Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

The defects that have been resolved in this release are detailed in this section.

Security vulnerabilities

Security issues have been resolved in this release.

CVE-2013-5211: Network Time Protocol (NTP) Mode 6 Scanner (VRVDR-37993)
CVE-2017-5754: Debian DSA-4078-1: linux - security update (Meltdown) (VRVDR-39891)
CVE-2017-5753: Debian DSA-4187-1, DSA-4188-1: Spectre aka. variant #1: (VRVDR-39909)
CVE-2017-3145: Debian DSA-4089-1: bind9 - security update (VRVDR-40087)
CVE-2018-1000005, CVE-2018-1000007: Debian DSA-4098-1: curl - security update (VRVDR-40327)
CVE-2018-5334, CVE-2018-5335, CVE-2018-5336: Debian DSA-4101-1: wireshark - security update (VRVDR-40398)
CVE-2017-10790, CVE-2018-6003: Debian DSA-4106-1: libtasn1-6 - security update (VRVDR-40555)
CVE-2017-17563, CVE-2017-17564, CVE-2017-17565, CVE-2017-17566: Debian DSA 4112-1: xen security update (VRVDR-40782)
CVE-2017-14632, CVE-2017-14633: Debian DSA 4113-1: libvorbis security update (VRVDR-40783)
CVE-2018-6459: Strongswan 5.6.x: denial-of-service vulnerability in the parser for RSASSA-PSS signatures (VRVDR-40821)
CVE-2018-7540, CVE-2018-7541, CVE-2018-7542: Debian DSA 4131-1: xen security update (VRVDR-40991)
CVE-2017-3144, CVE-2018-5732, CVE-2018-5733: Debian DSA 4133-1: isc-dhcp security update (VRVDR-41041)
CVE-2018-7738: Debian DSA-4134-1: util-linux - security update (VRVDR-41096)
CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122: Debian DSA-4136-1: curl - security update (VRVDR-41137)
CVE-2018-1064, CVE-2018-5748, CVE-2018-6764: Debian DSA 4137-1: libvirt security update (VRVDR-41139)
CVE-2018-5146: Debian DSA 4140-1: libvorbis security update (VRVDR-41172)
CVE-2018-6797, CVE-2018-6798, CVE-2018-6913: Debian DSA-4172-1: perl - security update (VRVDR-41512)
CVE-2018-0494: Debian DSA-4195-1: wget - security update (VRVDR-41795)
CVE-2018-1087, CVE-2018-8897: Debian DSA-4196-1: linux - security update (VRVDR-41797)
CVE-2018-8897, CVE-2018-10471, CVE-2018-10472, CVE-2018-10981, CVE-2018-10982: xen security update (VRVDR-41924)
CVE-2018-1000301: Debian DSA-4202-1: curl - security update (VRVDR-41946)
CVE-2018-1122, CVE-2018-1123, CVE-2018-1124, CVE-2018-1125, CVE-2018-1126: Debian DSA-4208-1: procps - security update (VRVDR-42006)
CVE-2018-3639: speculative execution, variant 4: speculative store bypass / Spectre v4 / Spectre-NG (VRVDR-42013)
CVE-2018-3639: xen security update (VRVDR-42088)
CVE-2017-5715, CVE-2017-15038, CVE-2017-15119, CVE-2017-15124, CVE-2017-15268, CVE-2017-15289, CVE-2017-16845, CVE-2017-17381, CVE-2017-18043, CVE-2018-5683, CVE-2018-7550: DSA 4213-1: qemu security update (VRVDR-42112)
CVE-2018-12020: Debian DSA-4222-1: gnupg2 - security update (VRVDR-42284)
CVE-2018-0495: Debian DSA-4231-1: Debian DLA-1405-1: libgcrypt20 - security update (VRVDR-42383)
CVE-2018-3665: DSA 4232-1: xen security update (VRVDR-42427)
CVE-2018-5390, CVE-2018-13405: DSA 4266-1: linux security update (VRVDR-43111)

Resolved issues

Customer issues have been resolved in this release.

Component Key Summary
RA_VPN VRVDR-36378 Client behind NAT is unable to connect to L2TP server
Firewall VRVDR-38978 ZBF doesn't allow stateful tracking for locally sourced traffic
Interfaces VRVDR-39271 Once a week dp0bond0 and dp0bond1 interfaces go down on their Master
DHCP VRVDR-39529 DHCP server failover is not synchronizing databases
VRRP VRVDR-39710 When rfc-compatibility is enabled in a VRRP instance, Vyatta does not respond to icmp requests
NAT VRVDR-39729 dataplane crashes when NAT resource group address has /31 mask
Bonding VRVDR-39750 The show interface dataplane <bond-vif> CLI shows interface statistics but is not a tab completion option under show interface dataplane
Firewall VRVDR-39772 The show log and show log firewall name <FW-RULE> command no longer displays firewall logs
VRRP VRVDR-39802 Mastership rolls back from backup to primary with preempt false
Bonding VRVDR-39829 Bond fails after packet duplication is observed intermittently in production
Bonding VRVDR-39854 Bond interface down after DATAPLANE: ESP: Head room inc failed
QinQ VRVDR-39860 Commit doesn't complete and Rollback doesn't complete properly
VRRP/GRE VRVDR-39863 VRRP fails over when customer removes routing-instance with GRE associated and tunnel local-address is part of VRRP
NAT VRVDR-39864 Solution needed: SNAT for internally sourced traffic while externally sourced traffic must pass without translation
Firewall VRVDR-39865 Non-unique ICMP states for pings between Windows hosts
Dataplane VRVDR-39871 Ping RTT regression
Config Infrastructure VRVDR-39922 When deleting a subnet from resource group, the compare command shows incorrect information/output
NAT VRVDR-39985 TCP DF Packets larger than GRE tunnel MTU are dropped with no ICMP fragmentation needed returned
Firewall VRVDR-39991 Stateful firewall drops packets between 2 subnets on the same interface
IPsec/VPN VRVDR-40085 PB-IPsec is not working when pinging between loopback interfaces on the Vyatta NOS themselves.
NAT VRVDR-40210 NAT ICMP error handling for checksum disabled UDP is wrong
NAT VRVDR-40211 delete session-table source <IP-address:port> and delete session-table destination <IP-address:port> do not work on 17.2.0
Installer VRVDR-40281 After upgrading from 5.2 to more recent version error -vbash: show: command not found in operation mode
System VRVDR-40328 cloud-init images take a long time to boot
Bonding VRVDR-40497 ARP doesn't work over bonded SR-IOV interface
IPsec/VPN VRVDR-40644 IKEv1: QUICK_MODE re-transmits are not handled correctly
Bridging VRVDR-40857 vhost-bridge does not come up for tagged vlan with interface names of a certain length.
IPsec/VPN VRVDR-40858 VTI interface showing MTU 1428 causing TCP PMTU issues
Firewall VRVDR-40886 Combining icmp name <value> with a number of other configuration for the rule will cause FW to not load
SNMP VRVDR-40920 With as listen-address snmpd does not start
ALG VRVDR-40927 DNAT: SDP in SIP 200 OK not translated when it follows a 183 Response
NAT VRVDR-40940 dataplane crash related to NAT/Firewall
IPsec/VPN VRVDR-40967 disabling IPv6 forwarding prevents routing of vti sourced IPv4 packets
Bridging VRVDR-40988 vhost not starting when vSRX image is used with certain number of interfaces
NAT VRVDR-41074 PBR is not working correctly in SNAT and DNAT setup where customer wants to hide ip add
BGP VRVDR-41088 Extended (4 byte) ASN not represented internally as unsigned type
Interfaces VRVDR-41225 When configuring interface description, every white space is treated as a new line
Firewall VRVDR-41252 With unbound VTI in zone-policy, drop rule is bypassed depending on commit order of zone rules.
GRE VRVDR-41266 Static route leaking to VRF does not transit traffic across mGRE tunnel after reboot
Bonding VRVDR-41469 One interface link down - bond is not carrying traffic
VRRP VRVDR-41481 VRRP on bond interface does not send VRRP advertisement
DNS VRVDR-41536 dnsmasq service start-init limit hit when adding more than 4 static host entries if dns forwarding is enabled
Dataplane VRVDR-41558 The reported timestamps in packet traces are not consistent with the actual time and system clock
IPv6 VRVDR-41628 Route/prefix from router-advertisement active in kernel and dataplane but ignored by RIB
ALG VRVDR-41834 NAT: SIP BYE not translated/forwarded if sent by called party
IPsec/VPN/VRRP VRVDR-41906 PMTU discovery fails as ICMP Type 3 code 4 messages are sent out from wrong source ip
IPsec/VPN/VRRP VRVDR-41944 After VRRP fail-over some VTI tunnels fail to re-establish until a 'vpn restart' or peer reset is issued
NAT VRVDR-41957 Bi-Directional NAT'd packets too large for GRE fail to return ICMP Type 3 Code 4
sFlow VRVDR-42027 SFLOW using incorrect input ifIndex
IPsec/VPN VRVDR-42084 vfp interface marked as non-dataplane interface in show dataplane route when nat/ipsec config is re-applied
SSH VRVDR-42108 After 25s ssh login delay systemctl --user status fails with Failed to connect to bus: No such file or directory
Flow Accounting VRVDR-42244 Flow-monitoring only exports 1000 samples to collector
VRRP VRVDR-42283 VRRP state changes to FAULT for all interfaces when a vif interface ip is deleted
IPsec/VPN VRVDR-42335 IPSEC: remote-id hostname behavior changes from 5400 to 5600
OSPF VRVDR-42362 OSPF route reset from remote end once standby Vyatta device reboot
TACACS VRVDR-42483 TACACS authentication failing
BGP VRVDR-42635 bgp redistribute route-map policy change does not take effect
System VRVDR-42718 Config-sync incorrect sync status
System VRVDR-42774 x710 (i40e) driver sending flow control frames at very high rates
IPsec/VPN VRVDR-42826 With remote-id peer negotiation fails due to pre-shared-key mismatch
SNMP VRVDR-43157 When tunnel bounces SNMP trap is not properly generated.

Known issues

The known issues in this release have been identified.

Component Key Summary
IPsec/VPN VRVDR-42135 dead-peer-detection hold not functional / XFRM acquire handling missing (was: IPsec tunnel UP but not passing data)
VRRP VRVDR-42692 VRRP configurations under switch group not supported
OSPF VRVDR-42820 Trying to get ROUTE-MAPS to work correctly.
Hypervisor VRVDR-43145 VM management improvements - run VM start/stop script asynchronously and provide CLI to force shutdown a VM
IPsec/VPN VRVDR-43174 show vpn ike sa peer command does not work
IPsec/VPN VRVDR-43186 RAC Failover not working - source IP not selected correctly
IPsec/VPN VRVDR-43193 With RAC traceroute does not work for traffic destined over the tunnel