These release notes accompany the IOS XE SD-WAN Software Release 16.10, which provides SD-WAN capabilities for Cisco IOS XE routers, and the compatible SD-WAN Software Release 18.4 for Viptela controller devices—including vSmart controllers, vBond orchestrators, and vManage NMSs—and vEdge routers. These Release Notes include IOS XE SD-WAN Releases 16.10 through 16.10.3 and corresponding Releases 18.4 through 18.4.3.
IOS XE SD-WAN Software Release 16.10 and SD-WAN Software Release 18.4
August 14, 2019
Cisco IOS XE Devices
Cisco IOS XE SD-WAN software runs on the following devices:
- Cisco ASR 1000 Series Aggregation Services Routers:
  - ASR 1001-HX and ASR 1001-X
  - ASR 1002-HX and ASR 1002-X
- Cisco ISR 1000 Series Integrated Services Routers:
  - C1111-8P, C1111-8P LTE EA, and C1111-8P LTE LA
  - C1117-4P LTE EA, C1117-4P LTE LA
  - C1111-4P LTE EA, C1111-4P LTE LA, C1116-4P LTE EA, C1117-4P MLTE EA
  - C1111-4P, C1116-4P, C1117-4P, C1117-4PM, C1101-4P, C1111X-8P (8GB RAM)
- Cisco ISR 1000 Series Integrated Services Routers, with wireless services (WLanGigabitEthernet configuration required from vManage):
  - C1111-8PWY (WiFi domain WY; Y = A, B, E, F, H, N, Q, R, Z)
  - C1111-8PLTEEAWX* (WiFi domain WX; X = A, B, E, R)
- Cisco ISR 4000 Series Integrated Services Routers:
  - ISR 4221
  - ISR 4321
  - ISR 4331
  - ISR 4351
  - ISR 4431
  - ISR 4451
- Cisco CSR 1000v Series Cloud Services Routers:
  - CSR 1000v
Cisco Enterprise Network Compute System
- Cisco 5000 Series Enterprise Network Compute System
  - ENCS 5104, ENCS 5406, ENCS 5408
  - ENCS 5412 with T1/E1 and 4G NIM modules
- vEdge 100 Router
- vEdge 100b Router
- vEdge 100m Router
- vEdge 100wm Router
- vEdge 1000 Router
- vEdge 2000 Router
- vEdge 5000 Router
Below are the main product features added in SD-WAN Software Release 18.4 and IOS XE SD-WAN Release 16.10.
For Cisco IOS XE devices:
Cisco IOS XE routers support all the following SD-WAN software features. For more information, see Software Installation and Upgrade for Cisco IOS XE Routers.
- Cisco SD-WAN security features
  - Enterprise Firewall with Application Awareness
  - Intrusion Prevention System
  - URL Filtering
  - DNS/Web-Layer Security
  - Umbrella auto-registration
  - Cloud: Local domain bypass for Umbrella
- Onsite bootstrap process for SD-WAN edge routers
- Template improvements: Network Design Builder, Device Profile Builder
- vManage common template for multiple C1100 wireless SKUs
- IPv6 on the service side + dual-stack
  - Dual-stack interfaces (Gig, sub-interface, SVI, and loopback) on service side.
  - v6 routing protocols on service side: Static, BGP, route maps, inbound filtering, outbound filtering, v4 and v6 OMP redistribute, v4 and v6 redistribute between service VPNs
  - IPv6 services features on service side: QoS, QoS policer on service side, QoS DSCP rewrite rule for inbound and outbound, ip name-server, ICMP redirects, VRRP, ACL, DHCP relay agent, SSH, traceroute, SNMP, logging server, MIB
  - IPv6 addressing: Unicast (link-local, unique-local, and global), Anycast
- Device life cycle (Monitoring Security Policies by Device)
For vEdge routers:
- Adaptive FEC for optimizing TCP retransmits.
- ALG support for FTP client side with NAT—Cisco IOS XE SD-WAN router provides FTP ALG support with network address translation – Direct Internet Access (NAT-DIA), SERVICE NAT, and Zone-Based Firewall (ZBFW).
- Template improvements: Network Design Builder, Device Profile Builder.
- Packet duplication for loss correction
- SR-IOV vEdgeCloud support
SD-WAN Features Not Supported on IOS XE Devices
- Cloud Express service
- Cloud onRamp service
- Standard IPsec with IKE version 1 or IKE version 2 for service-side connections
- IPsec/GRE cloud proxy
- IPv6 on transport connections
- NAT pools on service-side connections
- NAT pools for DIA
- Service side NAT
- Reverse proxy
- Interface level policer (however, policer is supported through the interface ACL)
- Policy actions: local-tloc, local-tloc-list, remote-tloc (CSCvn67980), remote-tloc-list, mirror, log, service
|18.3.5||16.9.4||16.9.4 with NFVIS 3.9.1FC1 or NFVIS 3.9.2-FC4||17.2 or higher|
|18.4.0||16.10.1||16.10.1 with NFVIS 3.9.1FC1 or NFVIS 3.9.2-FC4||17.2 or higher|
ROMmon Requirements Matrix
Only the ROMmon versions shown in this matrix are supported on the corresponding devices.
|ROMmon Version for 16.9 Devices||ROMmon Version for 16.10 Devices|
The ISRv router is running the minimum required version of the CIMC and NFVIS software, as shown in the table below:
New and Modified Configuration Commands
|log-translations||vpn interface nat||X|
|natpool||vpn interface nat||X|
|rewrite-rule||policy||X||Add layer-2-cos command.|
|static||vpn interface nat||X|
|tloc-extension-gre-from||sdwan interface tunnel-interface||X||On IOS XE routers.|
|tloc-extension-gre-to||sdwan interface tunnel-interface||X||On IOS XE routers.|
New and Modified vManage Screens
|All||Configuration ► Network Design||X|
|Controller Version||Maintenance ► Software Repository||X|
|DSL PPPoA configuration||Configuration ► Templates ► Feature||X||For Cisco IOS XE routers.|
|DSL PPPoE configuration||Configuration ► Templates ► Feature||X||For Cisco IOS XE routers.|
|Multilink configuration||Configuration ► Templates ► Feature||X||For Cisco IOS XE routers.|
|SVI configuration||Configuration ► Templates ► Feature||X||For Cisco IOS XE routers.|
|Switch Port configuration||Configuration ► Templates ► Feature||X||For Cisco IOS XE routers.|
Upgrade to SD-WAN Software Release from IOS-XE SD-WAN Release 18.3 to IOS-XE SD-WAN Release 18.4
For details on upgrading the Cisco IOS XE software, see Software Installation and Upgrade for Cisco IOS XE Routers.
For details on upgrading the Viptela software, see Software Installation and Upgrade for vEdge Routers.
Note: You cannot install a Release 17.2 or earlier image on a vEdge router that is running Release 18.2.0 or later. This is the result of security enhancements implemented in Release 18.2.0. Note that if a Release 17.2 or earlier image is already present on the router, you can activate it.
Note: When the vManage NMS is running Release 18.4.x, all IOS XE routers in the overlay network must run Release 16.10.1 or later.
To upgrade your vEdge router to SD-WAN Software Release 18.4:
1. In vManage NMS, select the Maintenance ► Software Upgrade screen.
2. Upgrade the controller devices to Release 18.4 in the following order:
   a. Upgrade the vManage NMSs in the overlay network.
   b. Upgrade the vBond orchestrators.
   c. Upgrade the vSmart controllers.
3. Select the Monitor ► Network screen.
4. Select the devices you just upgraded, click the Control Connections tab, and verify that control connections are established.
5. Select the Maintenance ► Software Upgrade screen, and upgrade the vEdge routers.
Note: After you upgrade software on a vManage NMS to any major release, you can never downgrade it to a previous major release. For example, if you upgrade the vManage NMS to Release 18.4, you can never downgrade it to Release 18.3 or to any earlier software release.
The major release number consists of the first two numbers in the software release number. For IOS XE SD-WAN software, 16.10 is a major release, and 16.10.1 denotes the initial release of 16.10. For SD-WAN software, 18.4 and 18.3 are examples of major releases. Releases 18.4.0 and 18.3.0 denote the initial releases, and Releases 18.3.1 and 18.2.1 are maintenance releases.
Note: When you upgrade from 16.9.x to 16.10.x, bootflash on 4GB platforms in 16.10.3 needs 400MB of free space in addition to holding up to 3 images. Keeping more than 400 MB free in bootflash is recommended for error-free installs and upgrades. The software reset command is not supported when the image is downloaded through USB and TFTP. Software reset is supported only through bootflash.
Upgrade from IOS-XE SD-WAN Release 16.2 and Earlier Software Releases
Because of software changes in Release 16.3, you must modify the router configuration as follows before you upgrade from Release 16.2 or earlier to Release 18.3:
- Use max-control-connections 0 instead of the no control-connections command in tunnel-interface configuration mode. The no control-connections command has been deprecated and has no effect on releases 17.2 and later.
- You can no longer configure RED drops on low-latency queuing (LLQ; queue 0). That is, if you include the policy qos-scheduler scheduling llq command in the configuration, you cannot configure drops red-drop in the same QoS scheduler. If your vEdge router has this configuration, remove it before upgrading to Release 17.2. If you do not remove the RED drop configuration, the configuration process (confd) fails after you perform the software upgrade, and the Viptela devices roll back to their previous configuration.
- For vEdge 2000 routers, you can no longer configure interfaces that are not present in the router. That is, the interface names in the configuration must match the type of PIM installed in the router. For example, if the PIM module in slot 1 is a 10-Gigabit Ethernet PIM, the configuration must refer to the proper interface name, for example, 10ge1/0, and not ge1/0. If the interface name does not match the PIM type, the software upgrade fails. Before you upgrade from Release 16.2 or earlier to Release 17.2, ensure that the interface names in the router configurations are correct.
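A pre-upgrade check for the three configuration conditions listed above, as an added example (not Cisco code or tooling). It assumes the router configuration is available as text in the indented CLI layout; the sample configuration, the function name, and the `pim_types` inventory mapping are constructed for illustration.

```python
import re

# Constructed sample in the indented CLI layout; names and values are made up.
SAMPLE_CONFIG = """\
vpn 0
 interface 10ge1/0
  tunnel-interface
   color mpls
   no control-connections
  !
 !
 interface ge1/1
  no shutdown
 !
!
policy
 qos-scheduler voice
  class voice-class
  scheduling llq
  drops red-drop
 !
 qos-scheduler bulk
  class bulk-class
  scheduling wrr
  drops red-drop
 !
!
"""

# Matches physical interface names such as ge1/0 or 10ge1/0 (not subinterfaces).
IFACE_RE = re.compile(r"^interface (10ge|ge)(\d+)/\d+$")


def lint_pre_upgrade(config_text, pim_types=None):
    """Return sorted (line_number, message) findings for the three checks.

    pim_types is a hypothetical inventory input: slot number -> "ge" or
    "10ge", the interface prefix of the PIM installed in that slot.
    """
    pim_types = pim_types or {}
    findings = []
    schedulers = []        # one dict per qos-scheduler block
    current = None         # scheduler block currently being read, if any
    current_indent = 0

    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if current is not None and indent <= current_indent:
            current = None  # indentation dropped back: scheduler block ended

        if line == "no control-connections":
            findings.append((lineno, "deprecated 'no control-connections'; "
                                     "use 'max-control-connections 0'"))
        elif line.startswith("qos-scheduler "):
            current = {"name": line.split()[1], "llq": False, "red": None}
            current_indent = indent
            schedulers.append(current)
        elif current is not None and line == "scheduling llq":
            current["llq"] = True
        elif current is not None and line == "drops red-drop":
            current["red"] = lineno
        else:
            match = IFACE_RE.match(line)
            if match:
                prefix, slot = match.group(1), int(match.group(2))
                expected = pim_types.get(slot)
                if expected and expected != prefix:
                    findings.append((lineno, f"'{line}' does not match the "
                                             f"{expected} PIM in slot {slot}"))

    # RED drops are only a problem in a scheduler that also uses LLQ.
    for sched in schedulers:
        if sched["llq"] and sched["red"] is not None:
            findings.append((sched["red"], f"qos-scheduler {sched['name']}: "
                                           "red-drop configured on LLQ"))
    return sorted(findings)


if __name__ == "__main__":
    # Slot 1 holds a 10-Gigabit Ethernet PIM in this constructed inventory.
    for lineno, message in lint_pre_upgrade(SAMPLE_CONFIG, {1: "10ge"}):
        print(f"line {lineno}: {message}")
```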
The following are known behaviors of the hardware:
- On vEdge 1000 routers, support for USB controllers is disabled by default. To attach an LTE USB dongle to a vEdge 1000 router, first attach the dongle, and then enable support for USB controllers on the vEdge router by adding the system usb-controller command to the configuration. When you enter this command in the configuration, the router immediately reboots. Then, when the router comes back up, continue with the router configuration. Also for vEdge 1000 routers, if you plug in an LTE USB dongle after you enable the USB controller, or if you hot swap an LTE USB dongle after you enable the USB controller, you must reboot the router in order for the USB dongle to be recognized. For information about enabling the USB controller, see USB Dongle for Cellular Connection.
- For vEdge 2000 routers, if you change the PIM type from a 1-Gigabit Ethernet to a 10-Gigabit Ethernet PIM, or vice versa, possibly as part of an RMA process, follow these steps:
  1. Delete the configuration for the old PIM (the PIM you are returning as part of the RMA process).
  2. Remove the old PIM, and return it as part of the RMA process.
  3. Insert the new PIM (the PIM you received as part of the RMA process).
  4. Reboot the vEdge 2000 router.
  5. Configure the interfaces for the new PIM.
- On a vEdge 5000 router, you cannot enable TCP optimization by configuring the tcp-optimization-enabled command.
The following are known behaviors of the software:
- On vEdge 100m-NA and 100m-GB routers, when you configure profile 1 for a wireless WAN, you might see the error "Aborted: 'vpn 0 interface cellular0 profile': Invalid profile 1 : APN missing". [VIP-31721]
- When configuring cellular attach-profile and data-profile on Cisco IOS XE routers running the XE SD-WAN software, you must use the default profile ID.
- The vEdge 100wm router United States certification allows operation only on non-DFS channels.
- When you are configuring primary and last-resort cellular interfaces with high control hello interval and tolerance values, note the following caveats:
  - When you configure two interfaces, one as the primary interface and the other as the last-resort interface, and when you configure a high control hello interval or tolerance values on the last-resort interface (using the hello-interval and hello-tolerance commands, respectively), the OMP state indicates init-in-gr even though it shows that the control connections and BFD are both Up. This issue was resolved in Release 16.2.3. However, the following caveats exist:
    - You can configure only one interface with a high hello interval and tolerance value. This interface can be either the primary or the last-resort interface.
    - In certain cases, such as when you reboot the router or when you issue shutdown and no shutdown commands on the interfaces, the control connections might take longer than expected to establish. In this case, it is recommended that you issue the request port-hop command for the desired color. You can also choose to wait for the vEdge router to initiate an implicit port-hop operation. The request port-hop command or the implicit port hop initiates the control connection on a new port. When the new connection is established, the stale entry is flushed from the vSmart controllers.
  - If the primary interface is Up, as indicated by the presence of a control connection and a BFD session, and if you configure a last-resort interface with higher values of hello interval and tolerance than the primary interface, if you issue a shutdown command, followed by a no shutdown command on the last-resort interface, the last-resort interface comes up and continuously tries to establish control connections. Several minutes can elapse before the operational status of the last-resort interfaces changes to Down. If this situation occurs, it is recommended that you issue a request port-hop command for the desired color.
  - If you have configured a primary interface and a last-resort interface that has higher hello interval and tolerance values than the primary interface, and if the last-resort interface has control connections to two vSmart controllers, if you issue a shutdown command, followed by a no shutdown command on the last-resort interface, a control connection comes up within a reasonable amount of time with only one of the vSmart controllers. The control connection with the second vSmart controller might not come up until the timer value configured in the hello tolerance has passed. If this situation occurs, it is recommended that you issue a request port-hop command for the desired color.
- When you activate the configuration on a router with cellular interfaces, the primary interfaces (that is, those interfaces not configured as circuits of last resort) and the circuit of last resort come up. In this process, all the interfaces begin the process of establishing control and BFD connections. When one or more of the primary interfaces establishes a TLOC connection, the circuit of last resort shuts itself down because it is not needed. During this shutdown process, the circuit of last resort triggers a BFD TLOC Down alarm and a Control TLOC Down alarm on the vEdge router. These two alarms are cleared only when all the primary interfaces lose their BFD connections to remote nodes and the circuit of last resort activates itself. This generation and clearing of alarms is expected behavior.
- For cellular interface profile, the profile number can be 0 through 15. Profile number 16 is reserved, and you cannot modify it.
Configuration and Command-Line Interface
- When you upgrade to Release 17.2 from any prior Viptela software release, the CLI history on the Viptela device is lost. The CLI history is the list of commands previously entered at the CLI prompt. You typically access the history using the up and down arrows on the keyboard or by typing Ctrl-P and Ctrl-N. When you upgrade from Release 17.2 to a later software release, the CLI history is maintained.
- When you issue the request reset configuration command on a vEdge Cloud router, a vManage NMS, or a vSmart controller, the software pointer to the device's certificate might be cleared even though the certificate itself is not deleted. When the device reboots and comes back up, installation of a new certificate fails, because the certificate is already present. To recover from this situation, issue the request software reset command.
Control and BFD Connections
- When a vBond orchestrator, vManage NMS, or vSmart controller goes down for any reason and the vEdge routers remain up, when the controller device comes back up, the connection between it and the vEdge router might shut down and restart, and in some cases the BFD sessions on the vEdge router might shut down and restart. This behavior occurs because of port hopping: when one device loses its control connection to another device, it port hops to another port in an attempt to reestablish the connection. For more information, see the Firewall Ports for Viptela Deployments article. Two examples illustrate when this might occur:
  - When a vBond orchestrator goes down for any reason, the vManage NMS might take down all connections to the vEdge routers. The sequence of events that occurs is as follows: when the vBond orchestrator crashes, the vManage NMS might lose or close all its control connections. The vManage NMS then port hops, to try to establish connections to the vSmart controllers on a different port. This port hopping on the vManage NMS shuts down and then restarts all its control connections, including those to the vEdge routers.
  - All control sessions on all vSmart controllers go down, and BFD sessions on the vEdge routers remain up. When any one of the vSmart controllers comes back up, the BFD sessions on the routers go down and then come back up because the vEdge routers have port hopped to a different port in an attempt to reconnect to the vSmart controllers.
- When a vEdge router running Release 16.2 or later is behind a symmetric NAT device, it can establish BFD sessions with remote vEdge routers only if the remote routers are running Release 16.2 or later. These routers cannot establish BFD sessions with a remote vEdge router that is running a software release earlier than Release 16.2.0.
- When you add or remove an IPv4 address on a tunnel interface (TLOC) that already has an IPv6 address, or when you add or remove an IPv6 address on a TLOC that already has an IPv4 address, the control and data plane connections for that interface go down and then come back up.
- Release 16.3 introduces a feature that you can use to configure the preferred tunnel interface to use to exchange traffic with the vManage NMS. In the vManage NMS, you configure this on cellular, Ethernet, and PPP Interface feature templates, in the vManage Connection Preference field under Tunnel Interface. In the CLI, you configure this with the vmanage-connection-preference command. The preference value can be from 0 through 8, with a lower number more preferable. The default value is 5. If you set the preference value to 0, that tunnel interface is never used to exchange traffic with the vManage NMS, and it is never able to send or receive any overlay network control traffic.
With this configuration option, there is one situation in which you can accidentally configure a device such that it loses all its control connections to all Viptela controller devices (the vManage NMSs and the vSmart controllers). If you create feature templates and then consolidate them into a device template for the first time, the NMS software checks whether each device has at least one tunnel interface. If not, a software error is displayed. However, when a device template is already attached to a device, if you modify one of its feature templates such that the connection preference on all tunnel interfaces is 0, when you update the device with the changes, no software check is performed, because only the configuration changes are pushed to the device, not the entire device template. As a result, these devices lose all their control connections. To avoid this issue, ensure that the vManage connection preference on at least one tunnel interface is set either to the default or to a non-0 preference value.
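One way to run the missing check yourself before pushing a feature-template edit, as an added example (not Cisco code or a vManage API). It assumes the device's current configuration is available as CLI text; the sample configuration and the function names are constructed, and only the `vmanage-connection-preference` command, its 0 through 8 range, and its default of 5 come from the text above.

```python
DEFAULT_PREFERENCE = 5            # default stated in the release notes
VALID_PREFERENCES = range(0, 9)   # 0 through 8; 0 = never used toward vManage

# Constructed sample in the indented CLI layout; names and values are made up.
SAMPLE_CONFIG = """\
vpn 0
 interface ge0/0
  tunnel-interface
   color biz-internet
  !
 !
 interface ge0/1
  tunnel-interface
   color lte
   vmanage-connection-preference 0
  !
 !
 interface ge0/2
  ip address 10.0.0.1/24
 !
!
"""


def tunnel_preferences(config_text):
    """Map each tunnel interface to its effective connection preference.

    An interface with a tunnel-interface block but no explicit
    vmanage-connection-preference line gets the default value.
    """
    prefs = {}
    iface = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "interface" and len(words) == 2:
            iface = words[1]
        elif words[0] == "tunnel-interface" and iface:
            prefs[iface] = DEFAULT_PREFERENCE
        elif (words[0] == "vmanage-connection-preference"
              and len(words) == 2 and iface in prefs):
            prefs[iface] = int(words[1])
    return prefs


def check_preferences(prefs):
    """Return a list of problems; an empty list means the device stays reachable."""
    problems = []
    for name, value in sorted(prefs.items()):
        if value not in VALID_PREFERENCES:
            problems.append(f"{name}: preference {value} is outside 0-8")
    if not prefs:
        problems.append("no tunnel interface is configured")
    elif all(value == 0 for value in prefs.values()):
        problems.append("every tunnel interface has preference 0: the device "
                        "would lose all its control connections")
    return problems


def check_template_change(config_text, changed):
    """Evaluate a pending edit against the whole device, not just the delta.

    changed maps interface name -> new preference, i.e. only the values
    a modified feature template would push.
    """
    merged = tunnel_preferences(config_text)
    unknown = sorted(set(changed) - set(merged))
    merged.update({k: v for k, v in changed.items() if k in merged})
    problems = [f"{name}: not a tunnel interface in the current configuration"
                for name in unknown]
    return problems + check_preferences(merged)


if __name__ == "__main__":
    # ge0/1 is already 0; setting ge0/0 to 0 as well must be rejected.
    for problem in check_template_change(SAMPLE_CONFIG, {"ge0/0": 0}):
        print("BLOCK PUSH:", problem)
```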
- On virtual interfaces, such as IRB, loopback, and system interfaces, the duplex and speed attributes do not apply, and you cannot configure these properties on the interfaces.
- When a vEdge router has two or more NAT interfaces, and hence two or more DIA connections to the internet, by default, data traffic is forwarded on the NAT interfaces using ECMP. To direct data traffic to a specific DIA interface, configure a centralized data policy on the vSmart controller that sets two actions—nat and local-tloc color. In the local-tloc color action, specify the color of the TLOC that connects to the desired DIA connection.
- When configuring interfaces for an IOS XE router using one of the VPN Interface feature configuration templates, you must spell out the interface names completely. For example, you must type GigabitEthernet0/0/0. Also, you must define all the interfaces in the router even if you are not using them so that they are configured in the shutdown state and so that all default values for them are configured.
- For IOS XE routers that have a DSLAM module plugged in, you must include the VPN Interface DSL PPPoA or the VPN Interface DSL PPPoE feature configuration template in the device configuration template to successfully configure the routers from vManage NMS.
- You can configure IPv6 only on physical interfaces (ge and eth interfaces), loopback interfaces (loopback0, loopback1, and so on), and on subinterfaces (such as ge0/1.1).
- For IPv6 WAN interfaces in VPN 0, you cannot configure more than two TLOCs on the vEdge router. If you configure more than two, control connections between the router and the Viptela controllers might not come up.
- IPv6 transport is supported over IPsec encapsulation. GRE encapsulation is not supported.
- You cannot configure NAT and TLOC extensions on IPv6 interfaces.
- HMAC failure due to incorrect stale NAT fixup entry for the IPsec session after symnat session flap.
- DHCPv6 returns only an IPv6 address. No default information is accepted. IPv6 router solicitation and router advertisement messages are not processed.
- On integrated routing and bridging (IRB) interfaces, you cannot configure autonegotiation.
- When you reboot a vSmart controller, the BFD sessions for all symmetric NAT devices go down and come back up. This is expected behavior.
- In policy definitions, any application list or application family list that you define with an app-list option cannot have more than 10 items per list.
- When a vEdge router transport interface is using an old IPv6 SLAAC address for control connections or BFD sessions, or both, the IP address used for control connections and BFD might become out of sync with the actual IPv6 address. This situation can happen when the IPv6 address that SLAAC advertises from the gateway router changes suddenly and the old IPv6 address has not first been invalidated. As a workaround, if the router has no mechanism to invalidate older prefixes when the IPv6 prefix changes, first remove the router-advertisement configuration on the default gateway router and then change the IPv6 address. To resolve this problem when it occurs on a vEdge router, shut down the interface and then restart it; that is, issue a shutdown command, followed by a no shutdown command.
- When you configure OSPF using a vManage NMS device configuration template, the configuration of an NSSA area or a stub area and the configuration of an area range are not pushed to the router when you attach the device configuration template to the router. As a workaround, configure these parameters in CLI mode on the router, from the vManage Tools ► SSH Terminal screen, using the OSPF area and range configuration commands.
- It is recommended that you use IKE Version 2 only with Palo Alto Networks and Ubuntu strongSwan systems. Viptela has not tested IKE Version 2 with other systems.
- When you configure an SNMP trap target address, you must use an IPv4 address.
- The Viptela interface MIB supports both 32-bit and 64-bit counters, and by default sends 64-bit counters. If you are using an SNMP monitoring tool that does not recognize 64-bit counters, configure it to read 32-bit MIB counters.
- On a vEdge router, if you perform an snmpwalk getnext request for an OID for which there is no information, the response that is returned is the next available instance of that OID. This is the expected behavior.
- If you wish to change the card and controller type on the device, you must first remove the previously configured card and controller and reboot the device.
- You cannot configure rollback or load override features on a multilink interface.
- PPP multilink QoS is currently not supported in the VPN Interface Multilink template.
- PPP multilink NAT is currently not supported in the VPN Interface Multilink template.
For a vEdge Cloud VM instance on the KVM hypervisor, for Viptela Releases 16.2.2 and later, it is recommended that you use virtio interfaces. For software versions earlier than Release 16.2.2, if you are using the Ubuntu 14.04 or 16.04 LTS operating system, you can use IDE, virtio, or virtio-scsi interfaces.
- On a Viptela device that is being managed by a vManage NMS system, if you edit the device's configuration from the CLI, when you issue the commit command, you are prompted to confirm the commit operation. For example:
The following warnings were generated:
'system is-vmanaged': This device is being managed by the vManage. Any configuration changes to this device will be overwritten by the vManage.
You must enter either yes or no in response to this prompt.
During the period of time between when you type commit and when you type either yes or no, the device's configuration database is locked. When the configuration database on a device is locked, the vManage NMS is not able to push a configuration to the device, and from the vManage NMS, you are not able to switch the device to CLI mode.
- The members of a vManage cluster rely on timestamps to synchronize data and to track device uptime. For this time-dependent data to remain accurate, do not change the clock time on any one of the vManage servers of the cluster after you create the cluster.
- When you use the vManage Maintenance ► Software Upgrade screen to set the default software version for a network device, that device must be running Release 16.1 or later at the time you set the default software version. If the network device is running Release 15.4 or earlier, use the CLI request software set-default command to set the default software version for that device.
- When you are using a vManage cluster and you bring up a new vManage NMS in the cluster, use an existing vManage NMS to install the certificate on the new vManage NMS.
- In vManage feature configuration templates, for the passwords listed below, you cannot enter a cleartext password that starts with $6 or $8. You can, however, use such passwords when you are configuring from the CLI.
  - Neighbor password, in the BGP feature configuration template
  - User password, in the Cellular Profile feature configuration template
  - Authentication type password and privacy type password, in the SNMP feature configuration template
  - RADIUS secret key and TACACS+ secret key, in the System feature configuration template
  - IEEE 802.1X secret key, in the VPN Interface Ethernet feature configuration template
  - IPsec IKE authentication preshared key, in the VPN Interface IPsec feature configuration template
  - CHAP and PAP passwords, in the VPN Interface PPP Ethernet feature configuration template
  - Wireless LAN WPA key, in the WiFi SSID feature configuration template
- PPP CHAP is currently not supported in the VPN Interface Multilink template.
- PPP multilink fragmentation is currently not supported in the VPN Interface Multilink template.
- If a serial interface is bundled into a multilink interface, you cannot remove it from the vManage NMS.
- After you attach the VPN Interface Multilink template to a device, you cannot detach it from the device.
- The maximum aggregated crypto throughput for the ISR 1000 series routers is 250 Mbps. HSECK9 license is required to achieve IPSec tunnel scale greater than 100 on ISR1000 series routers.
- Base licensing package of AX needs to be enabled for IOS-XE SDWAN ISRv during VM deployment on the ENCS portal.
The following are outstanding issues in XE-SDWAN Software Release 16.10 and SD-WAN Software Release 18.4. The CSC number following each issue is the bug number in the Cisco Defect Tracking System. The VIP number following each issue is the bug number in the Viptela bug-tracking database.
- When you configure cellular interfaces on an IOS XE router, the cellular profile may not be written to the modem. [CSCvk08395]
- On an IOS XE router, you cannot delete the VDSL controller configuration. [CSCvk27232]
- On an ISR 4331 router, when you remove the last-resort configuration from an interface, the router might crash. [CSCvm26371]
Configuration and Command-Line Interface
- When the vManage AAA feature template is used to configure TACACS authentication, vManage does not generate the correct configuration for IOS-XE SD-WAN routers. As a result, TACACS authentication is not working for those routers. [CSCvn38487/VIP-47732]
- With the ping source ip-address command, if you type it as ping so ip-address, the CLI does not autocomplete so and the command fails. You must type out the keyword source. [CSCvi46383/VIP-36087]
- If a physical interface is part of a bridge, you cannot adjust the MTU on the interface. As a result, the 802.1Q interface's MTU has to be lowered to 1496. If the interface needs to also run OSPF, this MTU size can cause an MTU mismatch with other interfaces that have an MTU of 1500. [CSCvi59620/VIP-26759]
- On an IOS XE router, the file generated by the request admin-tech command might not include DSL-related information or ATM/dialer-related information. [CSCvj43195, CSCvj54679]
- On IOS XE routers, when you configure users to be in different AAA user groups, both groups might have the same privilege level. [CSCvj29165/VIP-39683]
- The show omp routes command output might display the incorrect tag for OMP routes. [CSCvj82776/VIP-39722]
- When you attempt to activate a vEdge cloud router on which the organization name is not configured, the router is not activated and no error message is displayed. [CSCvk10038/VIP-40503]
- A template push from the vSmart controller might fail with an application communication error. [CSCvk31357/VIP-41576]
- When two routes exist to the same neighbor, if you specify a single IP address in the show ip routes command, the command might return only one of the routes, but if you specify an IPv4 prefix and prefix length, the command returns both routes. [VIP-32736]
- IOS-XE SD-WAN routers: username and password are not in default config on the device. [CSCvm55048]
- Update statistics from Octeon Viptela code to platform [CSCvj26197]
- VRRP for Cisco vEdge cloud is not supported on E1000 and VMXNET3 I/O types from 18.3 version onwards. [CSCvn53200/VIP-48217]
- If you disable deep packet inspection (DPI) on a vEdge router, traffic directed towards queue 0 (LLQ) might become bursty or might be dropped. [CSCvi35220/VIP-34211]
- When you configure a cellular interface as a last-resort interface, the cellular interface might remain up at all times. [CSCvi49913/VIP-34495]
- Routes might be installed in the routing table with the incorrect color. [CSCvi59626/VIP-35088]
- When you switch data traffic from one tunnel to another (for example, from a biz-ethernet to an lte tunnel), a small amount of traffic might be lost. [CSCvi66931/VIP-27992]
- On an IOS XE router, VPN 0 traffic might not be NATed over interfaces configured as TLOC extensions. [CSCvk34856/VIP-41673]
- On a vEdge 100 router with an IPv6 underlay, the throughput speed might decrease noticeably. [CSCvk52771/VIP-42167]
- For IEEE 802.1X, you cannot configure a RADIUS server for MAC authentication bypass (MAB). [VIP-18492]
- In application-aware routing policy, the salesforce_chatter, oracle_rac, and google_photos applications might not be classified properly. [VIP-21866]
- The Admin-tech request through vManage fails on multiple platforms: ISR4331, ISR4351, ASRs, and CSRs. [CSCvk48972]
- IOS-XE SD-WAN: Remove symnat and priv color from bfd capabilities and add to bfd flags [CSCvo26884]
- On IOS XE routers, when you issue the show control local-properties command, the output might show that a subinterface's state is up even though its administrative state is down. [CSCvk72903/VIP-42864]
- The output of the show interface command might not display subinterfaces. [CSCvk77546/VIP-43214]
- The output of the show interface queue command might not correctly report the number of dropped packets. [CSCvm39500/VIP-43970]
- On IOS XE routers, the load override of configs having Loopback interface as part of VRF and OSPF passive interface fails. [CSCvk01958]
- vEdge irb: interface queue showing tx-packets > 0 but queued packets = 0. [CSCvn67669]
- On a vEdge router, for normal data packets without Forward Error Correction/Packet Duplication (fec/pkt_dup), the MSS is set to 1361 and maximum MTU is 1441. However, for data with fec/pkt_dup enabled, the MTU is set to 1430. MSS should adjust the header size to 1361-11 bytes. [CSCvn25392/VIP-47223]
- On an IOS XE router, when you configure a centralized data policy with no sequences and with the default action (drop), the from-service or from-tunnel apply options might not work. [CSCvh94044]
- In the vManage Centralized Policy UI Builder, the Membership has no options to accept or reject and no way to change the default action. These options are all available in CLI and need to be added to the UI builder for the same capabilities. [CSCvj43085/VIP-38730]
- You cannot match ICMP in a policy that you associate with the source and destination zones in a zone pair, because ICMP is not a transport layer protocol and zone pair policies match only TCP protocols. [CSCvk03248]
- In vManage NMS, when you use the policy configuration wizard to create policies for a mesh topology, you might need to create an additional policy using a CLI template for the mesh policy to work. This situation is known to occur in a network that has two regions, where each region is a mesh that is a subset of the entire network, where each region has its own data center, and where the branch vEdge routers in one region communicate with branch routers in the other region through the data centers. We will call these Region 1 and Region 2. Assume that Region 1 has a control policy that advertises its TLOCs to the data center in Region 2, and Region 2 has a control policy that prevents the spokes and data center in Region 2 from advertising TLOCs to the spokes in Region 1. The result is that the data center in Region 2 repeatedly attempts to form control tunnels to the data center in Region 1, but these attempts fail. As a workaround, you must create a policy using a CLI template that allows the data center in Region 2 to exchange TLOCs with the data center in Region 1 and then attach that policy to the vEdge routers. [VIP-29933]
- Regression testcase test_static_rt_redist_policy failing while deleting metric from route map. [CSCvo04039]
- In the BGP feature template, the BGP neighbor route policy variable name is displayed as the default name (bgp_neighbor_policer_out_pol_name) rather than the name you enter. However, the name you enter does show up when you are attaching the template to the device. [CSCvj17396/VIP-37988]
- Control connections to vBond fail to come up when vbond name is configured. [CSCvo34489]
- When you configure IPS/URLF, the QFP ucode crashes when the SD-WAN control plane flaps or is manually cleared frequently with high traffic. [CSCvn67937/VIP-48638]
- If you are upgrading a router from IOS XE 18.3 to IOS XE 18.4, the supported devices field is not visible in vManage. This is because the supported devices field is introduced in 18.4 vManage and cannot be associated with the policy created in the IOS XE 18.3 release. [CSCvn69434/VIP-48679]
- In an overlay network with three vSmart controllers, if a controller group list configured on a 100 vEdge router contains two vSmart controllers, the maximum number of controllers that the router can connect to is set to two, and the maximum number of OMP sessions on the router is set to two, 50 routers connect to each of two vSmart controllers. If you bring these two controllers down, all 100 connections then move to the third vSmart controller. However, if you then bring up one of the other vSmart controllers, 50 connections move to that controller, but the third controller might still have 100 connections. [VIP-27955]
- IN_US_V4_PKT_SA_NOT_FOUND_SPI drops after rekey. [CSCvj71846]
- When you poll the VIPTELA-OPER-VPN MIB, interface descriptions are limited to 32 characters. [CSCvi37645/VIP-35787]
- When you change the negotiated interface speed in a vEdge router, the buffer allocation also changes. [CSCvi80775/VIP-37238]
- When control connections are coming up on an ISR 11000 router, you might see kernel traceback error messages on the console. These messages have no effect on router functionality. [CSCvi88112]
- The gzip process on a router might consume a lot of CPU. [CSCvj58797/VIP-39228]
- You might not be able to open an SSH connection from a vEdge router to a vManage NMS. [CSCvk61571/VIP-42465]
- A vEdge 1000 router might silently reboot with reboot reason "Soft Reset (Watchdog)". [CSCvk78682/VIP-43640]
- When you change the speed on a Finisar FCLF-8521-P2BTL transceiver from 1000 Mbps to 100 Mbps, packets might be dropped. [CSCvk78638/VIP-43617]
- With AWS, you might not be able to upgrade the vBond orchestrator software, because the AWS region might throttle the rate of transferring the software image file from the vManage NMS to the vBond controller. As a workaround, perform the software upgrade from the CLI. [CSCvk79267/VIP-43918]
- On vEdge routers, when you issue an nping command for IPv6, the command might fail, and a core file might be created on the router. From vManage NMS, you issue this command from the Monitor ► Network ► Troubleshooting ► Ping pane. From the CLI, you use the tools nping command, specifying options "--ipv6". [VIP-31924]
- Memory leak in SMAND. [CSCvo34208]
- kernel.rp_RP crash on 4221x. [CSCvn71889]
- Failed to install or remove hseck9 license on TSN cEdge 16.10. [CSCvo23345]
- linux_iosd memory goes up on ISR1100 over extended soak. [CSCvo40967]
- Seeing error when performing software reset on 16.10 branch. [CSCvo56293]
- ISR1100 not booting up after power cycle and gets stuck in boot loop - cdb itself gets corrupted. [CSCvq84015]
- NTP issue on Cisco XE SD-WAN Router - cannot specify source interface in service VPN. [CSCvp09156]
- When you upgrade to the 16.10.1 release, the boot variable is empty. [CSCvn29173]
- Passive FTP connection fails when connections are routed through DIA link of vEdge. [CSCvq62764]
- When you push a policy that contains an error to the vSmart controller, the error message might not correctly indicate the cause of the error. [CSCvi32788/VIP-32253]
- In the vManage AAA feature template, you might not be able to enter the RADIUS secret key even though you can enter that same key in the CLI. [CSCvi34649/VIP-31856]
- If NMS services are down on one of the servers in a vManage cluster, you might not be able to perform CLI operations from the vManage NMS. [CSCvj00848/VIP-37672]
- In a vManage cluster with two servers, if both servers go down, you might need to manually restart the vManage services to return the vManage servers to an operational state. To do this, issue the request nms configuration-db restart command from the vManage server. One way to determine whether you need to restart the services is to check the /var/log/nms/debug.log file on the vManage server for a message indicating that neo4j needs to be restarted. [CSCvj29075/VIP-38228]
- On a vEdge router, a packet capture/speed test might fail with the error, "Device Error: Failed to read server configuration" after the router reboots after power is added and the router is then re-added to the overlay network. This problem occurs because the data stream collection setting on the vManage NMS might become out of sync while the vEdge router is temporarily disconnected from the network. As a workaround, disable the data stream collection on the vManage Administration ► Settings screen and then re-enable it. [CSCvk11112/VIP-40569]
- On an IOS XE router, you might not be able to delete a dialer interface in no shut state from the vManage NMS. [CSCvk27129/VIP-41680]
- When a ZTP Software Install task starts while a Software Install task is in progress, the installation task might fail. [CSCvk40360/VIP-41873]
- When under a heavy load, the vManage NMS might become slow to respond, and control connections might go down and come back up. [CSCvk59440/VIP-42319]
- On a vEdge Cloud VM instance on Azure, the public IP address might be bound to the management NIC instead of to the transport NIC. [CSCvk77997/VIP-43406]
- In Release 18.3.0, when you attach a template to a newly RMAed router, you might receive a connection refused message even though the router has control connections to the vManage NMS. [CSCvm62440/VIP-44653]
- If you try to configure a vEdge router using vManage configuration templates, you might see errors related to lock-denied problems. As a workaround, reboot the router. [VIP-23826]
- When you use the vManage NMS and the CLI show system status command, the reboot reason is incorrect; it is shown as unknown. The /var/log/tmplog/vdebug logs show that the system reboot happened because of a user-initiated upgrade to Release 17.1.3. [VIP-31222]
- source-interface mapping is missing in vManage for tacacs and radius server group. [CSCvn76615]
- Config Diffs not aligned properly in vManage due to line spacing. [CSCvo88281]
- Network > Device > Real Time options won't be displayed if we log in with SSO. [CSCvp50832]
Issues Fixed in Releases 16.10.3 and 18.4.3
The following issues have been fixed in XE-SDWAN Software Release 16.10.3 and SD-WAN Software Release 18.4.3. The CSC number following each issue is the bug number in the Cisco Defect Tracking System.
- vQos - Packets buffered too long in the interface queue. [CSCvk06180]
- Admin-tech failure via vManage for multiple Cisco XE SD-WAN Router platforms. [CSCvk48972]
- SSO Requires browser cache to sign in after first login. [CSCvk79079]
- 'default-information originate' not disabled in VPN0 [CSCvm56707]
- config commit operation fails on ISRv on 5406 with error ext2_lookup:deleted inode referenced. [CSCvm97332]
- qos: can't change bandwidth allocation for the class in the qos-map. [CSCvn18683]
- vManage needs to adjust memory threshold for warnings on Cisco XE SD-WAN Router platform. [CSCvn22546]
- "Factory reset all" makes the Cisco XE SD-WAN Router inaccessible. Can't boot image fr bootflash. [CSCvn32354]
- Cloudexpress Errors - Failed to enable sites for CloudExpress. [CSCvn38443]
- vManage does not generate proper AAA configuration for Cisco XE SD-WAN Router. [CSCvn38487]
- Login banner does accept banners over 238 characters. [CSCvn44400]
- Device crashing if we unconfigure the NTP on the device. [CSCvn45732]
- Cisco XE SD-WAN Router: Locally sourced packets using wrong interface with ECMP. [CSCvn55971]
- After swapping tunnel-destination among 2 gre-intfs, one of the gre-intf does not get programmed. [CSCvn56474]
- NTP template attach fails with a non default vrf and source interface configured. [CSCvn59626]
- vManage - VMAN does not gen proper config for DHCP static binding w/ hostname specified. [CSCvn66750]
- Cisco XE SD-WAN Router cli_template: Unable to move interface from global vpn. [CSCvo00790]
- class-queue mappings are never pushed until there are class references in local policy. [CSCvo02422]
- 'SNMP has locked CDB' error while trying to edit a user group in vManage. [CSCvo02433]
- SVM: transaction log can grow up to 25 GB in size. [CSCvo02607]
- packets sourced with loopback interface and that are exceeding mtu on the service side are not fragm. [CSCvo02748]
- vEdge-1000 reboot with 18.4.0 (FP core watchdog fail). [CSCvo26474]
- Not able to push CLI template due to kafka error (Too many open files). [CSCvo26926]
- fman_fp crash after upgrading to build 201. [CSCvo31413]
- WAN Interface stays down after an upgrade or reload of a vEdge 5000. [CSCvo48927]
- 'show system statistics diff' does not work. [CSCvo61990]
- 'allow-service bgp' on vEdge Cloud not working as expected. [CSCvo68150]
- sdwan: vManage should not push ip nbar protocol-discovery on loopback0. [CSCvo68788]
- Google applications access issues when using DIA with app-list match in data-policy. [CSCvo68842]
- SVM: server config file is empty. [CSCvo69041]
- vManage does not handle chassis id in uppercase when activating vEdge Cloud. [CSCvo69105]
- Device may show out of sync after a control connection flap. [CSCvo70767]
- Cisco IOS-XE SD-WAN router with factory 16.9.2 software is shown as vEdgeCloud on vManage. [CSCvo74585]
- UTD: Server response is leaked if URL verdict response is late. [CSCvo77664]
- template push failure on ISR4331(16.10) due to discrepancy in setting "weight" (tunnel) parameter. [CSCvo79535]
- vManage in 18.4.1 is unable to push banner to Cisco XE SD-WAN Router 16.10.2. [CSCvo94092]
- vEdge5000: control connection stuck in "Challenge" phase with TPM lockup. [CSCvp13167]
- snmp-server trap-source configuration is not generated for Cisco XE SD-WAN Router by vManage. [CSCvp13833]
- sdwan isr receiving any SOO changes AD to 252. [CSCvp16606]
- DHCP relay not forwarding dhcp request packets. [CSCvp18231]
- vManage generates incorrect Cisco XE SD-WAN Router config for DHCP excluded-address ranges. [CSCvp19188]
- vEdge FTMD crash. [CSCvp21016]
- CVM: First American, OOM. [CSCvp25994]
- Option to display real time ip route information for Cisco XE SD-WAN Router is missing. [CSCvp29824]
- site gets isolated and traffic is lost after flapping remote tlocs. [CSCvp32212]
- Unable to import Database with TACACS login details. [CSCvp34862]
- vManage is not sending filtered queries while displaying real time cflowd data from the vEdge. [CSCvp37418]
- ZTP: All production ztp servers vdaemon cored at the same time. [CSCvp38066]
- vEdge dropping DHCP offer when source ip and dhcp-helper does not match. [CSCvp46023]
- DHCP ip pool config get removed after upgrade from 188.8.131.52 to 18.4.1. [CSCvp51861]
- Ping intermittently fails because vEdge sends wrong ICMP ident in the header. [CSCvp51863]
- FTMD crash seen on a vE1K node. [CSCvp52217]
- After reload of v5k with cloud-qos-service-side configured throughput drops and RED drops seen. [CSCvp61972]
- Cellular modem is rebooting frequently. [CSCvp63629]
- "default-information originate" stays in the config even if "originate" is disabled in the template. [CSCvp65817]
- Tunnel group-id does not work as expected causing traffic loss. [CSCvp65969]
- Can't update existing Localized Policy with new Access Control List. [CSCvp67098]
- Unable to push policy to the vSmart after upgrade of the vManage from 18.3.5 to 18.4.101. [CSCvp68381]
- vManage not processing statistics from device when vAnalytics is enabled for large deployments. [CSCvp77191]
- Template failure results in 'Failed to finish the task' after 30 min. [CSCvp77533]
- Stuck 'Send to Controllers' task on vManage blocking other tasks. [CSCvp78025]
- Template fails due to physical interface removal after upgrade. [CSCvp78629]
- ZBFW policy sequences not displayed in vManage UI after upgrade to 18.4 or higher from 18.3. [CSCvp79222]
- Cisco XE SD-WAN Router unable to inject packets when traffic is destined to it. [CSCvp86310]
- Failed to attach template to Cisco XE SDWAN Rtr if qos-map name changed after policy-map is attached. [CSCvp96887]
- BFD sessions not forming between a Cisco XE SD-WAN Router behind symmetric NAT & a vEdge with NO NAT. [CSCvq02087]
- Control connection drops even with high timeout with low-bandwidth-link on vEdge. [CSCvq07823]
- tracker doesn't work for DIA in case of centralised data-policy used. [CSCvq12443]
- SDWAN utd engine not send logs to external server via service vpn. [CSCvq12682]
- packet loss seen with rapid pings on nat interface, drop reason showing as map-db add failures. [CSCvq13368]
- < ip name-server vrf 1 > configuration not saved upon upgrade from 16.9 to 16.10 [CSCvq22687]
- BFD goes down on a Cisco XE SDWAN Router if it is behind symmetric NAT & the ports change frequently. [CSCvq46984]
- BFD session not coming up on tloc-extension interface due to wrong UID. [CSCvq50896]
- continuous nat-pool exhausted failure leads to map-db leak. [CSCvq54726]
- vSmart allowing 5 SLA classes under policy causing problem pushing that to vEdges. [CSCvq56813]
- ISR1100 not booting up after power cycle and gets stuck in boot loop - replaystore file corruption. [CSCvq61992]
- vManage cluster losing entity ownership every couple of days causing email notifications not sent. [CSCvq70770]
- Cisco vEdge: DIA Traffic Policy restrict doesn't work as expected. [CSCvq42802]
Issues Fixed in Releases 16.10.2 and 18.4.1
The following issues have been fixed in XE-SDWAN Software Release 16.10.2 and SD-WAN Software Release 18.4.1. The CSC number following each issue is the bug number in the Cisco Defect Tracking System. The VIP number following each issue is the bug number in the Viptela bug-tracking database.
Configuration and Command-Line Interface
- You might not be able to access vAnalytics from 18.4 vManage. An error saying 'Invaild credentials' appears. [CSCvn81424/VIP-49034: This issue has been resolved.]
- From Release 18.4 onwards, the dashboard widgets in the vManage interface zoom in every time you navigate away, come back to the main dashboard, and then refresh the browser. [CSCvn80356/VIP-49002: This issue has been resolved.]
- After upgrading from Release 18.3.4 to 18.4.0, you might not be able to push policy to vSmart. [CSCvn78404/VIP-48948: This issue has been resolved.]
- After upgrading to SD-WAN Release 18.4.0, you may not be able to update centralized data policy. The error "invalid value" for hostname appears when you use special characters in the host name, such as an underscore. [CSCvn82819/VIP-49069: This issue has been resolved.]
- On an IOS XE router, when you push a configuration template in which the interface to the vManage NMS is configured as down, it might take 15 minutes to roll back the configuration instead of the usual 5 minutes. [CSCvj88473]
- On an IOS XE router, when you issue the show platform software trace command from the CLI, the router might reboot unexpectedly. As a workaround, use the request admin-tech command to collect the trace information. [CSCvj90293]
- On an IOS XE router, EEM-related configurations on Confd are not supported. [CSCvj95656]
- On an IOS XE router, you might not be able to configure a static route from the configuration templates. [CSCvm55390/VIP-44437]
- On an IOS XE router, you might not be able to delete BFD from an interface using Netconf. [CSCvm60350/VIP-44577]
- When you try to push the default templates that include cflowd policies to an IOS XE router, the template push might fail with the error "Bad CLI source Loopback0, location 16". [CSCvm61034/VIP-44614]
- For IOS XE routers, the vManage NMS might not generate an NTP source interface configuration. [CSCvm68397/VIP-44901]
- The vManage DPI screen might display a DIA graph for a vEdge router on which local internet exit is not configured. [CSCvj50058/VIP-38987]
- On cflowd template packets, the DF bit might get set. [CSCvk77142/VIP-43032]
- On an IOS XE router, ECMP might not work. [CSCvm26391/VIP-43788]
- When you upgrade a vEdge 5000 router from Release 18.3.0 to Release 18.3.1, the router performance might decrease. [CSCvm60731/VIP-44603]
- On ISR 4351 router, FTMD crashes when you run clear control connections and clear omp all on remote vEdges. [CSCvk77168]
- When you use Auto IP to assign the tunnel interface IP address, the vEdge router is assigned an address, but statically configuring that same address might not work, which results in the control connection on the tunnel interface going down. As a workaround, remove the configured IP address from the CLI and configure the static IP address again. [CSCvm40434/VIP-43987]
- On a vEdge router, when packet-duplication is enabled for a flow and if the original and chosen duplicate tunnels have different MTUs, then the packet duplication for that flow is skipped. [CSCvk78980/VIP-43780]
- In IOS XE 16.10.1 release, when you upload the same virtual image file twice, the virtual image file is deleted from the storage. You need to re-upload the virtual image. [CSCvn71894/VIP-48771]
- When you configure Umbrella DNS Redirect with custom VPN, DNS Crypt is always enabled irrespective of vManage configuration. [CSCvn62511/VIP-48478]
- Device status of UTD container does not reflect immediately after removing UTD from the attached template. The status is updated when you rediscover the network. [CSCvn64543/VIP-48536]
- On an IOS XE router, PnP might configure a static IP address instead of a DHCP address during the PnP workflow. [CSCvk16663/VIP-41261]
- On a vEdge 2000 router, weighted round-robin queues might favor queues with larger packets. [CSCvk40521/VIP-41883]
- You might not be able to upgrade a vEdge 1000 router from Release 18.2.0 to Release 18.3.0 from the vManage GUI. As a workaround, upgrade from the CLI. [CSCvk44649/VIP-41972]
- On a vEdge 5000 router, if you enable cloud-qos, the forwarding performance might drop significantly. [CSCvm57183/VIP-44494]
- In Forwarding Class/QoS in the Localized Policy wizard, if you create a class map, assign a queue to that class map, successfully add the queue, and then delete the class from the class map list, the Forwarding Class column might be empty instead of displaying the class name. [CSCvj41271/VIP-38690]
- On a vManage NMS running Release 18.2.0, the information on the Config Diff might not align properly, which makes it hard to compare the two configurations. [CSCvk12352/VIP-40589]
- After a router becomes unreachable and then comes back online, device configuration templates might never be pushed to the router. [CSCvk72985/VIP-42869]
- You might be unable to instantiate a new Azure vEdge Cloud instance on an existing resource group. [CSCvk77999/VIP-43408]
- When you use SSO login for the second time on a vManage server, the Cisco login banner continues to spin because of browser caching. As a workaround, either close the browser or clear the cache. [CSCvk79079/VIP-43802]
- If the organization name or SP organization name contains an ampersand (&), the vManage NMS might not sign the CSR and so the vEdge router is unable to join the overlay network. [CSCvk78273/VIP-43484]
- A software upgrade from Release 16.2.10 to Release 16.10 might fail with the message "/usr/bin/vconfd_script_upgrade.sh: line 129: sw: command not found". [CSCvm46901/VIP-44168]
- When you upgrade an AWS-hosted instance from Release 17.x to Release 18.3.0, a large number of Java garbage collection (GC) allocation errors might occur, causing the GUI to become unresponsive. [CSCvm70027/VIP-44947]
- You might not be able to edit configuration templates, with the vManage server reporting that multiple users are trying to edit the template at the same time. [VIP-27615]
- NMS configuration-db may run into an issue where a partial corruption can occur. This situation can occur when the disk gets full. This is an issue in the software of a third-party that the vendor has already fixed. [VIP-49259]
- In vManage 18.4, when you try to access the device page, a static error message occurs. [CSCvn77852/VIP-48936: This issue has been resolved.]
- In vManage 18.4, Dashboard help interface does not point to 18.4 product documentation. [CSCvn74500/VIP-48815: This issue has been resolved.]
- GPS location coordinates that you configure on an IOS XE router might not take effect. [CSCvk65202/VIP-42609: This issue has been resolved.]
- GUI unresponsive after upgrade to 18.3.4. [CSCvo08423/VIP-49641: This issue has been resolved.]
Issues Fixed in Releases 16.10.1 and 18.4.0
The following issues have been fixed in XE-SDWAN Software Release 16.10.1 and SD-WAN Software Release 18.4. The CSC number following each issue is the bug number in the Cisco Defect Tracking System. The VIP number following each issue is the bug number in the Viptela bug-tracking database.
Configuration and Command-Line Interface
- Hostnames with special characters like hyphen (-) and underscore (_) are supported on some of the vManage systems. [CSCvn82819/VIP-49069: This issue has been resolved.]
- When you configure a hostname with special characters other than hyphen (-) and underscore (_), the system fails. As a workaround, do not use special characters in the host name. [CSCvi44499/VIP-35898: as per the RFC1123 https://tools.ietf.org/html/rfc1123.]
- After you upgrade from Release 17.2.x to Release 18.3.0, if you modify a policy on the vManage NMS, the policy might no longer push to the vSmart controller. [CSCvk77901/VIP-43376: This issue has been resolved.]
- When MTU is changed on a vEdge 5000 10Gig interface, the interface will flap to take the modified MTU into effect. [CSCvn16681/VIP-46716: This issue has been resolved.]
- GPS location coordinates that you configure on an IOS XE router might not take effect. [CSCvk65202/VIP-42609: This issue has been resolved.]
- Attaching a configuration template to an IOS XE 5000 router might fail with the error message "Null". [CSCvm46954/VIP-44173: This issue has been resolved.]
- On an IOS XE router, when you attach an NTP feature template that contains a VRF other than VPN 0, the vManage server might push the incorrect VRF name. [CSCvm68056/VIP-44887: This issue has been resolved.]
- On an IOS XE router, when you issue the commit and-quit command to exit configuration mode, you might be placed into router exec mode instead of SD-WAN exec mode. [CSCvm72402/VIP-45042: This issue has been resolved.]
- When you issue the show vrrp interfaces command from the router's CLI, the CLI might not recognize the command and might show a "syntax error: unknown argument" error message. [VIP-23918: This issue has been resolved.]
- In Releases 18.2.0 and later, if an interface description contains a special character, such as an ampersand, the template push might fail with the error message "null". [CSCvm51340/VIP-44295: This issue has been resolved.]
- On IOS XE routers, when you configure TACACS using feature templates, the vManage NMS might include ip vrf forwarding 0 in the configuration even though "vrf 0" does not exist on these routers. [CSCvm53683/VIP-44394: This issue has been resolved.]
- On an IOS XE router, if you define the VPN in the logging template as anything other than the default, the VRF might always be configured as Mgmt-intf, which belongs to GigabitEthernet0. This occurs for any VPN other than VPN 0. [CSCvm57126/VIP-44490: This issue has been resolved.]
- When you create an SVI template for an ISR 1000 router, the VLAN interface name might be defined with the incorrect syntax, and as a result the vManage NMS generates an invalid interface (for example, GigabitEthernet2). [CSCvm64908/VIP-44778: This issue has been resolved.]
- A vEdge 100m router might crash when a workstation connected to it on the service side requests a DHCP address. [CSCvm42884/VIP-44045: This issue has been resolved.]
- When you configure a vEdge router for service-side NAT with overload, identical source ports might be assigned during the translation process. [CSCvm66521/VIP-44841: This issue has been resolved.]
- If you configure centralized data policy to accept protocol 112 (VRRP), VRRP data traffic might not be accepted. [CSCvk75135/VIP-42953: This issue has been resolved.]
- ZTP allows an IOS XE router that is running an earlier release, such as Release 15.4.x, to join an overlay network that is running a later release, such as Release 17.2.x, which might cause the overlay network to go down. [CSCvk14637/VIP-40662: This issue has been resolved.]
- On an IOS XE 100m router, the Forwarding Table Management process (ftmd) might crash. [CSCvj88249/VIP-39984: This issue has been resolved.]
- Traffic might be blackholed because of stale BFD sessions. This happens in a scenario when there are two IOS XE routers at a site, both configured with TLOC extension between them, and the circuit that they are connected to goes down. One router clears all its BFD sessions, but the second one does not, so all traffic is sent to the uncleared BFD sessions and is blackholed. [CSCvi45659/VIP-35113: This issue has been resolved.]
- An IOS XE router might crash with the error message, "FTMD-3-ERRO-1000011: FP Core 1 Died. Core file recorded at /var/crash/core.fp1.5310". [CSCvj63407/VIP-39318: This issue has been resolved.]
- When you use VLAN tagged interfaces for transport interfaces, the interface throughput might drop. [CSCvj79568/VIP-39647: This issue has been resolved.]
- On an IOS XE router, the default template configuration pushed by the vManage NMS might include the no exec command, which disables console access. [CSCvm63759/VIP-44731: This issue has been resolved.]
- If you misconfigure the target VPN for NAT, the ICMP unreachable messages might contain the inside IP address. [CSCvm73980/VIP-43947: This issue has been resolved.]
- When VRRP failover occurs twice, a ping from the host to the virtual IP address might fail. [CSCvm47232/VIP-44187: This issue has been resolved.]
- When you are running on release vEdge IOS XE router, IOS XE100M-VZ crashes when you enable DPI and cflowd. [CSCvn22423/VIP-47040: This issue has been resolved.]
- On IOS XE routers, you might not be able to configure WAN transport VPN extension using TLOC extensions. [CSCvm65707/VIP-44788: This issue has been resolved.]
- In vManage NMS, removing a DSL configuration from a router might fail with the errors "Failed to process device request" and "inconsistent value: Device refused one or more commands". [CSCvk29514/VIP-41479: This issue has been resolved.]
- On an IOS XE router, you cannot configure an MTU greater than 1500 bytes on an interface or subinterface when you are using a vManage interface configuration template. As a workaround, from the CLI, issue the no mtu command and commit the configuration. Then, set the desired MTU in the vManage templates. [CSCvk77283/VIP-43098: This issue has been resolved.]
- A centralized policy that is pushed from the vSmart controller to the vEdge routers might not be applied on the routers. [CSCvi54347/VIP-27046: This issue has been resolved.]
- For zone-based firewalls, you can configure a VPN to be in only one zone. [CSCvi97773/VIP-37609: This issue has been resolved.]
- If you enable NAT and apply a localized data policy on a transport interface, the control connection on that interface might not come up. [CSCvk44405/VIP-41968: This issue has been resolved.]
- When you are configuring a localized data policy (access list) in vManage NMS, you might encounter errors with entering port numbers and number ranges. [CSCvk76181/VIP-42981: This issue has been resolved.]
- When you apply a QoS policy to an IOS XE router, the router's interface throughput might slow considerably. As a workaround, remove the configuration and reboot the router. [CSCvm49899/VIP-44272: This issue has been resolved.]
- If you configure a set tloc-list action in a control policy on a vSmart controller and push the policy to a vEdge router, when you change the AS path configuration on that router, the OMP process (ompd) might crash on the vSmart controller. [CSCvk78896/VIP-43724: This issue has been resolved.]
- On an IOS XE router, if you configure both the bgp ha-mode sso prefer and neighbor additional-paths send receive commands, you might not be able to configure the bgp ha-mode sso prefer command. [CSCuy24258/VIP-44685: This issue has been resolved.]
- On vEdge routers, OSPF version 2 ELL private TLVs might not map properly to the IANA code points on point-to-point and unnumbered interfaces. [CSCvh22300/VIP-42020: This issue has been resolved.]
- The show omp tlocs advertised command might not properly filter TLOC-advertised routes. [CSCvj67940/VIP-39400: This issue has been resolved.]
- OSPF NSSA external1 and external2 prefixes might not be advertised into OMP. [CSCvk78335/VIP-43505: This issue has been resolved.]
- An IOS XE router might crash when you issue a show ospf command. [CSCvk78359/VIP-43519: This issue has been resolved.]
- On an IOS XE router, if you modify the MD5 key on an OSPF interface and then configure MD5 from an OSPF interface, the Linux IOS process (linux_iosd) might crash and the router might reboot. [CSCvm37501/VIP-43933: This issue has been resolved.]
- The Viptela process (vdaemon) might crash when booting up an IOS XE router. [CSCvk67889/VIP-42701: This issue has been resolved.]
- An SNMP query might not display the flow-sampling interval (.184.108.40.206.4.1.419220.127.116.11.2). [CSCvm48892/VIP-44239: This issue has been resolved.]
- On an AWS vManage C5 VM instance, disk I/O errors might occur continuously, and as a result the vManage NMS cannot operate properly. [CSCvk77731/VIP-43292: This issue has been resolved.]
- After you upgrade a vEdge 2000 router to Release 18.3.0, the output of the show hardware environment command might indicate that the temperature sensors board has failed. [CSCvk77127/VIP-43030: This issue has been resolved.]
- After you reboot an ISR 4000 router, OpenDNS local-domain bypass might stop working. [CSCvf27566/VIP-43025: This issue has been resolved.]
- If you disable deep packet inspection (DPI) on a vEdge router, traffic directed towards queue 0 (LLQ) might become bursty or might be dropped. [CSCvk77270/VIP-43088: This issue has been resolved.]
- A vEdge 5000 router running Release 17.2.7 might not be able to form control connections with a vBond orchestrator. [CSCvm62586/VIP-44670: This issue has been resolved.]
- vEdge 1000 and vEdge 2000 routers might experience high CPU usage. [CSCvk29013/VIP-41438: This issue has been resolved.]
- After you upgrade from Release 17.2.7 to Release 18.3.0, the vManage NMS might report that all vEdge 2000 routers are in Hardware Error state. [CSCvk77198/VIP-43053: This issue has been resolved.]
- A vEdge 5000 router might reboot multiple times with the error message "Software initiated FP core Watch dog failure". [CSCvk79322/VIP-43937: This issue has been resolved.]
- In Release 18.3.0, GE0/4 on vEdge 100M does not accept packets with size greater than the default MTU (1500). [CSCvm94862/VIP-45795: This issue has been resolved.]
- VRRP is not supported on x86 devices that do not have driver support to add virtual MAC address. [CSCvn05827/VIP-46225: This issue has been resolved.]
- You might not be able to push configuration templates to vEdge routers. [VIP-34886: This issue has been resolved.]
- When you are using the API data service to get information on the TLOCs in the network, vManage returns the TLOCs for the deleted vEdge. It should stop returning the value of the deleted vEdge. [CSCvm74019/VIP-45120: This issue has been resolved.]
- When you configure an IOS XE router, you cannot access the vManage via HTTPS, but can access it through SSH. [CSCvm79118/VIP-45275: This issue has been resolved.]
- In Release 18.3.0, when you push a vEdge feature template to a hardware vEdge router that is running Release 18.3.0, if you have configured allow-service https to be off, it might be pushed as allow-service https. [CSCvm68469/VIP-44908: This issue has been resolved.]
- You cannot perform user group operations on a multitenant vManage NMS. You can perform user group operations only on a single-tenant vManage NMS. [CSCvk24738/VIP-41264: This issue has been resolved.]
- vManage NMS might not report router alarms. [CSCvk45960/VIP-42026: This issue has been resolved.]
- When you configure a VLAN range, vManage might not be able to send individual VLAN configuration during (CSCvm70375) template push. [CSCvm79174/VIP-45278: This issue has been resolved.]
- You might not be able to generate the route for DIA using templates from vManage. The default route for DIA use case doesn't show up on the edge in service VPN. [CSCvm57163/VIP-44493: This issue has been resolved.]
- When a vManage NMS has generated a self-signed root CA that it then uses to sign vEdge Cloud certificates automatically, when the vEdge Cloud router comes up and receives and installs the signed certificate, vBond validation of the router might fail because the O field in the certificate contains a string other than the expected string, which is "Viptela". [CSCvm60099/VIP-44572: This issue has been resolved.]
- You might not be able to reset an interface on an IOS XE router from the vManage NMS. [CSCvi42655/VIP-34418: This issue has been resolved.]
- After a vManage NMS silently reboots, it might be out of sync with the vManage cluster. [CSCvi43327/VIP-35891: This issue has been resolved.]
- The vManage GUI might not start, and the vmanage-server.log file might contain a lot of exceptions. [CSCvj79456/VIP-39644: This issue has been resolved.]
- You might not be able to change the AWS instance from C3 to C4. [CSCvj94072/VIP-40092: This issue has been resolved.]
- On a vEdge router, a packet capture/speed test might fail with the error, "Device Error: Failed to read server configuration" after the router reboots after power is added and the router is then re-added to the overlay network. This problem occurs because the data stream collection setting on the vManage NMS might become out of sync while the vEdge router is temporarily disconnected from the network. As a workaround, disable the data stream collection on the vManage Administration ► Settings screen and then re-enable it. [CSCvk11112/VIP-40569: This issue has been resolved.]
- If you configure optional parameters in a feature configuration template, the vManage NMS might not be able to push the configuration to the router. [CSCvk15467/VIP-40720: This issue has been resolved.]
- On an IOS XE router, pushing a configuration template might fail with the error "failed to publish task on message bus". As a workaround, restart all the NMS servers from the vManage NMS. [CSCvk23051/VIP-41240: This issue has been resolved.]
- When you temporarily disconnect a vEdge router from the network, data stream settings might go out of sync and vManage NMS might report an error. If this happens, disable and then re-enable the data stream. [CSCvk27493/VIP-41369: This issue has been resolved.]
- Upgrading a vEdge router using ZTP might fail for routers that use MIPS images. [CSCvk32990/VIP-41621: This issue has been resolved.]
- If ZTP is enabled on a vManage NMS running Release 18.2, you must enable ZTP again after you upgrade the vManage NMS to Release 18.3. [CSCvk33216/VIP-41637: This issue has been resolved.]
- For a vManage NMS running in multitenant mode, connecting to a vEdge router using SSH from the vManage NMS might not work. [CSCvk38122/VIP-41772: This issue has been resolved.]
- You might not be able to remove a vManage NMS from a vManage cluster. [CSCvk40435/VIP-41880: This issue has been resolved.]
- After you upgrade the vManage NMS from Release 17.2.6 to Release 18.3.0, configuration database entries might be missing. [CSCvk53396/VIP-42181: This issue has been resolved.]
- You might not be able to reboot a vEdge 1000 router by issuing reboot commands from the CLI. [CSCvk57214/VIP-42283: This issue has been resolved.]
- Email alerts about alarms might not be generated consistently. [CSCvk58084/VIP-42305: This issue has been resolved.]
- When you push the vEdge router list from the vManage NMS, some vEdge routers might become unreachable. [CSCvk63612/VIP-42567: This issue has been resolved.]
- When you upgrade from Release 17.2 to Release 18.2, template migration might fail. [CSCvk65125/VIP-42603: This issue has been resolved.]
- To activate a vEdge Cloud router, entering the UUID of the device in upper case letters might not work. As a workaround, enter the UUID in lower case letters. [CSCvk67084/VIP-42660: This issue has been resolved.]
- When you upgrade the vManage NMS software from Release 18.2.0 to Release 18.3.0, the vManage software might fail to activate. [CSCvk69670/VIP-42783: This issue has been resolved.]
- In Release 18.3, the vManage Maintenance ► Settings ► Statistics Setting tab still lists Cflowd even though the vManage NMS no longer collects cflowd statistics. [CSCvk72673/VIP-42857: This issue has been resolved.]
- While a device template is being pushed to a router, you might see template out-of-sync messages and duplicate system IP addresses. [CSCvk73077/VIP-42880: This issue has been resolved.]
- In Release 18.3, configuration variables cannot contain slashes (/) or ampersands (&). [CSCvk77234/VIP-43065: This issue has been resolved.]
- If the SP organization name contains an ampersand (&), a template push might fail, and the message returned to the vManage screen is "null". [CSCvk77480/VIP-43188: This issue has been resolved.]
- For a vEdge 100m router, you might not be able to save the VPN Interface Cellular template. [CSCvk77696/VIP-43289: This issue has been resolved.]
- In Release 18.3, you might not be able to copy the built-in Google_Apps or Microsoft_Apps application lists in the vManage NMS. [CSCvk77988/VIP-43404: This issue has been resolved.]
- When you activate a vEdge cloud chassis-id that is generated on PnP, a duplicate device entry might be created. [CSCvm38184/VIP-43962: This issue has been resolved.]
- The vManage Configuration ► Templates screen might report that some feature templates have a status of "out of sync," but the devices do not report this same status. [CSCvm42410/VIP-44013: This issue has been resolved.]
- Users in some user groups might not be able to view the vManage geography map. [CSCvm62262/VIP-44648: This issue has been resolved.]
- In vManage Policies ► Custom Options ► List ► TLOC, the scroll bar might not be able to scroll down to display all the TLOCs in the list. [CSCvk38067/VIP-41770: This issue has been resolved.]
- Cellular profile configuration does not support username and password on the AT&T SKUs 100m-AT and 100wm-AT. [CSCvk36354/VIP-41718: This issue has been resolved.]
YANG Files for Netconf and Enterprise MIB Files
Netconf uses YANG files to install, manipulate, and delete device configurations, and Viptela supports a number of enterprise MIBs. Both are provided in a single tar file. Click the filename below to download the file.
Using the Product Documentation
The SD-WAN product documentation is organized into seven modules:
|Getting Started||Release notes for Viptela software releases, information on bringing up the Viptela overlay network for the first time, quick starts for vEdge and IOS XE routers, software download and installation, and an overview of the Viptela solution.|
How to install, maintain, and troubleshoot vEdge routers and their components. Provides hardware server recommendations for the controller devices—vManage NMS, vSmart controller, and vBond orchestrator servers.
Overview and configuration information for software features, organized by software release.
|vManage How-Tos||Short step-by-step articles on how to configure, monitor, maintain, and troubleshoot Viptela devices using the vManage NMS.|
Reference pages for CLI commands used to configure, monitor, and manage the Viptela devices. Includes reference pages for Viptela software REST API, a programmatic interface for controlling, configuring, and monitoring the Viptela devices in an overlay network.
|vManage Help||Help pages for the vManage screens. These pages are also accessible from the vManage GUI.|
- To create a PDF of an article or a guide, click the PDF icon located at the top of the left navigation bar.
- To find information related to an article, see the Additional Information section at the end of each article.
- To help us improve the documentation, click the Feedback button located in the upper right corner of each article page and submit your comments.
Using the Search Engine
- To search for information in the documentation, use the TechLibrary Search box located at the top of each page.
- On the Help results page, you can narrow down your search by selecting the appropriate documentation module at the top of the page. If, for example, you are searching for power supply information for your vEdge router model, select the Hardware module and then select your vEdge router model.
- When a search returns multiple entries with the same title, check the URL to select the article for your hardware platform or software release.
- When the search string is a phrase, the search engine prioritizes the individual words in a phrase before returning results for the entire phrase. For example, the search phrase full-cone NAT places links to "NAT" at the top of the search results. If such a search request does not return relevant results, enclose the entire search string in quotation marks (here, for example, "full-cone NAT").
Revision 1: 2018-12-20. IOS XE SD-WAN Release 16.10 and SD-WAN Release 18.4
Revision 2: 2019-01. Updates
Revision 3: 2019-01. Updates
Revision 4: 2019-01. Updates
Revision 5: 2019-01. Updates
Revision 6: 2019-01-16. Updates
Revision 7: 2019-01-21. Updates
Revision 8: 2019-01-28. IOS XE SD-WAN Release 16.10 and SD-WAN Release 18.104.22.168
Revision 9: 2019-02-15. Updates
Revision 10: 2019-02-17. Updates
Revision 11: 2019-04-13. Updates
Revision 12: 2019-05-17. Updates
Revision 13: 2019-06-20. IOS XE SD-WAN Release 16.10 and SD-WAN Release 18.4.1