June 13th, 2021
VMware SD-WAN Orchestrator Version R340-20200218-GA
Check regularly for additions and updates to these release notes.
What's in the Release Notes
The release notes cover the following topics:
- Recommended Use
- Important Notes
- New Features
- Feature Enhancements
- Integration Enhancements
- Behavioral Changes on the VMware SD-WAN Orchestrator
- Orchestrator API Changes from Release 3.3.2
- Revision History
- Resolved Issues
- Known Issues
This release is no longer recommended for use and customers are encouraged to upgrade to Release 3.4.5 or newer as soon as possible.
Release 3.4.0 Orchestrators, Gateways, and Hub Edges support all previous VMware SD-WAN Edge versions greater than or equal to Release 3.0.0 (Note: this means releases prior to 3.0.0 are not supported; please consult the warning below for additional details).
The following interoperability combinations were explicitly tested:
Warning: VMware SD-WAN Release 2.x (e.g. 2.4.4, 2.5.2, etc.) is no longer supported.
For more information regarding Release 2.x, including next steps, please consult the following KB article:
Deprecation of “Management IP”
In Release 2.x., before VMware SD-WAN supported network segmentation, the "Management IP" was introduced as a secondary virtual IP address on a VLAN. This was introduced due to underlying system limitations that prevented initiating traffic from LAN IP addresses or reaching the LAN IP address from across the VPN (e.g. for ping or SNMP).
In Release 3.x., the Management IP was de-coupled from the VLANs to support using all routed interfaces. This is now the recommended configuration on all platforms except VMware SD-WAN Edge models 500, 520, and 540—which have an integrated hardware switch.
In Release 4.x., the Management IP will be fully removed from the system and replaced with a flexible mechanism for choosing the source interface for locally originated traffic. As an interim step, we must eliminate reliance on the Management IP so that it can be safely removed completely.
As a result, Release 3.4.0 Edges will no longer source any traffic from the Management IP by default. Instead, the Edge will choose the first "up and advertised" interface on a segment to initiate traffic. If no such LAN interfaces are found, traffic will egress directly to the Internet using a NAT-enabled WAN link.
Cautionary Note: This means that customers who are currently sending traffic sourced from the Management IP (e.g. Radius, DNS) via VPN in the global segment and do not have any up and advertised LAN interfaces in the global segment will see this stop working upon upgrade. The VMware SD-WAN Support Team can assist these users in restoring the pre-3.4.0 behavior, if required, as they prepare to transition away from the Management IP. We will introduce "loopback interfaces" in an upcoming 4.x release to address this transition seamlessly.
VMware SD-WAN Edge Software Images:
Previously, VMware SD-WAN delivered a separate software package for each VMware SD-WAN Edge hardware model. In Release 3.4.0, Edge upgrade images have been consolidated to work across product families. There are now only two software packages for hardware Edges:
The “edge5x0” package now supports installation on: Edge 500, Edge 510, Edge 520, Edge 520-V, Edge 540, Edge 610, Edge 620, Edge 640, Edge 680
The “edge1000” package now supports installation on: Edge 840, Edge 1000, Edge 2000, Edge 3400, Edge 3800, Edge 3810
Note: There is no change to software images for virtual Edges.
Upgrading sites with High Availability:
VMware SD-WAN Edges running version 2.x (either as a factory version or as the currently installed version) and deployed in High Availability topologies cannot be upgraded directly to Release 3.4.0 due to required changes in the protocol used for inter-Edge communication. Users should first install an intermediate Release (e.g. Release 3.3.x) before upgrading to Release 3.4.0.
Change in VMware SD-WAN Edge switch port naming and a change in the Edge 520/540 switch port MAC address
On a VMware SD-WAN Edge using release 3.3.x or lower, the internal port naming (as seen when querying SNMP) was a logical name such as "sw1p0". In Release 3.4.0, this is improved to assign proper logical names (e.g. "lan1") so that users can easily map them to the actual connected ports.
In addition, when an Edge 520 or 540 is upgraded to 3.4.0 or higher, not only does the port naming change, the switchports sw1p0 - sw1p3 will have their MAC address changed as well. For an Edge 520/540, the switchports sw1p0 - sw1p3 correspond to LAN ports LAN1-LAN4.
Any downstream device which filters for a specific source MAC exiting from an Edge 520/540’s LAN1-LAN4 interfaces must be made aware of this MAC address change. The new MAC address upon upgrade to 3.4.0 or higher will differ only in the final character of the address: the port's MAC changes from the eth1-based MAC to the eth0-based MAC, which is the current MAC address with the final character one value lower. For example, if the MAC address ends in 1, the new MAC will end in 0. If the MAC ends in B, the new MAC will end in A.
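Added example (not VMware's code) for operators who maintain source-MAC filters on devices downstream of an Edge 520/540: it rewrites the LAN1-LAN4 entries by decrementing the final hexadecimal character, as described above. The filter-entry layout (model, port, MAC) is a constructed assumption, and because the page does not say what happens to a MAC ending in 0, such entries are reported instead of rewritten.

```python
import re

# Lower-case colon-separated MAC, e.g. "0c:11:22:33:44:5b"
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Only these models/ports are affected by the 3.4.0 MAC change described above.
AFFECTED_MODELS = {"520", "540"}
AFFECTED_PORTS = {"LAN1", "LAN2", "LAN3", "LAN4"}


def normalise_mac(mac):
    """Accept 'AA-BB-..' or 'aa:bb:..' and return canonical lower-case form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def post_upgrade_mac(mac):
    """Return the MAC an affected port will use after upgrade: same address,
    final hex character one value lower (1 -> 0, b -> a, ...)."""
    mac = normalise_mac(mac)
    last = int(mac[-1], 16)
    if last == 0:
        # Behaviour for a trailing 0 is not documented on this page; refuse to guess.
        raise ValueError(f"final character already 0, cannot decrement: {mac}")
    return mac[:-1] + format(last - 1, "x")


def rewrite_filter(entries):
    """entries: list of (edge_model, port, mac) tuples, a constructed format.
    Returns (updated_entries, problems). Entries for unaffected models or
    ports are passed through unchanged."""
    updated, problems = [], []
    for model, port, mac in entries:
        if model not in AFFECTED_MODELS or port.upper() not in AFFECTED_PORTS:
            updated.append((model, port, normalise_mac(mac)))
            continue
        try:
            updated.append((model, port, post_upgrade_mac(mac)))
        except ValueError as err:
            problems.append((model, port, mac, str(err)))
    return updated, problems


# Constructed sample filter list, not real device data.
SAMPLE_FILTER = [
    ("520", "LAN1", "0c:11:22:33:44:5b"),   # affected: b -> a
    ("540", "LAN4", "0C-11-22-33-44-61"),   # affected: 1 -> 0, mixed format
    ("520", "LAN1", "0c:11:22:33:44:70"),   # trailing 0: reported, not changed
    ("620", "LAN1", "0c:11:22:33:44:5b"),   # unaffected model: unchanged
    ("520", "GE3",  "0c:11:22:33:44:5b"),   # unaffected port: unchanged
]

if __name__ == "__main__":
    new_entries, issues = rewrite_filter(SAMPLE_FILTER)
    for entry in new_entries:
        print("keep/update:", entry)
    for issue in issues:
        print("needs manual review:", issue)
```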
Support for New Hardware Platforms
Three new hardware models are supported: the VMware SD-WAN Edge 620, Edge 640, and Edge 680.
Please contact your sales team for further details about these new hardware models.
Remote Diagnostics – Clustering Enhancements
When a VMware SD-WAN Edge is deployed as a Hub in a Cluster, a new Remote Diagnostics option called “Rebalance Hub Cluster” appears, which offers users two choices:
- Redistribute Spokes in Hub Cluster
  - This will attempt to evenly re-distribute Spoke Edges among all Hub Edges in the Cluster.
  - This may cause a brief traffic interruption to any Spokes which have their Hubs reassigned.
- Redistribute Spokes excluding this Hub
  - This will attempt to evenly re-distribute Spokes among Hubs in the Cluster, excluding the Hub Edge from which you are running the Redistribute Spokes utility.
  - This can be used for troubleshooting or maintenance to gracefully remove all Spokes from this Hub Edge.
  - This may cause a brief traffic interruption to any Spokes which have their Hubs reassigned.
Object Groups simplify policy management by allowing the creation of object groups (logical groupings of multiple addresses or ports) and allowing reuse of these object groups in Business Policies and Firewall rules, rather than creating multiple individual rules.
For hybrid branches (i.e. those with both public Internet and private MPLS), it is now possible to have internet traffic egress directly to the internet but dynamically failover to backhauling through a Hub over the MPLS link when Internet is down. This feature may be enabled for a VMware SD-WAN Edge and disabled on a per-Business Policy basis.
Enterprise Reporting is a new service provided under the “Monitor” subsection of the VMware SD-WAN Orchestrator. This service provides Enterprise-wide reports that aggregate data from all Edges within the enterprise and provide graphical reports matching pre-defined templates.
In Release 3.4.0, two reports are added to this service: Transport Distribution and Traffic Distribution. These reports provide a better illustration of how applications are being steered by the SD-WAN network. Additional customization and report templates will be added in future releases.
This feature enables Operator and Managed Service Provider (Partner) users to create new customers by cloning an existing customer that does not have customer-specific configuration already, such as VMware SD-WAN Edges, Third-party tunnels, and Authentication Services. This allows providers to create a “template” customer that will be used to pre-populate the profiles, network services, and customer capabilities that they would like each new customer to inherit.
“Stateful Firewall” functionality can now be enabled under the Configure > Customer page. The Stateful Firewall will perform state checks for TCP and UDP and reject non-compliant packets (e.g. TCP LAND attacks, ICMP echo reply without request).
Firewall logging can now be enabled using Syslog Forwarding from the VMware SD-WAN Edge, and firewall log messages include session state details and rejection reasons for denied connections.
There are two new Remote Diagnostic utilities:
“List Active Firewall Sessions” shows session state and the firewall rule matched.
“Flush Firewall Sessions” allows the user to flush established sessions from the firewall, which will actively end those sessions (i.e. send a TCP RST for TCP sessions). The user may use source and destination IP address filters to flush specific flows.
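Added example (not VMware's code) of the kind of state checks the Stateful Firewall description above refers to: a toy session table that rejects TCP LAND packets and ICMP echo replies with no matching request, records a rejection reason per packet as a firewall log would, and supports a source/destination-filtered flush like the “Flush Firewall Sessions” utility. The packet records and session-key layout are constructed for this illustration; the Edge's real implementation is not modelled.

```python
from dataclasses import dataclass

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str            # source IP
    dst: str            # destination IP
    sport: int = 0      # TCP/UDP source port; for ICMP this field carries the type
    dport: int = 0      # TCP/UDP destination port; for ICMP the echo identifier
    flags: str = ""     # TCP flags as a string, e.g. "S", "SA", "A"


class StatefulFirewall:
    def __init__(self):
        self.sessions = {}   # session key -> {"state", "src", "dst"}
        self.log = []        # (verdict, reason, proto, src, dst), one per packet

    @staticmethod
    def _key(pkt, reverse=False):
        """5-tuple session key; reverse=True builds the key the reply would match."""
        src, dst = (pkt.dst, pkt.src) if reverse else (pkt.src, pkt.dst)
        if pkt.proto == "icmp":
            # echo request and reply share one session keyed by identifier
            return ("icmp", src, dst, pkt.dport)
        sport, dport = (pkt.dport, pkt.sport) if reverse else (pkt.sport, pkt.dport)
        return (pkt.proto, src, sport, dst, dport)

    def _open(self, key, pkt, state):
        self.sessions[key] = {"state": state, "src": pkt.src, "dst": pkt.dst}

    def inspect(self, pkt):
        verdict, reason = self._decide(pkt)
        self.log.append((verdict, reason, pkt.proto, pkt.src, pkt.dst))
        return verdict, reason

    def _decide(self, pkt):
        # LAND: source and destination address identical (classically a TCP SYN)
        if pkt.src == pkt.dst:
            return "DENY", "tcp-land" if pkt.proto == "tcp" else "land"
        fwd, rev = self._key(pkt), self._key(pkt, reverse=True)
        if fwd in self.sessions or rev in self.sessions:
            return "ALLOW", "established"
        if pkt.proto == "icmp":
            if pkt.sport == ICMP_ECHO_REPLY:
                return "DENY", "icmp-echo-reply-without-request"
            if pkt.sport == ICMP_ECHO_REQUEST:
                self._open(fwd, pkt, "echo-pending")
                return "ALLOW", "new-icmp-echo"
            return "DENY", "icmp-unsolicited"
        if pkt.proto == "tcp":
            if pkt.flags != "S":
                return "DENY", "tcp-non-syn-first-packet"
            self._open(fwd, pkt, "syn-sent")
            return "ALLOW", "new-tcp"
        if pkt.proto == "udp":
            self._open(fwd, pkt, "udp-open")
            return "ALLOW", "new-udp"
        return "DENY", "unsupported-protocol"

    def flush(self, src=None, dst=None):
        """Drop sessions matching the optional filters; returns how many were removed."""
        doomed = [k for k, s in self.sessions.items()
                  if (src is None or s["src"] == src) and (dst is None or s["dst"] == dst)]
        for k in doomed:
            del self.sessions[k]
        return len(doomed)


# Constructed sample traffic, not a capture.
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", "203.0.113.10", 40000, 443, "S"),          # new outbound TCP
    Packet("tcp", "203.0.113.10", "10.0.0.5", 443, 40000, "SA"),         # reply to it
    Packet("tcp", "10.0.0.5", "10.0.0.5", 80, 80, "S"),                  # TCP LAND
    Packet("icmp", "198.51.100.1", "10.0.0.5", ICMP_ECHO_REPLY, 7),      # reply, no request
    Packet("icmp", "10.0.0.5", "198.51.100.1", ICMP_ECHO_REQUEST, 7),    # echo request
    Packet("icmp", "198.51.100.1", "10.0.0.5", ICMP_ECHO_REPLY, 7),      # now a valid reply
    Packet("tcp", "192.0.2.9", "10.0.0.5", 1234, 22, "A"),               # mid-stream ACK
]


def run_demo():
    """Inspect the sample packets, then flush everything sourced from 10.0.0.5."""
    fw = StatefulFirewall()
    verdicts = [fw.inspect(p) for p in SAMPLE_PACKETS]
    flushed = fw.flush(src="10.0.0.5")
    return verdicts, flushed, len(fw.sessions)


if __name__ == "__main__":
    verdicts, flushed, remaining = run_demo()
    for (verdict, reason), pkt in zip(verdicts, SAMPLE_PACKETS):
        print(f"{verdict:5} {pkt.proto:4} {pkt.src} -> {pkt.dst}  reason={reason}")
    print(f"flushed {flushed} session(s), {remaining} remaining")
```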
Users can now restrict LAN-side source NAT to a specific set of destination subnets and can apply source and destination NAT to the same packet.
Overlay Flow Control
Previously, the VMware SD-WAN Orchestrator was “in path” for the learning of dynamic routes. VMware SD-WAN Edges relied on the Orchestrator to calculate initial route preferences and return them to the Edge. This meant that new dynamic routes learned while the Orchestrator was unreachable would not be advertised until the Orchestrator became reachable again.
The Orchestrator will now send all the information required for initial route calculations to the Edge and VMware SD-WAN Gateway, which will both perform this calculation inline and advertise routes immediately without requiring Orchestrator involvement. This allows routes to be learned even when the Orchestrator is unreachable and reduces route convergence from minutes to seconds in large networks with thousands of dynamic routes.
Remote Diagnostics – Ping Test
Users can now select any valid source IP (VLAN, Routed Interface, Subinterface or Secondary IP Address) as the source address for a Remote Diagnostic ping. This allows use cases that were previously unsupported, such as pinging an external device in the DMZ from a routed interface.
MPLS Classes of Service
In previous releases, configuring MPLS Classes of Service could actually lead to degraded performance under contention. This was because a single sequence number for the VMware SD-WAN path could be reordered when passing through underlay queuing.
In Release 3.4.0, each MPLS class is given its own unique set of sequence numbers. This facilitates measuring the loss, latency, and jitter of each class of service independently and prevents reordering caused by intermediate queueing.
A template for tunnel statistics has been added to the IPFIX data that is exported from the VMware SD-WAN Edge. With this additional metadata, a collector will be able to provide path visibility between any two SD-WAN sites and show metrics including end-to-end metrics (e.g. loss, latency, jitter), data volume, top applications and top users.
In addition to email, SMS, and SNMP traps, the VMware SD-WAN Orchestrator now supports delivery of Customer Alerts via “Webhooks” (HTTP callbacks) to user-specified recipient web servers or services. An example recipient server implementation is available via the Sample Exchange on code.vmware.com.
Dynamic Bandwidth Adjustment
Dynamic Bandwidth Adjustment no longer misinterprets routine packet loss as congestion which previously caused WAN links with unrelated packet loss to collapse to a "2 Mbps" bandwidth setting.
Support has been added for the Intel® Ethernet Controller X710 card on both the VMware SD-WAN Edge and Gateway, both with and without DPDK enabled.
ADSL and VDSL SFP Support
Support has been added for the Metanoia SFP-V5311-T-R xDSL SFP adapter which operates according to VDSL2 and ADSL2/2+ specifications.
Virtual Edge Support
Support has been added for running the VMware SD-WAN Edge on the Google Cloud Platform. SD-WAN Hub Clustering can be enabled with the assistance of a third-party Layer 3 router.
Note: This applies to Operator users and Partner Administrators only.
The following behavioral changes are included in the Release 3.4.0 Orchestrator:
Under Configure > Customer
- The following features are enabled by default for all customers, and removed as configurable options: BGP, OSPF, PKI, and LAN-side NAT rules.
- “Enable VQM” is removed as an option because the Voice Quality Monitoring feature is no longer available.
- New customers will have Stateful Firewall enabled by default.
- Enable Segmentation remains visible but is enabled by default for all customers.
Under Configure > Firewall at both the Profile and Edge level, the feature "Syslog Forwarding" is enabled by default for all customers.
The complete 3.4.0 API reference is available via code.vmware.com.
Notable changes include:
- Addition of support for a token-based authentication mechanism based on the HTTP Authorization header. Users may provision and download long-lived API tokens via the Orchestrator UI (or API) and can thereafter compose API requests using an HTTP Authorization header (e.g. Authorization: Token <token>) to authenticate to the Orchestrator. This does not impact the existing cookie-based authentication mechanism.
- Introduction of new CRUD API methods for managing API tokens.
- Deprecation of the following Customer Capabilities: enableOSPF, enableVQM, enableNAT, enableBGP, enablePKI. Apart from enableVQM, where the underlying feature is no longer supported, each of these capabilities is now effectively considered to be enabled for all customers.
- Introduction of a fix (issue ID = 30518) which causes the Orchestrator API to throw validation errors on attempted update of immutable configuration module attributes on calls to the following API methods:
- Introduction of segment-specific nat options in deviceSettings configuration module data, as required to configure LAN-side NAT rules (see device_settings_nat definition).
- Introduction of support for cellular settings on routed interface configurations for device models where cellular interfaces are supported (see device_settings_routed_interface definition).
- Updated routed interface validation logic which enforces that the natDirect option is required.
- Introduction of two ordered lists in segment-specific deviceSettings VPN configuration entities (see device_settings_vpn definition):
- edgeToEdgeHub > vpnHubs: Determines routing precedence for Edge hubs/clusters.
- backhaulEdges: Determines routing precedence of Edge hubs/clusters.
- Introduction of conditionalBackhaul property in segment-specific deviceSettings VPN configuration entities which may be used to enable the Conditional Backhaul feature.
- Introduction of CRUD API methods for managing Object Groups.
- Addition of support for Object Group references on match predicates for QOS and firewall rules (see QOS_business_rules and firewall_rule_match definitions).
- Introduction of a Boolean option stateful_firewall_enabled in firewall configuration module entities which may be used to enable or disable Edge stateful firewall functionality.
- Introduction of a Boolean option syslog_forwarding in firewall configuration module entities which may be used to enable forwarding of firewall logs to a configured collector.
- Introduction of API methods for cloning Customers:
- network/getNetworkCloneableEnterprises (Operator-only)
- enterpriseProxy/getEntepriseProxyCloneableEnterprises (Partner-only)
- Introduction of a new API method that may be used to fire test alerts to prospective Webhook alert recipients: alert/sendEnterpriseAlertTestWebhook
- Introduction of new Operator/Partner-only API methods that govern new distributed Overlay Flow Control route calculation behavior:
- Miscellaneous usability fixes.
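Added example (not VMware's code) of composing an Orchestrator API request with the token-based mechanism listed above, i.e. an `Authorization: Token <token>` header instead of a session cookie. It reads the long-lived token from an environment variable, refuses to attach it to a non-HTTPS URL, and produces a redacted header view for logging. The `/portal/rest/<method>` path prefix and the JSON request body are assumptions not stated on this page.

```python
import json
import os
import urllib.request

API_PREFIX = "/portal/rest/"   # assumed Orchestrator REST path layout


class TokenError(ValueError):
    """Raised when a request cannot safely carry the API token."""


def load_api_token(env_var="VCO_API_TOKEN"):
    """Read the long-lived token from the environment rather than source code."""
    token = os.environ.get(env_var, "").strip()
    if not token:
        raise TokenError(f"{env_var} is not set")
    return token


def build_api_request(base_url, method, params, token):
    """Return a urllib Request for <base_url>/portal/rest/<method> that carries
    'Authorization: Token <token>' and a JSON body (assumed body format).
    Only HTTPS is accepted because the header is a reusable credential."""
    if not base_url.lower().startswith("https://"):
        raise TokenError("refusing to send an API token over a non-HTTPS URL")
    if any(ch in token for ch in "\r\n"):
        raise TokenError("token contains characters that would break the header")
    url = base_url.rstrip("/") + API_PREFIX + method.lstrip("/")
    body = json.dumps(params or {}).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Token {token}")
    req.add_header("Content-Type", "application/json")
    return req


def redact_for_log(req):
    """Header view that is safe to write to logs: the token value is masked.
    urllib stores header names capitalised, e.g. 'Authorization'."""
    return {name: ("Token [REDACTED]" if name.lower() == "authorization" else value)
            for name, value in req.header_items()}


if __name__ == "__main__":
    # Sends nothing; only shows what would be sent. Hostname is a placeholder.
    req = build_api_request("https://vco.example.test",
                            "alert/sendEnterpriseAlertTestWebhook",
                            {"enterpriseId": 1}, load_api_token())
    print(req.get_method(), req.full_url)
    print(redact_for_log(req))
```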
June 13th. First Edition. (From a previously published edition at original time of GA).
The resolved issues are grouped as follows.
Edge/Gateway Resolved Issues
Resolved in R340-20200218-GA
The below issues have been resolved since 3.3.2 Edge and Gateway version R332-20191219-GA P1.
- Fixed Issue 19043:
The Ping utility on Remote Diagnostics does not work if there are no clients or Wi-Fi networks connected to a VLAN.
- Fixed Issue 22971:
VMware SD-WAN Edges with names and addresses using UTF-8 non-ASCII characters will cause device settings failures.
- Fixed Issue 23343:
The VMware SD-WAN Partner Gateway experiences a dataplane service failure while handling Partner Gateway Handoff configuration updates from the VMware SD-WAN Orchestrator.
- Fixed Issue 23570:
User is unable to perform a packet capture on a sub-interface when using the VMware SD-WAN Orchestrator.
- Fixed Issue 24147:
When a VMware SD-WAN Azure Edge is rebooted, the network interfaces may appear in the wrong order and network communication would fail.
- Fixed Issue 25949:
If the Profile Isolation check box under Branch to Branch VPN is toggled repeatedly the isolated routes are not removed from the route table.
- Fixed Issue 26541:
Repeatedly enabling/disabling BGP to OSPF redistribution may cause routes to no longer be redistributed for some time and can be corrected by disabling and re-enabling again.
- Fixed Issue 26706:
If a VMware SD-WAN Edge is connected to a Partner Gateway and is given a route table that includes 0.0.0.0/0 as a "Non-Secure" BGP route, the Edge will not honor a business policy configured to send Internet traffic via a direct path.
- Fixed Issue 28114:
When a business policy is configured with a hostname for which there is no matching DNS cache entry, the policy is not honored, and the flow will be matched to another rule instead.
- Fixed Issue 29493:
When a VMware SD-WAN Spoke Edge’s routed interface subnet is configured with the WAN overlay setting enabled, the interface’s subnet is not advertised to the Hub. This route is also not advertised to the peering switch through BGP.
- Fixed Issue 29553:
A ping from a LAN-connected device to the VMware SD-WAN Edge’s subinterface IP address is dropped when the Edge service restarts.
- Fixed Issue 31039:
The Remote Diagnostic “VPN Test” fails when the VMware SD-WAN Edge includes a /32 static or dynamic route even though a ping will succeed to the same Edge.
- Fixed Issue 31110:
VMware SD-WAN Cluster Hub routes are not reachable when the Spoke is configured with branch-to-branch VPN using the Cloud Gateway.
- Fixed Issue 31298:
For the Remote Diagnostic “Troubleshoot BGP - Show BGP Routes per Prefix”, the test includes the BGP routes for the prefixes of only one segment and not for all segments.
- Fixed Issue 31330:
In very rare instances, a VMware SD-WAN Spoke Edge may have all its Edge to Edge via Hub routes set to false with the result that this Edge cannot be reached by other Spoke Edges.
- Fixed Issue 31844:
When disabling and then reenabling NetFlow or restarting the VMware SD-WAN Edge service, some NetFlow packets may be lost.
- Fixed Issue 32100:
When a VMware SD-WAN Hub Edge has a lower MTU than a connected Spoke Edge, the Spoke Edge may not adjust its MTU on the path towards the Hub Edge to the lower Hub MTU value resulting in packet fragmentation between the Hub and Spoke.
- Fixed Issue 32283:
When the order of a BGP route that was learned on a VMware SD-WAN Hub cluster is manually changed in Overlay Flow Control, the route order may not be updated properly in the VMware SD-WAN Gateway routing table.
- Fixed Issue 32346:
NetFlow records for port-forwarded flows have incorrect values.
- Fixed Issue 32349:
Changing the time on the VMware SD-WAN Edge may cause the Edge to stop sending NetFlow packets for up to 120 minutes.
- Fixed Issue 32416:
When two VMware SD-WAN Edges establish Dynamic Edge-to-Edge paths and their MTUs differ, the Edges do not exchange MTU values to ensure that packets are not fragmented on those paths.
- Fixed Issue 32687:
On a site configured for Enhanced High Availability, a DHCP interface may lose its IP address and reset to 0.0.0.0 after a configuration update.
- Fixed Issue 32737:
The NetFlow record for a Non-VeloCloud Site’s backhaul traffic displays the incorrect OutputInt/DestinationID.
- Fixed Issue 32848:
Underlay traffic from a VMware SD-WAN Edge does not honor MPLS Class of Service (CoS) values configured under the Private Link properties.
- Fixed Issue 32892:
In non-Partner Gateway topologies, user traffic from a routed client may be dropped if there are only cloud routes matching the source, even if RPF (Reverse Path Filter) is disabled.
- Fixed Issue 32907:
On a site configured for Enhanced High Availability, a PPPoE link cannot process traffic as the default route on the Standby VMware SD-WAN Edge is not synchronized to the Active Edge.
- Fixed Issue 32933:
User is unable to configure multiple BGP communities by enabling the "Community Additive" option.
- Fixed Issue 32992:
In rare instances, the VeloCloud Management Control Protocol (VCMP) packet data structure, which stores out-of-order packets may become corrupted and this leads to a Dataplane Service Failure on the VMware SD-WAN Gateway.
- Fixed Issue 33019:
A memory leak may occur when performing LAN-side Destination NAT, which can eventually cause NAT to stop functioning after an extended period.
- Fixed Issue 33022:
ICMP probe marks an interface as up during an Edge service restart even if the physical state of the interface is down.
- Fixed Issue 33155:
BGP community additive applies all routes including non-matching prefixes configured in route map.
- Fixed Issue 33260:
VMware SD-WAN Edge copies the inner DSCP tag to the VeloCloud Management Protocol (VCMP) outer packet despite there being no business policy configured specifying this action.
- Fixed Issue 33488:
The Remote Diagnostic “Route Table Dump” is unable to display several thousand routes and the test times out.
- Fixed Issue 33579:
On a site configured for Enhanced High Availability, VLAN tagged WAN links on the Standby Edge may fail to form tunnels to the VMware SD-WAN Gateways and show as down when DHCP is used to acquire the IP address for that link.
- Fixed Issue 33601:
When LAN side NAT rules are modified (e.g. add/modify/delete), NAT leaks (the leaking of internal IP addresses to the public WAN) are seen for existing flows.
- Fixed Issue 33641:
Local and remote OSPF routes (O and IA) are sorted by metric type and not preference.
- Fixed Issue 33735:
On a site configured for High Availability, the Active VMware SD-WAN Edge’s attempt to detect a heartbeat from the Standby Edge may time out early—resulting in a split-brain (active/active) state.
- Fixed Issue 33805:
A global BGP timer change on a VMware SD-WAN Edge would interrupt the Edge’s BGP sessions if MD5 authentication is enabled.
- Fixed Issue 33852:
There is a significant discrepancy between the Transport and Application statistics shown on the VMware SD-WAN Orchestrator monitoring page.
- Fixed Issue 33884:
When the VMware SD-WAN Edge is flooded with a great number of flows which have random source/destination IPs and ports for a long period of time, the Edge may run out of memory and trigger a service restart.
- Fixed Issue 33936:
A VMware SD-WAN Edge may experience a service restart while capturing flow dump details as part of gathering a diagnostic bundle.
- Fixed Issue 33940:
On a site configured for Enhanced High Availability, WAN-side heartbeats are exchanged between the Active and Standby Edges even though this is not needed for this HA topology.
- Fixed Issue 34233:
When there are redundant outbound 1:1 NAT rules configured to provide resiliency across interfaces, traffic does not failover as expected when one of the interfaces goes down.
- Fixed Issue 34442:
A VMware SD-WAN Gateway which receives IP fragments out of order may suffer memory corruption which results in a Gateway service restart.
- Fixed Issue 34505:
The VMware SD-WAN Edge does not cache DNS queries routed through it when the Edge is not configured as the client's DNS server.
- Fixed Issue 34615:
When a VMware SD-WAN Spoke Edge initiates a bandwidth test to a Hub Edge, the Spoke may receive a BW_UNMEASURABLE message from the Hub, in which case the Spoke does not retry the test.
- Fixed Issue 34636:
If the VMware SD-WAN Spoke-to-Hub Edge paths are marked as BW_UNMEASURABLE, the bandwidth measurement method does not change to Burst Mode.
- Fixed Issue 34730:
On a VMware SD-WAN Spoke Edge, the bandwidth of a private link is not set as the maximum of the bandwidth measured for the Hub-Spoke and the local VMware SD-WAN Gateway path.
- Fixed Issue 34794:
On a site configured for High Availability, when one VMware SD-WAN Edge restarts, the Edge which restarted may fail to receive the heartbeats from the Active Edge and this Edge acting as the Standby transitions to active earlier than expected which results in a split-brain (active/active) state.
- Fixed Issue 34872:
The VMware SD-WAN Edge does not refresh OSPF default routes after the max-age is reached.
- Fixed Issue 35205:
Some BGP routes may not be installed in the forwarding information base (FIB) because the VMware SD-WAN Edge is preferring a BGP peer route over a locally connected route.
- Fixed Issue 35345:
After a BGP neighbor configuration change, the default route was not advertised to the peer.
- Fixed Issue 35370:
Traffic may fail when it is configured to backhaul through hierarchical VMware SD-WAN Hubs (e.g. traffic backhauls to Hub1, which then backhauls to Hub2).
- Fixed Issue 35453:
Cloud Security Service will not work if ‘NAT Direct Traffic’ is disabled on the WAN interface.
- Fixed Issue 35650:
Private links with Service Reachable configured will schedule bandwidth tests even though these links should not be measured.
- Fixed Issue 35762:
GRE tunnels to Zscaler do not work on WAN links that require PPPoE.
- Fixed Issue 35804:
On a site configured for Enhanced High Availability, pinging the WAN interface of the VMware SD-WAN Standby Edge from the internet does not work.
- Fixed Issue 35836:
Directly connected clients (on a routed port) are not able to receive a DNS response from a remote private DNS server.
- Fixed Issue 35931:
On a VMware SD-WAN Edge configured to use a Stateful Firewall, an ICMP echo reply as the first packet of a flow is allowed by the Edge, instead of dropping.
- Fixed Issue 35996:
Older VMware SD-WAN Edges whose factory image is version Release 1.8.2 or earlier cannot be directly activated to Release 3.3.0 or later.
- Fixed Issue 36032:
In rare instances, a VMware SD-WAN Hub Edge using 4 or more WAN links may suffer a Dataplane Service Failure.
- Fixed Issue 36303:
In some interoperability instances where the VMware SD-WAN Gateway uses a later software version from the VMware SD-WAN Edge, the Gateway may fail to push routes to that Edge.
- Fixed Issue 36689:
VMware SD-WAN Partner Gateway that is handling a BGP session reset with a peering switch may suffer a service restart.
- Fixed Issue 36968:
When configuring multiple non-redundant static routes with the same prefix and ICMP probe enabled, the backup route is not advertised if the ICMP probe fails on the master route.
- Fixed Issue 37003:
A VMware SD-WAN Gateway may have the incorrect serial numbers for a site’s Active and Standby VMware SD-WAN Edges which results in the Gateway dropping traffic between the HA Edge and the Orchestrator.
- Fixed Issue 37031:
When a VMware SD-WAN Edge acts as a DHCP relay, the dest_ip and dest_mac addresses were unicast even if the broadcast flag was configured.
- Fixed Issue 37081:
The Remote Diagnostic “Clear ARP Cache” lists sub-interfaces but returns the error "Invalid interface for clearing ARP" when running this diagnostic on a sub-interface.
- Fixed Issue 37146:
USB modems that use ModemManager are not detected on Model 6x0 Edges running Release 3.3.2.
- Fixed Issue 37351:
If a customer enterprise has two Non-VeloCloud Sites which each use the same VMware SD-WAN Gateway but are on different profiles, one of the NVS sites will have missing routes to their Gateway.
- Fixed Issue 37413:
A customer enterprise with a Non-VeloCloud Site configured under both global and non-global segments will only send the global segment routes to the VMware SD-WAN Gateway and not the non-global segment routes.
- Fixed Issue 37467:
When a VMware SD-WAN Edge has an unstable link there is the potential for the QuickAssist (QAT) cryptographic rekey and the IPsec Security Association rekey to get into a race condition which would cause the Edge service to restart.
- Fixed Issue 37507:
When a VMware SD-WAN Edge is configured with Source Network Address Translation (SNAT) for LAN side NAT, NAT leaks (the leaking of internal IP addresses to the public WAN) may occur when a flow is initiated from other branch sites to the inside source IP address.
- Fixed Issue 37510:
When a VMware SD-WAN Edge is configured with Destination Network Address Translation (DNAT) for LAN side NAT, NAT leaks (the leaking of internal IP addresses to the public WAN) may occur when a flow is initiated locally to an outside destination IP address.
- Fixed Issue 37517:
On a site configured for Enhanced High Availability, internal communication between the Active and Standby VMware SD-WAN Edges uses the same source MAC address.
- Fixed Issue 37717:
Ping to a sub-interface with a DHCP addressing type fails after the VMware SD-WAN Edge has a service restart or is rebooted.
- Fixed Issue 37746:
Duplicate NAT entries on a VMware SD-WAN Partner Gateway will cause voice calls to drop for all VMware SD-WAN Edges connected to that Gateway.
- Fixed Issue 37752:
The VMware SD-WAN Edge will not validate a VNF administrator password change made using the VMware SD-WAN Orchestrator and the original password remains unchanged.
- Fixed Issue 37965:
VMware SD-WAN Gateway which is configured to connect to a secondary Non-VeloCloud Site fails to build tunnels towards this site because the Gateway never receives the configuration.
- Fixed Issue 38139:
When a secondary datacenter configuration is added, the data center routes would be missing on the VMware SD-WAN Edge.
- Fixed Issue 38641:
When a Non-VeloCloud Site is configured, the 0.0.0.0/32 route added to the VMware SD-WAN Edge is also redistributed to the Edge’s OSPF neighbors instead of the default route despite Default Route being enabled under Redistribution Settings.
- Fixed Issue 38717:
A PPPoE link flap on a VMware SD-WAN Edge may cause an exception in the Edge’s kernel with the result being an Edge service restart.
- Fixed Issue 39028:
A VMware SD-WAN Edge that uses an AWS C5/M5 instance cannot be software-upgraded.
- Fixed Issue 39127:
After many disconnect/reconnect cycles, USB modems and cellular interfaces may no longer form overlay tunnels.
- Fixed Issue 39127:
In certain cases, a VMware SD-WAN Gateway may not correctly NAT the outgoing traffic when a Many-to-One Policy Based NAT rule is configured on a VMware SD-WAN Edge.
- Fixed Issue 39206:
VCMP tunnel fails to form for an auto-discovered WAN overlay when the underlying interface is VLAN tagged.
- Fixed Issue 39360:
The Configure TACACS utility does not update the service/protocol in the configuration and if non-default service/protocol values were used, user authentication would fail.
- Fixed Issue 39491:
On a VMware SD-WAN Azure-based Edge, the cloud-init will fail if password authentication was specified during the VM launch and renders the system inaccessible.
- Fixed Issue 39658:
The output of an Nmap security scan on VMware SD-WAN Edge WAN ports may show some explicit TCP ports (even if they are in a closed state), when the expected output is no explicit TCP ports.
- Fixed Issue 39876:
A Dataplane Service Failure may occur if the VMware SD-WAN Gateway erroneously receives a VCMP INIT ACK packet.
Resolved in R340-20200218-GA
The below issues have been resolved since Orchestrator version 3.3.2 GA-20191218.
- Fixed Issue 20569:
When a Cloud Security Service is in use, an API call attempting to delete that CSS is not blocked from doing so, nor does that attempt return an error.
- Fixed Issue 27736:
If a name is manually configured for an auto-detected WAN overlay, that name does not persist across link outages.
- Fixed Issue 29990:
When a DNS service is being used by a profile, an API attempting to delete that DNS service is not blocked from doing so, nor does that attempt return an error.
- Fixed Issue 30115:
The VMware SD-WAN Orchestrator allows all VMware SD-WAN Gateways to be removed from a Gateway Pool even when they are assigned to an enterprise.
- Fixed Issue 30678:
The order in which VMware SD-WAN Hubs (and Clusters) are configured in the “Branch to VeloCloud Hubs” section of VPN-enabled profiles may not be consistent with the order in which those Hubs are dispatched to VMware SD-WAN Edges assigned that profile. This can result in an incorrect routing precedence when route attributes are otherwise equal.
- Fixed Issue 31291:
The only way to update an application map is to assign a customer enterprise a different operator profile that includes the updated application map; updating Office 365 endpoints may only be done manually.
- Fixed Issue 31388:
The VMware SD-WAN Orchestrator will appear to save changes made to a Non-VeloCloud Site configuration page, but no actual changes are applied to the NVS configuration.
- Fixed Issue 31493:
The VMware SD-WAN Edge OS shown is not correct on the Devices tab for the Monitor > Sources page.
- Fixed Issue 31649:
Sorting by MAC addresses does not work for the Monitor > Sources page.
- Fixed Issue 31798:
When running the Remote Diagnostic “List Active Flows”, the rows and columns do not align properly.
- Fixed Issue 31869:
An Operator with a Customer Support role is unable to view Cloud Security Services on the VMware SD-WAN Orchestrator.
- Fixed Issue 32027:
The VMware SD-WAN Orchestrator displays the message: "The changes you made will be lost if you navigate away from this page." immediately after creating a new customer enterprise administrator.
- Fixed Issue 32196:
The .csv file downloaded when using the CSV Export feature on the Monitor > Edges page does not show an accurate real-time status of the VMware SD-WAN Edge in the Edge list view.
- Fixed Issue 32497:
On the System tab of the Monitor > Edge page, the VMware SD-WAN Edge health statistics time series plot shows incorrect data.
- Fixed Issue 32811:
When a segment property is modified and this change is saved, the previous configuration property may still be present post-modification.
- Fixed Issue 32968:
The VMware SD-WAN Orchestrator allows for the configuration of more than one BGP community per filter.
- Fixed Issue 33231:
The VMware SD-WAN Orchestrator accepts the same RADIUS server IP in both primary and secondary server fields when configuring the RADIUS authentication scheme for Operators.
- Fixed Issue 33454:
The VMware SD-WAN Orchestrator does not show the proper error message when trying to create an Azure Virtual Hub Non-VeloCloud Site using an IaaS subscription which has an expired or invalid client secret.
- Fixed Issue 33670:
When a VMware SD-WAN Orchestrator is upgraded from Release 3.2.1 to Release 3.3.1, the Alternate Super Gateway is selected from the same region where the Primary Super Gateway is located even though there is a valid Alternate Super Gateway candidate available in a different region.
- Fixed Issue 33767:
During an upgrade, the VMware SD-WAN Orchestrator initiates a server reboot before the schema changes can be applied to the database.
- Fixed Issue 33979:
A user looking at the Local UI for a VMware SD-WAN Edge is not able to see any interface status information under the Details tab.
- Fixed Issue 34035:
The VMware SD-WAN Orchestrator does not perform validation checks to ensure the NAT Direct Traffic field is mandatory on both routed interfaces and subinterfaces for any new configuration changes.
- Fixed Issue 34301:
When Certificate Optional mode is selected for a VMware SD-WAN Azure Edge, a new certificate is generated every minute and never stops.
- Fixed Issue 34477:
A Partner Administrator with a Business Specialist role can modify customer configurations.
- Fixed Issue 34592:
Static IP addresses assigned to a VLAN are not restricted by the DHCP subnet and instead follow the values configured for the static reservation, which may be outside of the DHCP dynamic ranges.
- Fixed Issue 34657:
An Operator user is not able to configure a System Property’s “Read Only” setting to ‘No’ on the VMware SD-WAN Orchestrator.
- Fixed Issue 34880:
In some cases, when a customer enables LAN-side “Visibility by IP address”, the VMware SD-WAN Orchestrator erroneously displays the hostname for the wrong VMware SD-WAN Edge when viewing flow metrics using the Monitor > Edge tabs.
- Fixed Issue 35226:
Updating the VMware SD-WAN Partner Gateway handoff information in the VMware SD-WAN Orchestrator may throw an error.
- Fixed Issue 35264:
In some cases, a user may be unable to designate a “Preferred VPN Exit” for a VMware SD-WAN Partner Gateway.
- Fixed Issue 35362:
When updating Device Settings via API, validation may reject valid JSON configurations due to "invalid multicast settings".
- Fixed Issue 35376:
A non-standard error message is thrown when sending an API request with an invalid user ID to configuration/cloneConfiguration.
- Fixed Issue 35380:
On the Network Overview page, the correct link status is not displayed for up to 10 minutes from the time a link has gone down.
- Fixed Issue 35383:
On a customer’s Administration > Administrators page, the text is not aligned correctly when creating a new customer administrator.
- Fixed Issue 35427:
When attempting to filter for IP address on the Sources, Applications, and Destination tabs of the Monitor > Edge page, the page may not load and instead displays an “unexpected error message has occurred” message.
- Fixed Issue 35550:
The VMware SD-WAN Orchestrator does not check for missing IP addresses and ports when validating the LAN Side NAT rules in Edge/Profile Device Settings.
- Fixed Issue 35554:
The VMware SD-WAN Orchestrator does not throw an error for invalid combinations of CIDR for inside and outside addresses in LAN Side NAT rules.
- Fixed Issue 35563:
The VMware SD-WAN Orchestrator permits a user to add duplicate LAN-side NAT rules.
- Fixed Issue 35671:
The Edge Overview UI screen will fail to load on a VMware SD-WAN Edge 510 when no segment is “in use” (i.e. associated with a VLAN which is in use).
- Fixed Issue 35774:
The VMware SD-WAN Orchestrator allows a user to configure a NAT rule with only an inside port/outside port.
- Fixed Issue 35973:
Edge Monitor > Transport incorrectly offers the option to display data intervals of 5-minutes, when this time interval cannot be displayed.
- Fixed Issue 35973:
On the Edge Monitor > Transport page, when Average Throughput is selected, Downstream (bps) and Upstream (bps) are incorrectly reported as 0 bps.
- Fixed Issue 36060:
The WAN Overlay Interface is not automatically detected when changed from switched to routed.
- Fixed Issue 36100:
For 1:1 NAT and Port forwarding rules under firewall, the number of rules is restricted to 128 to match the rule limit on Edges.
- Fixed Issue 36406:
A user logged onto the VMware SD-WAN Orchestrator with a Customer Support role will observe invalid characters in the static routes settings section of the Configure > Device page.
- Fixed Issue 36461:
When a site configured for Enhanced High Availability uses dissimilar WAN links and the HA link is cut, the VMware SD-WAN Orchestrator will still show HA status as green (up).
- Fixed Issue 36494:
A VMware SD-WAN Orchestrator upgraded from 3.2.2 to 3.3.2 may be missing Edge monitoring data recorded before the upgrade.
- Fixed Issue 36506:
Non-VeloCloud site action menu items are disabled unintentionally.
- Fixed Issue 36955:
On the Configure > Firewall page, a user may not configure the same port forwarding rule with a different outside IP address.
- Fixed Issue 37152:
The VMware SD-WAN Orchestrator allows an administrator with a Customer Support role to add new NetFlow collectors or filters.
- Fixed Issue 37153:
The VMware SD-WAN Orchestrator allows an administrator with a Customer Support role to edit syslog settings at both the Edge and Profile level.
- Fixed Issue 37178:
The "Cloud VPN Hubs" table on the Configure > Network Services page does not load when a Cluster is used in an internet backhaul business policy.
- Fixed Issue 37303:
The VMware SD-WAN Orchestrator is not displaying Packet Capture option under the Test and Troubleshoot section for a user logged in through SSO as a Partner Administrator with a Superuser role.
- Fixed Issue 37332:
A customer administrator with a Superuser role can use an API call to download a VMware SD-WAN Gateway diagnostic bundle via the VMware SD-WAN Orchestrator.
- Fixed Issue 37415:
The Gateways page on the VMware SD-WAN Orchestrator displays the wrong count for secure VPN Gateways when there are Non-VeloCloud Sites assigned on different segments in the same customer profile.
- Fixed Issue 37494:
VMware SD-WAN Orchestrator should not enable the delete button under Network Settings when switching from one unused network service to another service which is in use.
- Fixed Issue 37755:
When making an API call to getEnterpriseEdges, the response does not indicate Edge-specific device settings overrides were configured if the VMware SD-WAN Edge's Management IP is overridden.
- Fixed Issue 37775:
The VMware SD-WAN Orchestrator does not generate an Edge Up alert if there is a pending Link Up alert.
- Fixed Issue 38264:
The VMware SD-WAN Orchestrator shows a disabled NVS tunnel as online on the Monitor > Network Services page.
- Fixed Issue 38500:
When selecting a Business Policy rule to edit at the Profile level, the screen takes 3-4 seconds to load.
- Fixed Issue 38502:
Error details are not displayed for some VMware SD-WAN Azure Virtual Hub Non-VeloCloud Site provisioning failures on the VMware SD-WAN Orchestrator.
- Fixed Issue 38546:
The VMware SD-WAN Orchestrator API call for updating a VMware SD-WAN Edge configuration does not validate configurations related to radio settings.
- Fixed Issue 38677:
Some Azure Virtual Hub Non-VeloCloud Site provisioning failures are not correctly reflected with a recorded event in the Non-VeloCloud Site section of Monitor > Network Services.
- Fixed Issue 38987:
The VMware SD-WAN Orchestrator allows a VMware SD-WAN Edge to be configured to have the same value for both the Management IP and a VLAN IP.
- Fixed Issue 39158:
When using Internet Explorer 11, a user may not be able to successfully log onto a Release 3.3.2 version of the VMware SD-WAN Orchestrator.
- Fixed Issue 39190:
When a user has a filtered list and then clicks the "Select All" checkbox in the upper corner on the UI, all items in that list are selected instead of selecting only the filtered items. Users can delete VMware SD-WAN Edges in an active state (i.e. Connected or Degraded).
- Fixed Issue 39537:
Partner users are unable to mix Enterprise and Premium VMware SD-WAN Edge licenses within a customer enterprise; Edge licensing does not include 350 Mbps and 750 Mbps bandwidth licenses.
Open Issues in Release 3.4.0
The known issues are grouped as follows.
Edge/Gateway Known Issues
- Issue 08744:
Passive FTP and TFTP will not work via 1:1 NAT.
Workaround: Please consult https://kb.vmware.com/s/article/2913337
- Issue 14655:
Plugging or unplugging an SFP adapter may cause the device to stop responding on the Edge 540, Edge 840, and Edge 1000 and require a physical reboot.
Workaround: The Edge must be physically rebooted. This may be done either on the Orchestrator using Remote Actions > Reboot Edge, or by power-cycling the Edge.
- Issue 17411:
1:1 NAT fails if a rule is created on a routed interface that has a subinterface, and the subinterface has a different IP than the 1:1 NAT rule.
- Issue 25302:
If the dataplane service is disabled on the VMware SD-WAN Edge, a "Restart Services" does not work properly and a "Reboot" must be triggered to recover the Edge.
- Issue 25855:
A large configuration update on the Partner Gateway (e.g. 200 BGP-enabled VRFs) may cause latency to increase for approximately 2-3 seconds for some traffic via the VMware SD-WAN Gateway.
Workaround: No workaround available.
- Issue 26392:
Flows traversing a VPN waypoint (Gateway or Hub) may not switch to a newly established Dynamic Branch-to-Branch VPN tunnel until the next new flow to that destination is created.
- Issue 36970:
VMware SD-WAN Edge Firewall logging may incorrectly list the incoming interface as “VLAN-1” for traffic that was received from the cloud via 1:1 NAT.
- Issue 37308:
If a user deletes all the links configured to build GRE tunnels to Zscaler (but does not disable Cloud Security Service), then changes the Zscaler IP addresses and re-configures the links, the Edge must be restarted to route traffic over the GRE tunnels.
- Issue 37664:
When Edge-to-Edge via VMware SD-WAN Gateway is configured on the spoke, the routes of the cluster Hub remain unreachable for a few seconds.
- Issue 37955:
NetFlow Exporter may export the wrong flow path for peer-initiated flows sent directly between VMware SD-WAN Edges.
- Issue 38682:
A VMware SD-WAN Edge acting as a DHCP server on a DPDK-enabled interface may not properly generate “New Client Device" events for all connected clients.
- Issue 38925:
VPN flows are not synchronized properly between VMware SD-WAN Edges in a High Availability pair, which may cause stateful firewall sessions via VPN to stall on an HA failover.
- Issue 39014:
A VMware SD-WAN Edge service restart may be required when changing established Zscaler tunnels from IPsec to GRE to the same Zscaler IP address.
- Issue 39134:
The System health statistic “CPU Percentage” may not be reported correctly on Monitor > Edge > System for the VMware SD-WAN Edge, and on Monitor > Gateways for the VMware SD-WAN Gateway.
Workaround: Users should use handoff queue drops for monitoring Edge capacity, not CPU percentage.
- Issue 39374:
Changing the order of VMware SD-WAN Partner Gateways assigned to a VMware SD-WAN Edge may not properly set Gateway 1 as the local Gateway to be used for bandwidth testing.
- Issue 39659:
On a site configured for Enhanced High Availability, with one WAN link on each VMware SD-WAN Edge, when the standby Edge has only PPPoE connected and the active has only non-PPPoE connected, a split brain state (active/active) may be possible if the HA cable fails.
- Issue 39384:
Traffic initiated on a WAN-overlay enabled interface may be double counted in NetFlow statistics.
- Issue 39464:
When an SNMP agent is configured to listen on a non-default port, the SNMP Access firewall rule is not updated to that configured port.
- Issue 39609:
Incorrect packet loss may be reported when MPLS Classes of Service are enabled on one VMware SD-WAN Edge but not the peer Edge and link steering via business policy is configured.
- Issue 40360:
A default route learned through a VMware SD-WAN Hub Edge may not be removed on all Spoke Edges after deleting the route at the Hub.
- Issue 40421:
Traceroute is not showing the path when passing through a VMware SD-WAN Edge with an interface configured as a switched port.
- Issue 40425:
Direct Internet traffic from non-Global segments will fail if it matches a route that was learned in the Global segment.
- Issue 40442:
Enabling LAN-side NAT rules may reduce the maximum throughput possible through the VMware SD-WAN Edge by up to 10% (depending on the Edge model).
Workaround: There is no workaround for this issue.
- Issue 40565:
The NetFlow record for direct internet traffic matching a default business policy or underlay routed traffic on a WAN overlay enabled interface gets exported in the 256 template ID instead of the expected 259 template ID.
- Issue 40696:
Disabling BGP on a VMware SD-WAN Hub Edge that is active in a Cluster does not set the BGP route count for this Hub Edge to 0 and trigger an automatic failover as expected.
- Issue 40777:
Syslog export of VMware SD-WAN Edge events does not work to a server that is reachable over VPN only via a default (0.0.0.0/0) route.
- Issue 40972:
When a VMware SD-WAN Edge Spoke has only tunnels to the Hub Edge (all Gateway tunnels down) and a Hub tunnel towards a Gateway also goes down, the Spoke routes are erroneously retracted.
- Issue 46137:
A VMware SD-WAN Edge running 3.4.x software does not initiate a tunnel with AES-GCM encryption even if the Edge is configured for GCM.
- Issue 47355:
When the same route is learned via local underlay BGP, Hub BGP and/or statically configured on the Partner Gateway, the sorting order of the routes is incorrect with the Hub BGP being preferred over the underlay BGP.
- Issue 47681:
When a host on the LAN side of a VMware SD-WAN Edge uses the same IP as that Edge’s WAN interface, the connection from the LAN host to the WAN does not work.
- Issue 48175:
A VMware SD-WAN Edge running Release 3.4.2 will form an OSPF adjacency on a non-global segment if the non-global segment has an interface configured in the same IP range as an interface configured on the global segment.
- Issue 48502:
In some scenarios, a VMware SD-WAN Hub Edge being used to backhaul internet traffic may experience a Dataplane Service Failure due to the improper handling of backhaul return packets.
Orchestrator Known Issues
- Issue 19566:
After High Availability failover, the serial number of the standby VMware SD-WAN Edge may be shown as the active serial number in the Orchestrator.
- Issue 20900:
If the MaxMind geolocation service is enabled and cannot reach the MaxMind server, new VMware SD-WAN Edge activations will not work.
- Issue 24269:
Monitor > Transport > Loss does not graph observed WAN link loss, while the QoE graphs do reflect this loss.
- Issue 32335:
The ‘End User Service Agreement’ (EUSA) page throws an error when a user is trying to accept the agreement.
Workaround: Ensure no leading or trailing spaces are found in Enterprise Name.
- Issue 33026:
The ‘End User Service Agreement’ (EUSA) page does not reload properly after deleting the agreement.
- Issue 35658:
When a VMware SD-WAN Edge is moved from one profile to another which has a different CSS setting (e.g. IPsec in profile1 to GRE in profile2), the Edge level CSS settings will continue to use the previous CSS settings (e.g. IPsec versus GRE).
Workaround: Disable and then re-enable GRE at the Edge level to resolve the issue.
- Issue 35667:
When a VMware SD-WAN Edge is moved from one profile to another profile which has the same CSS setting but a different GRE CSS name (the same endpoints), some GRE tunnels will not show in monitoring.
Workaround: Disable and then re-enable GRE at the Edge level to resolve the issue.
- Issue 38843:
When pushing an application map, there is no Operator event, and the Edge event is of limited utility.
- Issue 39790:
The VMware SD-WAN Orchestrator allows a user to configure a VMware SD-WAN Edge’s routed interface to have greater than the supported 32 subinterfaces, creating the risk that a user can configure 33 or more subinterfaces on an interface which would cause a Dataplane Service Failure for the Edge.
- Issue 40341:
Though the Skype application is properly categorized on the backend as Real Time traffic, when editing the Skype Business Policy on the VMware SD-WAN Orchestrator, the Service Class may erroneously display “Transactional”.
- Issue 40567:
A user is able to clone a customer enterprise even though the customer's profile includes partner gateways (which cannot be cloned) and there is no clear error message about why attempting this will not work.
- Issue 40746:
Connected subnets and static routes associated with subinterfaces may not show up as expected on the Configure > Overlay Flow Control screen of the VMware SD-WAN Orchestrator.
Workaround: Ignore the duplicate event.
- Issue 41691:
User cannot change the 'Number of addresses' field although the DHCP pool is not exhausted on the Configure > Edge > Device page.
- Issue 43276:
User cannot change the Segment type when a VMware SD-WAN Edge or Profile has a VMware SD-WAN Partner Gateway configured.