Read Me First
Note: To achieve simplification and consistency, the Cisco SD-WAN solution has been rebranded as Cisco Catalyst SD-WAN. In addition, from Cisco IOS XE SD-WAN Release 17.12.1a and Cisco Catalyst SD-WAN Release 20.12.1, the following component changes are applicable: Cisco vManage to Cisco Catalyst SD-WAN Manager, Cisco vAnalytics to Cisco Catalyst SD-WAN Analytics, Cisco vBond to Cisco Catalyst SD-WAN Validator, Cisco vSmart to Cisco Catalyst SD-WAN Controller, and Cisco Controllers to Cisco Catalyst SD-WAN Control Components. See the latest Release Notes for a comprehensive list of all the component brand name changes. While we transition to the new names, some inconsistencies might be present in the documentation set because of a phased approach to the user interface updates of the software product.
Release Notes for Cisco IOS XE Catalyst SD-WAN Devices, Cisco IOS XE Catalyst SD-WAN Release 17.9.1a
These release notes accompany the Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, which provides Cisco Catalyst SD-WAN capabilities. They include release-specific information for Cisco Catalyst SD-WAN Controllers, Cisco Catalyst SD-WAN Validators, and Cisco SD-WAN Manager, as applicable to Cisco IOS XE Catalyst SD-WAN devices.
Related Releases
For release information about Cisco vEdge Devices, refer to Release Notes for Cisco vEdge Devices, Cisco SD-WAN Release 20.9.x.
For release information about Cisco Catalyst SD-WAN Control Components, refer to Release Notes for Cisco Catalyst SD-WAN Control Components, Cisco Catalyst SD-WAN Control Components Release 20.9.x.
What's New for Cisco IOS XE Catalyst SD-WAN Release 17.9.x
This section applies to Cisco IOS XE Catalyst SD-WAN devices.
Cisco is constantly enhancing the Cisco Catalyst SD-WAN solution with every release, and we try to keep the content in line with the latest enhancements. The following table lists new and modified features we documented in the Configuration, Command Reference, and Hardware Installation guides. For information on additional features and fixes that were committed to the Cisco Catalyst SD-WAN solution, see the Resolved and Open Bugs section in the Release Notes.
Feature | Description |
---|---|
Cisco Catalyst SD-WAN Analytics | |
Easy Onboarding of Cisco SD-WAN Analytics into Cisco Catalyst SD-WAN Manager |
This feature enables you to easily onboard Cisco SD-WAN Analytics into Cisco Catalyst SD-WAN Manager. |
Feature | Description |
---|---|
Cisco Catalyst SD-WAN Systems and Interfaces |
|
Changes in the Add Feature and Edit Feature Forms |
The following enhancements are introduced in the Add Feature and Edit Feature forms.
|
Cisco Catalyst SD-WAN Monitor and Maintain | |
The Monitor > Devices page displays the devices that are newly added or synced to Cisco SD-WAN Manager using the options available on the Configuration > Devices page. |
|
Cisco Catalyst SD-WAN Multi-Region Fabric (also Hierarchical SD-WAN) |
|
Migrate a BGP-Based Hierarchical Core Network to Multi-Region Fabric |
This feature facilitates migrating a BGP-based hierarchical core network into a Cisco Catalyst SD-WAN Multi-Region Fabric-based topology by removing the need for complex control policy definitions and for a BGP core. |
Cisco Catalyst SD-WAN Getting Started Guide |
|
This feature enables you to install high security (HSEC) licenses on devices managed by Cisco SD-WAN Manager. An HSEC license is required to enable devices to support encrypted traffic throughput of 250 Mbps or higher. |
Feature | Description |
---|---|
Cisco Catalyst SD-WAN Getting Started |
|
If you configure Cisco SD-WAN Manager to use a proxy server for internet access, Cisco SD-WAN Manager uses the proxy server to connect to Cisco SSM or an on-premises SSM. |
|
Support for Managing Licenses Using Cisco Smart Software Manager On-Prem |
Cisco SD-WAN Manager supports management of device licenses, using a Cisco SSM On-Prem license server. This is useful for organizations that use Cisco SSM On-Prem to accommodate a strict security policy that does not permit devices to communicate with Cisco SSM over a direct internet connection. |
This feature allows you to reset the RSA private and public keys, and generate a CSR that uses a new key pair. In earlier releases, the generation of CSR used the existing key pair. |
|
This feature enables support for a Software Maintenance Upgrade (SMU) package that can be installed on Cisco IOS XE Catalyst SD-WAN devices. The SMU package provides a patch fix or a security resolution to a released Cisco IOS XE image. Developers can build this package to provide a fix for a reported issue without waiting to make the fix available in the next release. |
|
Cisco Catalyst SD-WAN Systems and Interfaces |
|
This feature lets you configure Cisco SD-WAN Manager to enforce predefined medium-security or high-security password criteria. |
|
The following enhancements are introduced for the Configuration Group feature.
|
|
Create Configuration Group Workflow for a Single-Router Site |
This feature introduces the Create Configuration Group workflow. The simplified workflow consolidates the various settings pages into a single page so that you can easily review your configuration at once. It also enables you to set up the WAN and LAN routing, in addition to the basic settings, at the time of creating a configuration group. As a result, any configuration created from the workflow is now immediately deployable. |
This feature enables you to create a network hierarchy in Cisco SD-WAN Manager to represent the geographical locations of your network. The network hierarchy and the associated resource IDs, including region IDs and site IDs, help you apply configuration settings to a device. In addition, the introduction of the resource manager in Cisco SD-WAN Manager automatically manages these resource IDs, thereby simplifying the overall user experience of Cisco Catalyst SD-WAN. You can create a region only if you enable the Multi-Region Fabric option in Cisco SD-WAN Manager. |
|
Wireless Management on Cisco 1000 Series Integrated Services Routers supporting WIFI6 WLAN module |
This feature enables you to configure the wireless LAN settings on WiFi6-capable Cisco 1000 Series Integrated Services Routers using Cisco SD-WAN Manager. The Embedded Wireless Controller on Cisco 1000 Series Integrated Services Routers helps you provide wireless connectivity without the need for another external controller to configure and manage the wireless settings on the routers using Cisco SD-WAN Manager. |
Co-Management: Improved Granular Configuration Task Permissions |
To provide a user with the ability to self-manage specific configuration tasks, you can assign the user permissions to configure specific features while excluding others. This feature introduces numerous new permission options, enabling fine granularity in determining which configuration task permissions to provide to a user. |
RBAC for Security Operations and Network Operations Default User Groups |
This feature provides the following default user groups:
RBAC for policies allows you to create users and user groups with the required read and write permissions for security and non-security policies. Users can perform configuration and monitoring actions only for the authorized policy type. |
Flexible Tenant Placement on Multitenant Cisco vSmart Controllers |
With this feature, while onboarding a tenant to a multitenant deployment, you can choose the pair of multitenant Cisco SD-WAN Controllers that serve the tenant. After onboarding a tenant, you can migrate the tenant to a different pair of multitenant Cisco SD-WAN Controllers to allow for more tenant WAN edge devices than was forecast during onboarding. |
Cisco Catalyst SD-WAN Routing |
|
This feature allows you to leak routes between service VPNs on the same edge device. The route leaking feature allows redistribution of replicated routes between service VPNs for Connected, Static, BGP, OSPF, and EIGRP protocols on Cisco IOS XE Catalyst SD-WAN devices. |
|
Cisco Catalyst SD-WAN Policies |
|
This feature adds support for ranking of Application Aware Routing (AAR) preferred and backup preferred colors. You can configure up to three levels of priority based on the color or path preference on a Cisco IOS XE Catalyst SD-WAN device. |
|
This feature enables you to configure application-aware routing (AAR) policies to operate with IPv6 application traffic. |
|
This feature enables export spreading to prevent export storms that occur when a burst of packets is sent to an external collector. The export of the previous interval is spread during the current interval to prevent export storms. When Deep Packet Inspection (DPI) or netflow packets are sent over a low-bandwidth circuit, the export spreading functionality is enabled to avoid packet drops. |
|
Support for Cisco SD-WAN Policy Configuration Tagging Using the Cisco vSmart Controller CLI Template |
This feature allows you to group multiple policy objects under a tag. The tag mechanism when used in Cisco Catalyst SD-WAN centralized or localized policies:
|
This feature enhances the support for Lawful Intercept in Cisco Catalyst SD-WAN. Cisco Catalyst SD-WAN's Lawful Intercept feature enables Cisco SD-WAN Manager and Cisco SD-WAN Controller to provide the key information to LEA so they can decrypt the Cisco Catalyst SD-WAN IPsec traffic captured by the MSP. |
|
Cisco Catalyst SD-WAN Security |
|
This feature allows you to configure user-identity-based firewall policies for unified security policies. Cisco Identity Services Engine and Microsoft Active Directory Services are identity providers to authenticate and authorize device users in the network. When Cisco SD-WAN Manager and a Cisco SD-WAN Controller establish a connection to the Cisco Identity Services Engine, information about user and user groups—that is, identity-mapping information—is retrieved from the Cisco Identity Services Engine. Identity-based policies are then distributed to Cisco IOS XE Catalyst SD-WAN devices. This identity mapping information is used while creating firewall policies. |
|
With this feature, use the Secure Internet Gateway (SIG) feature template to provision automatic GRE tunnels to Zscaler SIGs. In earlier releases, the SIG template only supported the provisioning of automatic IPSec tunnels to Zscaler SIGs. |
|
With this feature, create a single global Cisco SD-WAN Manager SIG Credentials template for each SIG provider (Cisco Umbrella or Zscaler). When you attach a Cisco SD-WAN Manager SIG template to a device template, Cisco SD-WAN Manager automatically attaches the applicable global Cisco SIG Credentials template to the device template. |
|
Monitor security events related to automatic SIG tunnels using the Security Events pane on the page, and the Events dashboard on the page. Monitor automatic SIG tunnel status using the SIG Tunnel Status pane on the page, and the SIG Tunnels dashboard on the page. |
|
This feature allows you to disable weaker SSH algorithms that may not comply with certain data security standards. |
|
Cisco Catalyst SD-WAN Cloud OnRamp |
|
This feature provides improved visibility to allow you to monitor the details of Microsoft 365 traffic processed by Cloud OnRamp for SaaS. |
|
Configure the Traffic Category and Service Area for Specific Policies |
You can edit AAR policies individually to change the specified Microsoft 365 traffic category and service area for specific AAR policies. |
Enable Cloud OnRamp for SaaS Operation for Specific Applications at Specific Sites |
This feature allows you to selectively delete AAR policy sequences to exclude Cloud OnRamp for SaaS operation on specific applications at specific sites. |
This feature allows you to choose whether Cloud OnRamp for SaaS should factor in the Microsoft telemetry data in the best path decision. If you disable this option, you can still view the Microsoft telemetry data in the Cisco SD-WAN Analytics dashboard, but it does not affect the best path decision. |
|
Support for AWS GovCloud (US) with Cisco SD-WAN Cloud OnRamp for Multicloud |
With the integration of Amazon Web Services (AWS) GovCloud (US) with Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud, you can store your highly sensitive workloads in an isolated cloud that meets the Federal Risk and Authorization Management Program (FedRAMP) requirements of the U.S. government and its customers. The same features that are available with the AWS integration with Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud are also available with Amazon GovCloud (US). Use the AWS Transit Gateway to connect your branch devices to the AWS GovCloud (US). |
Support for the Azure for US Government Cloud with Cisco SD-WAN Cloud OnRamp for Multicloud |
With the integration of the Azure for US Government cloud with Cisco Catalyst SD-WAN Cloud OnRamp for Multicloud, you can move and store your highly sensitive workloads in an isolated cloud that meets the Federal Risk and Authorization Management Program (FedRAMP) requirements of the U.S. government and its customers. All of the same features that are available for the Azure integration with Virtual WAN are also available with the Azure for US Government cloud. |
You can extend the SD-WAN fabric from the Interconnect gateway in Megaport into the AWS, Google Cloud and Microsoft Azure Cloud Service Providers. |
|
You can extend the SD-WAN fabric from the Interconnect gateway in Equinix into the AWS, Google Cloud and Microsoft Azure Cloud Service Providers. |
|
License Management for Cisco SD-WAN Cloud Interconnect with Megaport |
To create Interconnect Gateways and Interconnect Connections in the Megaport fabric, you must purchase required licenses on Cisco Commerce Workspace. With this feature, Cisco SD-WAN Manager operates together with Megaport and enables you to monitor your licenses while Cisco and Megaport jointly enforce the license requirements when you create Interconnect Gateways or Interconnect Connections. |
Decoupled Site-to-Site and Site-to-Cloud Connectivity Configuration for Cloud Gateways |
With this feature, you can configure some cloud gateways to support site-to-site and site-to-cloud connectivity, and other cloud gateways to support only site-to-cloud connectivity. This configuration flexibility is particularly beneficial in some Google Cloud regions that do not yet support site-to-site connectivity. In earlier releases, connectivity type is a global configuration. You configure all the cloud gateways to support site-to-site and site-to-cloud connectivity, or to support only site-to-cloud connectivity. |
Horizontal Scaling of Cisco Catalyst 8000V Instances in a Cloud Gateway |
With this feature, you can deploy between two and eight Cisco Catalyst 8000V instances as part of a cloud gateway in a particular region. In earlier releases, you can deploy only two Cisco Catalyst 8000V instances as part of a cloud gateway, with each instance deployed in a different zone of a region. |
Cisco Catalyst SD-WAN AppQoE |
|
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, AppQoE supports handling of the HTTP Connect method, which enables services like SSL Proxy and DRE to optimize HTTP Connect encrypted traffic. |
|
Cisco SD-WAN Monitor and Maintain |
|
This feature allows you to access the Support Case Manager (SCM) wizard using Cisco SD-WAN Manager. You can create, view, or edit the support cases directly from Cisco SD-WAN Manager without having to go to a different Case Manager portal. |
|
Analyze the Health of the Cisco SD-WAN Manager Cluster and Cluster Services Using the CLI |
With this feature, you can analyze the health of the Cisco SD-WAN Manager cluster and the status of the cluster services using the request nms cluster diagnostics CLI command. |
Additional Real Time Monitoring Support for AppQoE and Other Configuration Options |
This feature adds support for real-time monitoring for AppQoE and other device configuration details. Real-time monitoring in Cisco SD-WAN Manager is similar to using show commands in the CLI of a device. |
Customizable Monitor Overview Dashboard in Cisco SD-WAN Manager |
This feature adds customizability to the Monitor Overview dashboard. It gives you the flexibility to specify which dashlets to view and sort them based on your personal preferences. |
Site Topology Visualization in Cisco SD-WAN Manager (Phase II) |
This feature supports an enhanced, interactive visualization of site topology, providing information about the health of devices and tunnels in the topology. It provides you with an improved monitoring and troubleshooting experience. |
Network-Wide Path Insight in Cisco SD-WAN Manager Enhancements |
This feature provides enhancements to the network-wide path insight feature, including the collection and display of insight information, trace-level insight information, path insight information, and detailed application trace information. |
IPv6 Support for Bidirectional Packet Capture on Cisco IOS XE SD-WAN Devices |
This feature adds support for bidirectional capture of IPv6 traffic data to troubleshoot connectivity issues using CLI commands. As part of this feature, the following command is introduced to capture traffic details: monitor capture match ipv6 |
This feature introduces a Config Diff option for audit logs of device templates and feature templates. The Config Diff option shows configuration changes made to the template, comparing the current configuration and previous configuration. The Config Diff option is available for audit logs to view the configuration changes when a template is not attached to a device. |
|
This feature introduces an option to schedule software upgrades for edge devices using Cisco SD-WAN Manager. |
|
Added support for Cisco Enterprise NFV Infrastructure Software (NFVIS) and Cisco Catalyst Cellular Gateways. |
|
Cisco Catalyst SD-WAN NAT |
|
This feature adds support for the following Point-to-Point Protocol (PPP) dialer interfaces: PPP over Ethernet (PPPoE), PPP over Asynchronous Transfer Mode (PPPoA), and PPP over Ethernet Asynchronous Transfer Mode (PPPoEoA). You can use the PPP dialer interfaces to access IPv4 services and sites. |
|
With this feature, if both the Hot Standby Router Protocol (HSRP) routers are configured with the same static NAT mapping, only the active device responds to the Address Resolution Protocol (ARP) request for a static NAT mapping entry. Traffic that fails over from the HSRP active device to the standby device does not have to wait for the ARP request to time out before failing over. |
|
This feature provides support for an application-level gateway (ALG) that translates the IP address inside the payload of an application packet. Specific protocols such as Domain Name System (DNS), FTP, and Session Initiation Protocol (SIP) require a NAT ALG for translation of the IP addresses and port numbers in the packet payload. |
|
With this feature, you can define one or more port-forwarding rules to send packets received on a particular port from an external network to reach devices on an internal network. Prior to Cisco IOS XE Catalyst SD-WAN Release 17.9.1a and Cisco SD-WAN Manager, port forwarding was available for service-side NAT only. |
|
This feature provides the ability to enable or disable high-speed logging (HSL) of all translations by NAT. The new ip nat log translations flow-export command is introduced. You can configure NAT HSL using a device CLI or a CLI add-on template. |
|
Cisco Catalyst SD-WAN Multi-Region Fabric (also Hierarchical SD-WAN) |
|
In networks experiencing instability, TLOCs and bidirectional forwarding detection (BFD) tunnels may cycle repeatedly between being available and unavailable. This causes the overlay management protocol (OMP) to repeatedly withdraw and re-originate routes. This churn adversely affects Cisco vSmart controller performance. Adding a delay before re-originating routes that have gone down repeatedly prevents excessive churn, and prevents this type of network instability from diminishing Cisco SD-WAN Controller performance. |
|
Cisco Catalyst SD-WAN Multi-Region Fabric provides a migration mode to facilitate migrating an enterprise network to Cisco Catalyst SD-WAN. Migration mode enables a stepwise transition of devices from Cisco Catalyst SD-WANs that are not part of a Multi-Region Fabric network to Cisco Catalyst SD-WANs operating in a Multi-Region Fabric architecture. The migration mode is useful for migrating complex networks that function similarly to a Multi-Region Fabric architecture—that is, they have multiple network segments, and have a control policy that directs inter-segmental traffic through network hubs. |
|
When creating an application route policy or data policy, you can match traffic according to its destination region. The destination may be a device in the same primary region, the same secondary region, or neither of these. |
|
When configuring a centralized policy, you can create a preferred color group list, which specifies three levels of route preference, called primary, secondary and tertiary. The route preferences are based on TLOC color and, optionally, on the path type—direct tunnel, multi-hop path, or all paths. Path type is relevant to networks using Multi-Region Fabric. |
|
High Availability |
|
This feature provides support for configuring Cisco SD-WAN Manager alerts to generate an alarm and a syslog message for any disaster recovery workflow failure or event that occurs. |
New and Enhanced Hardware Features
New Features
- Support for Cisco IR8140 Heavy Duty Router: Cisco Catalyst SD-WAN capability can now be enabled on Cisco IR8140H and Cisco IR8140H-P Heavy Duty Routers.
- Support for Cisco DSL SFP Module: Cisco SD-WAN Manager CLI device templates now support the Cisco DSL SFP Module SFP-VADSL2+-I= for use with Cisco IR1101 Integrated Services Routers.
- Cisco Catalyst IR1800 Rugged Series Router support for Automotive Dead Reckoning (ADR): Cisco SD-WAN Manager now supports the configuration of ADR-GPS FRU for the Cisco Catalyst IR1800 Rugged Series Router platform using a CLI template. See GPS/Dead Reckoning module (IRM-GNSS-ADR).
- Cisco Catalyst IR1800 Rugged Series Router support for Ignition Power Management: Cisco SD-WAN Manager now supports the configuration of Ignition Power Management for the Cisco Catalyst IR1800 Rugged Series Router platform using a CLI template. See Ignition Power Management.
- Cisco Catalyst IR1835 Rugged Series Router support for General-Purpose Input or Output ports (GPIO): Cisco SD-WAN Manager now supports the configuration of GPIO for the Cisco Catalyst IR1835 Rugged Series Router platform using a CLI template. See Digital IO and Configuring Digital IO.
Software and Hardware Behavior Changes in Cisco IOS XE Catalyst SD-WAN Release 17.9.x
Software and Hardware Behavior Changes in Cisco IOS XE Catalyst SD-WAN Release 17.9.3a
Behavior Change | Description |
---|---|
Organizational Unit Field Not Required in Certificates for Edge Devices or Controllers | The signed digital certificates that you install on edge devices and controllers in the Cisco Catalyst SD-WAN overlay do not require the Organizational Unit field to be defined. However, if a signed certificate includes the Organizational Unit field, the field must match the organization name configured on the device. This is described in the Configure Enterprise Certificates section. |
Software and Hardware Behavior Changes in Cisco IOS XE Catalyst SD-WAN Release 17.9.2a
Behavior Change | Description |
---|---|
A show sdwan from-vsmart commit-history command is added for verifying policy-related commit events and for analyzing the average time required for the policy commit. | A new command, show sdwan from-vsmart commit-history, is added. |
The snmp-server subagent fetch count command is used to fetch the entry count if an SNMP MIB table includes a large number of table entries. | A note is added in the Supported SNMP MIBs section. |
The Community Name field has been removed from the SNMP feature. In its place, the User Label field has been added that helps you distinguish or update a community name when there are multiple community names for an SNMP target. | The new User Label field is described in the SNMP section. Similarly, a note is added for the Community Name field. |
An Internet Outages option is added to the Analytics menu in Cisco SD-WAN Manager. | The Internet Outages option is described in the Internet Outages section. |
Software and Hardware Behavior Changes in Cisco IOS XE Catalyst SD-WAN Release 17.9.1a
Behavior Change | Description |
---|---|
Support is added for adjusting the TCP maximum segment size (MSS) for a service VPN or for Network Address Translation (NAT) Direct Internet Access (DIA) use cases. Adjusting the TCP MSS value helps prevent TCP sessions from being dropped. | A note is added in the Configure TCP MSS and Clear Dont Fragment section. A note is added in the Information About Using a Dialer Interface with NAT DIA section. |
A link is added from the Cisco SD-WAN Manager menu to the Cisco Catalyst SD-WAN Portal. From the Cisco Catalyst SD-WAN menu, click SD-WAN Portal to access the Cisco Catalyst SD-WAN Portal for provisioning, monitoring, and maintaining Cisco Catalyst SD-WAN controllers using public cloud providers. | A note is added in the Cisco Catalyst SD-WAN Solution section. |
Support is added for configuration of a device access policy having only a default action and with no policy sequences. You can now create a device access policy with only a default action and with no policy sequences for creation of a device configuration or a Cisco SD-WAN Manager configuration for both protocols, Secure Shell (SSH) and Simple Network Management Protocol (SNMP). | A note is added in the Configure Device Access Policy Using Cisco vManage section. |
A list of valid characters is added. These characters must be used in the user ID, password, and the URL name or path when downloading an image from a remote server manually. | A note is added in the Upgrade the Software Image on a Device section. |
Support is added to configure unique local IPv6 addresses for Cisco SD-WAN Controller, Cisco SD-WAN Validator, and Cisco SD-WAN Manager controllers. | A note is added in the Configure the Cisco vSmart Controller section. |
Support is added to calculate 8 bytes overhead based on the specified IP MTU value, to ensure that the configuration is pushed to the device. | A note is added in the Configure PPPoE using Cisco vManage section. |
Support is added to manually enable or disable the unified logging fields in flexible netflow (FNF) using the policy ip visibility features enable command. | A note is added in the Unified Logging Security Connection Events and On-Demand Troubleshooting sections. A new command policy ip visibility features enable is added in Policy commands. |
The show sdwan omp routes command now includes tenant-id and verify keywords. | The show sdwan omp routes command is updated. |
We recommend that the Cisco SD-WAN Manager cluster interface should not be the same as the transport interface. Beginning with Cisco vManage Release 20.9.1, this is enforced. If you attempt to configure this, Cisco SD-WAN Manager displays an error message. | A note is added in the Guidelines for a Cisco vManage Cluster section. |
With the Enable telemetry pull from and push to Microsoft option enabled in Cisco SD-WAN Manager, the telemetry data that Cisco vAnalytics pulls from Microsoft to display in the Cisco vAnalytics dashboard now consists of the service area interface scores (1-100) and weight percentage for the score instead of the status (OK/NOT-OK/INIT). | A note is added in the Enable Application Feedback Metrics for Office 365 Traffic section. |
A new option Traffic Steering is available in Cisco SD-WAN Manager to aid Cisco IOS XE SD-WAN devices to determine the best path based on the telemetry data that Cisco vAnalytics pulls from Microsoft. | The new option Traffic Steering is updated in the Enable Application Feedback Metrics for Office 365 Traffic section. |
A new option Umbrella DNS Certificate is available in Cisco SD-WAN Manager to upload and push to appropriate devices Umbrella root certificates for Umbrella DNS security. | The new Umbrella DNS Certificate option is described in the Upload Umbrella Root Certificates section. |
The IP address of an NTP server cannot be a broadcast or a multicast address. | A note is added in the Configure NTP section. |
Cisco vManage Release 20.9.1 does not inadvertently change the transport mode of a device, which could interfere with the manual installation of HSEC licenses. | A note is added in the Restrictions for Managing Licenses for Smart Licensing Using Policy section. |
Use the implicit-acl-on-bind-intf command to enable implicit ACL protection on a physical interface in cases where a physical interface is not configured with a TLOC and bound to the loopback TLOC interface. | A note is added in the Loopback TLOC Interface Bound to a Physical WAN Interface section in Information About Implicit ACL on Loopback Interfaces. |
The Cisco SD-WAN Controller software version must be the same or be higher than the WAN edge device software version. If the WAN edge device software version is higher than the Controller software version, policy download to the device fails. | A note is added in Cisco SD-WAN Controller Compatibility Matrix and Recommended Computing Resources. |
Use the new tags for authentication and accounting. | A note is added in the Configure the Authentication Order. |
Important Notes, Known Behaviors, and Workarounds
-
Cisco IOS XE Catalyst SD-WAN devices with the SFP-10G-SR module do not support online insertion and removal (OIR) of this module.
-
Hardened security posture
Cisco vManage Release 20.3.1 implements a hardened security posture to comply with FedRamp guidelines. As a result, your Cisco SD-WAN Analytics login credentials that are stored locally get erased on upgrading the software, and you cannot access the vAnalytics service directly through Cisco SD-WAN Manager. In this case, log in to Cisco SD-WAN Analytics using this URL: https://analytics.viptela.com. If you can’t find your Cisco SD-WAN Analytics login credentials, open a case with Cisco TAC support.
-
Keyword for commands with output in tabular format
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, the table keyword is added to all show sdwan commands for which the output needs to be displayed in a tabular format. Using | tab is restricted for all Cisco Catalyst SD-WAN commands starting from Cisco IOS XE Catalyst SD-WAN Release 16.11.x.
-
Feature template support for network interface modules
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, feature templates support the following network interface modules for Layer 3 features:
-
Cisco 2-port 100-Mbps/1-Gbps WAN Network Interface Module with 256-bit WAN MACsec (C-NIM-2T)
-
Cisco 1-port 2.5-Gbps/1-Gbps WAN Network Interface Module with Cisco UPoE (C-NIM-1M)
-
-
Switch Port feature template
Starting from Cisco IOS XE Catalyst SD-WAN Release 17.9.1a, the Switch Port feature template supports an interface speed of 2500 Mbps when configuring a 2-Gigabit Ethernet interface for the following modules:
-
Cisco SM-X-16G4M2X and Cisco SM-X-40G8M2X EtherSwitch Service Modules on Cisco ISR 4000 Series Routers
-
Cisco C-SM-16P4M2X and Cisco C-SM-40P8M2X EtherSwitch Service Modules on Cisco Catalyst 8300 Series Edge Platforms
-
-
Cloud OnRamp for IaaS
Beginning with Cisco vManage Release 20.9.1, we recommend setting up your cloud infrastructure using Cloud OnRamp for Multicloud. Cloud OnRamp for IaaS will be phased out in a future release.
-
Route-target CLIs
Beginning with Cisco vManage Release 20.9.1, you can add the route-target CLIs through the CLI add-on profile of a configuration group:
vrf definition Mgmt-intf
 address-family ipv4
  route-target export 119:512
  route-target import 119:512
-
Minimum supported release for software maintenance upgrade (SMU)
The minimum supported release for software maintenance upgrade is Cisco IOS XE Catalyst SD-WAN Release 17.9.5a. It was previously described as Cisco IOS XE Catalyst SD-WAN Release 17.9.1a. See Supported Devices for Software Maintenance Upgrade.
Resolved and Open Bugs
About the Cisco Bug Search Tool
Use the Cisco Bug Search Tool to access open and resolved bugs for a release.
The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.
You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.6
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.6
Identifier |
Headline |
---|---|
[17.9-17.11] C1111-8P Inventory mismatch is seen after upgrading to 17.11 |
|
Some duplicated packets are dropped when there are frequent BFD flaps on primary path transport. |
|
C1117-4PLTEEA platform crashed with sh pl hard qfp ac feat cef-mpls prefix ip 10.40.201.10/32 vrf 2 |
|
Certificate expiry on Sept 2024 for DNS Security registration to Umbrella cloud. |
|
%PMAN-0-PROCFAILCRIT: R0/0: pvp: A critical process vip_confd_startup_sh has failed (rc 6) |
|
Cisco Catalyst 8000V Edge router crash after changing NAT HSL configuration. |
|
Cisco IOS XE Catalyst SD-WAN device : Traceroute not working with NAT pool configuration. |
|
Cisco IOS XE Catalyst SD-WAN device crashed when issuing "show sdwan ftm next-hop chain all" . |
|
The snmpwalk for OID ifOperStatus gives different output before & after upgrade for serial interface. |
|
EPBR FIA is not enabled on port-channel sub-interface. |
|
Multicast drops seen due to IpsecOutput drops - OUT_IPV4_SA_NOT_FOUND. |
|
Crash on Cisco 1000 Series Integrated Services Routers (double free or corruption). |
|
Cisco IOS XE Catalyst SD-WAN device is incorrectly consuming icmp reply packets. |
|
Cisco IOS XE Catalyst SD-WAN device crashed twice with critical process linux_iosd_image fault on rp_0_0 |
|
The snmpbulkget cannot get loss, latency and jitter for ProbeClassTable & ClassIntervalTable OIDs. |
|
"dmidecode: command not found" error seen executing "show sdwan certificate validity" |
|
Cisco IOS XE Catalyst SD-WAN device router crashing due to ftmd. |
|
High CPU utilisation for confd_cli |
|
IPsec PWK SPI mismatch causes Cisco IOS XE Catalyst SD-WAN device bfd tunnels to remain in down state. |
|
Cisco IOS XE Catalyst SD-WAN device: confd_cli may cause high cpu. Parent PID of "confd_cli" containing "show ip fib". |
|
Cisco IOS XE Catalyst SD-WAN device - High memory utilization due to "ftmd" process. |
|
The 'show sdwan policy service-path' command gives inconsistent results with app name specified. |
|
Cisco IOS XE Catalyst SD-WAN device does not install OMP route with high preference using service chaining. |
|
Cisco IOS XE Catalyst SD-WAN device might reboot due to vip_confg_startup_sh process failure. |
|
Unexpected reboot due cpp ucode on a Cisco Catalyst 8000V Edge router. |
|
Cisco IOS XE Catalyst SD-WAN device URLF is unable to detect TLS SNI with "TLS1.3 hybridized Kyber support" enabled on the browser. |
|
The cxpd crash seen on IOS-XE platform. |
|
Disabling PMTU-Discovery with MTU change and BFD flap breaks packet duplication. |
|
The VFR enablement difference with NAT interface vs NAT pool configuration. |
|
Fragmented Radius Access-Request packets are dropped when NWPI is running. |
|
Cisco IOS XE Catalyst SD-WAN device performing NAT for directly connected traffic. |
|
The ftmd crash observed while running PWK suite. |
|
One of IPSEC IKE tunnel goes down when second IPSEC IKE tunnel has been shut with same source interface. |
|
Add FNF cache limit for show sdwan app-fwd flows for CSCwj02401. |
|
[SIT]: SSE tunnels don't come up with Dialer interface. Relax check in IKE. |
|
20.12-ISR4431 ftmd crash @sig while removing IPv6 DNS server configuration. |
|
Cisco IOS XE Catalyst SD-WAN device: Unexpected reboot fman_fp_image fault on fp_0_0 (rc=134). |
|
The dns-snoop-agent has TCAM entry with all zeros for some regex patterns. |
|
The snmpbulkget/snmpwalk can't get loss latency jitter for ProbeClassTable & ClassIntervalTable OIDs. |
Open Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.6
Identifier |
Headline |
---|---|
The show sdwan appqoe aoim-statistics - APPQOE services restart. |
|
Cisco IOS XE Catalyst SD-WAN device may unexpectedly reload due to SIGABRT. |
|
DPDK RX buffer is getting corrupted on both Radium and Fugazi and causing crash. |
|
Cisco IOS XE Catalyst SD-WAN device: Unexpected behavior due to unstable power source. |
|
After Upgrade to 17.9.4a, Cellular Interface IP ADDRESS NEGOTIATED Mismatching. |
|
OMP route is being advertised although the route is not available (network statement + NAT DIA VPN). |
|
Certificate (ios_core.p7b bundle) update required for umbrella DNS for TOKEN method on 17.6/.9/.12 |
|
Cisco IOS XE Catalyst SD-WAN device: sh sdwan omp routes 0.0.0.0/0 vpn 1 throws CLI error. |
|
Service-side NAT Translation discrepancy. |
|
Cisco IOS XE Catalyst SD-WAN device IPv6: removing "advertise aggregate" configuration does not remove the entry from OMP. |
|
Cisco IOS XE Catalyst SD-WAN device unable to establish Cisco SD-WAN Validator connection on a cellular interface. |
|
Cisco IOS XE Catalyst SD-WAN device: NAT64 prefix is not originated into OMP. |
|
IOS-XE SDWAN: Warning Message when customer configures allow-service all. |
|
SPA_SETUP_FAILURE traceback seen after a reboot. |
|
In snmpbulkwalk request on Cisco IOS XE Catalyst SD-WAN device, each snmp get bulk retrieves data from backend instead of cache. |
|
Unexpected reboots on Cisco IOS XE Catalyst SD-WAN device due to QFP exception. |
|
TrapOID of ciscoSdwanBfdStateChange is different from MIB file. |
|
AAR BOW is not choosing the best tunnel; it is load balancing among the tunnels. |
|
Cisco IOS XE Catalyst SD-WAN device unexpectedly reloads due to a crash in 'vdaemon' process. |
|
Cisco IOS XE Catalyst SD-WAN device advertises component routes temporarily even if omp aggregate-only is configured. |
|
NAT DIA traffic getting dropped due to port allocation failure. |
|
Speed test download issue on C8200 platform seen with IPSEC Zscaler. |
|
Router crash with stuck threads. |
|
Cisco IOS XE Catalyst SD-WAN device with enterprise certificates not forming control connections with controllers after upgrade. |
|
Centralized Policy Policer worked per PC on the same site not per site/vpn-list. |
|
Endpoint tracker reporting error due to "DNS Querry Error". |
|
OMP to BGP Redistribution Leads to Incorrect AS_Path Installation on Chosen Next-Hop. |
|
Cisco IOS XE Catalyst SD-WAN device: System image file is not set to packages.conf when image expansion fails due to disk space. |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.5e
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.5e
Identifier |
Headline |
---|---|
IPsec PWK SPI mismatch causes Cisco IOS XE Catalyst SD-WAN device bfd tunnels to remain in down state. |
|
After applying security ipsec integrity-type Cisco IOS XE Catalyst SD-WAN device not recover BFD with CD_IN_PKT_OUT_OF_WINDOW drop. |
|
Cisco IOS XE Catalyst SD-WAN device : confd_cli may cause high cpu. Parent PID of "confd_cli" containing "show ip fib". |
|
The ftmd crash observed while running PWK suite. |
|
[SITLite]Observing BFD down issue between Cisco IOS XE Catalyst SD-WAN device boxes. |
|
After pairwise key enabling and reboot, there is a bfd mismatch on device. |
|
The add FNF cache limit for show sdwan app-fwd flows for CSCwj02401. |
|
17.17.1 After change integrity-type twice, all bfd sessions will be down. |
|
VRRP switchover with TLOC preference change is generating rekey and crypto add/delete events. |
|
Cisco IOS XE Catalyst SD-WAN device: Unexpected reboot fman_fp_image fault on fp_0_0 (rc=134) |
|
Cisco IOS XE Catalyst SD-WAN device unexpected reload due to ftmd process after tloc flap |
|
Software crash with Critical process vip_confd_startup_sh fault on rp_0_0 (rc=6) |
|
Cisco IOS XE Catalyst SD-WAN device crashed when issuing "show sdwan ftm next-hop chain all". |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.5a
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.5a
Identifier |
Headline |
---|---|
Same label is assigned to different VRFs. |
|
Environmental syslog is not appearing when power cord is disconnected from the redundant PS |
|
Enterprise Certificate status displayed as "Not Applicable" post rollback from viptela to ios-xe. |
|
17.11: Issues/discrepancies around CPU alarms generated and sent to Cisco SD-WAN Manager from Cisco IOS XE Catalyst SD-WAN device. |
|
Flooding of HSL packets |
|
OMPD crash while withdrawing routes |
|
Misprograming during vpn-list change under data policy. |
|
The SNMP unable to poll SDWAN Tunnel Data after a minute. |
|
FNF ucode crash when add or remove interface. |
|
Device requested SLAC without customer issuing command. |
|
BFD going down for newly onboarded Cisco IOS XE Catalyst SD-WAN device. |
|
SDWAN-NAT Device ICMP replies should not be natted. |
|
Dialer interface is blocking SIG Auto Tunnel workflow |
|
While upgrading ISR4451 device generates fman fp core file. |
|
Traffic is getting dropped with "SdwanDataPolicyDrop" with TunnelReason:MATCHED_NONE |
|
Cisco IOS XE Catalyst SD-WAN device might reload during overlay session entry removal. |
|
Traffic blackhole seen after few hours of soak due to Extra Key. |
|
Cisco IOS XE Catalyst SD-WAN device: confd_cli high CPU utilization after executing "show sdwan app-route stats". |
|
Device replying with NAT pool IP address instead of the WAN IP address. |
|
PMTUD incorrectly converging without attempting to learn a higher MTU. |
|
Intermittent BFD session flaps on Cisco IOS XE Catalyst SD-WAN device service side interface . |
|
The AppQoE DRE shows the optimized traffic is more than the original traffic on the data center SCs. |
|
There is fpmd crash on device after Power ON when trying to sync the config. |
|
The custom-app based policy triggering protocol deactivation and cpp traceback with traffic failure |
|
Tunnels behind Sym-nat does not come up or flap after "clear omp all" trigger on HUB. |
|
17.10: PPPoA dialer doesnt come up and randomly test case are failing when ran 174_aldi_script. |
|
[SIT]:When firewall is enabled , speedtest with iperf server configured on vpn 0 fails. |
|
Cisco Catalyst SD-WAN BFD sessions keeps flapping intermittently. |
|
Issues seen due to race conditions between sdwan policy and og-mgr on config-change. |
Open Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.5a
Identifier |
Headline |
---|---|
[17.9-17.11] C1111-8P Inventory mismatch is seen after upgrading to 17.11. |
|
The show sdwan appqoe aoim-statistics - APPQOE services restart |
|
Cisco IOS XE Catalyst SD-WAN device: unexpected behavior due to unstable power source. |
|
Post-upgrade checks didn't detect weak crypto config command esp-null leading to network outage. |
|
EPBR FIA is not enabled on Port-channel sub-interface. |
|
Service-side NAT Translation discrepancy |
|
Static NAT DIA inside static routes being advertised over OMP to remote sites. |
|
Cisco IOS XE Catalyst SD-WAN device IPv6: removing "advertise aggregate" configuration does not remove the entry from OMP. |
|
Encryption supported still shows AES_256_CBC in security info of Cisco IOS XE Catalyst SD-WAN device. |
|
Fragmented packets getting dropped unexpectedly when second fragment packet no translate. |
|
Cisco IOS XE Catalyst SD-WAN device: NAT64 prefix is not originated into OMP |
|
Crash when traffic is sent to UTD |
|
Cisco IOS XE Catalyst SD-WAN Device : Tracker not working after software upgrade |
|
BFD timers reverting back to default value after negotiating correctly |
|
Cisco IOS XE Catalyst SD-WAN device: confd_cli may cause high cpu. Parent PID of "confd_cli" containing "show ip fib" |
|
'show sdwan policy service-path' command gives inconsistent results with app name specified. |
|
Unexpected Reboots on Cisco IOS XE Catalyst SD-WAN device due to QFP exception |
|
TrapOID of ciscoSdwanBfdStateChange is different from MIB file. |
|
Device reboot due to "Critical process vip_confd_startup_sh" |
|
Unexpected NAT translation occurs in a specific network. |
|
Tracker group is down if one of the tracker elements is not reachable. |
|
Cisco IOS XE Catalyst SD-WAN device with enterprise certificates not forming control connections with controllers after upgrade |
|
SIG tunnel: 'SIG STATE' is showing blank value. |
|
Cisco SD-WAN Manager is reporting abnormal latency & jitter parameters |
|
Cisco IOS XE Catalyst SD-WAN device is unable to process hidden characters in a file while trying to use bootstrap method |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.4a
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.4a
Bug ID |
Description |
---|---|
Cisco IOS XE Software Web UI Privilege Escalation Vulnerability |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.4
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.4
Identifier |
Headline |
---|---|
Cisco IOS XE Catalyst SD-WAN device does not form BFD across Serial link when upgrading from 17.3.3 to 17.6.x |
|
On C8200-1N-4T, sh version points to /harddisk/core dir, but file is present in /bootflash/core dir |
|
NAT ALG is changing the Call-ID within SIP message header causing calls to fail |
|
Catalyst 8500L: Control connection over L3 Tloc extension failing as no NAT table entry created |
|
TLS control-connections down, traffic from controller dropped with SdwanImplicitAclDrop |
|
17.6: Route-map not getting effect when its applied in OMP for BGP routes |
|
CPP Ucode crash when Multicast traffic and UTD is enabled together on the same Cisco IOS XE Catalyst SD-WAN device |
|
Zscaler SIG: Tunnels don't come up with Custom Data Center IP |
|
NAT configuration with redundancy, mapping id and match-in-vrf options with no-alias support. |
|
TLOC down post ios-xe to viptela Nutella migration when enterprise cert used |
|
NAT configuration with no-alias option is not preserved after reload |
|
fugazi crash with qfp-ucode-fugazi in C8500L at @posix_mempool_prime_cache |
|
Change in the IPsec integrity parameters breaks the connectivity |
|
17.10: ucode crash seen on Thorium with traffic pointing to segfault in coff handler |
|
Segmentation fault in SDWAN PB rx when per-tunnel qos config withdraw |
|
Cisco IOS XE Catalyst SD-WAN device Router Crashes in "ftmd" Process When Configuring Tunnel "mode" or "route-via" |
|
c8300/85000 platform punt-policer is not configurable |
|
Unexpected reload with IPS configured on 17.6.3a |
|
Cisco IOS XE Catalyst SD-WAN device router crashing due to memory leak in ftmd |
|
Traffic blackhole seen after few hrs of soak due to Extra Key |
|
Cisco IOS XE Catalyst SD-WAN device BFD Session Down with interface flap |
|
Restrict option does not work when traffic match both Data policy and AAR policy |
|
Cisco IOS XE Catalyst SD-WAN device:After the vpn list change, the DP, AAR and CLFOWD polices stopped working on the routers. |
|
C8300-2N2S + UCSE: Kernel crash on C8300-2N2S with UCSE module. |
|
AAR overlay actions are applied to DIA traffic |
|
Cisco IOS XE Catalyst SD-WAN device unexpected reload when doing ips test with UTD ips engine |
|
TLOC down post viptela to ios-xe Nutella migration when enterprise cert used |
|
Cisco IOS XE Catalyst SD-WAN device configured with 10G BDI might reload when running NWPI Trace with QoS Insight enabled |
|
Invalid L4 Header drop due to multiple encap |
|
FW policy with app-family rule with FQDN causes traffic drop for other sequences |
|
Cisco IOS XE Catalyst SD-WAN device Packet Duplication: Duplicate packets are counted on Primary Tunnel Interface Statistics. |
Open Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.4
Identifier |
Headline |
---|---|
Zombie confd_cli processes hanging around are maxing out CPU |
|
Static NAT DIA inside static routes being advertised over OMP to remote sites |
|
Cisco IOS XE Catalyst SD-WAN device IPv6: removing "advertise aggregate" configuration does not remove the entry from OMP |
|
OMPD crash while withdrawing routes |
|
17.10: PPPoA dialer doesnt come up and randomly test case are failing when ran 174_aldi_script |
|
17.10 - Crash seen when umbrella/zscaler template pushed to device when name_lookup takes > 30 sec |
|
OMP to BGP Redistribution Leads to Incorrect AS_Path Installation on Chosen Next-Hop |
|
Device replying with NAT pool IP address instead of the WAN IP address |
|
Encryption supported still shows AES_256_CBC in security info of Cisco IOS XE Catalyst SD-WAN device |
|
Cisco IOS XE Catalyst SD-WAN device: NAT64 prefix is not originated into OMP |
|
[SIT]:When firewall is enabled , speedtest with iperf server configured on vpn 0 fails. |
|
Device requested SLAC without customer issuing command |
|
c1121-4P / 17.6.2 / "ip nat settings central-policy" dropping service side NAT traffic after reboot |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.3a
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.3a
Identifier |
Headline |
---|---|
RTP packets not forwarded when packet duplication enabled, no issue without duplication feature |
|
check_sig_ipsec_ike_sessions fails with could not find entry for Tunnel100001 |
|
Cisco Catalyst SD-WAN | System crash after disabling endpoint-tracker on tunnel interfaces |
|
[SITLite] BFD issues with clear_omp -> non-PWK + non-VRRP scenario only |
|
With 2 sequences, should not skip if the match is different and action is same |
|
17.10 Auto GRE- After reboot, no ip address assigned to destination address for 1 tunnel |
|
NAT translation is not correctly sent to hub router from branch when SSNAT and UTD are configured |
|
17.10: uCode crash seen on Curie 2RU after stopping NWPI trace |
|
Cisco IOS XE Catalyst SD-WAN device: PMTU Discovery is not working after interface flap |
|
17.6.2 IOS XE SD-WAN - tech files are incomplete when running admin-tech |
|
[SIT] ISR4221X/K9 : Critical process fpmd fault on rp_0_0 (rc=134) |
|
Sparrow crashed: fman_fp_image: QFP0.0 CPP Driver LOCKDOWN encountered due to previous fatal error |
|
Cisco IOS XE Catalyst SD-WAN device upgrade fails and can't change template due to "advertise aggregate" config w/o prefix-list |
|
Prefix through hub not installed in FIB, with OD Tunnels, seeing drops due to FirewallPolicy |
|
Cisco IOS XE Catalyst SD-WAN device drops packets with reason 55 (Forus) when port forwarding is enabled from outside to inside |
|
Control Connection on Cisco IOS XE Catalyst SD-WAN device doesn't come-up with reverse proxy using Enterprise Certificate |
|
BFD sessions flapping on an interface with SYMNAT may lead to IPSec crash |
|
ASR and c8500 crashing at fman_sdwan_nh_indirect_delete_from_hash_table |
|
FTM is shooting up high and stuck in loop with the function ftm_sa_add(). |
|
Cisco IOS XE Catalyst SD-WAN device - Login banner config is changed after upgrade to 17.6.3a |
|
Catalyst 8500L - qfp-ucode-fugazi crashes with SIGABRT within cio infra under heavy load |
Open Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.3a
Identifier |
Headline |
---|---|
Same label is assigned to different VRFs |
|
Cisco IOS XE Catalyst SD-WAN device does not form BFD across Serial link when upgrading from 17.3.3 to 17.6.x |
|
Cisco IOS XE Catalyst SD-WAN device crash with imgr_n2_ipsec_sa_ctx_register |
|
Change in the IPsec integrity parameters breaks the connectivity |
|
Cisco IOS XE Catalyst SD-WAN device did not create a crash file after Critical software exception |
|
Unexpected reload with IPS configured on 17.6.3a |
|
Cisco Catalyst 8500L: Control connection over L3 Tloc extension failing as no NAT table entry created |
|
C8500-12X4QC P2MP WAN MACSEC does not allow traffic to pass on the link |
|
Cisco IOS XE Catalyst SD-WAN device: device may boot up into prev_packages.conf due to power outage |
|
nbar classification error with custom app-aware routing policy |
|
17.10 - Crash seen when umbrella/zscaler template pushed to device when name_lookup takes > 30 sec |
|
Nutella Cisco IOS XE Catalyst SD-WAN device do not accept the password via netconf |
|
TLOC down post viptela to ios-xe Nutella migration when enterprise cert used |
|
FW policy with app-family rule with FQDN causes traffic drop for other sequences |
|
Cisco IOS XE Catalyst SD-WAN device crashes due to OMP process |
|
Inconsistent behavior found when adding tunnel source config to virtual-template interface |
|
Cisco IOS XE Catalyst SD-WAN device app-route Stats Show 100 percent loss but tunnel was up |
|
NAT configuration with no-alias option is not preserved after reload |
|
CFLOWD egress INFT shows NULL when tunnel is sourced with loopback |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.2a
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.2a
Identifier |
Headline |
---|---|
C1116-4P: CLI template push fails with error: 'Error: on line 48: line-mode single-wire line 0' |
|
Firewall drop seen stating “FirewallL4” seen on Cisco IOS XE Catalyst SD-WAN Device |
|
Cellular interface tracker down but NAT route persists in the Service VPN Routing Table |
|
Bootstrap failing on c8300 on 17.9 |
|
Cisco IOS XE Catalyst SD-WAN Device router is not programming correct next-hop for unicast prefix with multicast config present |
|
Multiple C8500s on Cisco SD-WAN experienced crashes every 4-5min |
|
IKEv2 Cert-based IPSEC not working between Cisco IOS-XE and AWS |
|
Packet duplication is causing drops in payment transactions with Cisco SD-WAN GenericDrop code. |
|
C8500 Cisco IOS XE Catalyst SD-WAN Device Reloads Unexpectedly due to Critical FTMD Fault when VRF Configuration is Pushed |
|
Cisco Catalyst SD-WAN ACL TCAM not in sync with configuration |
|
Cisco SD-WAN flows are not distributed and load-balanced evenly and consistently |
|
ZBFW self zone policy drops ssh session on Mgmt-intf 512 ports |
|
Automatically freeing up filesystems stale image or recovered folder (lost+found) |
|
Throughput degrades when local TLOC specified in Data Policy goes down |
|
BFD sessions remains down if interface flap form up/down/up |
|
Cisco IOS XE Catalyst SD-WAN Device speed test failing with "Device Error: Speed test in progress" |
|
Needs cert update - Azure CGW creation fails due to NVA provisioning failure |
|
C8300 with 5G module P-5GS6-GL is losing cellular config at each boot after upgrading to 17.9.1 |
|
C8300 : Crashed without generating any core (Critical process plogd fault on rp_0_0 (rc=75) |
|
SSH from Cisco SD-WAN Manager vshell to Cisco IOS XE Catalyst SD-WAN Device getting closed after Cisco IOS XE Catalyst SD-WAN Device update. |
|
BFD and control packets are dropped when ACL is applied on gigi to which loopback is bind |
|
SIG tunnel tracker packets are dropped by firewall with self zone policy |
|
The IPSLA udp-jitter V3 (optimize timestamp+precision microseconds) does not work on C8500 |
Open Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.2a
Identifier |
Headline |
---|---|
Cisco IOS XE Catalyst SD-WAN Device does not form BFD across Serial link when upgrading from 17.3.3 to 17.6.x |
|
Unable to configure the local BGP as-path-list via Cisco SD-WAN Manager. |
|
Cisco IOS XE Catalyst SD-WAN Device stopped forwarding traffic. Suspect OMPD is busy |
|
With 2 sequences, should not skip if the match is different and action is same |
|
After upgrade to Cisco SD-WAN Manager Release 20.6.3, Cisco IOS XE Catalyst SD-WAN Device moved into Out of Sync status on Cisco SD-WAN Manager. |
|
NAT translation is not correctly sent to hub router from branch when SSNAT and UTD are configured |
|
0365 and MS Teams applications access issues when using DIA with app-list match in data-policy |
|
Cisco IOS XE Catalyst SD-WAN Device: CERM may kick in due to IPSec sessions initiated for on-demand tunnels |
|
Cisco IOS XE Catalyst SD-WAN Device - Login banner config is changed after upgrade to 17.6.3a |
|
Control Connection on Cisco IOS XE Catalyst SD-WAN Device doesn't come-up with reverse proxy using Enterprise Certificate |
|
Upgrade failures due to inability to establish netconf connection from Cisco SD-WAN Manager to upgrade-confirm |
|
NAT configuration with no-alias option is not preserved after reload |
Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.1a
This section details all fixed and open bugs for this release. These bugs are available in the Cisco Bug Search Tool.
Resolved Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.1a
Identifier |
Headline |
---|---|
Cisco IOS XE Catalyst SD-WAN Device image installation fails |
|
Traceroute not working on Cisco IOS XE Catalyst SD-WAN Device with NAT |
|
UDP based DNS resolution doesn't work with IS-IS EMCP on Cisco IOS XE Catalyst SD-WAN Device |
|
Cisco SD-WAN Manager failed to display active flows when flow count is high on the device. |
|
Destination prefix packets getting dropped because forwarding plane is not programming the next hop. |
|
CSR BFD tunnel are zero with Cisco Catalyst SD-WAN version 17.03.03.0.7 |
|
Simulated flows with PPPoE with NAT DIA result in crash consistently |
|
Incorrect reload reason - Last reload reason: LocalSoft for Netconf Initiated request |
|
Missing IOS config (voice translation rule) on upgrade from 17.3 to 17.6 |
|
Umbrella DNS security policy doesn't work with Cloud onRamp with SIG tunnels |
|
Cisco Catalyst SD-WAN HUB with firewall configured incorrectly dropping return packets when routing between VRFs |
|
SNMP v2 community name encryption problem |
|
Router crashed after new IPv6 address assigned when router use specific configuration |
Open Bugs for Cisco IOS XE Catalyst SD-WAN Release 17.9.1a
Identifier |
Headline |
---|---|
bfd sessions remains down if interface flap form up/down/up |
|
Unable to switch the technology from 4g to 3g |
|
[17.6] Traffic seems not inspected by UTD when umbrella is set |
|
BFD Tunnel on Cisco SDWAN router is not staying up, 1 out of 40 tunnels. |
|
C8500 Cisco IOS XE Catalyst SD-WAN Device reloads unexpectedly due to critical FTMd fault when VRF configuration is pushed |
|
Static NAT configuration in CLI with the no-alias keyword cannot be retrieved via NETCONF/YANG |
|
BFD sessions not coming UP because of ANTI-REPLAY-FAILURES |
|
Cisco Catalyst SD-WAN tunnel keeps on flapping on dialer interface with 17.3.6 throttle image for TSN platform |
|
Destination not reachable if configured as a next for a static route resolvable via non /32 OMP |
|
Cisco Catalyst SD-WAN flows are not distributed and load-balanced evenly and consistently |
|
Firewall drop seen stating “FirewallL4” seen on Cisco IOS XE Catalyst SD-WAN Device |
|
Yang-management process confd is not running, controller mode 17.6.2a |
|
The IPSLA udp-jitter V3 (optimize timestamp+precision microseconds) does not work on C8500 |
|
Cisco IOS XE Catalyst SD-WAN Device "no ip nat" config is allowed to be committed and removes nat routes among other nat config |
|
show sdwan app-fwd cflowd flows vpn X format tabled does not show all flows for vpn X |
|
Bootstrap failing on c8300 on 17.9 |
|
Cisco Catalyst SD-WAN SIG GRE: Layer 7 Health check doesn't work on Loopback interfaces |
|
ISR1100-4G loses all BFD sessions with Invalid SPI |
|
Cisco IOS XE Catalyst SD-WAN Device C1121x-8P LAN Module is down when high CPU noticed |
|
Cisco Catalyst SD-WAN - Memory leak due to FTMd process |
Cisco Catalyst SD-WAN Control Components Compatibility Matrix and Server Recommendations
For compatibility information and server recommendations, see Cisco Catalyst SD-WAN Control Components Compatibility Matrix and Server Recommendations.
Supported Devices
For device compatibility information, see Cisco Catalyst SD-WAN Device Compatibility.
Cisco SD-WAN Manager GUI Changes
This section presents a comparative summary of the significant changes between Cisco vManage 20.8.x and Cisco vManage Release 20.9.1.
Workflows Menu
In Cisco vManage Release 20.9.1, the following changes have been made to the Workflows menu:
-
The Launch Workflows submenu is renamed as Workflow Library.
-
The Popular Workflows section is introduced for easy and quick access to the workflows.
-
The Rapid Site Configuration Group and Custom Configuration Group workflows are removed, and the Create Configuration Group workflow is introduced.
-
The Provision WAN Sites and Devices workflow is renamed as Deploy Configuration Group.
SD-WAN Portal Menu
In Cisco vManage Release 20.9.1, SD-WAN Portal is added to the Cisco SD-WAN Manager menu. Choose SD-WAN Portal to access the Cisco SD-WAN Self-Service Portal.
Monitor Overview Page
In Cisco vManage Release 20.9.1, the labels of the following UI elements have changed:
-
Devices to WAN Edges
-
Device Health to WAN Edge Health
-
Device Inventory to WAN Edge Inventory
Monitor VPN Page
In Cisco vManage Release 20.9.1, the labels of the following UI elements have changed:
-
Device Status to WAN Edge Reachability
-
Device Health to WAN Edge Health
Configuration Groups Edit Page
In Cisco vManage Release 20.9.1, the feature profiles are presented in a tabular format, thereby enabling you to scan all the profiles at once. In Cisco vManage Release 20.8.x, the feature profiles were organized in a card-based presentation.