
SSR 5.6 Release Notes

info

Issues resolved in a release are merged into subsequent releases chronologically AND numerically.

If you do not see an issue listed below, it may have been resolved in another recently released version. A link to the Release Notes for the most recent chronological release of SSR Software is provided.

Alternatively, refer to the List of Releases page for release dates and links to all SSR Release Notes; or, if you know the Issue ID Number, enter that into the Search field at the top right of this page.

Upgrade Considerations

important

Before upgrading, please review the Upgrade Considerations and the Rolling Back Software pages. Several modifications have been made to the process for verifying configurations, which will impact existing configurations.

  • I95-43243/IN-460 Upgrade and Rollback: Using the interactive installer install128t to upgrade or roll back a system (conductor peer or router) that is managed by a conductor may result in the system becoming unresponsive. It is highly recommended that upgrades be performed through the conductor UI. Manual upgrades and rollbacks may not be resilient to failures. See Rolling Back Software for more information on these operations.

  • I95-42452 Conductor Upgrade Time: Upgrades to version 5.4 and above can take up to 40 minutes due to the number of RPMs being upgraded. Please plan accordingly.

  • I95-42624 Upgrade Installer: Before upgrading to, or installing, version 5.4 and above, update the Installer to at least version 3.1.0. Failing to upgrade the installer may result in a rollback failure, should a rollback be necessary at any time. The Installer typically prompts you to update when a new version is available. Select Update when prompted.

  • Plugin Upgrades: If you are running with plugins, updates are required for some plugins before upgrading the conductor to SSR version 5.4.0 or higher. Please review the Plugin Configuration Generation Changes for additional information.

Release 5.6.0-44

Release Date: May 20, 2022

New Features

  • I95-10056 RADIUS support for Multi-Factor Authentication: Integration between RADIUS user access and Role-based Access Control allows the SSR to support Multi-Factor Authentication using YubiKey.

  • I95-200118 Configuration Concurrency at Scale: Multiple users can now edit the SSR configuration concurrently. For more information, see Candidate Configuration.


  • I95-37417 Additional factory default session-type configuration: Added factory-default session-types for NetBIOS Name Service, NTP, and LDAP over UDP.

  • I95-37648 Configurable Password Policy: The SSR password policies have been updated to provide a more secure experience. See Password Policies for additional information.


  • I95-39712 Hierarchical Service Inheritance For STEP Learned Routes: Child services now inherit the routes of their parent services when the parent route is learned through STEP. For more information, see Hierarchical Services.

  • I95-40130 Factory Defaults for Conductor Communication: Added SaltStack, Conductor, and IKE default session-types. For new deployments, SIP, SIPS, and IPSEC-NAT use NAT Keep Alive by default, and the timeout for IPSEC-NAT is 125 seconds.

  • I95-40660 Kernel Upgrade: The OS kernel has been upgraded to that of CentOS 8.4 to address several CVEs and provide support for WireGuard and Cordoba.

  • I95-41449 NTP Authentication with SHA1 or better: Support for NTP authentication provides options for external NTP server authentication. See NTP Authentication for more information.

  • I95-41509 STEP Route Computation enhancements: STEP uses additional service policy information when computing the best path scenario. See STEP Route Computation for more information.

  • I95-41557 Software Lifecycle Management: The download, upgrade, and software lifecycle process is more easily managed from a single location in the GUI. See Software Lifecycle for additional information.


  • I95-42887 Real-time alerts for Audit failure events: A service has been added that warns all logged-in users if auditd fails to start and audit logging capability is impacted. See Audit Events for more information.

  • I95-42888 Logout mechanism for administrator-initiated communication sessions: A PCLI command and audit log are available to verify session closure.

  • I95-43039 File permissions, ownership/membership of system files and commands remain static: Unauthorized or unintended changes are not introduced during the operation of the SSR Software.

  • I95-43040 Non-certificate trusted host is not allowed SSH logon to the system: The SSH daemon performs strict mode checking and does not allow a non-trusted host to log on to the system over SSH.

  • I95-43041 Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required: The DCCP module is prevented from loading unless it is specifically required.

  • I95-43047 Local initialization files do not execute world-writable programs: The directories are not world-writable.

  • I95-43049 The audit system notifies the user when there is an error sending audit records to a remote system: Remote logging for audit logs and appropriate messaging has been added. See Audit Events for more information.

  • I95-43050 Strict mode checking of home directory configuration files: The SSH daemon performs strict mode checking of home directory configuration files.

  • I95-43051 Remote X connections are disabled except to fulfill documented and validated requirements: X server is disabled as part of the mode checking of home directory configuration files.

Resolved Issues

  • I95-36758 Redistributed service route distance not configurable: Support has been added for the configuration of admin distance for kernel routes generated by services with service routes and for BGP over SVR services.

  • I95-38408 DHCP server on wrong vlan sends offer in response to discover message: Hosted DHCP servers that do not have an explicit vlan configured are now explicitly treated as vlan 0, and handle any DHCP packets that are untagged/vlan 0, in order to prevent those packets from being multicasted to multiple DHCP servers.

  • I95-40904 Power save mode not working: This issue has been resolved.

  • I95-41992 Warning for Rate-Limit with Flow-Limit values at 0: A warning has been added to advise users that this will cause dropped packets.

  • I95-43239 LTE APN on Modem not set up correctly: The APN is now always written to the modem using the default index of 1.

  • I95-44142 Automated Provisioner Race condition: Resolved a rare crash where applications would attempt to get information about already-closed sockets when responding to API requests.

  • I95-44435 Save Tech Support should include Service Paths: save tech-support-info includes show service-path and show rib.

  • I95-44722 Time series HMAC failures after rebooting node in HA router: Device interfaces are flushed upon becoming active to avoid handling of packets which have been delayed due to inactivity.

  • I95-44726 Invalid return code returned by LTE firmware creating a memory leak: Resolved a buffer leak in the wanpipe driver.

  • I95-44823 Conductor upgrade failure - extra space in integer is invalid: Extra spaces on integer types are now trimmed off to avoid this issue.

  • I95-44854 Extra "Application" column in Top Sessions panel: The extra column has been removed.

  • I95-44913 kmod-i40e metapackage causing upgrade issues: The metapackage has been removed and upgrade issues have been resolved.

  • I95-44991 SSR not passing Aruba data on GRE Tunnels: Resolved an issue where GRE packets with reserved bit in the header are incorrectly dropped as invalid.

  • I95-45063 SSR Azure instances unstable on large machine types: Resolved an upgrade issue causing instability in Azure instances using Mellanox5.

  • I95-45113 SNMP override of the IfTable: An issue with SNMP reporting has been resolved.

  • I95-45123 CVE Issue: The latest security vulnerabilities have been identified and addressed.

  • I95-45124 RBAC Config Endpoints Leaking Information: Resolved an issue where some configuration endpoints would allow users with incorrect permissions to make requests.

  • I95-45146 GUI error message for users authenticated by LDAP to Active Directory Server: This issue has been resolved.

  • I95-45162 Improve download/upgrade error message if a router name does not exist: In situations where a router does not exist, the download and upgrade message now indicates that the router does not exist.

  • I95-45211 New users run into permissions errors: Access Control Lists are now preserved on file rotations.

  • I95-45220 Conductor local forwarding parameters not dynamic: Resolved an issue where, when transitioning a conductor from standalone to HA, the managed routers were not automatically connecting to the newly added conductor node.

  • I95-45268 Third-party-drivers rpm install hung: Resolved an issue where the installation hangs when running a post-install scriptlet. The script is not necessary at that stage and has been disabled.

  • I95-45348 Update salt master and minion to 3002.8: This update resolves several CVEs and requires that the conductor be running this release containing these fixes before upgrading a router. Important: Please see the Caveat below for additional important information about HA upgrades.

  • I95-45374 Router Dropping SIP traffic: A warning is displayed if users configure a service-class to rate-limit but don't set max-flow-burst/max-flow-rate values (default is set to 0).

  • I95-45541 LDAP users are unable to login to the PCLI due to permission errors: This issue has been resolved.

  • I95-45559 Corrupted resolv.conf after ODM imaging: Resolved an issue on SSR systems running dns-proxy services with external interfaces configured using PEERDNS=yes, where a race condition may occur that results in corrupt nameservers being added to the /etc/resolv.conf file.

  • I95-45583 HA Connection lost during commit: Resolved an issue where a session was missing necessary path data information relating to the peer path.

  • I95-45618 MAC address issue in Azure environment: Non-ethernet MAC addresses are now handled correctly during MLX device discovery.

  • I95-45641 Stuck BGPoSVR Sessions after Failover: Made changes to provide updates to less specific FIB entries when routes are updated to resolve this issue.

  • I95-45643 User created users missing after upgrade: Resolved an issue where the XML values true/false are also handled as 1/0.

  • I95-45696 Memory leak in pam challenge library: Resolved a memory leak in the PAM challenge library.

  • I95-45779 LDAP user login blocked during HA upgrade: Resolved an issue where the LDAP user login was blocked until the upgrade was complete on both HA conductors.

  • I95-45761 SSH ClientAliveInterval change: The SSH ClientAliveInterval has been reset to 900.

  • I95-45783 User home directories different across the topology during upgrade: Resolved an issue with incorrect LDAP user roles during upgrade.

  • I95-45816 "TCP State Stream Parse Error" filling up the flpp.log: This log issue has been addressed.

Caveats

  • I95-45348: Update salt master and minion to 3002.8: When upgrading an HA pair to version 5.6.0, please be aware of the following: While updating the conductors in an HA pair, the upgraded conductor node asset state will remain DISCONNECTED if the active automatedProvisioner is not running a corrected version. When performing an HA conductor upgrade, the node running the oldest software assumes leadership. However, the older version will not be able to talk to the new software on the upgraded conductor.

The active automatedProvisioner can be determined by running the command show system processes. Once the upgrade begins on the old node, the newly upgraded conductor takes over.