Patch release notes 1908m
Release notes for Vyatta NOS 1908m, released April 26, 2021.
Issues resolved
Issues resolved in release 1908m.
| Issue number | Priority | Summary |
|---|---|---|
| VRVDR-54591 | Blocker | TACACS authentications fails when TACACS accounting has a large backlog |
| VRVDR-54144 | Blocker | Marvell FAL plugin should drop backplane packets with RX Errors |
| VRVDR-53324 | Blocker | ADI XS uCPE: InDiscards seen in the switch backplane at 1G |
| VRVDR-52877 | Blocker | ADI QoS Performance Issue with specific packet sizes |
| VRVDR-52568 | Blocker | Revert SIAD kernel panic defaults |
| VRVDR-52447 | Blocker | PTP: switching between the same master on multiple ports does not work if chosen port is down |
| VRVDR-50002 | Blocker | Cannot commit a confirmed commit |
| VRVDR-53302 | Critical | Boundary Clock lost sync and is unable to re-acquire lock |
| VRVDR-53517 | Critical | PTP de-referencing bad interface pointer |
| VRVDR-53372 | Critical | PTP: Data plane crash in ptp_peer_resolver_cb |
| VRVDR-53014 | Critical | commit-confirm not working via VCLI scripts |
| VRVDR-52995 | Critical | GRUB update during image upgrade is broken |
| VRVDR-52912 | Critical | Service-user creation fails due to moved SSSD databases |
| VRVDR-52877 | Critical | ADI QoS performance issue with specific packet sizes |
| VRVDR-52855 | Critical | Creating service-users fails |
| VRVDR-52401 | Critical | Degradation of throughput by 10%-40% on v150 with 100M physical interface and QoS |
| VRVDR-51953 | Critical | IPv4 over IPv6 Remote Access (RA) VPN session not working |
| VRVDR-51072 | Critical | L3 SIAD router not fragmenting packet size above MTU |
| VRVDR-50125 | Critical | No logging showing NETCONF confirmed-commit |
| VRVDR-50028 | Critical | cancel confirmed-commit CLI command missing |
| VRVDR-49982 | Critical | NETCONF confirm commit timeout not honored |
| VRVDR-49960 | Critical | show confirmed-commits CLI command missing |
| VRVDR-49828 | Critical | RA VPN: L2TP-Server: tunnel fails to come to up state |
| VRVDR-48094 | Critical | IPsec RA VPN client/server: v4 traffic not working with a concrete remote traffic-selector |
| VRVDR-54090 | Major | NETCONF copy-config allows the same source and target datastore to be set |
| VRVDR-53833 | Major | Handle multiple errors in configd: session/load.go merge_tree() |
| VRVDR-53195 | Major | When forwarding traffic in the DPDK, we do not break the loop frequently enough |
| VRVDR-53099 | Major | TACACS+ starts only when service is restarted manually |
| VRVDR-52997 | Major | tacplusd get_tty_login_addr() may overflow buffer |
| VRVDR-52730 | Major | SSSD should not run as root |
| VRVDR-52424 | Major | NETCONF edit-config applies changes with the none default-operation, and no specified operation |
| VRVDR-52404 | Major | ICMP error returned with a corrupted inner header causes segmentation fault when passed through a FW/NAT44/PBR rule with logging enabled |
| VRVDR-52241 | Major | Sanity test command authorization fails due to TACACS+ D-Bus daemon restart |
| VRVDR-52120 | Major | Hostname may be sent instead of IP address in TACACS+ accounting requests |
| VRVDR-52091 | Major | tacplusd should not run as root |
| VRVDR-51809 | Major | TACACS+ session accounting: task_id in stop record differs from task_id in start record |
| VRVDR-51238 | Major | After Broadcast storm, TACACS doesn't recover |
| VRVDR-50884 | Major | GRUB password printed in plain-text in installer logs |
| VRVDR-50803 | Major | tacplusd logs are very chatty by default |
| VRVDR-50775 | Major | Data plane PANIC in bond_mode_8023ad_ext_periodic_cb with locally sourced and terminated GRE traffic |
| VRVDR-50659 | Major | PTP: Do not delete master if still in use |
| VRVDR-50036 | Major | Add TACACS+/SSSD information to tech support output |
| VRVDR-49860 | Major | Untyped opd:option nodes break CLI |
| VRVDR-49836 | Major | IPsec: Fails to be able to ping from tunnel endpoint to tunnel endpoint with ping size 1419 using default MTU with site-2-site. Tunnel MTU discovery not working |
| VRVDR-49630 | Major | IPsec received the Warning: unable to [VPN toggle net.ipv6.conf.intf.disable_xfrm], received error code 65280 warning on committing site-to-site tunnel configuration |
| VRVDR-49354 | Major | Failed to set new admin user account password during live CD image installation |
| VRVDR-47705 | Major | BGP BFD error leads to repeated BGP session flap |
| VRVDR-42098 | Major | TACACS+ server connection timeout |
| VRVDR-47187 | Minor | show arp is expected to display string under Dataplane & Controller column, but displays 0xc0 |
| VRVDR-43453 | Minor | show l2tpeth/ show l2tpeth <interface> returns Use of uninitialized value in printf at /opt/vyatta/bin/vplane-l2tpeth-show.pl line 41 with the output |
| VRVDR-42094 | Minor | TACACS+ server enable/disable |
Security vulnerabilities resolved
Security vulnerabilities resolved in release 1908m.
| Issue number | CVSS | Advisory | Summary |
|---|---|---|---|
| VRVDR-52618 | 9.8 | DLA-2323-1 | CVE-2019-18814, CVE-2019-18885, CVE-2019-20810, CVE-2020-10766, CVE-2020-10767, CVE-2020-10768, CVE-2020-12655, CVE-2020-12771, CVE-2020-13974, CVE-2020-15393: Debian DLA-2323-1: linux-4.19 – new package |
| VRVDR-53016 | 9.1 | DLA-2369-1 | CVE-2017-18258, CVE-2017-8872, CVE-2018-14404, CVE-2018-14567, CVE-2019-19956, CVE-2019-20388, CVE-2020-24977, CVE-2020-7595: Debian DLA-2369-1: libxml2 – security update |
| VRVDR-54499 | 8.8 | DLA-2557-1 | CVE-2020-27815, CVE-2020-27825, CVE-2020-27830, CVE-2020-28374, CVE-2020-29568, CVE-2020-29569, CVE-2020-29660, CVE-2020-29661, CVE-2020-36158, CVE-2021-20177, CVE-2021-3347: Debian DLA-2557-1: linux-4.19 – security update |
| VRVDR-53272 | 8.8 | DLA-2388-1 | CVE-2018-12404, CVE-2018-18508, CVE-2019-11719, CVE-2019-11729, CVE-2019-11745, CVE-2019-17006, CVE-2019-17007, CVE-2020-6829, CVE-2020-12399, CVE-2020-12400, CVE-2020-12401, CVE-2020-12402, CVE-2020-12403: Debian DLA-2388-1: nss – security update |
| VRVDR-52457 | 7.8 | DLA-2301-1 | CVE-2020-12762: Debian DLA-2301-1: json-c – security update |
| VRVDR-54039 | 7.5 | DLA-2116-1 | CVE-2015-9542: Debian DLA-2116-1: libpam-radius-auth – security update |
| VRVDR-53231 | 7.5 | DLA-2382-1 | CVE-2020-8231: Debian DLA-2382-1: curl – security update |
| VRVDR-52844 | 7.5 | DLA-2355-1 | CVE-2020-8622, CVE-2020-8623: Debian DLA-2355-1: bind9 – security update |
| VRVDR-52454 | 7.1 | DLA-2295-1 | CVE-2020-8177: Debian DLA-2295-1: curl – security update |
| VRVDR-52456 | 6.7 | DLA-2290-1 | CVE-2019-5188: Debian DLA-2290-1: e2fsprogs – security update |
| VRVDR-52273 | 6.7 | DSA-4728-1 | CVE-2020-10756, CVE-2020-13361, CVE-2020-13362, CVE-2020-13754, CVE-2020-13659: Debian DSA 4728-1: qemu – security update |
| VRVDR-52817 | 6.4 | N/A | CVE-2020-15705: GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed |
| VRVDR-52476 | 5.9 | DLA-2303-1 | CVE-2020-16135: Debian DLA-2303-1: libssh security – update |
| VRVDR-52357 | 5.6 | DSA-4733-1 | CVE-2020-8608: Debian DSA-4733-1: qemu – security update |
| VRVDR-53230 | 3.7 | DLA-2378-1 | CVE-2020-1968: Debian DLA-2378-1: openssl1.0 – security update |
| VRVDR-52197 | N/A | N/A | Privilege escalation in reset ipv6 neighbors and reset ip arp commands |
Kernel panic behavior
VRVDR-49991 modified kernel panic defaults, introducing additional panic events for the SIAD S9500s in 1912b.
Specifically, the following additional events are modified:
- panic-on-io-nmi
- panic-on-unrecovered-nmi
The reboot delay time following a kernel panic was also modified from 60 seconds to 30 seconds:
- reboot-wait-after-panic = 30
VRVDR-52568 reverts the defaults in 1912f such that the system no longer panics on the additional events. The reboot wait timer is also reverted to 60 seconds. The CLI to change the behavior through configuration remains; only the default behavior has changed. No change is made to the panic-of-oops default – it remains set.
NETCONF support for confirmed commit
1908m now contains NETCONF support for confirmed commit. Commit confirm is a feature which is currently available on the vRouter CLI.
Confirmed commit helps guard against committing configurations which can cause loss of connection to the system being managed, or perhaps the configuration being committed causes system instability or crashes. Such scenarios are automatically recovered from if the configuration is not confirmed, reverting back to the last working configuration. The confirmed commit capability is the NETCONF equivalent feature, which has the same goals, but slightly different way of operating. The confirmed commit features and functionality are described in RFC 6241, Section 8.4:
"The :confirmed-commit:1.1 capability indicates that the server will support the cancel-commit operation and the confirmed, confirm-timeout, persist, and persist-id parameters for the commit operation. See Section 8.3 for further details on the commit operation.
A confirmed commit operation MUST be reverted if a confirming commit is not issued within the timeout period (by default 600 seconds = 10 minutes). The confirming commit is a commit operation without the confirmed parameter. The timeout period can be adjusted with the confirm-timeout parameter. If a follow-up confirmed commit operation is issued before the timer expires, the timer is reset to the new value (600 seconds by default). Both the confirming commit and a follow-up confirmed commit operation MAY introduce additional changes to the configuration.
If the persist element is not given in the confirmed commit operation, any follow-up commit and the confirming commit MUST be issued on the same session that issued the confirmed commit. If the persist element is given in the confirmed commit operation, a follow-up commit and the confirming commit can be given on any session, and they MUST include a persist-id element with a value equal to the given value of the persist element.
If the server also advertises the :startup capability, a copy-config from running to startup is also necessary to save the changes to startup."
Confirmed-commit
<rpc message-id="1234" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<confirmed/>
</commit>
</rpc>Confirm-timeout
A confirmed-commit is reverted if it is not confirmed within 10 minutes. An alternative timeout can be specified using the confirm-timeout parameter. The confirm-timeout specifies the number of seconds, after which a confirmed-commit is reverted. The confirm-timeout accepts the values 1 through 4294967295 seconds. Other values are rejected as an error. The confirm-timeout is canceled once the commit is confirmed.
<rpc message-id="1993" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<confirmed/>
<confirm-timeout>900</confirm-timeout>
</commit>
</rpc> Revert on session termination
If the session on which a confirmed-commit is issued terminates before the confirm-timeout expires, the configuration is restored to the state before the confirmed-commit was issued. This behavior can be over-ridden by specifying a persist parameter in the confirmed-commit.
Persistent confirmed-commit
The behavior specified in the previous requirement can be overridden to allow the confirmed-commit to survive the termination of the session by specifying a persist parameter. When present, the confirmed-commit is persistent, surviving the termination of the session on which the confirmed-commit was issued. The persist value must then be used when confirming the confirmed-commit. It is simply a string value.
<rpc message-id="2371" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<confirmed/>
<confirm-timeout>300</confirm-timeout>
<persist>NCC-74656</persist>
</commit>
</rpc> Follow-up confirmed-commit
If a confirmed-commit is received, while another confirmed commit is ongoing, that is it has not yet been confirmed, the confirmed commit is considered a follow-up commit. For a follow-up confirmed-commit, the confirm-timeout is restarted, using the confirm-timeout value derived from the follow-up commit operation. Any configuration changes are regarded as additional changes on top of any preceding confirmed commit. If no confirming-commit happens before the expiry of the last confirm-timeout, the configuration is reverted back to the state before the initial confirmed-commit.
A follow-up confirmed-commit must have a persist-id value which matches the persist value of the initial confirmed-commit, if the persist-id does not match an ongoing confirmed-commit, the follow-up confirmed commit is rejected with an invalid-value error. If no persist value was present in the initial confirmed-commit, no persist-id parameter should be present in the follow-up, and the follow-up commit must be received on the same session.
<!-- Initial confirmed-commit -->
<rpc message-id="2371" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<confirmed/>
<confirm-timeout>300</confirm-timeout>
<persist>NCC-74656</persist>
</commit>
</rpc>
<!-- Follow-up confirmed-commit, with new timeout value and uses persist-id matching persist of initial commit -->
<rpc message-id="2375" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<confirmed/>
<confirm-timeout>500</confirm-timeout>
<persist-id>NCC-74656</persist-id>
</commit>
</rpc>
<!-- Final confirming-commit, which confirms the sequence of commits identified by persist-id NCC-74656 -->
<rpc message-id="2378" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<persist-id>NCC-74656</persist-id>
</commit>
</rpc> Confirming-commit
A confirming-commit is any commit operation without the confirmed parameter, that is issued before the confirm-timeout expires. When received, the confirmed-commit is confirmed, and the confirm-timeout is canceled. The confirming-commit must be issued on the same session as the commit being confirmed, unless the confirmed-commit has a persist parameter.
At present, if a NETCONF commit operation is issued, and there are no configuration changes to commit, an error is reported, specifying that there are no changes to commit. This error is not reported, if it is determined that the commit operation is a confirming-commit. If there are no outstanding confirmed-commits, the error is reported as usual. If there are any configuration changes which can be committed when a confirming-commit is received, these are committed as normal. If the confirming-commit is a valid confirmed-commit, the new confirmed-commit is considered as a new independent confirmed-commit, even if identified by the same persist parameter as the confirmed commit being confirmed.
<!-- Confirming a confirmed-commit, on same session. There may or may not be additional changes being committed. -->
<rpc message-id="2001" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit/>
</rpc>
<!-- Confirming a confirmed-commit which had a <persist> parameter of "NX-01". This can be issued on the same session or a different session to the original confirmed-commit. Any additional changes are committed as normal, i.e. not as a confirmed-commit -->
<rpc message-id="2151" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<persist-id>NX-01</persist-id>
</commit>
</rpcPersist-id
The persist-id parameter must be used to confirm a confirmed-commit that had a persist parameter. It also allows a confirmed-commit to be confirmed on any session, not just the session on which the confirmed-commit was issued. The persist-id must equal the persist parameter specified in the confirmed-commit, if it does not match an outstanding confirmed-commit, the confirming-commit fails with an invalid-value error.
Cancel a persistent confirmed-commit
The cancel-commit operation can cancel a persistent confirmed commit by specifying the confirmed-commits persist value in the persist-id parameter. A persistent confirmed-commit can be canceled from any session.
If an ongoing confirmed commit cannot be identified that matches the persist-id parameter, the cancel-commit operation fails with an invalid-value error.
<rpc message-id="2266" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<cancel-commit>
<persist-id>NCC-1701</persist-id>
</cancel-commit>
</rpc>Show system confirmed-commits
A show system confirmed-commits command is available, to show the status of any confirmed-commits. If possible, it shows the session on which the confirmed-commit was issued, any persist value and the confirm-timeout outstanding at the time the command was invoked.
vyatta@vm-fl3-1:~$ show system confirmed-commit Session Revert Time Persist-Id 2865 2020-03-23 09:25:00 ABDpersist123 vyatta@vm-fl3-1:~$
Cancel confirmed-commit
There is a cancel confirmed-commit command to allow a confirmed-commit, with an associated persist value to be canceled from the CLI. This command is available in configuration mode.
The syntax of the command is as follows:
cancel-commit [ force | persist-id <persist-id> ] [ comment <comment-text> ]
Multiple session interaction
RFC 6241 talks about using the lock operations to avoid undesirable consequences of multiple sessions updating the configuration. vRouter's current lock implementation only supports locking of the candidate datastore, which does not seem to offer any useful utility. Each session maintains its own independent candidate datastore and locking the candidate by using NETCONF still allows other CLI sessions to make and commit configuration changes. Supporting a lock on the running configuration is required to allow useful confirmed-commit operation without other sessions changing the configuration.
Improved lock support
The NETCONF lock operation supports locking of the running configuration. This allows a client to safely lock the running configuration until it has completed a series of edit-config, commit.
A NETCONF client can only lock the running configuration if the following criteria are satisfied:
-
The lock is not currently held by another session. On vRouter, the running configuration is implicitly locked when committing.
-
Another session has an ongoing confirmed-commit, that is one which has not yet been confirmed.
CLI confirmation of a NETCONF confirmed-commit
<!-- A NETCONF confirmed commit -->
<rpc message-id="2364" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<commit>
<confirmed/>
<confirm-timeout>300</confirm-timeout>
<persist>NCC-1701-D</persist>
</commit>
</rpc>
<!-- Can be confirmed by the CLI -->
vyatta@vm-commit-1# confirm persist-id "NCC-1701-D"Advertise confirmed-commit capability
To inform NETCONF clients that the vRouter supports the confirmed-commit capability, the confirmed-commit capability should be advertised as part of the NETCONF hello message.
The capability string used to indicate this, as specified in RFC 6241; Sec 8.4.3, is:
urn:ietf:params:netconf:capability:confirmed-commit:1.1
<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
<capabilities>
<capability>urn:ietf:params:netconf:base:1.0</capability>
<capability>urn:ietf:params:netconf:base:1.1</capability>
<capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=explicit&also-supported=report-all,explicit</capability>
<capability>urn:ietf:params:netconf:capability:candidate:1.0</capability>
<capability>urn:ietf:params:netconf:capability:startup:1.0</capability>
<capability>urn:ietf:params:netconf:capability:rollback-on-error:1.0</capability>
<capability>urn:ietf:params:netconf:capability:confirmed-commit:1.1</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
<capability>urn:ietf:params:netconf:capability:validate:1.0</capability>
</capabilities>
<session-id>1</session-id>
</hello> Include persist-id
The NETCONF confirmed-commit feature uses the same infrastructure as confirm-commit and rollback. Any logs which are currently generated are enhanced to include the persist-id, and indicate that the commit is a confirmed-commit originating from a NETCONF session.
TACACS+ enhancements
Patch 1908m includes the following enhancements for TACACS+.
Command accounting start records
Support for generating start records for TACACS+ command accounting have been added, supplementing the existing stop record support. Start records are not enabled by default, but can be enabled by configuration. As with the existing stop record support, only modeled Vyatta commands generate start records, with exceptions because of the following YANG backwards compatibility constraints:
- The default connection timeout value of 10 seconds required by 01.01.18. The default value is 3 seconds.
- The minimum key length of 8 characters required by 01.01.13. The minimum length is 1 character.
TACACS+ command accounting start records are sent as soon as possible after a command is entered, and before it is executed. Stop records are sent as soon as possible after the command has finished execution. Command accounting start records are only issued following successful TACACS+ command authorization local ACM authorization.
Existing stop record attributes
- Attribute
- Function
- task_id
- a unique identifier of the record
- stop_time
- time at which the command execution finished
- service
- currently always shell
- protocol
- op-mode or conf-mode to indicate context
- cmd
- first command argument, for example, set, delete, show
- cmd-arg
- issued for each remaining command argument
Start record attributes
The TAC_PLUS_ACCT_FLAG_START flag identifies a start record which includes the same attributes as a stop record apart from stop_time which is substituted for start_time, indicating the time at which the command was executed.
The task_id is the unique identifier tying the start and stop records of a given command execution together.
New stop record attributes
All stop records now also include the start_time attribute, indicating the time at which command execution started. This attribute is included regardless of whether start records are enabled or disabled. Where start records are enabled, the start_time value is identical to that sent in the corresponding start record.
Offline timer
The TACACS+ component on Vyatta has an existing offline mode which, when triggered, prevents any TACACS+ transactions from being performed by the system.
Since no transactions are performed while the TACACS+ component is offline, all TACACS+ based AAA is unavailable. When the TACACS+ component goes offline:
- If TACACS+ login is enforced (tacplus is the only auth-chain method), the last resort local user login immediately becomes available
- When command authorization is enabled, TACACS+ users already logged in are unable to run modeled NOS commands (they must re-login with a local account)
Until Vyatta 2012 and 1908m, offline mode was only triggered when all TACACS+ servers were configured with a hold down timer and all timers were activated; TACACS+ would remain offline until the soonest expiring hold down timer expired.
In Vyatta 2012 and 1908m, additional configuration is introduced to control the minimum length of the offline period, and also allow the TACACS+ component to enter offline mode when one or more TACACS+ servers have not been configured with a hold down timer.
Collectively we can refer to the hold-down-timer and offline-timer functionality as the TACACS+ suppression timers.
All servers have hold down timers
The configured offline timer defines the minimum time that the TACACS+ component is offline. Offline mode is entered when hold down timers are active for all servers. TACACS+ remains offline until either the offline-timer period expires, or the soonest expiring hold down timer expires – whichever is longer.
No servers have hold down timers
TACACS+ goes offline for the configured offline-timer period immediately following a failure to establish a connection to any configured TACACS+ server.
Some servers have hold down timers
Similar to when no servers have hold down timers, except that we do not attempt a connection to any server with an active hold down timer.
New and updated operational mode commands
The existing show system tacplus status command used to display statistics and hold down state of all configured TACACS+ servers. In Vyatta 2012 and 1908m, the command is enhanced to display the offline timer state:
Routing-instance: default
Offline timer active, expiring in: 45s
Server address: 192.168.252.250
Server port: 49
Authentication requests/replies: 1/1
Authorization requests/replies: 5/5
Accounting requests/replies: 4/4
Failed connects: 0
Server address: 192.168.252.251
Server port: 49
Authentication requests/replies: 0/0
Authorization requests/replies: 0/0
Accounting requests/replies: 0/0
Failed connects: 0
Server address: 192.168.252.252 Server port: 49
Authentication requests/replies: 0/0
Authorization requests/replies: 0/0
Accounting requests/replies: 0/0
Failed connects: 0The TACACS+ is offline line is displayed when the TACACS+ component is offline. During this period no TACACS+ AAA functionality is available.
No server is shown as being active when the offline timer is running. This is normally indicated as follows:
...
Server address: 192.168.252.250 (active)
Server port: 49
...New and updated configuration commands
Patch 1908m includes the following new and updated configuration commands.
set system tacplus-options accounting command-start-records
Use the set system tacplus-options accounting command-start-records command to enable support for TACACS+ command accounting start records. When enabled, a TACACS+ command accounting record is issued, with a start_time attribute, prior to a modeled Vyatta NOS command being executed. Start records are disabled by default.
This command does not affect the generation of session accounting start records. These are always generated by the system upon user login.
set system tacplus-options offline-timer <0-3600>
Use the set system tacplus-options offline-timer <0-3600> command to define the minimum period during which the system does not perform any TACACS+ transactions following failure.
<0-3600> indicates the period during which the system does not perform any TACACS+ transactions. The default value is 0 (disabled).
The offline period is triggered following a failure to connect to all TACACS+ servers. This can be due to either failed connection attempts, or because all configured servers have an active hold down timer, while attempting to connect to a server, or a combination.
When the running offline timer expires, the system attempts to perform TACACS+ transactions again. In most cases, the TACACS+ login provider requests a connection check immediately after the timer expires. If this succeeds, the local fallback user login is locked for TACACS+ logins enforced by the auth-chain configuration. Otherwise, a failure causes the offline timer to be restarted and the TACACS+ component enters offline mode again.
During the offline period, all authorization transactions result in a locally generated FAILED result, preventing TACACS+ users already logged in from executing any modeled Vyatta commands. Local login, that is local user fallback, is permitted when TACACS+ is in the offline state.
If an offline-timer greater than zero is configured, any changes to hold-down-timer values do not cause changes to any offline period which may be in effect.
set system tacplus-options server secret <key>
Use the set system tacplus-options server secret <key> command to define the secret key used to encrypt communications with all configured TACACS+ servers.
key indicates the secret key used to encrypt TACACS+ communications. The value may consist of any printable ASCII character, that is [[:print:]]
The value configured here can be overridden on a per-server basis using the existing system login tacplus-server <address> secret <key> configuration.
set system tacplus-options server port <1-65535>
Use the set system tacplus-options server port <1-65535> command to define the TCP port used for communications with all configured TACACS+ servers.
1-65535 indicates the TCP port to use for communications with TACACS+ servers. The default value is 49.
The value configured here can be overridden on a per-server basis using the existing system login tacplus-server <address> port <port> configuration.
set system tacplus-options server timeout <1-120>
Use the set system tacplus-options server timeout <1-120> command to define the timeout to be used for communications with all configured TACACS+ servers.
1-120 indicates the number of seconds the system waits for a connection to be opened with a TACACS+ server, or for a response to be received. The default value is 3.
The value configured here can be overridden on a per-server basis using the existing system login tacplus-server <address> timeout <timeout> configuration.
Long timeouts should generally not be used, to avoid slow system response for users. If long timeouts are used, it is strongly recommended to also use hold-down timers and/or the offline-timer.
set system login tacplus-server <address> disable
Use the set system login tacplus-server <address> disable command to prevent the use of a given TACACS+ server for any TACACS+ transaction.
disabled indicates the server is not used for TACACS+ transactions.
A server which has been disabled does not appear in the output of the show system tacplus status operational mode command.
set system login tacplus-server <address> secret <key>
set system tacplus login tacplus-server <address> timeout <1-120>
Add copy-config to candidate support in NETCONF
In previous releases, there was no way to completely replace a candidate configuration database through NETCONF, as Vyatta did not support candidate databases as targets. This affects the config-sync operation, as replacing the whole configuration in the remote is the most reliable way to achieve synchronization. Config-sync may be worked around to use multiple edit-config operations with the delete method, but copy-config is much simpler and easier to maintain.