home

Release notes

Getting startedOverviewArchitectureSupported platformsRelease notesWhite papers
Getting startedOverviewArchitectureSupported platformsRelease notesWhite papers

Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Show Contents

Show Page Sections

thumbnailRelease notes

VNOS release notes 2204

Patch release notes 2204a

Vyatta NOS patch release notes 2204a.

Released May 5, 2022

Issues resolved

Issues resolved in 2204a.

Issue number

Priority

Summary

VRVDR-57467

Critical

Banner with newline prevents loading configuration after upgrade from 1903j to 1908n

VRVDR-56938

Critical

Failed to change MTU on QAX

VRVDR-56563

Critical

Frequent flapping of all BGP peers due BFD failure

VRVDR-57491

Major

Version shows empty last reboot info if snmp service is not enabled

VRVDR-57440

Major

SIAD Boundary Clock becomes unlocked after Grand Master ports bounced

VRVDR-57266

Major

show mpls incomplete command broken in 2204

VRVDR-57256

Major

vyatta-ptp-mib-subagent log is seen constantly on SIAD when PTP is configured

VRVDR-57133

Major

IPsec RA-VPN Clients : charon-systemd querying SAD entry with SPI index failed: Operation not permitted

VRVDR-56872

Minor

delete system image <version> logs deletion as a warning

Security vulnerabilities resolved

Security vulnerabilities resolved in 2204a.

Issue number

CVSS score

Advisory

Summary

VRVDR-57493

7.5

DSA-5123-1

CVE-2022-1271: Debian DSA-5123-1 : xz-utils - security update

VRVDR-57353

7.5

DSA-5111-1

CVE-2018-25032: Debian DSA-5111-1 : zlib - security update

VRVDR-57243

7.5

DSA-5103-1

CVE-2021-4160, CVE-2022-0778: Debian DSA-5103-1 : openssl - security update

VRVDR-57317

7.1

DSA-5108-1

CVE-2022-0561, CVE-2022-0562, CVE-2022-0865, CVE-2022-0891, CVE-2022-0907, CVE-2022-0908, CVE-2022-0909, CVE-2022-0924, CVE-2022-22844: Debian DSA-5108-1 : tiff - security update

BFD dataplane CPU affinity

Bidirectional Forwarding Detection (BFD) is a protocol used to monitor liveness of forwarding engines in order to enable quicker control plane convergence in the event of failure of a node. The original offload design did not consider the fact that the BFD thread in the dataplane either needs to execute on a dedicated CPU or have some other means of always being scheduled in a timely manner in order to avoid timing out sessions. This has resulted in issues when the CPU load on the main thread can result in erratic scheduling of the BFD thread. This patch adds a new command that can dedicate a CPU for BFD in the dataplane using affinity configuration.

set protocols bfd dataplane cpu-affinity <cpu-id>

cpu-id is in the range 1 to 255. It is customized per platform to reflect the actual number of CPUs available on the platform.

When this command is issued, the BFD thread is moved to or started on the specified CPU. All existing BFD sessions experience a flap during this activity due to the temporary teardown and re-instantiation of the BFD thread.

The CPU specified must conform to the following restrictions:

  1. It must not be the CPU used to host the main thread of the dataplane.
    • If no affinity is configured for the dataplane as a whole, the main thread is hosted by CPU 0.
    • If the dataplane CPU affinity is configured using set system default dataplane cpu-affinity, the main thread is hosted on the cpu with the lowest id in the list specified.
  2. It must not be a CPU configured for control, forwarding or any other feature.
    • The other existing commands dealing with dataplane cpu affinity are as follows:
      • set system default dataplane control cpu-affinity <cpu-list>
      • set interfaces dataplane <interface> < cpu-affinity | transmit-cpu-affinity | receive-cpu-affinity > <list>
      • set security vpn ipsec dataplane < crypto | crypto-fwd > cpu-affinity <list>
      • set service nat cgnat cpu-affinity event session <cpu>

The above restrictions are validated at the time of committing the configuration and the configuration commit fails if the user specifies an invalid configuration.

If the CPU specified by the user does not exist on the system, the configuration is still accepted in order to handle scenarios of VM re-provisioning. However an error message of severity CRITICAL will be emitted indicating that the configuration was not honored. If this happens, BFD runs in a degraded mode on the same CPU as the main thread.

GNSS events

The GNSS (Global Navigation Satellite System) can be in an unexpected state, or be in a temporary state for too long. Therefore, when such issues are detected, an SNMP GNSS failure trap is sent, with a reason for the failure. When the failure event ends, an SNMP GNSS recovery trap is sent. They are also resent periodically when in a failure condition.

The GnssFailure trap is sent for any of the GNSS failure conditions. The failure reason message indicates the cause for the failure. While in a failure condition the trap is sent every 60 minutes. When leaving the failure condition, the GnssRecovery trap is sent.

Note:

Timings for the traps sent are approximate, as polling for GNSS status is done about every 10 to 15 seconds.

The following table describes the possible reasons for GNSS failures. These are in the order that is reported if more than one issue occurs.

Failure reason

Text of reason sent in trap

The GNSS module has not been detected.

Module not detected

The GNSS module has been disabled by the administrator.

Module disabled by admin

The GNSS module has reported a failure.

Hardware failure

The antenna of the GNSS module has failed.

Antenna failure

The GNSS module has not been able to enter the tracking state for at least the time specified by the Holdover time limit configuration value.

Holdover exceeded configured duration

The GNSS module has taken longer than the time specified by the Tracking time limit configuration value to enter the tracking state for the satellites.

Too long in entering tracking state

This patch adds the following configuration commands:

set service gnss instance [number] tracking-time-limit [seconds]

number is the instance number of the GNSS receiver in the system. Most systems have at most one GNSS receiver with an instance number of 0.

seconds is how long to wait, in seconds, until a GNSS failure trap indicates that it has taken too long to enter the tracking state. This value must be as follows:

  • Has a minimum value of 10
  • Is a multiple of 10
  • Less than the holdover-time-limit configuration variable
  • Defaults to a value of 900 (15 minutes)

If the tracking state has not transitioned to tracking by the time specified in this configuration value, then a trap is sent with the reason Too long in entering tracking state.

set service gnss instance [number] holdover-time-limit [seconds]

number is the instance number of the GNSS receiver in the system. Most systems have at most one GNSS receiver with an instance number of 0.

seconds is how long to wait, in seconds, until a GNSS failure trap indicates that the holdover time has been exceeded. This value must be as follows:

  • Has a minimum value of 20
  • Is a multiple of 10
  • More than the tracking-time-limit configuration variable
  • Defaults to a value of 7200 (2 hours)

If the tracking state has not transitioned to tracking by the time given in this configuration value, then a trap is sent with the reason Holdover exceeded configured duration.

Dataplane IP and ICMP statistics added to tech-support

The show tech-support command now includes output from the following commands:

show dataplane statistics ip
show dataplane statistics icmp

Last updated: July 13, 2022