanage template attachment disappears after a switchover |
| | vE5K performance drops significantly using loopback TLOC without 'bind' configuration |
| | admin tech request prints some back end commands in vManage 20.1.924-56 |
| | admin tech logs some back end path in vEdge 20.1.924-54 |
| | vManage cluster sync failed message seen "Restart of wildfly timed out" |
| | C5 - Device bootstrap template is not attached for vEdge-Cloud deployed on AWS using cloud init |
Bugs for Cisco SD-WAN Release 20.1.1
This section details all fixed and open bugs for this release. These are available in the Cisco Bug Search Tool through the Resolved Bug Search.
Resolved Bugs for Cisco SD-WAN Release 20.1.1
Bug ID | Description |
---|---|
| | SVM: server config file is empty |
| | Unable to see class-map configs on the cedge/vEdge device if used in only QoS map |
| | Missing mapping for vrrp timer under vpn interface ethernet template |
| | Cannot use bootstrap configuration with URL-F block page content requires SU access to remove |
| | vManage web server fails after SSO SAML buildup |
| | Unable to create a template for vEdge with loopback interface number greater than 1000 with tunnel |
| | cedge stuck in "Sync Pending - Control connection UP after ZTP" on vmanage |
| | vManage should not push "media-type rj45" when user configures speed or duplex |
| | Template update pushing wrong interface with UTD NAT statement on Dialer interface |
| | vmanage should push "no config-exchange request" via ipsec template for zscalar (cedge template) |
| | Cisco SD-WAN Software Buffer Overflow Vulnerability |
| | CLI template push fails on vEdge if it contains special character "&" in the template |
| | vSmart hosted on vContainer - Software install fails |
| | No TLOC color options present in template post upgrade to 19.3.0 |
| | regression: can't configure dhcp default route in vManage 19.3.0 |
| | vManage templates are NOT available on the Secondary cluster. |
| | vmanage gui not accessible as /opt/data is 100% full. App server down |
| | Vmanage goes OOM after upgrade to 19.2.1 java.lang.OutOfMemoryError: Java heap space |
| | 16.12.3 ZBFW: When attached policy is deleted & new policy created, old policy still shows on vmanage |
| | vManage is pushing additional slash '\' with the banner line breaker |
| | vManage config preview is timing out on large config. |
| | multi-tenant vmanage install UTD LXC failed via security policy through templates at tenant level |
| | redistribution from ospf to bgp in vpn 0 is not mapped |
| | Cannot make TACACs group interface device specific |
| | Huge FW config (20k lines) ZBFW: Template push fails with message "Waiting for device response" |
| | vedge SRIOV networks are unreachable after remote interface flap |
| | Signature Update Failed after container upgrade/template push |
| | vmanage performance slowdown with large configuration (acl's) |
| | vmanage application timeout while pushing template to ISR1K with large number of ZBFW policy |
| | Bring down ge0/0 is not causing ipsec interface to report down |
| | SD-WAN router may delete newly created SA in a specific case |
| | UT: basic template push failing for DUT on omp while creating preview. |
| | vManage cluster activate gets stuck in scheduled state |
| | Cedge: advertise ipv6 lisp, eigrp and isis should be default to off in OMP template |
| | Variables in CLI Add-On do not get populated on variable preview pop up |
| | CLI Device template: Config Preview fails with server error |
| | SSL proxy: upload certificate is not working with enterprise as CA |
| | Cisco SD-WAN vManage SQL Injection Vulnerabilities |
| | Cisco SD-WAN Information Disclosure Vulnerability |
| | Cisco SD-WAN vManage Software Path Traversal Vulnerability |
| | Cisco SD-WAN vManage SQL Injection Vulnerabilities |
| | Cisco SD-WAN vManage SQL Injection Vulnerabilities |
| | Cisco SD-WAN vManage SQL Injection Vulnerabilities |
| | Cisco SD-WAN vManage Information Disclosure Vulnerability |
| | Cisco SD-WAN vManage Software Path Traversal Vulnerability |
Open Bugs for Cisco SD-WAN Release 20.1.1
Bug ID | Description |
---|---|
| | MTCVM: tasks icon does not report a task in progress |
| | Deleting vManage Disaster Recovery should not remove the software image from the software repository |
| | vManage not clearing control connections alarm |
| | vEdge changes the source address on the radius calls |
| | QoS map can't be assigned to sub-interface without Shaping rate - hit error |
| | vManage doesn't show number of CPU allocated in CLI and GUI |
| | Notification not present while entering inappropriate information in ipsec int under ipsec route |
| | vManage periodic cfgmgr crash |
| | Doing "simulate flows" from vManage running 20.1 causes FTMD crash on ASR1002-HX running 16.12.01e |
| | Eye icon in vManage password field disappears during next login when provided with wrong password |
| | Page gets refreshed when a user tries to login to vManage UI after changing the user password |
| | VEDGE 100M VZ LTE last resort circuit came UP randomly |
| | [vManage-UI] Password unmasking icon is not working |
| | Device attached to Integration Management page on vmanage does not show up on DNA-C |
| | Resume Disaster Recovery not working after upgrade |
| | Missing "switchport access vlan name XYZ" from cedge CLI - remove from vManage |
| | LLDP global settings feature template has no effect |
| | ip nat inside source list nat-dia-vpn-hop-access is not being pushed down from vmanage to cedge |
| | After attaching a device to partner, notifications not seen for serverlongpollevent |
| | NAT field is missing the device specific option in 20.1 |
| | vManage UI should make IKE1 pre-shared key mandatory, default value is causing template push failure |
| | vManage Cluster: crash seen during vmanage upgrade while system is going down |
| | CDP true/false mapping is missing from the config preview. |
| | "no ip redirects" is not applied to sub interface or Loopback interface during intf template attach |
| | 'Cisco Logging' template under Disk section is missing the Priority option |
| | vEdge 1k running 19.2.1 constantly reboots with the reason "USB controller disabled or enabled" |
| | vManage: SSO authentication may not be possible after upgrade/reboot |
| | No date and time info in the syslog payload |
| | vEdge system buffer pool depletion and data plane stops forwarding with device-access-policy config |
| | Changing Config-DB ID/Password from default to non-default on a cluster of more than 3 members |
Compatibility Matrix and Server Recommendations
For compatibility information and server recommendations, see Cisco SD-WAN Compatibility Matrix and Server Recommendations.