Welcome to SteelConnect 2.13.1

The following is an overview of the changes in this release.

New features in 2.13.0

Single-click Office 365 integration

Riverbed SD-WAN is designated as a qualified networking solution and certified as "Works with Office 365" to provide an optimal end-user experience (certification is in progress and expected in September 2019). Riverbed partners with Microsoft to provide full support for and comply with its Office 365 connectivity principles. The SteelConnect Application Control Server (ACS) supports the Microsoft Office 365 REST APIs that catalog and return up-to-date information about the front-door endpoints. SteelConnect uses the endpoint data to enable direct routing of the internet traffic from the branch to the closest front-door endpoints.

Extended AutoVPN tunnel life

You can extend the time during which preprovisioned tunnel keys are used during an outage in SCM connectivity. Extending the number of days to use preprovisioned keys provides more time to prevent traffic forwarding disruptions on overlay routes during unforeseen issues that might persist longer than 24 hours.

Improved high availability failover

SteelHead SD high-availability failover improvements include:

Bidirectional tunnel failure detection - Tunnel probe requests are used to detect tunnel failures when either direction of the data flow is down. Default bidirectional-tunnel probe settings can only be changed by Riverbed Support at https://support.riverbed.com.

LAN-side subnet discovery on HA backup appliances - SteelConnect doesn't have to relearn LAN-side subnets when the HA master fails and the HA backup appliance is activated. No configuration is required.

BGP and OSPF graceful restart - SteelConnect allows continuous data flow forwarding even if the BGP or OSPF process on the peer device restarts. If there is a system restart, you can set the amount of time to wait before a neighbor reestablishes BGP peering and the amount of time that stale paths are kept. For OSPF, you can set the amount of time to wait before adjacencies are torn down if there is a system restart.

Smaller Additions, Improvements, and Bugfixes

    2.13.1

  • SCON-35483 -

    Symptom: When the appliance is rebooted, the auto-negotiation configuration for the uplink interface reverts to default settings.

    Condition: This issue occurs when auto-negotiation for the uplink interface is change to non-default settings and the appliance is later rebooted.

  • SCON-35331 -

    Symptom: System dump generation flaps uplinks and tunnels.

    Condition: When sysdump is requested from SteelConnect Control Manager, the appliance processes the sysdump, which causes uplinks and tunnels to flap due to high CPU utilization on the appliance.

  • SCON-35551 -

    Symptom: Traffic rules using hostname-based custom applications are not identified correctly and are not classified.

    Condition: This issue occurs when the hostname is used to define a custom application in a traffic rule.

  • SCON-36367 -

    Symptom: A port limitation of Classic VPN cannot be configured in SCM UI.

    Condition: This issue occurs when trying to edit the remote network of Classic VPN under Network Design -> Classic VPN in the Remote Network / Local zones tab.

  • SCON-34657 -

    Symptom: DNS-based custom IP:port applications are classified incorrectly on SteelHead SD appliances and SDI-2030 gateways.

    Condition: When a custom IP:port application is created with hostname:port, a corresponding Traffic rule or Outbound/Internal rule is created.
    When traffic is started for the given hostname, it is not classified as the custom application. The custom application with IP:port for the same hostname works correctly.

  • SCON-35965 -

    Symptom: The guest zone's traffic is taking MPLS underlay instead of local internet breakout.

    Condition: Traffic path rules are not being honored for the guest zone's/internet breakout traffic. This issue occurs in release 2.12.1 and later.

  • SCON-36340 -

    Symptom: All tunnels flap after upgrading SCM.

    Condition: This issue occurs after upgrading SCM to release 2.12.3.2 or later.

  • SCON-36486 -

    Symptom: NX DSCP marking is skipped.

    Condition: This issue occurs when the destination is considered to be local to the site.

  • SCON-35505 -

    Symptom: Some websites are misclassified as pornography and are then blocked by the relevant firewall rules.

    Condition: This issue occurs due to an error in the categorization vendor database.

  • SCON-36150 -

    Symptom: Appliances fail to download the upgrade image from the download server.

    Condition: This issue is caused by a race condition in which the appliance fails to connect to the download server because the download server's IP address can change often.

    • 2.13.0

  • SCON-33856 -

    Symptom: The SteelHead SD 2.0 appliance and SDI-2030 gateway experience a service core crash followed by a restart, which causes data path disruption.

    Condition: The data plane application classification service crashes due to invalid memory access while getting the hostname from the local DNS cache.

  • SCON-34919 -

    Symptom: On the SteelHead SD 2.0 appliance and the SDI-2030 gateway, inbound NAT with reflection doesn't work.

    Condition: This issue occurs when the client is part of another zone.

  • SCON-30405 -

    Symptom: The mDNS service is enabled on uplink interfaces for SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways.

    Condition: The mDNS service was enabled on uplink interfaces for SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways, but should be enabled only on specific interfaces where it is required. The issue has been fixed by disabling the mDNS service on uplink interfaces.

  • SCON-33642 -

    Symptom: On an SDI gateway, the firewall reloads if a DHCP server changes the lease time of the assigned address during DHCP renewal. This can result in a brief network interruption.

    Condition: Most DHCP servers will assign the same lease time regardless of when the client requests an address renewal. However, a small subset of DHCP servers will respond with the remaining time on the lease instead of the full lease time if the client requests early renewal. When this happens, the gateway interprets this as a change to the uplink configuration and reloads its firewall. With the fix, the gateway does not treat this condition as an uplink configuration change, so there is no firewall reload.

  • SCON-34655 -

    Symptom: A Classic VPN remote route is not added to the AWS or Azure client subnet routing table.

    Condition: When a Classic VPN connection is configured on SteelConnect Manager from Site A with local zones belonging to cloud sites other than Site A, the cloud routing tables for the other sites are not updated to reach the remote networks. This issue has been fixed and traffic should flow from all configured local zones to and from remote networks.

  • SCON-33551 -

    Symptom: MAC addresses on the Ports page may not be up to date.

    Condition: After a site is deleted on SteelConnect Manager and the appliances in the site are still present in the organization, the MAC addresses on the Ports page may not contain up-to-date information.

  • SCON-34121 -

    Symptom: SCM stops processing statistics from an SDI gateway that has a dynamic routing policy with BGP summarization enabled.

    Condition: Gateways are not populating the AS path information in statistics reported to SCM when a BGP route advertisement is suppressed due to route summarization. SCM rejects the gateway's statistics as a result.

  • SCON-31161 -

    Symptom: When disconnecting the uplink and connecting to another network, the appliance does not get a valid IP address via DHCP.

    Condition: This issue occurs when disconnecting the uplink and connecting to another network.

Known Issues

  • SCON-34506 - SCM traffic timeline statistics are inconsistent with the Top Talkers report on the SteelHead.

    • Detailed Description:

    Symptom: SCM traffic timeline statistics are inconsistent with the Top Talkers report on the SteelHead.

    Condition: This issue occurs when SCM is not able to process incoming flows in a timely manner. As a result, some flows are missing from the traffic timeline.

    Suggested Workaround: None

  • SCON-33963 - The 5-GHz Wi-Fi radio goes offline when configuring "Default" or "40 MHz" bandwidth on an SDI-130 gateway.

    • Detailed Description:

    Symptom: On an SDI-130 gateway, selecting "Default" or "40 MHz" bandwidth for the 5-GHz Wi-Fi radio in certain countries will cause the 5-GHz radio to go offline.

    Condition: This issue occurs in Wi-Fi sites located in countries that don't allow 40-MHz bandwidth (that is, channel aggregation) in the 5-GHz spectrum, including Bahrain, Costa Rica, Ecuador, El Salvador, Guam, Indonesia, North Korea, and Sri Lanka.

    Suggested Workaround: None

  • SCON-33902 - During HA failover, route flaps occur on the LAN router.

    • Detailed Description:

    Symptom: During HA failover, routes on the LAN router momentarily flap and then recover.

    Condition: This issue occurs in a SteelConnect HA appliance configuration where a backup node is configured with a lower router ID and the LAN routers are configured with the next-hop pointing to the backup node. If HA failover is triggered, the backup becomes the master. The routes in the LAN router flap momentarily even though there is no failure in the next-hop backup node.

    Suggested Workaround: None

  • SCON-33808 - Outbound firewall rules are not applied on short-lived connections.

    • Detailed Description:

    Symptom: Outbound firewall rules are not applied on short-lived connections. As a result, SteelHead SD 2.0 appliances do not block the traffic denied in the outbound rule.

    Condition: This issue occurs on short-lived connections when application classification is incomplete.

    Suggested Workaround: None

  • SCON-33538 - An Active Directory user sync "Through appliance" on a SteelConnect SDI-5030 gateway gets stuck at "Waiting for callback from sync appliance."

    • Detailed Description:

    Symptom: An Active Directory sync fails with the message "Waiting for callback from sync appliance."

    Condition: This issue occurs when a SteelConnect SDI-5030 gateway is configured as a bridge appliance. Active Directory user sync is not supported on a SteelConnect SDI-5030 gateway.

    Suggested Workaround: None

  • SCON-33200 - In a dual-hub deployment, the flow table entries report an incorrect remote site ID.

    • Detailed Description:

    Symptom: In a dual-hub deployment with SteelHead SD 2.0 appliances, traffic reporting of the remote site ID may be inaccurate.

    Condition: This issue occurs because the dual-hub configuration learns the same subnet from more than one site. Although the reported remote site ID is inaccurate, the traffic flows on the correct path.

    Suggested Workaround: None

  • SCON-29694 - Internet breakout at the site level doesn't honor the organization level setting when enabled.

    • Detailed Description:

    Symptom: Internet breakout for a leaf site doesn't work when defined at the site level.

    Condition: This issue occurs when breakout is defined at the site level.

    Suggested Workaround: None

  • SCON-35403 - The uplink may flap when the NAT rules configuration is modified.

    • Detailed Description:

    Symptom: The uplink may flap when the NAT rules configuration is modified on SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways.

    Condition: The issue can occur under these conditions:

    • An outbound NAT rule is created, deleted, enabled, or disabled.
    • An inbound NAT rule with a custom WAN IP is created, deleted, enabled, or disabled.
    • The custom WAN IP address in an inbound NAT rule is modified, added, or removed.
    • The override IP address in an outbound NAT rule is modified.

    Suggested Workaround: None

  • SCON-32544 - An SDI-5030 gateway in a gateway cluster may report incorrect cluster health status to SCM.

    • Detailed Description:

    Symptom: An SDI-5030 gateway in a gateway cluster may report incorrect cluster health status to SCM.

    Condition: This issue occurs when the user creates or upgrades an SDI-5030 gateway cluster of three nodes with the data ports disabled on the SDI-5030 gateways.

    Suggested Workaround: Enable data ports associated with appliances resided in cluster

  • SCON-36448 - Sites are missing from Subnet Routing after upgrading SCM to 2.12.3.

    • Detailed Description:

    Symptom: Sites are missing from Subnet Routing.

    Condition: The issue occurs after upgrading SCM to 2.12.3.

    Suggested Workaround: None

  • SCON-26211 - The backup appliance in an SDI HA pair loses connectivity to SCM when local internet uplinks are down.

    • Detailed Description:

    Symptom: The backup appliance in an SDI HA pair loses connectivity to SCM when local internet uplinks are down.

    Condition: This issue occurs when an SDI HA pair is configured in dedicated port mode, all local internet uplinks are down, and the only path to the internet is through an MPLS WAN with an internet breakout set to a remote site.

    Suggested Workaround: None

  • SCON-21653 - The Blocked Connections tab on the SteelHead SD 2.0, SteelConnect SDI-2030 gateway, and SteelConnect SDI-5030 gateway does not report firewalled connections in SCM.

    • Detailed Description:

    Symptom: The Blocked Connections tab on the SteelHead SD 2.0, SteelConnect SDI-2030 gateway, and SteelConnect SDI-5030 gateway does not report firewalled connections in SCM.

    Condition: This issue occurs with connections that have been firewalled by the appliance.

    Suggested Workaround: None

  • SCON-16920 - SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.

    • Detailed Description:

    Symptom: SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.

    Condition: Access Point 3 and Access Point 5 directly cabled to an SDI-1030 gateway can occasionally lose link connectivity.

    Suggested Workaround: Connect the AP-3 and/or AP-5 to the SDI-1030 Gateway via a switch.

  • SCON-29836 - During power up or reboot, an SDI-130 or SDI-330 gateway can occasionally reboot multiple times in quick succession.

    • Detailed Description:

    Symptom: During power up or reboot, an SDI-130 or SDI-330 gateway can occasionally reboot multiple times in quick succession.

    Condition: SDI-130 and SDI-330 gateways can sometimes fail to detect the on-board switch during boot. When this occurs, the gateway will reboot immediately and attempt to reconnect to the on-board switch during the next boot.

    Suggested Workaround: None

  • SCON-36500 - Optimization is not working on SteelHead SD.

    • Detailed Description:

    Symptom: Optimization is not working on SteelHead SD.

    Condition: Inner channel is not established as ARP resolution for in-path gateway fail.

    Suggested Workaround: None

  • SCON-27088 - SteelConnect devices may forward traffic to incorrect VLANs or have a forwarding loop between the other virtual router.

    • Detailed Description:

    Symptom: SteelConnect devices may forward traffic to incorrect VLANs or have a forwarding loop between the other virtual router.

    Condition: This issue occurs when employing zone HA on a segment that also has other VRRP device groups. The VRRP ID used by the SteelConnect devices is in conflict with the VRRP ID being used by the external devices.

    Suggested Workaround: Change the conflicting vrrp session ID on non RVBD devices to a number greater than 50.

  • SCON-35373 - The TeamViewer application is not identified when used with some hostnames.

    • Detailed Description:

    Symptom: The TeamViewer application is not identified when used with some hostnames like IT-MIL-ANX-R016.teamviewer.com.

    Condition: Hostnames like IT-MIL-ANX-R016.teamviewer.com are used to access TeamViewer, but they are not currently present in the application identifier under the TeamViewer application. Therefore, traffic remains unknown and is blocked.

    Suggested Workaround: Create a custom application with a URL such as IT-MIL-ANX-R016.teamviewer.com. After defining the custom application, you can use it in a rule.

  • SCON-30578 - SteelHead SD appliances and the SDI-2030 gateway do not support SCM connectivity when traffic has to transit another SteelHead SD appliance or SDI-2030 gateway.

    • Detailed Description:

    Symptom: SCM connectivity is disrupted.

    Condition: This issue occurs when traffic on one SteelHead SD appliance or SDI-2030 gateway has to transit another SteelHead SD appliance or SDI-2030 gateway and NAT is disabled on the outgoing uplink of the appliance it is transiting.

    Suggested Workaround: None

  • SCON-36387 - Traffic with a source port range from 61440 to 65535 fails to get forwarded, where other traffic succeeds.

    • Detailed Description:

    Symptom: Traffic with a source port range from 61440 to 65535 fails to get forwarded, where other traffic succeeds.

    Condition: This issue occurs when incomplete rules programmed into flows switch when the backup-HA link is enabled.

    Suggested Workaround: None

  • SCON-36069 - AutoVPN flapping occurs on the SDI-5030 gateway after upgrading to 2.12.2.

    • Detailed Description:

    Symptom: AutoVPN flapping occurs on the SDI-5030 gateway after upgrading to 2.12.2.

    Condition: Some unhandled socket errors cause the data plane to restart, leading to the tunnel flaps.

    Suggested Workaround: None

  • SCON-30423 - SteelHead SD appliances and SteelConnect SDI-2030 gateways show latency spikes every 60 seconds.

    • Detailed Description:

    Symptom: Latency spikes are observed every 60 seconds.

    Condition: The garbage collection logic runs every 60 seconds. On an appliance with a large number of flows, this process ends up causing a latency spike in the data plane.

    Suggested Workaround: Increase flow reporting interval

  • SCON-36764 - Custom applications cannot match the flows against outbound and/or traffic path rules.

    • Detailed Description:

    Symptom: Traffic/flows fail to match the outbound and/or traffic path rules of type custom app.

    Condition: This issue occurs in custom applications that are created with type "IPs/Ports" and have both hostnames and IPs in them.

    Suggested Workaround: Create a separate custom application for hostnames and a separate custom application for IPs.

To view the release notes for previous versions, please visit SteelConnect support and select the version of interest.

If you have questions regarding this update, please contact Riverbed Support for assistance.