Recommended Use

Compatibility

Upgrade Path for Orchestrator

New SD-WAN Feature

Important Notes

Orchestrator API Changes

Available Languages

Document Revision History

Resolved in Orchestrator Version R5302-20231011-GA

• UI Build R5302-20231201-GA, was released on 12-04-2023 and is the 6th UI Build added for Orchestrator Release 5.3.0. 

  The following table lists all the fixes for this UI Build with descriptions of the symptoms for each issue.

  Ticket	Symptom/Description
  Fixed Issue #126695	On the SD-WAN > Settings > Alerts > Webhooks page of the UI, if a user is configuring webhooks for Alerts, when they click on the "Configure Payload Template" button the menu is not displayed.
  Fixed Issue #128921	A partner or enterprise superuser navigating to the SD-WAN > Enterprise > Service Settings page would observe there is no option to view Edge licenses.
  Fixed Issue #131224	On the Configure > Device > VPN Services page of the UI, when configuring a Zscaler service, the Sub-Location Name 'Other' can be edited and results in the Orchestrator marking the configuration as invalid with errors "Zscaler sublocations cannot be named as 0" and "Cannot save changes. There is one more more errors within your configuration". The 'Other' Sub-Location should never be edited and this issue occurs only if the Zscaler service is deactivated and then reactivated.
  Fixed Issue #131631	On the Monitor > Edge > Destinations page, a user cannot filter by Applications as the option is not present on the UI.
  Fixed Issue #132047	On the Configure > Edge > Device > Connectivity > VLAN page of the UI, when the user chooses the VLAN DHCP option 2 (Time Offset), a negative value cannot be entered despite it being an integer. The expected behavior is for the UI to allow both positive and negative integers.
  Fixed Issue #132384	After a configuration change done to a VLAN at the profile level, all data related to DHCP or OSPF on any Edges using that profile is lost if the configuration uses an Edge override.
  Fixed Issue #133008	On the Monitor > Network Overview page of the UI, if the Edges are sorted by link status (for example, Links down, Links stable, or Links degraded), the Auto-Refresh option does not work and all monitoring information disappears from the UI.

• UI Build R5302-20231121-GA, was released on 11-22-2023 and is the 5th UI Build for Release 5.3.0.

  The following table lists all the fixes for this UI Build with descriptions of the symptoms for each issue.

  Ticket	Symptom/Description
  Fixed Issue #128017	A customer may observe that when navigating to the Configure > Edge > Device page, that the page never loads because the UI mistakenly deleted the Edge configuration references from the Orchestrator database. Once these reference are removed, they cannot be restored.
  Fixed Issue #129695	If a Partner User changes an Edge's Wi-Fi password on its WLAN interface and saves changes, an Operator user will see the old Wi-Fi password when they look at the same Edge's WLAN interface.
  Fixed Issue #130810	A user cannot insert a BGP filter rule into a list of these rules, either above or between two or more rules. A BGP filter rule can only be added at the end of the list.
  Fixed Issue #131138	On the Configure > Device > VPN > Cloud VPN page, the UI allows a user to save a change to the Branch to VPN Hubs option if there are no Hubs configured. This results in the UI removing all Cloud VPN configurations because the configuration file is corrupted.
  Fixed Issue #132524	On the Configure > Edge > Device > Routing & NAT > Static Route Settings page of the UI, when a user adds a static route to an Edge where the next hop IP address of the static route is within the same subnet of the VLAN network, the UI displays Edge interfaces when the Interface settings for the Local Routes should change to N/A.

• UI Build R5302-20231115-GA, was released on 11-16-2023 and is the 4th UI Build for Release 5.3.0.

  The following table lists all the fixes for this UI Build with descriptions of the symptoms for each issue.

  Ticket	Symptom/Description
  Fixed Issue #123078	When using the VMware SASE Orchestrator UI and navigating to the Monitor > Edge > Overview page, the columns are not aligned properly as there is no data information available for Device Serial No column, resulting in readability issue.
  Fixed Issue #123640	When a user configures static routes for an Edge and clicks the Add button in the Static Routes section, a new empty row is added to the table, but the UI throws an error message "Cannot save changes" at the bottom of the screen.
  Fixed Issue #126602	A customer cannot add a Gateway Pool to their existing Partner configuration Gateway Pool. The attempt to do so returns an error if the Gateway Pool in the Partner configuration has a managed pool because the existing managed pool IDs are not removed by the UI.
  Fixed Issue #127727	When creating a new Cloud Security Service (CSS), if a user activates the Domestic Preference check box and saves the configuration, the Orchestrator verifies the credentials and displays a message stating that "Changes saved successfully!". But post-save, when the CSS profile is opened again, the user would observe that the Domestic Preference check box is not selected.
  Fixed Issue #128279	On the Configure > Overlay Flow Control > Routes List page, a user can see a maximum of 256 routes with no option to click to an additional page of routes. The hard 256 route limit and lack of pagination impacts customers with large enterprises which contain a number of routes well in excess of the hard 256 limit.
  Fixed Issue #128330	For an enterprise using a Non SD-WAN Destination (NSD) via Gateway network service, the UI permits the user to delete a NSD via Gateway from a Profile which includes a Business Policy rule associated with the global segment. As a result, the Business Policy rule becomes invalid and any traffic matching that rule is not steered as expected.
  Fixed Issue #128765	On the BGP Filters page, the Submit button may be inaccessible when a user changes pages. When a user edits the BGP Filters table and navigates to another page while there is an invalid configuration state on the current page, the UI controls remain grayed out and inaccessible after returning back even though the user now fills in the correct information for that row. On an Orchestrator UI without a fix for this issue, a user needs to stay on the page of the BGP Filters table and ensure all configurations are correct before navigating away from it, or remove the invalid row and add it again later.
  Fixed Issue #129584	On the Configure > Edges > Business Policy page, when a user edits an existing Business Policy rule, the UI does not update the reconfigured value for the Destination field even after saving the changes. For example, for an existing Business Policy rule with Destination set as “IP Address”, if the user changes the value of Destination to “Any” and saves change, the changes made to the Destination field for the rule is not reflecting in the UI. The user would still see the Destination field set to “IP Address” instead of “Any” in the rule.
  Fixed Issue #130153	For an Enterprise user with a Support role, the Restart Service option is not available on the the Monitor > Edges > Select Edge > Shortcuts > Remote Actions page.
  Fixed Issue #130877	When a user adds a static route to an Edge using the Orchestrator UI, client users for that Edge may observe that traffic fails for some local routes. On the UI under Configure > Edge > Device > Routing & NAT > Static Route Settings, if the next hop IP of a static route is within the same subnet of the VLAN network, the Interface settings for the Local Routes are changed to N/A and cannot be edited. Without a configured interface, these routes become unreachable.
  Fixed Issue #131138	On the Configure > Device > VPN > Cloud VPN page, the UI allows a user to save a change to the Branch to VPN Hubs option if there are no Hubs configured. This results in the UI removing all Cloud VPN configurations because that file is corrupted.
  Fixed Issue #131846	On the Global Settings > Customer Configuration > Partner Hand off > Hand Off Interface page, when a user clicks the Add button to add a static route, the UI returns an error message reading "Cannot save changes. There is one or more errors in your configuration". This issue only affects rows where no information is configured.

• UI Build R5302-20231102-GA, was released on 11-06-2023 and is the 3rd UI Build for Release 5.3.0.

  The following table lists all the fixes for this UI Build with descriptions of the symptoms for each issue.

  Ticket	Symptom/Description
  Fixed Issue #123001	After activating High Availability (HA) and saving the configuration, when a user attempts to configure VNF settings for the VMware SD-WAN Edge, the Configure Security VNF window displays fields only for Primary Virtual Machine (VM1) and Secondary Virtual Machine (VM2) fields are not displayed. As a result, users must manually refresh the VNF settings window to add secondary IP address to VNF configuration.
  Fixed Issue #125964	For a customer deploying Non SD-WAN Destinations (NSD) via Gateway, when navigating to the Configure > Network Services > NSD via Gateway > Generic IKEv2 page and clicking on Save after adding custom site subnets, the NSD configuration changes are not getting saved. This issue is result of invalid fields IKE SA Lifetime (min) and IPsec SA Lifetime (min) in the Primary VPN Gateway section.
  Fixed Issue #127904	When a user creates a static route and an ICMP probe in the same line, the Edge does not install the ICMP probe and displays a parsing error because the UI sends the Next Hop IP and Source IP value as null instead of an empty string to the Edge.
  Fixed Issue #128753	When a customer configures a subinterface that uses DHCP for addressing and creates a user-defined WAN overlay, the user is unable to save the configuration without configuring the Source and Next-Hop IP addresses.
  Fixed Issue #129061	For a customer with Partner Hand off activated from the Customer > Global Settings > Customer Configuration > Additional Configuration > Gateway Pool screen, the "Use for Private Tunnels" and "Advertise Local IP Address via BGP" check boxes are not clickable under the IPv6 section of Gateway Hand Off Interface. This prevents the user from deactivating the IPv6 private tunnel for Hand off interface.
  Fixed Issue #129494	On the Customer > Global Settings > Customer Configuration > Service Configuration > SD-WAN page, when a user is editing the service configuration, the user is required to add the domain name every time, even if Single Sign-On (SSO) authentication or Edge Network Intelligence (ENI) is not configured for the customer.
  Fixed Issue #129662	The VMware SASE Orchestrator UI does not have color differentiation between activated and deactivated interfaces, preventing customers from identifying a sub-interface that is deactivated.
  Fixed Issue #129765	When editing a routed interface for a VMware SD-WAN Edge, the UI populates a wrong default value for dhcpServer.options. For example, when a user edits the "GE3" routed interface and saves device settings configuration data, the value of “options” field under “dhcpServer” is sent as null instead of an empty array.
  Fixed Issue #129894	In the Operator portal, when looking at Gateway Management > Gateways > Overview > Customer Usage screen, a user may observe some Edge client tunnel details are missing. This issue can occur if the Edge name, Gateway Pool name, and Gateway type are the same.
  Fixed Issue #129926	When a user provisions an Edge with no serial number, the Edge activation fails.

• UI Build R5302-20231026-GA, was released on 10-26-2023 and is the 2nd UI Build for Release 5.3.0, and the 1st added to Orchestrator Release 5.3.0.2.

  The following table lists all the fixes for this UI Build with descriptions of the symptoms for each issue.

  Ticket	Symptom/Description
  Fixed Issue #120419	A Non SD-WAN Destination via Edge configuration does not appear when configured using an automation API because the automation script experiences a data corruption issue.
  Fixed Issue #123387	On the Monitor > Edges > System page, when a user tries to zoom into the chart there is only black trace and no zoom happens. Chart is still responsive to the time range selector at the top of the page, so it can be used as a workaround.
  Fixed Issue #126421	For Partners using a Partner Gateway, when configuring the Hand Off Details, the Use for Private Tunnels option is always checked no matter what a user does. This is not a cosmetic issue as the Orchestrator will apply the Use for Private Tunnels configuration to the Partner Gateway handoff and can impact customer traffic using the Partner Gateway.
  Fixed Issue #126492	When Edge Override is off, the Edge configuration's VLAN advertise option does not use the advertise value pushed from the profile configuration. Even when the VLAN advertise option is set to false at the profile level, when the override option is off, the Edge advertise option does not use the profile advertise value.
  Fixed Issue #127021	A Non SD-WAN Destination via Edge configuration does not appear on the UI when configured using an automation API because the automation script experiences a data corruption issue.
  Fixed Issue #127035	On the Service Settings > Alerts & Notification page, the Partner and Enterprise users cannot change the Enable Enterprise Alerts setting.
  Fixed Issue #127636	On the Monitor > Edge > Sources page of the VMware SASE Orchestrator UI, a user searching a Source by FQDN does not work as expected when using the New UI which prevents a user from locating a Source using a standard method. This includes not having the option of searching by a partial string.
  Fixed Issue #127774	Under Configure > Edge > Device > Connectivity > Loopback Interfaces, when a user configures a loopback interface for an Edge and saves changes, the configuration is not applied and does not show on the UI page. In addition, the UI does not display an error for this failure which misleads the user about the success of the configuration change.
  Fixed Issue #128070	When a user is configuring OSPFv3 for a VLAN at the Edge level and attempts to add IPv6 Settings to the VLAN, the VMware SASE Orchestrator UI does not save the changes. The option to Save is grayed out and not available when attempting to add IPv6 Settings to a VLAN with OSPF3 at the Edge level.
  Fixed Issue #128357	When configuring an OSPF default route, the Advertise option includes the option: "None". None is not a valid option for this configuration as "Always" and "Conditional" are the only valid options for Advertise.
  Fixed Issue #128706	On the Monitor > Edges > System page, when a user tries to zoom into the chart there is only black trace and no zoom happens. Chart is still responsive to the time range selector at the top of the page, so it can be used as a workaround.
  Fixed Issue #129049	When Edge Override is off, the Edge configuration's VLAN advertise option does not use the advertise value pushed from the profile configuration. Even when the VLAN advertise option is set to false at the profile level, when the override option is off, the Edge advertise option does not use the profile advertise value.
  Fixed Issue #129253	Service Settings > Alerts & Notifications > Alerts > Notifications, a user cannot deactivate SMS as a notification method as the slider button is grayed out.Under
  Fixed Issue #129271	The System Property: vco.enterprise.authentication.passwordPolicy with parameter disallowUsernameCharacters = 3 is not behaving as expected. For example, with username [email protected] the UI will check substrings: vis, ish, ..., t.c, .co, com, all as expected. The problem is that the UI also checks: om, m. This results in the UI throwing an error for what should be a valid password. The workaround is to set disallowUsernameCharacters back to its default value (-1).
  Fixed Issue #129413	When a user is configuring a VLAN at the Edge level and attempts to change the default DHCP start address and saves changes, the DHCP start address is not overwritten and the Orchestrator UI populates the old address again for the VLAN.
  Fixed Issue #129560	On the Service Settings > Alerts & Notification page, the Partner and Enterprise users cannot change the Enable Enterprise Alerts setting.

• Fixed Issue 115433: A user with the role "Enterprise Support" cannot see DHCP configuration details when looking at the VMware SASE Orchestrator's New UI.

  The Enterprise Support user role is expected to see the DHCP configuration details as a read-only user.

• Fixed Issue 119938: For a customer who uses automation for Zscalar tunnels, it may take a long time to create an automated IPsec tunnel from a VMware SD-WAN Edge to Zscaler.If the customer has configured Zscaler sub-locations at Edge > Device Settings, it takes a long time for these configurations to sync with the Zscaler cloud.

  When customers configure Zscaler sub-locations at Edge > Device Settings, it can take a long time for these configurations to sync with the Zscaler cloud. This is because the Zscaler cloud needs to update its records for each sub-location, which can be a time-consuming process.

  This issue is caused by the automation framework on the Orchestrator, which enqueues IPsec tunnel creation and sub-location creation actions in the automation queue. It also enqueues update actions in the automation queue when the Edge WAN IP changes. However, the wait time for items in the queue increases due to the large number of update actions. In some customer deployment environments, the Edge WAN IP can change up to 4000 times in one day (for example, mobile WAN links).

• Fixed Issue 123070: For a customer enterprise with a Hub/Spoke topology, when configuring a Business Policy where Internet Backhaul is selected, a user does not have the option to select Backhaul Hubs and thus backhaul cannot work for that rule.

  On the New UI, when configuring Network Service as Internet Backhaul > Backhaul Hubs, the Backhaul Hubs dropdown list is empty when it should show at least one or more Hub options.

  

• Fixed Issue 127037: When a user navigates to Monitor > Edge > Sources tab, they cannot change the hostname for a Client.

  A user should have the option to change the hostname for a client by clicking the Edit icon and opening the Change Hostname box. While they can enter in the text under the Change Hostname field, when they click Save Changes, the new hostname is not applied.

  

• Fixed Issue 128310: VMware SASE Orchestrator users may experience overall slowness and some API failures due to issues with the Orchestrator's database service. Other side effects include SD-WAN Gateways/Edges appearing offline in the UI, configuration changes made through the Orchestrator UI not being pushed to the target SD-WAN Edges, and a loss of reporting capabilities.

  The issues are all caused by the Orchestrator's database service failing with the error: too many open files. This error can be observed by an Operator user on the VMware SASE Orchestrator via logs. An enterprise or partner user accessing VMware SASE Orchestrator via the UI would experience slowness and intermittent API failures, causing error messages on the UI.

• Fixed Issue 128371: For a customer enterprise configured with a Hub/Spoke topology where a Business Policy with internet backhaul is configured at the Edge level that uses either a Non SD-WAN Destination via Edge or a Cloud Security Service (like Zscaler) at the profile level, if the NSD/CSS is deactivated at the profile level, the Orchestrator does not issue a warning to the user.

  The Orchestrator should warn the user that there is a Business Policy associated with the NSD/CSS so that they can revise the Edge level business policy. Instead, the Orchestrator allows the change without a warning and if the user then navigates to the Edge level and edits the rule, they would observe that the Non SD-WAN Destination via Edge/ Cloud Security Service field is empty.

• Fixed Issue 128620: When looking at Configure > Device > VPN Services, both Profiles and Edges are not showing connected Hubs in the Cloud VPN configuration screen for the New UI.

  Even though Branch Edges are connecting to Hubs (which can be confirmed under Monitor > Paths), the VPN Services > Cloud VPN configuration does not show any Hubs configured when checking at either the Profile or Edge level.

  

• Fixed Issue 128628: On the Manage Partner Customers page, the download CSV export does not work.

  When the user selects Export Customer Edge Inventory under either Manage Customers or Manage Partner Customers the page shows loading but it never loads.

  With this issue, the only way a customer can get the information is to use an API to download the information and convert is to a CSV format.

• Fixed Issue 128667: When there are a large number of customers on the Orchestrator globally, or a large number of customers under a Partner, the "Manage Customers" and "Manage Partner Customers" page takes about a minute to finish loading.

  Loading large numbers of items in the tables in both the described pages is causing the page to take excessive time to display. The issue is resolved by paginating the table so it only has to render a partial amount of the total entries.

• Fixed Issue 128652: For a VMware SASE Orchestrator deployed with a Disaster Recovery (DR) topology, when the Orchestrator is upgraded, DR immediately fails.

  The Standby Orchestrator replication configuration is missing multiple databases critical to synchronizing with the Active Orchestrator and so DR fails after the upgrade.

Resolved in Orchestrator Version R5301-20230921-GA

• UI Build R5301-20230929-1851-GA, was released on 10-03-2023 and is the 1st UI Build added to Orchestrator Release 5.3.0.1.

  The following table lists all the fixes for this UI Build with descriptions of the symptoms for each issue.

  Ticket	Symptom/Description
  Fixed Issue #117923	When a user provisions an Edge and enters text in the Description field, Orchestrator UI saves this to the Custom Info field and and the Description field will show as empty when looking at this newly provisioned Edge.
  Fixed Issue #119890	Standard Operator can add, update, and delete Non SD-WAN Destinations via Gateway after their privileges have been removed. This issue is caused by the UI checking the wrong privilege for whether a user can update NSDs via Gateway.
  Fixed Issue #123619	If an Orchestrator does not have access to the internet (for example, one that is on-premises), the Monitor > Edge > Overview page is empty, displaying no information.
  Fixed Issue #125309	When a user deactivates IPv6 at the Edge level under Configure > Device > IPv6 Settings, the OSPF option for IPv6 can still be edited, activated, and saved.
  Fixed Issue #126257	The top value on the Monitor > Edge > Links page is not visible to users when there are a lot of extreme high values. This is because the chart height was previously summed using lower values, which made the chart inaccurate and unable to be aligned with the scale.
  Fixed Issue #126967	After OSPF is activated on a profile, the routing interface's OSPF Advanced settings Inbound Route Learning and Route Advertisement are not accessible and do not display any fields for entering the required details.
  Fixed Issue #127006	When an Operator user with the Support role navigates to SD-WAN > Network Services page and clicks on a Non SD-WAN Destination via Gateway, they have the option to click +NEW to create and configure a new NSD. An Operator in a Support role should have read-only privileges on the Network Services page and not have the ability to create a new NSD via Gateway. the
  Fixed Issue #127843	The UI does not display correctly when localized to the Italian language resulting in some navigation tabs overlapping with one another.
  Fixed Issue #127849	The View Certificate button is grayed out and not clickable on the Edge > Configuration > Overview screen, preventing users from viewing Edge certificates. Without a UI fix, a user can view an Edge certificate by navigating to the Edge list on the Configuration tab and search for the desired Edge.
  Fixed Issue #127870	On the SD-WAN > Configure > Edges page, for enterprises with a large number of Edges, the Edges list may take more than a minute to load when it is expected to take seconds to do so.
  Fixed Issue #127871	The Network Overview page does not automatically refresh, nor does it offer the option to enable automatic refreshing. As a result, users must manually refresh the page to view the latest data.
  Fixed Issue #128277	When a Partner or Enterprise user using native authentication (one who logs into the Orchestrator with a username and password) attempts to log in with an expired password, the UI enters a loop and displays a blank screen.

• Fixed Issue 104775: When a user configures a previously active WAN link on a VMware SD-WAN Edge to be a backup, the VMware SASE Orchestrator UI does not display the status correctly on Monitor > Edges > Overview.

  The status should display as Standby Idle with a gray colored status dot, but instead does not display the link type or backup status. This is a cosmetic defect as the WAN link is performing its role as a backup.

• Fixed Issue 106191: If an Edge interface is configured with static IP addresses at the Profile level, a user cannot make any additional Edge changes

  If a profile has an interface set to static, the Orchestrator prevents any changes to the Edge, including adding an IP address. Any attempt to make a change will result in the error "invalid probe interval for interface" being thrown. This prevents any changes to existing Edges that use Profiles with static IPs, as well as the configuration of new sites with static IPs.

• Fixed Issue 108125: On the Monitor > Edge > Application page, when a user clicks on a point on the chart to get further details and then clicks on the chart a second time, the details window does not open properly and is functionally unusable.

  When a user clicks on the graph for any random application under the Applications tab, an additional blank tab opens and never closes.

• Fixed Issue 113254: A Partner Administrator with a Superuser or Standard role cannot change the default operator profile for a customer under their management.

  The same Partner Administrator would observe that they could perform this action when using the Classic UI, which is not available on Release 5.3.0.

• Fixed Issue 115981: For a customer enterprise using VMware SASE Orchestrator's APIv2, when running the API for getting Enterprise Events, the Orchestrator returns only a limited set.

  The specific call is https://\{api_host}//api/sdwan/v2/enterprises/{enterpriseLogicalId}/events. When invoked it returns only the top level hierarchy and does include details like the enterpriseName, EdgeName, segmentName, or edgeID. In addition, APIv2 does not support graph traversal.

  On an Orchestrator without a fix for this issue the only workaround is to use APIv1, which forces a customer to maintain two sets of API families. In addition APIv1 does not support Cloud Web Security.

• Fixed Issue 117627: The Monitor > Network Overview page may return empty/null values for "Top Applications by Data Volume" and "Top Edges by Data Volume".

  This issue is caused by a defect in the API getEnterpriseFlowMetrics, which can return an empty response. This results in the views 'Top Apps by Data Volume' and 'Top Edges by Data Volume' not being rendered for some customers.

• Fixed Issue 117923: When a user provisions an Edge and enters text in the Description field, the VMware SASE Orchestrator UI saves this to the Custom Info field insted, and and the Description field will show as empty when looking at this newly provisioned Edge.

  This issue can impact customers who need to use both the Custom Info and Description fields for their Edge inventory management.

• Fixed Issue 117941: The VLAN Advertise checkbox always displays as unchecked on the Orchestrator UI.

  Even when a user selects the VLAN Advertise checkbox and Saves Changes, the VLAN Advertise checkbox on the Orchestrator's UI reverts to being unchecked.

• Fixed Issue 117988: The "Inbound Route Learning" with the "Exact Match" checkbox configured for OSPF under a VMware SD-WAN Interface does not match what is configured on the Edge when comparing the values on the Classic UI and the New UI of the VMware SASE Orchestrator.

  An Exact Match option does not display the correct value even if though it is correctly stored in the Edge's database when looking at the New UI.

• Fixed Issue 117993: When a Partner User managing customer enterprises which use native authentication (in other words, username/password) or an Enterprise User attempts to reset a password for an Enterprise User, the attempt fails.

  The user would observe the error: user does not have privileges required to access [enterpriseUser/sendEnterpriseUserPasswordResetEMail]. This issue is only experienced on the New UI which is the default UI for 5.3.0 and is the result of missing request parameters.

• Fixed Issue 118074: A user may not be able to open some device settings on the Configure > Edge > Device page of the VMware SASE Orchestrator's New UI.

  Settings that may not be accessible include Interfaces, IPv6, Cloud VPN, Non SD-WAN Destination (NSD), and Cloud Security Service (CSS). The issue is traced to the WAN Settings requiring a Public IP Address and if this address is absent, an error is thrown on the New UI and blocks access to those settings.

• Fixed Issue 118544: A user may observe that an Operator Profile does not load and is inaccessible and thus cannot be assigned to a customer enterprise.

  There is an issue with the Orchestrator database where the Operator Profile is present, but an incorrect logical ID is added to a configuration module if a customer enterprise is deleted, and this prevents it from loading.

• Fixed Issue 118728: On a partner portal or a customer enterprise, some users may not be allowed to login to the VMware SASE Orchestrator.

  The user may see the error 'user does not have privilege [READ:PROXY] required to access [enterpriseProxy/getEnterpriseProxy]' even though the user has the correct privileges to log in. This is true of native authentication and two factor authentication. This error actually reflects an expired password even though the Orchestrator is not letting the user know that is the real reason they cannot login and the user cannot reset their password since they cannot login.

  On an Orchestrator without a fix for this issue, a partner or customer administrator with a suitable role can send the password reset email to an affected user to reset their password.

• Fixed Issue 121526: A user with an Enterprise Read Only role is not permitted to view the Monitor > Edges > QoE graphs on the VMware SASE Orchestrator UI.

  An attempt to view the QoE graph results in an error banner that reads 'user does not have privilege [READ:ENTERPRISE_EVENT] required to access [event/getEnterpriseEventsList]'.

  

• Fixed Issue 122113: A user cannot search for the Event 'DNS_CACHE_LIMIT_REACHED' on the Events page of the VMware SASE Orchestrator UI.

  This event will post when it is triggered on the Monitor > Events page for a customer enterprise, but it is not listed as a searchable value when trying to use the search function. As a result, the user cannot see how many times this event posted over any time period.

• Fixed Issue 122347: The Service Permissions feature on the VMware SASE Orchestrator's New UI is not operating as designed. The privileges that were removed as part of Service Permissions for enterprise users were not functioning as expected. Additionally, when a user attempts to create a new service, privileges that are not associated with the module are visible.

  The privileges that were removed as part of Service Permissions for enterprise users were not functioning as expected. For example, Remote Diagnostics > Flush Flows still functions even if the privileges are removed from an enterprise user.

  The second issue is that when a user attempts to create a new service, privileges that do not belong to the module are visible in the UI. For example, when selecting SD-WAN > Global Settings, the user receives almost the same options.

  For the second issue, the user can manually select the permissions they need from the UI.

• Fixed Issue 122977: A user may not have the option to activate the Enhanced Firewall Services on the VMware SASE Orchestrator UI.

  This option should appear in three places:

  • Global Settings > Customer Configuration > SD-WAN Settings > Feature Access right below the Stateful Firewall option.

  • Configure > Profile > Firewall as an option once Firewall Status is set to On.

  • Configure > Edge > Firewall as an option once Firewall Status is set to On.

  The issue is caused by the Orchestrator mistakenly thinking the customer enterprise is not compatible with the Enhanced Firewall Services feature, even though it is.

• Fixed Issue 124073: If a user configures a Non SD-WAN Destination via Gateway using redundant Gateway tunnels with AES-256 encryption, the standby redundant Gateway tunnel continues to use AES-128 encryption.

  Configure > Network Services on the Orchestrator UI and change the encryption algorithm to AES-256 for an NSD with redundant tunnels. Based on the API response the user would observe that the redundant tunnel continues to use AES-128 and this is the result of a defect with the API which handles the tunnel encryption change.A user would go to

• Fixed Issue 124798: A user cannot edit the serial number of a VMware SD-WAN Edge on the VMware SASE Orchestrator UI.

  For an Edge provisioned or RMA'd but not yet activated, the user would be on the SD-WAN > Configure > Edge > Overview screen and under Edge Status, the Serial Number of the Edge is present but is read-only text and not editable. This is an issue because some customers may not know the serial number of the Edge to be activated until it is delivered on site and they need the option to edit this field so it aligns with the delivered Edge.

• Fixed Issue 124801: When an Operator user sets the System Property 'Session.options.enableEdgeLicensing' to False, a user is still required to create an Edge by first selecting an Edge License.

  The System Property Session.options.enableEdgeLicensing can be set to False to allow Partner-controlled Orchestrators to bypass the Edge licensing step if they do not require an Edge license for their Edge Provisioning process. However, with this defect the user must still select a license, even if the property is set to False.

• Fixed Issue 125456: For a customer enterprise where VNF's are used, if a user attempts to modify an Edge Device configuration, the VMware SASE Orchestrator rejects the changes when trying to save them.

  The configuration change can be as minor as adding a comment to an existing static route and the Orchestrator UI does not save the change where a VNF is activated. The user may observe a "Script injection error" banner at the bottom of the UI screen.

  The workaround on an Orchestrator without a fix for this issue is to temporarily deactivate the VNF's and then save the configuration changes. Once these are successfully saved, the user can then reactivate the VNF's.

• Fixed Issue 125710: For an enterprise using a Branch to Hub topology, if an Edge being used in a Cloud VPN is deleted from the enterprise, the user cannot later remove any Hub Edge being used in a Branch to Branch VPN and the editing of Device settings is blocked.

  While the Edge has been deleted, the Orchestrator does not delete all VPN Hub entries of the Edge from all segments and this results in the behavior seen in this issue.

• Fixed Issue 126403: The VMware SASE Orchestrator New UI may fail to load the Partner Overview page.

  The issue is the result of the absence of a module in the Orchestrator software image that corrupted the image.

• Fixed Issue 126503: For an enterprise using a Non SD-WAN Destination (NSD) via Gateway of any type, if a user edits and saves a change to the Pre-shared key (PSK) value for an NSD, the Orchestrator UI ignores the change and reverts to the original default value.

  This impacts customers who want to create and apply their own customer PSK and not simply accept the default PSK generated by the Orchestrator.

• Fixed Issue 127007: For an enterprise using a Hub/Spoke topology, when a user changes any setting on a Profile's Configure > Device page, the Hub order is changed automatically to default, impacting all Edges using this Profile.

  The only setting that does not trigger this issue is configuring the actual Hub Orders, any other Device Settings change will result in the Hub order getting changed, and the result of this change can be significant traffic disruption for the enterprise's client users.

• Fixed Issue 127110: For a VMware SASE Orchestrator deployed with a Disaster Recovery (DR) Active/Standby topology, an Operator user may observe that the Orchestrator does not copy the database for the Cloud Web Security, Secure Access, and Secure Service Edge applications.

  With this issue DR synchronization completes, but if the Standby Orchestrator is promoted to Active, the databases will be out of sync.

Resolved in Orchestrator Version R5300-20230819-GA

• Fixed Issue 65668: A customer who is subscribed to Cloud Web Security, they cannot see which VMware SD-WAN Gateways are being used for Gateways are assigned for Cloud Web Security when looking at the Gateway Assignment page.

  The customer should see what the primary and secondary assignments are for the Gateways (also known as SASE PoPs) handling Cloud Web Security.

• Fixed Issue 111379: Customers who use the Symantec Web Security Service (WSS) and have a business policy configured to match traffic for that application may observe that the policy does not work.

  Prior Orchestrator releases do not include application maps that provided matching criteria for WSS management and agent traffic and thus business policies for this traffic would not be matched. Orchestrator Release 5.3.0 adds a new application map with WSS management and agent types so that business policies now work when their Edges use this application map.

  Note:

  A partner or customer would need to ensure the Operator Profile(s) assigned to their Edges are using includes the updated application map.

• Fixed Issue 118757: When a user is on the Provision an Edge screen of the Orchestrator UI, selecting an Edge License may be difficult because of the use of a dropdown menu where the user cannot filter between the many possible license options.

  When the dropdown menu for the Edge License field contains a substantial number of license options, users encounter challenges efficiently selecting their desired option because the list does not allow users to filter items. Beginning with Orchestrator Release 5.3.0, the dropdown menu is replaced with a complete list of all licenses to ensure the user can efficiently select the correct one.

  

• Fixed Issue 118770: When a user is on the Configure > Edges screen, there is no option to Assign Inventory to Edge.

  This option is not present on the New UI and when restored should not use a drop down menu where there can be 100's or 1000's of possible Edge options. Instead the UI should use a list view where Edges can be filtered.

• Fixed Issue 120398: A Partner User cannot create a new configuration profile for a customer enterprise they are managing.

   When the Partner User tries to create a configuration profile for their customer, the Orchestrator throws an error that reads 'invalid proxy enterprise context for operator profile'. This issue is encountered for any Partner role with configuration privileges.

  

• Fixed Issue 121118: An Enterprise User does not have the option to generate a Diagnostic Bundle or generate and download a Packet Capture on the VMware SASE Orchestrator.

  This is true of all Enterprise User roles (including Superuser). The expectation is that an enterprise user under SD-WAN > Diagnostics should see the option to:

  1. Generate (but not download) a diagnostic bundle.

  2. Generate and download a packet capture.

  However, all they see are options for Remote Diagnostics and Remote Actions.

  

  If experiencing this issue, contact SD-WAN Support for assistance and they can generate the diagnostic bundle for you.

• Fixed Issue 121469: When a user navigates to the Global Settings > User Management page, they may observe that all user accounts show as locked according to a banner on the UI, even though most or possibly all of the accounts are not actually locked.

  The error message banner for any user account would read 'This account has been locked due to too many failed login attempts', even though when looking at the user list page their status shows as Unlocked, and Local UI login remains possible.

   

• Fixed Issue 121993: A user cannot edit a IPv6 type VLAN on the VMware SASE Orchestrator UI.

  On the UI, when a VLAN6 is selected nothing happens. If the user opened up a browser console they would observe 'ERROR TypeError: Cannot read properties of undefined (reading 'get')'. While the Orchestrator back end API was made backward compatible to accept a configuration without IPv6, the front end API throws an error if the IPv6 object is missing and this causes the issue.

• Fixed Issue 122044: A user cannot configure OSPF area ID = 0 on a loopback interface on the VMware SASE Orchestrator UI.

  The only way a user can successfully configure this field is if a user configures the area ID as 0.0.0.0 for the loopback interface. Other methods throw an error and the UI does not save the changes.

   

• Fixed Issue 123053: When a user configures a SNMP v3 name the VMware SASE Orchestrator UI rejects any name that includes a non-alphanumeric character with an error.

  This is done on Configure > Device > Telemetry > SNMP for SNMP Version 3 names and the Orchestrator rejects non-alphanumeric characters like [@\'"/,#%&*(){}_=`:?[]§;|><]. This means a name like User_23 is not accepted with error message "Characters not allowed in this field" and this limits what a user can use for an SNMP v3 name.

   

• Fixed Issue 124073: If a user configures a Non SD-WAN Destination via Gateway using redundant Gateway tunnels with AES-256 encryption, the standby redundant Gateway tunnel continues to use AES-128 encryption.

  A user would go to Configure > Network Services on the Orchestrator UI and change the encryption algorithm to AES-256 for an NSD with redundant tunnels. Based on the API response the user would observe that the redundant tunnel continues to use AES-128 and this is the result of a defect with the API which handles the tunnel encryption change.

• Fixed Issue 124129: If the System Property that controls the availability of the Enhanced Firewall Service (EFS) is set to True, any new customer enterprise added to the VMware SASE Orchestrator has EFS activated by default.

  The System Property enterprise.capability.enableATP is set to True by default on previous 5.2.0 builds. When this property is set to True, a user would observe that when checking the Global Customer settings for a new customer enterprise that EFS is enabled by default. The expected behavior is for every new customer enterprise to have EFS not activated by default, where they would need to have this feature activated as an explicit action.

  This is corrected on the 5.2.0.4 build by having the enterprise.capability.enableATP property set to False by default.

Orchestrator Known Issues

• Issue 21342:

  When assigning Partner Gateways per-segment, the proper list of Gateway Assignments may not show under the Operator option "View" Gateways on the VMware SD-WAN Edge monitoring list.

• Issue 24269:

  Monitor > Transport > Loss not graphing observed WAN link loss while QoE graphs do reflect this loss. 

• Issue 25932:

  The VMware SD-WAN Orchestrator allows VMware SD-WAN Gateways to be removed from the Gateway Pool even when they are in use.

• Issue 32335:

  The ‘End User Service Agreement’ (EUSA) page throws an error when a user is trying to accept the agreement.

  Workaround: Ensure no leading or trailing spaces are found in Enterprise Name.

• Issue 32435:

  A VMware SD-WAN Edge override for a policy-based NAT configuration is permitted for tuples which are already configured at the profile level and vice versa.

• Issue 32856:

  Though a business policy is configured to use the Hub cluster to backhaul internet traffic, the user can unselect the Hub cluster from a profile on a VMware SD-WAN Orchestrator that has been upgraded from Release 3.2.1 to Release 3.3.x.

• Issue 35658:

  When a VMware SD-WAN Edge is moved from one profile to another which has a different CSS setting (e.g. IPsec in profile1 to GRE in profile2), the Edge level CSS settings will continue to use the previous CSS settings (e.g. IPsec versus GRE). 

  Workaround: At the Edge level, deactivate GRE, and then reactivate GRE to resolve the issue.

• Issue 35667:

  When a VMware SD-WAN Edge is moved from one profile to another profile which has the same CSS setting but a different GRE CSS name (the same endpoints), some GRE tunnels will not show in monitoring.

  Workaround: At the Edge level, deactivate GRE and then reactivate GRE to resolve the issue.

• Issue 36665:

  If the VMware SD-WAN Orchestrator cannot reach the internet, user interface pages that require accessing the Google Maps API may fail to load entirely.

• Issue 32913:

  After activating High Availability, multicast details for the VMware SD-WAN Edge are not displayed on the Monitoring Page. A failover resolves the issue.

• Issue 33026:

  The ‘End User Service Agreement’ (EUSA) page does not reload properly after deleting the agreement.

• Issue 38056:

  The Edge-Licensing export.csv file not show region data.

• Issue 38843:

  When pushing an application map, there is no Operator event, and the Edge event is of limited utility.

• Issue 39633:

  The Super Gateway hyperlink does not work after a user assigns the Alternate Gateway as the Super Gateway.

• Issue 39790:

  The VMware SD-WAN Orchestrator allows a user to configure a VMware SD-WAN Edge’s routed interface to have greater than the supported 32 subinterfaces, creating the risk that a user can configure 33 or more subinterfaces on an interface which would cause a Dataplane Service Failure for the Edge.

• Issue 41691:

  User cannot change the 'Number of addresses' field although the DHCP pool is not exhausted on the Configure > Edge > Device page.

• Issue 43276:

  User cannot change the Segment type when a VMware SD-WAN Edge or Profile has a Partner Gateway configured.

  Workaround: Temporarily remove the Partner Gateway configuration from the Profile or Edge so that the Segment can be changed between private and regular. Alternatively, the user can remove the Segment from the profile and make the change from there.

• Issue 47713:

   If a Business Policy Rule is configured while Cloud VPN is toggled off, the NAT configuration must be reconfigured upon turning on Cloud VPN.

• Issue 47820:

  If a VLAN is configured with DHCP toggled off at the Profile level, while also having an Edge Override for this VLAN on that Edge with DHCP activated, and there is an entry for the DNS server field set to none (no IP configured), the user will be unable to make any changed on the Configure > Edge > Device page and will get an error message of ‘invalid IP address []’ that does not explain or point to the actual problem.

• Issue 48085: The VMware SD-WAN Orchestrator allows a user to delete a VLAN which is associated with an interface.

  When encountering this issue, the user would see an error message similar to "VLAN ID [xx] cannot be removed, in use by edge [b1-edge1 (GEx-disabled]".

• Issue 51722: On the VMware SASE Orchestrator, the time range selector is no greater than two weeks for any statistic in the Monitor > Edge tabs.

  The time range selector does not show options greater than "Past 2 Weeks" in Monitor > Edge tabs even if the retention period for a set of statistics is much longer than 2 weeks. For example, flow and link statistics are retained for 365 days by default (which is configurable), while path statistics are retained only for 2 weeks by default (also configurable). This issue is making all monitor tabs conform to the lowest retained type of statistic versus allowing a user to select a time period that is consistent with the retention period for that statistic.

  Workaround: A user may use the "Custom" option in the time range selector to see data for more than 2 weeks.

• Issue 60522: On the VMware SD-WAN Orchestrator UI, the user observes a large number of error messages when they try to remove a segment.

  The issue can be observed when adding a segment to a profile and the associating the segment with multiple VMware SD-WAN Edges. When the user attempts to remove the added segment from the profile, they will see a large number of error messages.

  Workaround: There is no workaround for this issue.

• Issue 82095: User can configure invalid device settings for Edge VLANs that will result in significant connectivity issues for the Edge.

  The Orchestrator is not attempting to validate device configurations. In particular, a VLAN configuration for a switched port with an empty table. Some configurations can be so full of errors that the Edge's management process will fail.

  Workaround: Review all VLAN Device settings and ensure they are valid as the Orchestrator is not checking.

• Issue 82680: For customer using MT-GRE Tunnel Automation, when a user turns off the Cloud-to-Cloud Interconnect (CCI) flag on a VMware SD-WAN Gateway which is configured to use CCI, the Zscaler MT-GRE entries may not get deleted from the Zscaler portal consistently.

  After a CCI site has been deleted from the Gateway, the entries for this site should also be removed. This issue has only been seen during test automation and has not been reproduced manually, but remains a risk.

  Workaround: Manually delete the resource from Zscaler before retrying.

• Issue 82681: For customer using MT-GRE Tunnel Automation, when a user turns off the Cloud-to-Cloud Interconnect (CCI) flag on a VMware SD-WAN Gateway which is configured to use CCI, and the user deactivates the CCI flag from a VMware SD-WAN Edge with CCI configured which is using a Zscaler Cloud Security Service, the Zscaler MT-GRE entries may not get deleted from the Edge or from the Zscaler portal.

  After a CCI site has been deleted from the Gateway, the entries for this site should also be removed. This issue has only been seen during test automation and has not been reproduced manually, but remains a risk.

  Workaround: Manually delete the resource from Zscaler before retrying.

• Issue 103769: An Operator may observe that a VMware SASE Orchestrator in a large scale deployment is experiencing performance issues which include 100% disk utilization and the Orchestrator no longer accumulating logs.

  This issue arises a change in logging behavior for the 5.1.0 Orchestrator that may result in the folders that store logs becoming full and also causing the Orchestrator CPU to reach 100% utilization. This issue arises a change in logging behavior for the 5.1.0 Orchestrator that may result in the folders that store logs becoming full and also causing the Orchestrator CPU to reach 100% utilization.

  Workaround: A Superuser Operator needs to log into the Orchestrator and clean up the pending logs.

• Issue 117699: An Operator attempting to upgrade a 4.2.x VMware SD-WAN Orchestrator to become a Release 5.2.0 SASE Orchestrator may observe that the upgrade fails.

  The upgrade does not succeed, effectively stuck at the "Waiting for the CWS service up...". This issue is limited to 4.2.x Orchestrators.

  Workaround: The workaround for this issue is to upgrade the 4.2.x Orchestrator to 4.5.1 first, and then to Release 5.2.0.0.

• Issue 122866: When a user deletes a BGP hand-off from one Partner Gateway, the VMware SASE Orchestrator also deletes this same BGP hand-off from all other Partner Gateways in the same Gateway Pool.

  This issue occurs whether the user is an Operator or a Partner and only occurs on the New UI, which is the default UI for the Release 5.2.0 Orchestrator.

  Workaround: The workaround is to isolate the Partner Gateway that needs to have the BGP hand-off deleted by temporarily removing it from the Gateway Pool. Doing this prevents other Partner Gateways from being impacted. After the BGP hand-off is deleted, the user could restore that Partner Gateway back to the original Gateway Pool.

• Issue 123619: If an Orchestrator does not have access to the internet (for example, an Orchestrator that is deployed on-premises), the Monitor > Edge > Overview page is empty, displaying no information.

  This issue is the result of the Edge > Overview page being dependent on access to Google services, and if there is no access to the internet this results in an empty page.

  Workaround: There is no workaround for this, you must have internet access for your Orchestrator to avoid this issue.

• Issue 125082: If a user configures a VMware SD-WAN Edge with an overridden DNS Server IP address on a VLAN, and then changes an interface setting for the Profile that Edge is using, the DNS Server IP address is no longer present for the Edge VLAN.

  The New UI does not send the override flag inside of the DHCP section and this causes any Profile changes to trigger an override of the DHCP section.

  Workaround: There is no workaround for this issue.

• Issue 125504: If a static route is configured with next hop as a VLAN with IPv4/IPv6 address at the Profile level and then overridden at the Edge level and add an IPv4/IPv6 address to the VLAN, the static route is not marked as N/A and the VMware SASE Orchestrator asks for the interface in a dropdown menu.

  The expected behavior is where a static route configured with a next hop as a VLAN with IPv4/IPv6 address, the Orchestrator does not ask for the interface and the route is marked as N/A.

  Workaround: There is no workaround for this issue.

• Issue 125663: A user can configure the same IPv4/IPv6 IP address for multiple Edge interfaces.

  The VMware SASE Orchestrator is allowing a user to configure the same IP on multiple WAN, LAN, or Sub Interfaces.

  Workaround: There is no workaround for this issue beyond ensuring you are not configuring the same IP Address for multiple interfaces.

• Issue 126425: When looking at Configure > Device > Routing & NAT page at the Profile level, the OSPF On/Off toggle button is missing.

  The OSPF On/Off toggle button was not migrated to the New UI at the Profile level and only shows at the Edge level.

  Workaround: There is no workaround for this issue on an Orchestrator with only a New User Interface.

• Issue 126465: The VMware SASE Orchestrator UI is not applying changes a user makes to create an Edge Cluster.

  If a user goes to the Configure > Edge > High Availability section of the UI and turns on HA with a Cluster type and creates a Hub Cluster with name xxxx, and saves changes, the user would observe that post-save the Cluster option is not selected under HA section and the created Hub Cluster with name xxxx is not present.

  Workaround: There is no workaround for this issue on an Orchestrator with only a New User Interface.

• Issue 127152: Users cannot save modified Interfaces with OSPF configurations on the VMware SASE Orchestrator UI.

  At the Profile level, when configuring either OSPFv2/OSPFv3, the Edit Interface dialog becomes invalid after changing any OSPF data.

  Workaround: On an Orchestrator without a fix for this issue, a user would need to activate MD5 Authentication and change the Key ID to any number from 1 to 255, and then deactivate MD5 Authentication.

• Issue 127636: On the Monitor > Edge > Sources page of the VMware SASE Orchestrator UI, a user searching a Source by FQDN does not work.

  Search by FQDN functionality is not working as expected when using the New UI which prevents a user from locating a Source using a standard method. This includes not having the option of searching by a partial string.

  Workaround: You can still search by IP address but you must use a full string.

• Issue 128070: When a user is configuring OSPFv3 for a VLAN at the Edge level and attempts to add IPv6 Settings to the VLAN, the VMware SASE Orchestrator UI does not save the changes.

  The option to Save is grayed out and not available when attempting to add IPv6 Settings to a VLAN with OSPF3 at the Edge level.

  Workaround: There is no workaround for this issue on an Orchestrator with only a New User Interface.