SteelConnect Manager Release Notes v2.11.1

Welcome to SteelConnect 2.11.1

The following is an overview of the changes in this release.

New features in 2.11.0

Topology discovery

Support for local subnet discovery enables discovery of routes from the LAN side of the network and distribution of those routes into the overlay with inclusion/exclusion filters. The SD-WAN fabric is aware of all dynamically learned routes on the LAN side of the remote sites. This learning avoids tedious route configurations and renders an intelligent overlay fabric.

SteelConnect and SteelHead SD support for route retraction

Support is introduced for route retraction to dynamically withdraw routes from the underlay when routes become unavailable.

ASBR full support

Support for autonomous system boundary router (ASBR) functions enable distribution of routes between different autonomous systems: for example, distribution of routes between OSPF on the LAN side and BGP on the WAN side. As part of this capability, we support route filtering and policy maps, which provide a lot of control to customers over which routes can or cannot be distributed. eBGP and ASBR functions are enablers for the CE router replacement use case in branch offices.

SteeHead SD route filtering and policy maps

SteelHead SD 2.0 supports route filtering and policy maps, which provide a lot of control to customers over which routes can or cannot be distributed. eBGP and ASBR functions are enablers for the CE router replacement use case in branch offices.

SteelConnect native VLAN support

Native VLANs are now supported on SteelConnect SDI-130, SDI-330, gateways and SDI-S12 POE+, SDI-S24 POE+, and SDI-S48 POE+ switches. This support enables smooth integration of Xirrus Wi-Fi access points with SteelConnect solutions.

Brownfield transit routing

The brownfield transit feature enables connectivity between internet-only SteelConnect sites to legacy or non-SteelConnect MPLS/underlay sites. With the SteelConnect SDI-2030 gateway and SteelHead SD appliances, more complex brownfield use cases can be supported due to advanced routing support on these platforms introduced in version 2.11.

SteelHead SD and SDI-2030 visibility enhancements

SteelHead SD 2.0 appliances and SteelConnect SDI-2030 gateways can be monitored using Health Check and are integrated into the Insights reporting tool. They also provide SNMP-based management for easy integration into external operations support systems (OSS) and network management systems (NMS).

SteelHead SD and SDI-2030 Health Check enhancements

Overlay LPM and underlay path selection

Path selection supports underlay circuits, giving customers better flexibility in selecting path preferences for application steering (for all SteelConnect platforms).

SteelHead SD and SDI-2030 Zscaler integration

Zscaler cloud security solution is supported on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances and the SteelConnect SDI-2030 gateway located at the branch. SteelHead SD appliances and SteelConnect SDI-2030 gateways also provide Zscaler support for HA deployments.

SteelHead SD and SDI-2030 uplink flow distribution

Enhanced flow distribution is introduced across multiple uplinks on SteelHead SD/SDI-2030 platforms.

Smaller Additions, Improvements, and Bugfixes

2.11.0

SCON-17537 - Symptom: When the Redis server client connections reach the maxclients count, it closes some of the connections. This causes one of the SDWC services to panic and causes the controller to restart. This disrupts the tunnels configuration and also end-to-end data traffic. Condition: This issue occurs when more than 10000 clients connect to Redis server port 6379.
SCON-22054 - Symptom: The SteelConnect Manager user interface doesn't load. Condition: This issue occurs when a zone on SteelConnect Manager doesn't have a gateway IP address configured.
SCON-22003 - Symptom: A LINK_ON_DISABLED_PORTS alert is raised. Condition: This alert is raised when the user has appliances in high availability.
SCON-21873 - Symptom: The SteelConnect Manager may generate invalid appliance configurations, preventing configuration updates from taking effect. Condition: This issue occurs when certain errors are encountered in a background batch processing job on the SteelConnect Manager. These errors are not visible to the user.
SCON-21164 - Symptom: After an upgrade or a factory reset, the SNMP or remote syslog configuration is not applied by a SteelHead SD appliance or a SteelConnect SDI-5030 gateway. Condition: After an appliance undergoes a factory reset or a firmware upgrade, it receives the remote syslog and SNMP configuration from SCM. But the appliance intentionally skips applying these settings because the service VMs have not yet been created. Once the appliance is online and up-to-date, a subsequent configuration change will automatically make the appliance apply the pending remote syslog/SNMP configuration. This is applicable for: 1. Remote syslog on SteelHead SD appliances and the SteelConnect SDI-5030 gateway. 2. SNMP on SteelHead SD appliances only.
SCON-20983 - Symptom: Multiple zones might have the same unique ID. Condition: When the cc-user ID-unique flag is turned off, certain race conditions (for example, concurrent REST API calls) might lead to multiple zones with the same unique ID.
SCON-20917 - Symptom: The uplink table does not show a valid status, but a page refresh does. Condition: If SCM does not receive statistics on an uplink, the uplink table row does not get refreshed. When switching DHCP to or from static IP, the SCM stops getting new uplink statistics. The status is therefore never updated.
SCON-21365 - Symptom: Ulogd floods the gateway log with error messages stating "Resource not available" when trying to report flows to the SCM. Condition: High level of traffic is going through the appliance while flows simultaneously need to be reported to the SCM.
SCON-21601 - Symptom: The customer cannot upgrade the appliance after USB provisioning is done with static configuration. Condition: Updating an appliance to recent versions (2.10.1) fails when the customer is using USB provisioning with static configurations. The out-of-the-box appliance has the factory image, which is 1.12, and we are plugging in a USB with static configuration. The upgrade fails when we try to connect the appliance to SCM in order to upgrade.
SCON-21656 - Symptom: On gateways, syslog shows a large number of "ulogd[pid]: Failed to write to event socket, closing: Resource temporarily unavailable" or "ulogd[5087]: Failed to connect to event socket: Resource temporarily unavailable" messages. Condition: System is under load.
SCON-21506 - Symptom: Health Check shows a single SDI-5030 gateway as degraded when the cluster port is offline or not in use. Condition: A SDI-5030 gateway deployed in single appliance configuration.
SCON-21420 - Symptom: When a Classic VPN remote network conflicts with a subnet in a SteelConnect zone, a 1:1 NAT can be applied to the remote network to resolve the conflict. Condition: A routing bug caused the NATed traffic to be routed to the SteelConnect zone instead of the remote network.
SCON-21438 - Symptom: The uplink is considered down, and routes towards the uplink are withdrawn. Condition: The reflector service (rfl.x.riverbed.cc) is not reachable on the uplink.
SCON-20348 - Symptom: The service core was restarted, the SCM service was restarted, and tunnels were re-created. Condition: Flow records show a huge number in the service core before the overflow error message.
SCON-20332 - Symptom: An SNMP response is seen on the gateway WAN interface for release 2.11 where SNMP services are meant to be available on LAN interfaces only. Condition: A network element sends an SNMP request on the gateway WAN interface.
SCON-20330 - Symptom: HA failover is unsuccessful and can result in HA flaps. Condition: A backup uplink is configured in the SteelConnect Manager, and a conservative ping profile is used. The primary uplink is offline and only the backup uplink is online when failover to the node occurs.
SCON-20317 - Symptom: The SteelConnect SDI-2030 gateway takes more than 4 minutes for the rebooting process. Condition: This issue occurs when upgrading or when a factory reset requiring a reboot is sent to the appliance.
SCON-20391 - Symptom: In rare cases, Zscaler/Cloudi-Fi tunnels go down and do not recover until they are manually restarted or the appliance is rebooted. Condition: Zscaler/Cloudi-Fi are in use, a related configuration change is made, and additional rare circumstances are being met.
SCON-20706 - Symptom: Incorrect routing decisions in HA setups can cause traffic to be blackholed. Condition: The HA backup appliance and client experience connectivity loss when HA failover occurs during a WAN outage where that WAN was previously up on the new HA master appliance.
SCON-19916 - Symptom: Syslog messages sent to a remote server do not contain the PRI field, as required by RFC 3164. Condition: This issue may prevent the proper function of syslog filters, which rely on the priority field.
SCON-19850 - Symptom: The SDI-5030 gateway would see tunnel flaps caused by an internal process restarting. Condition: When exceeding 60,000 flows (30,000 TCP connections) on a data plane instance, an artificial memory limit was reached.
SCON-19836 - Symptom: Tunnels are reported as offline on SCM. Condition: The statistics reporting service in the SteelConnect SDI-5030 gateway never finished activation due to which the system, port, and tunnel statistics were never reported to SCM.
SCON-20263 - Symptom: If an HA pair is deployed with AutoVPN disabled on the pair, the configuration push fails for that pair of appliances.
SCON-20158 - Symptom: In Insights, the uplink ID is missing and there is no flow reporting so there are no statistics available. Condition: This issue occurs when the uplink is in a VLAN. The VLAN UIN was not carried forward.
SCON-20090 - Symptom: In prior versions to the 2.11 SCM, attaching an uplink to the BGP appliance was a requirement and part of the setup. Condition: The configuration is not necessary in this section.
SCON-20278 - Sometimes the ICA Citrix traffic can get reclassified to TCP.
SCON-20215 - Symptom: SteelConnect Manager does not use the latest application pattern definitions and is unable to display them on the Applications page. Condition: SteelConnect Manager is not able to use the latest definitions of application patterns when an update of the patterns fails.
SCON-20051 - Symptom: A SteelConnect SDI-1030 gateway goes offline. Logs are unavailable after failure. Condition: This issue occurs rarely, and generally affects backup HA appliances.
SCON-19958 - Symptom: Certain tunnels to an SDI-5030 site went down. Condition: If two interfaces on an SDI-5030 gateway are configured with addresses in the same subnet, and one of the interfaces goes down, the routing process might crash when trying to move traffic to the other interface. The 5030 is then not advertising all its interfaces via BGP.
SCON-19938 - Symptom: The SteelConnect 3070-SD appliance takes more than 30 minutes to reboot. Condition: Some of the raid device processes take too long to finish during reboot, and the timeout parameter that forces the kernel to reboot the appliance is set to 30 minutes.
SCON-20057 - Symptom: When the user tries to access HealthCheck > Routing Tables under a small screen resolution, the tables drawn on the screen overlap with each other, making it difficult to read a few details on the screens. Condition: This issue occurs when HealthCheck > Routing Tables is accessed in different screen resolutions.
SCON-19655 - Symptom: Organization migration was failing for organizations that have SteelHead SD appliances in version 2.10.x. Condition: This issue occurs when trying to migrate the organization with export/import functionality on SCM that contains SteelHead SD 570-SD, 770-SD, and 3070-SD appliances.
SCON-19752 - Symptom: On an SDI-130W appliance, the radio state is not displayed in SCM. Instead, SCM shows the "Radio state not reported recently" message. Condition: SSID and Broadcast are configured on SDI-130W.
SCON-19698 - Symptom: When filtering the Traffic Timeline report by zone, the data is not displayed. Condition: When searching by zone in the Traffic Timeline report, the data was not displayed.
SCON-19502 - Symptom: Traffic flowing through Zscaler tunnels on SteelHead SD appliances is interrupted during an IPsec tunnel rekey with the Zscaler Enforcement Nodes (ZENs). Condition: During an IPsec rekey, StrongSwan sends a delete notification for the old tunnel security association (child-SA) as soon as the SteelConnect control plane receives new keys to replace the old keys. The delete notification goes out before the control plane has enough time to establish the keys for the new tunnel in the data plane. While the control plane is establishing the new keys in the data plane, the data plane continues to use the old keys. However, because StrongSwan has already sent a delete notification for the old tunnel security association (child-SA), a ZEN peer will drop any packets still using the old key. This will cause a traffic interruption until the new keys are received by both the control and data planes.
SCON-22790 - Symptom: Previously, newly created sites would not be properly geolocated and could show up in the wrong place on the Google map. Condition: Newly created sites may not have shown up in the right place on the Google map.
SCON-22784 - Symptom: The subnet common to the split site is reachable only through one of the sites in the split group. Condition: This issue occurs when the community topology discovery filter is configured in a site after receiving the overlay routes from the other member of the same split group.
SCON-15105 - Symptom: After updating a traffic rule, the DSCP values for outbound traffic reflect the update but DSCP values for inbound traffic do not. Condition: After updating a traffic rule, the DSCP values for outbound traffic reflect the update but DSCP values for inbound traffic use outdated, cached values.
SCON-14949 - Symptom: Longest Prefix Match (LPM) routing always prioritized the overlay WAN path before the underlay. Condition: The traffic rules did not include an option to prioritize the underlay as the preferred WAN path. Underlay is now included as a WAN path preference option.
SCON-14056 - Symptom: A mismatch occurs between health check path quality (Health Check > Overlay > PQ) and dashboard path quality statistics. (Choose Dashboard and click tunnel to display Tunnel Statistics Details, and then scroll to Path Quality). Condition: Based on appliance statistics reporting, if the number of path quality samples reported is more than 1, it leads to a mismatch between the health check path quality (Health Check > Overlay > PQ) and dashboard path quality statistics.
SCON-10897 - Symptom: DSCP tags are not updated based on traffic rules matching an application classification for internet traffic. Condition: A flow must hit a traffic rule that has an action of setting a DSCP tag, matching on the first packet. Further rules matching the flow based on Layer 7 or flow classification, which should also update the DSCP tag, do not take effect.
SCON-12479 - Symptom: Configured static routes on SDI-5030 do not take effect. Condition: This issue only affects SDI-5030 devices.
SCON-12714 - Symptom: The appliance configuration state remains frozen at "Shipped" in SCM. Condition: In rare occasions, after writing data to the files in the /storage partition, the file system switches to read-only mode because of a bitflip in an erased page, which prevents saving newer configurations shipped from SCM.
SCON-10288 - Symptom: The SteelConnect SDI-5030 gateway cluster health toggles between offline and healthy. Condition: This issue occurs when the SteelConnect SDI-5030 gateway nodes are unsynchronized with the NTP server because the NTP service isn't started on SVMs or the NTP configuration isn't correct.
SCON-11487 - Symptom: The SteelConnect Manager upgrade process takes a long time. Condition: The SteelConnect Manager upgrade process is affected by the number of users on the system. In cases where the number of users exceed 300, the upgrade process can take an unusually long time.
SCON-18296 - Symptom: RBAC users are unable to add an appliance that was previously deleted. Condition: This issue occurs when an appliance is deleted from a given organization and an RBAC user tries to add the appliance with the same serial number to any other organization.
SCON-19072 - Symptom: Clicking an On or Off button to toggle a rule or an uplink causes a slow response with no indication that SteelConnect is processing the action. Condition: SCM can be slow to respond to an On or Off action in a large-scale SteelConnect deployment. The On or Off button is now disabled while processing an action and reenabled after the action is complete.
SCON-19034 - Symptom: A transfer network added to multiple WANs (or multi-uplinks in the same WAN) is not getting configured for all applicable WAN interface paths on the appliance. Condition: Configure the same transfer network in more than one WAN.
SCON-18525 - Symptom: Generating the Zscaler configuration fails if there is a wide character in the site name. Condition: 1. Have a site with a wide character in its name (HeadquartersEUR). 2. Go to Zscaler, and click Download Config. 3. Click either Download VPN credentials or Download locations. 4. Observe no CSV file is generated and the screen hangs.
SCON-18355 - Symptom: The number of tunnels reported on the Health Check Overlay Routes page is inaccurate. Condition: This issue occurs when a Zscaler WAN is enabled. The Zscaler tunnels are not included in the Health Check Overlay Routes page.
SCON-18595 - There were multiple scenarios under which an SDI-5030 cluster upgrade would fail. The cluster upgrade process was overhauled to be more robust.
SCON-18590 - Symptom: The browser cache is not updated to the latest version of JavaScript files. Hence the application is having console errors. Condition: This issue is seen while upgrading from SCM 2.9.1.
SCON-18382 - Symptom: The firmware upgrade rules under Organization -> Maintenance allow end users to add non-site tags also. Condition: 1. Create a site. 2. Create a registered device and assign it a new tag. 3. Go to the maintenance page and create a "Schedule rule" by clicking Add schedule. 4. The Site Group drop-down menu shows a newly created device tag as well.
SCON-18350 - Symptom: With a large number of traffic path rules configured, it may take a bit longer to process the configuration on the gateway. Condition: There may be some delay in the configuration to take effect.
SCON-18504 - Symptom: The OSPF configuration for a tagged uplink interface has an incorrect interface name. Condition: This issue occurs when an uplink is tagged with a VLAN ID.
SCON-18505 - Symptom: The BGP configuration for a tagged uplink interface has an incorrect interface name. Condition: This issue can occur when the uplink is tagged with the VLAN ID.
SCON-18462 - Symptom: Due to a regression in the upgrade module in releases 9.7.0 and 9.7.0a, customers running 9.7.0 and 9.7.0a need to upgrade to 9.7.1 before performing In-Field Upgrade to 2.11.0. Condition: This issue affects RiOS 9.7.0 and 9.7.0a only.
SCON-18249 - Symptom: The WiFi Planner allows saving the radio power as part of a plan, but when reopening the plan to deploy another AP, this power setting does not get loaded or used. The Planner appears to set an arbitrary value of its own choosing each time the plan is edited. Condition: 1. Create a new wireless plan, and add a new AP. 2. Change the radio power on the AP to some other value than the default. 3. Save the plan, and exit the planner. 4. Open the saved plan in the planner again. The updated power value is not reflected by the AP in the plan.
SCON-19118 - Symptom: When a user tries to see the current device status under Devices > Registered, the status of the device shown is not consistent. Condition: The user is not shown a consistent status that the device is currently in. For instance, though the device is Active with traffic flowing, it could be showing Inactive.
SCON-18876 - Symptom: The Overlay Routes page can show out-of-date data when an appliance is removed from a site and no new appliance is added to that site. Condition: If two sites have assigned appliances (for example, Site A is assigned Appliance A and Site B is assigned Appliance B), this issue occurs when both appliances are removed completely from the realm, where Site A is deleted and Site B remains without an assigned appliance.
SCON-19321 - Symptom: With a dual hub configuration, the internet traffic for a leaf site does not follow breakout preferences when the configured breakout site is a non-hub site. Condition: Add a remote internet breakout preference for the leaf site of a dual-hub, and select a non-hub site as the breakout site for the leaf-site.
SCON-18836 - Symptom: A process crash occurs on SteelHead SD 770-SD when learning routes. Condition: This issue occurs when learning underlay routes via the dynamic routing protocol.
SCON-19238 - Symptom: A large increase in volume of logging with dubious diagnostic value is seen when NetProfiler is enabled. Condition: NetProfiler is enabled.
SCON-18906 - Symptom: The SteelHead Connector process crashes with coredump. Condition: This issue occurs when SteelHead is connected to a LAN-side gateway with the SteelHead Compatibility feature enabled.
SCON-19162 - Symptom: A zone-based remote internet breakout for a leaf site is not working when a single-hub site is the breakout site. The internet-bound traffic from the leaf site gets dropped in the hub site. Condition: Configure the zone-based remote internet breakout rule for the leaf site with a single hub as the breakout site.
SCON-18807 - Symptom: The UI allows configuring an alternate hub for a site containing an SDI-5030 cluster. Condition: The alternate hub configuration is not supported for SDI-5030, and configuring as such can lead to unknown behavior.
SCON-19023 - Symptom: With Zscaler or Cloudi-Fi enabled, the SteelHead SD appliance or SDI gateway tunnel status is incorrectly reported as online while the appliance or gateway is reported as offline by SteelConnect Manager. Condition: SteelConnect Manager incorrectly selects the last reported status of the tunnel for the SteelHead SD appliance or SDI gateway that went offline.
SCON-17616 - Symptom: Google Project Zero has reported vulnerabilities in x86 CPUs that are now known as Spectre and Meltdown. Condition: Data security is compromised when more than one customer is using the same CPU in a virtualized environment.
SCON-18076 - Symptom: SCM UI does not allow split-site configuration to pick a site that is already configured to be a part of dual-hub configuration. It is valid for a site to be part of a split-site configuration and a dual-hub configuration. Condition: This issue only happens when a site is already part of a dual-hub configuration and then you attempt to configure a split site. To workaround this issue, first configure a split site by selecting those sites to be a part of the split-site group and then configure dual hub by selecting the site that is already in a split-site group.
SCON-17717 - Symptom: Some route tables created by Riverbed internally keep hanging even after undeployment is completed for the site. Condition: This issue occurs when triggering a routing mode change immediately after the cloud site deployment finishes.
SCON-17725 - Users using the SteelHead SD uplink IP and port 61444 to reach the controller VM shell is now reachable using default SSH port 22. Port 61444 is no longer open.
SCON-17551 - Symptom: The reverse SSH tunnel disconnects. Condition: Every 5 minutes or so, the reverse SSH tunnel disconnects.
SCON-17437 - Symptom: Tunnel creation fails for a site. Condition: This issue occurs when the site under observation is converted from a cluster site to a non-cluster site.
SCON-17332 - Symptom: A NIC is stuck in standard-nic mode; bypass is not available. This issue persists into remanufacture as SteelHead. Condition: Certain NICs change to standard-nic mode at every reboot.
SCON-17017 - Symptom: Traffic from the leaf site towards the hubs does not honor the hub priorities in a path failover scenario when there is traffic rule match. Condition: This issue occurs in a hub-and-spoke topology with dual hub and leaf sites connected on hybrid WAN.
SCON-17030 - Symptom: After changing a management zone's VLAN tag, tunnels to gateways using that management zone go offline. Condition: The issue arises when changing an existing management zone's VLAN tag. The flaw is in the update logic only, so a workaround is to reboot the impacted appliance(s).
SCON-16878 - Symptom: When configuring the ping gateway feature for a WAN, sites with uplinks configured for DHCP would not use the next hop gateway for ping check. Condition: The uplink for the WAN with ping gateway enabled would have to be configured to obtain its IP address using DHCP. Statically assigned uplinks are not affected.
SCON-17109 - Symptom: Detailed information about the default gateway for an uplink with a DHCP address on the 130, 330, and 1030 SDI appliance is not properly collected or displayed in the SCM.
SCON-16545 - Symptom: The port name and speed overlap on the Ports page. Condition: This issue occurs when the name exceeds six characters.
SCON-16386 - Symptom: The appliance is toggling between online and offline on SCM. Condition: This issue occurs if there is an intermittent network connectivity issue between CVM and SCM. Specifically, if the CVM is not able to talk to SCM for 60 seconds, then SCM marks the appliance offline. If the connectivity restores after 60 seconds, then SCM marks it online again. If this network issue keeps repeating, then the appliance appears to toggle between offline and online on SCM.
SCON-13478 - Symptom: Tunnels are down. On the routing virtual machine, the user cannot log in to the zebos imish interface. Condition: This issue can occur when trying to change the interface IP address from SCM.
SCON-13307 - In certain scenarios, the data plane process in an SDI-5030 gateway would crash, causing a certain subset of tunnels to an SDI-5030 site to flap.
SCON-13184 - Symptom: The SDI-5030 gateway stopped advertising routes for a subnet residing in more than one zone. Condition: When a subnet residing in multiple zones is deleted from one zone, the SDI-5030 gateway stops advertising the route for that zone.
SCON-16210 - Improved security for VLAN autotrunking.
SCON-16086 - Symptom: A logic error in the routine that searches for flow-table matches might result in multiple redundant searches through the table. When this error occurs, the CPU utilization might rise, the system might become less responsive, and packet drops might be observed. Condition: This error is likely to occur when the flow table is full or nearly full. A full flow table is indicated by the log messages: flows_cmd_dequeue_state: create flow fails since match table is full.
SCON-15919 - Symptom: An example configuration for PXE boot was not working. Condition: Fixed the configuration generation for PXE boot.
SCON-15745 - Symptom: Cloudi-Fi tunnels are not shown on the Troubleshooting page. Condition: Cloudi-Fi is enabled but Zscaler is not enabled.
SCON-15214 - Symptom: Custom applications using a port range were not supported by the SDI-5030. Condition: If the user creates a custom application with IP/port or zone type using a port range and creates a traffic rule with this custom application, it is now honored by SDI-5030 appliances.
SCON-15357 - Symptom: Upgrading a SteelConnect Manager or SteelHead SD appliance that has an MTU size greater than 1500 bytes will change the MTU setting to the maximum size: 1500 bytes per frame. Condition: SCM allows you to change the uplink MTU (Network Design -> Uplinks -> Settings tab) to a maximum value of 9586.
SCON-12898 - Symptom: A tunnel shows the status as "online" for a maximum of 10 minutes when there is no stats report from either of the tunnel endpoint gateways. Condition: This issue can only occur when both gateways are down at the same time. In this case, the tunnel status remains online for 10 minutes.
SCON-8073 - Symptom: Error message appears in syslog: "Keepalived_vrrp: Netlink: filter function error." Condition: This error can occur during the HA failover process.
SCON-7596 - Symptom: Uplinks appear to be down despite having connectivity. Condition: This problem can occur when intermediate routers pin the liveness ping test traffic to the wrong route. Because the ICMP ID of the test traffic never changes, the test traffic stays pinned to the wrong route even after routing tables and rules have been corrected.
SCON-16381 - Symptom: Zscaler or Cloudi-Fi automatic node selection is not performed. Condition: This issue occurs when the Zscaler or Cloudi-Fi cloud is changed.
SCON-14307 - Symptom: When you click a tunnel in the Dashboard to display the Tunnel Statistics Details page, the total throughput for inbound and outbound traffic displayed in bold is not the total of the individual throughput values shown. Condition: The total throughput shown in bold in the Tunnel Statistics Details page are not refreshed. This behavior can lead to a confusion when you look at the throughput numbers displayed in bold.
SCON-25120 - Symptom: A timeout of the Virtual Router Redundancy Protocol (VRRP) check script, which is checking for external triggers, is interpreted by keepalived as a fault condition and a failover is triggered. Condition: This issue occurs when HA systems are under high load.
SCON-25112 - Symptom: VoIP phone calls from the LAN side of the gateway are interrupted after HA failover. Condition: This issue occurs when HA failover is initiated between VoIP calls.
SCON-18587 - Symptom: In rare circumstances, an IPv6 route update causes an appliance to reboot with a kernel backtrace indicating a crash in fib6_walk_continue(). Condition: Typically, this issue only happens when there is a combination of heavy traffic and a significant number of configuration updates. While it only impacts the IPv6 routing table, it can occasionally be seen when uplinks do not have IPv6 enabled. With the fix, a backtrace is logged to indicate that a process may have had a temporary issue reading the IPv6 routing table and the appliance no longer reboots.
SCON-12188 - Symptom: SteelHead SD doesn't talk to SCM while connecting through another SteelHead SD. Condition: When a branch SteelHead SD appliance using an MPLS-only uplink tries to reach SCM through another branch SteelHead SD appliance using an internet uplink, it is unable to communicate with SCM.
SCON-22162 - Symptom: The SCM UI displays the wrong information under the Usage column on the Uplinks page. Condition: This issue occurs when an uplink is configured for local internet breakout and attached to a WAN that doesn't have a default gateway setting.
SCON-14486 - Symptom: Traffic to uplink networks follow the internet breakout preference instead of routed correctly to the uplink network. Condition: This issue occurs on a configuration with hybrid WAN (internet and MPLS).
SCON-21886 - Symptom: The appliance reboots with a kernel backtrace indicating a crash in xfrm_validate_rev(). Condition: Typically this issue is only seen when there is very heavy traffic on AutoVPN tunnels.
SCON-17962 - Symptoms: LAN port link states do not match the actual state of the link, or LAN port statistics report random data or no data at all. Condition: This is a very rare occurrence reflecting an unexpected hardware state in the appliance.
SCON-22792 - Symptom: AutoVPN tunnel flaps on SteelConnect SDI-5030 gateway. Condition: This issue occurs when updating the community filter for topology discovery under Network Design > Sites > Local Subnet Discovery.
SCON-20030 - Symptom: REST API reveals the appliance console password configured on the Organization > Console login page even if the RBAC user doesn't have permission on that page.
SCON-14315 - Symptom: Wrong memory allocations to certain SteelHead processes resulted in critical process failures on SteelHead SD. Condition: We've fixed these memory allocation problems on 2.11.0. The SteelHead SD process is not going to run out of memory on a high number of optimized connections.
SCON-18212 - Symptom: After failover, Zscaler tunnels are down. Condition: When Zscaler is used in an HA environment and a failover occurs, Zscaler tunnels are not reestablished.
SCON-20273 - Symptom: In SCM, all possible traffic-path inbound-rule selections are not validated. Condition: In SCM, when creating traffic path rules with particular settings, validations for some selections are not occurring.
SCON-25224 - Symptom: When WAN optimization is enabled on SteelHead SD 2.0 and the appliance sees traffic from certain Microsoft applications (such as Windows Store), the service_core can segfault. The customer sees this behavior as an uplink and/or tunnel flap at that appliance. Condition: Certain Microsoft applications use HTTP as their application layer protocol for all data transfer. As part of HTTP, they use HTTP request pipelining (where multiple HTTP requests are sent using a single TCP connection), and these HTTP requests contain different hostnames. This scenario causes the service_core to segfault when it receives multiple hostnames as part of the SteelHead compatibility application identification information from the SteelHead-v.
SCON-19821 - Symptom: In some cases, tunnel statistics between an appliance and an SDI-5030 gateway can be missing in the UI for up to four hours following an upgrade. The tunnel is functioning normally and the issue resolves itself when the tunnel is rekeyed. Condition: The issue can occur whenever the AutoVPN node in the cluster changes multiple times in a short period of time, which is not unusual during an SDI-5030 upgrade. This issue can also rarely occur during normal failovers or reassignment.
SCON-21052 - Symptom: Tunnels go down when sysdump collection is triggered. Condition: When sysdump collection is triggered for an appliance, debug commands for the flow's vSwitch are enabled before starting the data collection, and they're disabled after the sysdump has been generated. In case the sysdump collection fails, the debug commands were not being disabled. During heavy traffic scenarios, this behavior can introduce high latencies and even cause the tunnels to go down.
SCON-20466 - Symptom: Memory pressure results in the appliance going offline. Condition: Under high workloads, memory pressure can result in the appliance getting disconnected from SCM.
SCON-19872 - Symptom: The Redis database uses a lot of memory in buffering reporting statistics to SCM. This can cause low memory issues on the appliance, causing a reboot of the appliance. Condition: When SCM processes flow reporting statistics with a delay, a reboot of the branch appliance can occur because of a backlog of reportint statistics.
SCON-17283 - Symptom: WAN and Internet traffic rules, with the pass-through flag set, causes the gateway to drop the WAN and Internet rules. Condition: When the pass-through flag is set on traffic rules with WAN and Internet specified, the gateway to drops the rule.

2.11.1

SCON-22359 - Symptom: When an uplink is configured as the backup uplink on SteelConnect Manager, the traffic may take the backup uplink even if the active uplink is up. Condition: This issue can occur because SCM does not generate routing rules that consider the active and backup status of an uplink.
SCON-25075 - Symptom: Users are unable to create split-site/dual hub with the site having supported devices and switches or access points. The fix for the bug would be ignoring switches and access points from the site before processing supported devices for split-site/dual-Hub. As per the documentation, the SDI-130 gateway, the SDI-330 gateway, and SteelHead SD appliances won't support split-site/dual hub functionality: https://support.riverbed.com/bin/support/cdndoc/steelconnect/2.11/sc_ug_html/index.html#page/SteelConnect%2520Manager%2Fdatacenters.html%23ww481322 Dual Hub Supported Devices: Dual hubs are supported on SDI-1030, SDI-2030, and SDI-5030 gateways or SDI-VGW virtual gateways acting as the hub devices. You cannot configure an SDI-130 or SDI-330 gateway or a SteelHead SD appliance as a hub device. Split Site Supported Devices: Split sites are supported with SDI-2030 and SDI-5030 data center gateways and SDI-VGW virtual gateways. You cannot configure split data centers using an SDI-130, SDI-330, or SDI-1030 gateway or a SteelHead SD appliance as the split data center appliances. Any gateway or SteelHead SD appliances can be deployed at the remote site connected to the split data center sites. Condition: The Member Preference drop-down under the Create Split-Site/Dual-hub page was not showing sites, which has supported devices and switches/access points.
SCON-23139 - Symptom: Packet loss is seen after an appliance in an HA deployment recovers. Condition: Consider the following scenario: 1. HA deployment with asymmetric uplinks. 2. One of the appliances in the HA deployment is down. 3. The uplink of the preferred WAN is owned by the appliance that is down. In this scenario when the appliance that owns the preferred WAN comes back up, we see packet loss for the next 30 seconds.
SCON-22987 - Symptom: "Found new device" events are inconsistently missing site information in the References column for SCMs. Condition: While generating the event job(lfmeta_org_device_info, triggers every 19 seconds) is missing Node(Device) and Site info. This information will be available only after job(lfmeta_nodestats_maclists, triggers every 15 mins) gets completed. However, we don't have logic/code to read the events after processing the device information. To fix this issue, we have updated the $oid.'_neigh=' landfil hash with node_id info, which reads this info while triggering an event instead of waiting for job(lfmeta_nodestats_maclists, triggers every 15 mins) to get completed.
SCON-23042 - Symptom: Unable to create a new gateway assignment under the Gateways tab while editing zones. Condition: Unable to create a new gateway assignment under the Gateways tab while editing zones when the manual IPv4 address is incorrectly entered, even though the Automatic IPv4 address option is selected.
SCON-23396 - Symptom: When a user with the org-admin role requests an uplink update using REST API, "org => 'undef'", the request is getting sent to DragonPut when compared to UI operation. When the '_retrieve_organization' method receives the org => 'undef' value, its returning organization value is 'undef', which causes a "permission denied" error message. The fix for the issue is to fetch the organization value by passing rule information and sending this retrieved value to DragonPut. Condition: This issue occurs when a user with the org-admin role requests an uplink update using REST API, "org => 'undef'", the request is getting sent to DragonPut when compared to UI operation.
SCON-23380 - Symptom: LPM route lookup prefers the WAN transfer network over the local zone. Condition: This issue occurs when configuring SteelConnect zones as a WAN transfer network.
SCON-22596 - Symptom: Traffic leaks to the internet. Condition: This issue occurs when fallback is off and the RouteVPN tunnels are down.
SCON-22556 - Symptom: When BGP reloads the configuration, it always sends a session established event even if session that was established a long time ago. Condition: This issue occurs during a BGP configuration change.
SCON-26937 - Symptom: Unable to add a gateway for /31 and /32 IPv4 addresses. Condition: All broadcast and network addresses are restricted to be configured as a gateway, but for /31 and /32 IPv4 addresses there are no available hosts. Customers who had previously configured them get a flag error in Network Design > Zones > IP > IPv4 Gateway(widget).
SCON-25647 - Symptom: Devices are getting registered for AWS and Azure accounts through SCM polling. Condition: This issue occurs when deploying a large number of devices for Azure/AWS sites. SCM polls directly to those devices and start registering them on SCM. Due to this large number of devices getting registered on SCM, the generated configuration becomes much bigger. Also, SCM is not removing these devices once they are not in use. This configuration is becoming too large for the AP5 gateway and it causes a crash.
SCON-17929 - Symptom: The delete option is not enabled if the gateways are not associated with any organization or site. Condition: Create an AWS/Azure site and delete the organization. This will create an orphaned appliance in realm.
SCON-17532 - Symptom: A new SteelConnect security group name cannot be created if the existing security group doesn't have creator tags on them. The filtering for cleanup of a security group is based on the creator tags. The AWS security group name should be unique in VPC. Condition: This issue occurs when old SteelConnect security group tags are deleted.
SCON-15225 - Symptom: The DHCP client from the remote zone does not receive an IP address. Condition: The remote site LAN tag has the same tag as the one from the DHCP server site.
SCON-22492 - Symptom: Internet-bound traffic takes the backup uplink when it is sent over a tunnel. Condition: When there are two uplinks (for example, primary and backup) configured with internet breakout preference, the internet-bound traffic takes the backup uplink when it is sent over a tunnel.
SCON-22457 - Symptom: Sporadic brief (up to a few seconds) interruptions of zone-to-zone traffic occurs. These interruptions are especially noticeable with VoIP traffic. Condition: HA is configured to use the management zone instead of a dedicated HA link.
SCON-17597 - Symptom: SCM services are unavailable. Condition: This issue occurs when more than 100 orgs are configured on a single SCM.
SCON-25258 - Symptom: A crash dump is not saved on SDI-1030 gateways, preventing analysis. Condition: This issue occurs during a kernel crash.
SCON-25228 - Symptom: Sometimes LLDP does not add type 3 TLVs to LLDP packets on autotrunking-enabled ports after start-up. This leads to the autotrunking feature not becoming active. Condition: A potential start-up race condition during configuration can trigger this issue.
SCON-25606 - Symptom: CPU usage for the ribd process is high and routing-svc is stuck. This issue can lead to failure when configuring any routing-related configuration and reporting learned routes. Condition: The SDI-330 gateway with the issue has BGP configured, but the neighborship isn't established.
SCON-21387 - Symptom: AutoVPN tunnels reported on the dashboard are less than the expected number of tunnels. Condition: Offline VPN tunnels do not get reported on the SCM dashboard for SDI devices.
SCON-26171 - Symptom: If the inventory configuration is not updated, the appliance gets a configuration without the inventory information. The LAN ports may be down or unconfigured. Condition: When creating a virtual gateway, the inventory update request may fail.
SCON-25282 - Symptom: Sometimes Cronimon does not select the third hop into the WAN as the ICMP target. The target remains set to the default value of 8.8.8.8. Condition: This issue can be caused by various triggers, such as the interface is not up when Cronimon tries to determine the third hop into the WAN.
SCON-22761 - Symptom: The appliance tries to establish Zscaler/Cloudi-Fi tunnels over an offline uplink, even though an online uplink is available. Condition: A site has uplinks into multiple WANs. All of the site's uplinks into one of these WANs are offline. All of the site's uplinks that are online belong to the WAN, which have a lower priority than this WAN. The internet WAN has the highest priority; any other WANs follow the organization's WAN usage preferences.
SCON-26594 - Symptom: HA failover triggers when a zone is added at a different site. Condition: This issue occurs when any network configuration change occurs, such as adding a new zone to a remote site.
SCON-26173 - Symptom: After registering an SDI-S24 shadow appliance, the device appears in the UI with a reduced number of ports available for configuration. Condition: This issue is caused by a timeout during appliance registration when there are a large number of registered appliances in the organization.
SCON-22577 - Symptom: DNS requests are getting rejected. Condition: The internet uplink is down, and the static uplink is up.
SCON-26534 - Symptom: A network outage occurs due to missing rules for the local network after an HA state change. Condition: This issue occurs after an HA state change.
SCON-22377 - Symptom: The appliance gets stuck in the configuration pending state. Condition: The appliance fails to load the custom SSH configuration, which causes failures while applying SCM configuration, and the appliance gets stuck in the configuration pending state.

Known Issues

SCON-20246 - The Appliance Health page displays faults in the Management Interfaces.

Detailed Description: Symptom: The Health Check status for an appliance incorrectly shows a fault under Alarm status. Condition: The uplinks connected to the appliance are configured with static IPs.

Suggested Workaround: None

SCON-22988 - Xirrus access points stop forwarding DHCP packets to SteelConnect gateways.

Detailed Description: Symptom: After a period of time, clients stop getting DHCP replies. After troubleshooting, the client creates DHCP requests but the gateway doesn't receive the reply. TCP dumps indicate the client is sending the request but it doesn't make it past the Xirrus access point. 11:19:57.210175 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:18:98:24:e2:42, length 300 11:20:06.004887 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:18:98:24:e2:42, length 300 11:20:14.160589 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:18:98:24:e2:42, length 300 Other times, the gateway receives DHCP packets and does not respond. Rebooting the gateway or access point fixes the issue. Condition: This issue occurs with Xirrus access points on a SteelConnect network. Native VLAN is not enabled and there is a simple 1VLAN link from the switch to the Xirrus access point.

Suggested Workaround: reboot gateway or AP

SCON-23012 - Traffic is not routed to Zscaler or Cloudi-Fi.

Detailed Description: Symptom: Traffic is not routed to Zscaler or Cloudi-Fi. The gateway's syslog contains the error messages "Unable to create rule" and "Unable to apply routing rule." Condition: Zscaler or Cloudi-Fi is being used, and SCM has been upgraded from an earlier version.

Suggested Workaround: This issue can be fixed in any affected SCM. Please contact support.

SCON-14657 - Passive FTP data traffic is not classified as FTP.

Detailed Description: Symptom: Passive FTP connections are displayed as an unclassified application in Insights.

Suggested Workaround: None

SCON-19297 - Fixed an issue that caused remote logging to fail.

Detailed Description: Symptom: SteelConnect SDI gateways occasionally fail to initiate remote logging even though the feature is enabled. Manually restarting the remote logging service fixes the issue. Condition: A race condition initiating the remote logging service would occasionally cause it to exit prematurely, leaving remote logging disabled on the impacted appliance.

Suggested Workaround: Manually restart the remote logging service, (rsyslogd).

SCON-16920 - SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.

Detailed Description: Symptom: SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway. Condition: Access Point 3 and Access Point 5 directly cabled to an SDI-1030 gateway can occasionally lose link connectivity. The workaround for this issue is to connect the Access Point 3 and Access Point 5 to the SDI-1030 gateway via a switch.

Suggested Workaround: None

SCON-16680 - SCM inadvertently exported intra-site traffic to Insights

Detailed Description: Symptom: Insights reports display traffic for "Unnamed Uplink: 0" Condition: On affected versions, intra-site traffic will be reported.

Suggested Workaround: None

SCON-15618 - warmStart traps (1.3.6.1.6.3.1.1.5.2) are not triggered.

Detailed Description: Symptom: warmStart traps are not seen in the SNMP Manager when an agent re-initializes without a config change.

Suggested Workaround: None

SCON-15458 - SNMP operations such as GET/WALK are not supported for non-physical interfaces.

Detailed Description: Symptom: SNMP get/walk returns values for virtual interfaces used internally by the appliance. These devices will look like vtiX_X_X or ovsXXXX. Traps like LinkUp(1.3.6.1.6.3.1.1.5.4)/LinkDown(1.3.6.1.6.3.1.1.5.3) related to these devices can be safely ignored.

Suggested Workaround: None

SCON-8048 - SCM sends the same user ID to Insights after deleting the user or device.

Detailed Description: Symptom: A deleted user continues to be displayed on the user-related reports on Insights. Condition: After a user is deleted from SCM, traffic belonging to that user's device(s) is still marked with the deleted user, resulting in the deleted user continuing to be displayed on the user-related reports on Insights.

Suggested Workaround: None

SCON-27195 - Traffic is being sent to a non-existent tunnel on the SDI-2030 gateway.

Detailed Description: Symptom: ICMP traffic originating from the headquarters SDI-2030 gateway is sent to a tunnel that doesn't exist on its configuration, hence ping fails to the remote site. Pings originating from the remote site to the headquarters, however, are working and using the correct tunnel.

Suggested Workaround: None

SCON-26895 - The SCM dashboard maps don't load.

Detailed Description: Symptom: The SCM dashboard maps don't load. Condition: This issue occurs when the on-premise SCM patch for GMAPS is missing.

Suggested Workaround: None

SCON-26666 - The hardware license does not persist after initial registration.

Detailed Description: Symptom: When the SDI-1030 hardware is originally registered, it comes up online with the correct license information in SCM. However, after a while, the license information is no longer displayed; the license field is blank. Condition: The license disappears after some time.

Suggested Workaround: None

SCON-26481 - Multiple AutoVPN tunnels went down after the version 2.11 upgrade.

Detailed Description: Symptom: Multiple AutoVPN tunnels went down after the version 2.11 upgrade.

Suggested Workaround: None

SCON-26200 - The gateway fails to send messages to syslog servers on locally learned network.

Detailed Description: Symptom: The gateway fails to send messages to syslog servers on locally learned network.

Suggested Workaround: None

SCON-27088 - The zone HA VRRP ID may conflict with existing devices.

Detailed Description: Symptom: When employing zone HA on a segment that also has other VRRP device groups, the SteelConnect devices may forward traffic to incorrect VLANs and/or have a forwarding loop between the other virtual router. Condition: The VRRP ID used by the SteelConnect devices is in conflict with the VRRP ID being used by the external devices.

Suggested Workaround: None

SCON-12308 - A tunnel status may be shown as unconfigured if the data is not available at SteelConnect Manager.

Detailed Description: Symptom: In a very rare scenario, a tunnel status may be shown as unconfigured if SteelConnect Manager has not received statistics from the appliance. Condition: This issue can be a transient situation when the tunnel data is not received by SteelConnect Manager from the appliance.

Suggested Workaround: None

SCON-22296 - Deleting one of the SDI-5030 cluster uplinks causes tunnels on the other uplink to go down.

Detailed Description: Symptom: When one of the cluster uplinks is deleted, tunnels for the other cluster uplink go down. Condition: When multiple cluster uplinks are configured, deleting any uplink other than the last created uplink causes tunnels for all other uplinks go down.

Suggested Workaround: Delete all Cluster Uplinks and re-create them

SCON-26151 - AWS trial users are unable to log in to SCM after creating an AWS trial account.

Detailed Description: Symptom: AWS trial users are unable to log in to SCM after creating an AWS trial account. Condition: This limitation prevents on-boarding a new customer using the SCM trial account creation workflow.

Suggested Workaround: None

SCON-22340 - The traffic timeline report shows no data when filtered by a SteelHead SD zone.

Detailed Description: Symptom: For SteelHead SD appliances, when a user tries to filter the traffic timeline report, the report does not show any traffic details. Condition: Choose Reporting -> Traffic Timeline. Currently, a user is not able to filter SteelHead SD traffic by zone.

Suggested Workaround: None

SCON-27145 - The Health Check Zone report may show zones needing attention, but all zones are green.

Detailed Description: In the Health Check > Summary report, zones may report "need attention," but all zones appear healthy with green check marks.

Suggested Workaround: None

SCON-26752 - An incomplete addition of Active Directory synchronization occurs in the Users page in SCM.

Detailed Description: Symptom: Not all users are shown in the Users page that are in the directory synchronization listing of SCM. Condition: An incomplete active user list results after the active directory synchronization operation.

Suggested Workaround: None

SCON-20193 - Zscaler/Cloudi-Fi doesn't work if AutoVPN is disabled.

Detailed Description: Symptom: Zscaler/Cloudi-Fi tunnels are not being configured. Condition: AutoVPN is disabled on the gateway uplink.

Suggested Workaround: None

SCON-27354 - The Unregistered Devices page takes more time to load with an increase in the devices.

Detailed Description: Symptom: The Unregistered Devices page takes more time to load with an increase in the devices.

Suggested Workaround: None

SCON-27352 - The FIB table in SCM for sites with SDI-2030 gateways is not displaying any routes.

Detailed Description: Symptom: The FIB table in SCM for sites with SDI-2030 gateways is not displaying any routes. Other SteelConnect gateway models are displaying okay. Condition: This issue is caused by an unreliable SCM UI.

Suggested Workaround: None

SCON-26418 - BGP learned routes are not removed after the neighbor stops advertising.

Detailed Description: Symptom: BGP learned routes are not removed after the neighbor stops advertising. Condition: The BGP neighbor stops advertising route.

Suggested Workaround: None

SCON-26565 - Traffic path rules are not appearing in the SteelConnect Manager rule list.

Detailed Description: Symptom: After creating a traffic path rule, the rule doesn't appear in the rule list in SteelConnect Manager. Without being able to see the rule in the rule list, it cannot be enabled.

Suggested Workaround: None

SCON-26492 - Poor UI performance of SCM occurs.

Detailed Description: Symptom: Poor performance of SCM UI occurs. High load average and multiple workers are greater than 100 percent CPU. Condition: This issue occurred while trying to create zones for a conversion.

Suggested Workaround: None

SCON-27385 - Read-only users are able to reload appliances.

Detailed Description: Symptom: Read-only users are able to reload appliances. Condition: Read-only users shouldn't be allowed to reload appliances.

Suggested Workaround: None

SCON-27431 - SteelHead SD appliances and the SDI-2030 gateway do not prioritize uplinks over the HA port for SCM connectivity.

Detailed Description: Symptom: SteelHead SD appliances and the SDI-2030 gateway do not prioritize uplinks over the HA port for SCM connectivity. Condition: This issue occurs on SteelHead SD appliances and the SDI-2030 gateway configured for HA.

Suggested Workaround: None

SCON-26761 - Classic VPN outbound ESP packets are missing on the uplink.

Detailed Description: Symptom: Classic VPN outbound ESP packets are missing on the uplink. Condition: This issue occurs when the other end is a Cisco ASA firewall.

Suggested Workaround: None

SCON-19867 - Flow rules take a lot of time to get configured.

Detailed Description: Symptom: If there are lot of flow rules, it takes a lot of time to configure them. Condition: Traffic doesn't flow after flow manager restart.

Suggested Workaround: None

SCON-26172 - The SDI-330 HA cluster is not switching to the backup uplink.

Detailed Description: Symptom: The SDI-330 HA cluster is not switching to the backup uplink. Condition: After encountering problems on the active uplink, traffic did not switch to the backup uplink.

Suggested Workaround: None

SCON-26661 - The traffic path rule is not working due to a missing overlay route.

Detailed Description: Symptom: The traffic path rule does not use the specified path. Condition: The overlay route is not available over the specified WAN.

Suggested Workaround: None

SCON-26608 - Branch site traffic was blackholed after creation of a new firewall rule.

Detailed Description: Symptom: The branch site was cut off without internet or inter-site access. Condition: This issue occurs after a new firewall rule was created.

Suggested Workaround: None

SCON-20427 - Unknown Uplink : <*> might be seen in Insights reports.

Detailed Description: This issue occurs because of the internal representation of VLAN IDs in the Insight Flow Records of the SCM. Resolution will be via code upgrade in a later version.

Suggested Workaround: None

SCON-26311 - Tunnels go down due to the gateway time being out of sync.

Detailed Description: Symptom: Tunnels go down due to the gateway time being out of sync. Condition: The clock on the gateway is out of sync.

Suggested Workaround: None

SCON-17959 - Customer is able to edit a deleted object.

Detailed Description: Symptom: A deleted rule can be edited by clicking the link in the events log. While submitting the change to the deleted rule, an unknown error is displayed.

Suggested Workaround: None

SCON-26362 - The control virtual machine (CVM) is out of memory.

Detailed Description: Symptom: The control virtual machine (CVM) is out of memory.

Suggested Workaround: None

SCON-19924 - DENY ALL firewall rule does not block some outbound IP protocol traffic.

Detailed Description: Symptom: Outbound traffic is not getting blocked by a DENY ALL outbound rule. Condition: This issue affects outbound packets carrying unknown/proprietary IP protocol numbers.

Suggested Workaround: None

SCON-26958 - A custom IP/ports application matches incorrectly when 0.0.0.0/0 is included in the rule.

Detailed Description: Symptom: A custom rule matches when it shouldn't. Condition: This issue occur when there are multiple lines in an IP/ports rule, and one of them contains .0.0.0.0/32.

Suggested Workaround: None

SCON-22223 - Internet breakout via the WAN breakout site doesn't work when WAN encryption is off.

Detailed Description: Symptom: The WAN breakout site is ignored, and traffic is routed onto the underlay. Condition: This issue occurs on the WAN with an internet breakout site when encryption is disabled.

Suggested Workaround: None

SCON-27030 - After upgrading to version 2.11, BGP TEP routes are not being advertised.

Detailed Description: Symptom: TEP routes are not seen at upstream BGP neighbors. Condition: This issue occurs after upgrading to version 2.11.

Suggested Workaround: None

SCON-27041 - Unexpected link flaps occur on uplinks.

Detailed Description: Symptom: Unexpected link flaps occur on uplinks.

Suggested Workaround: None

SCON-27478 - logd takes up too much memory due to large amount of logs.

Detailed Description: Symptom: logd takes up too much memory due to large amount of logs. Condition: This issue occurs when the remote site's uplink IP address is changed.

Suggested Workaround: None

SCON-27353 - Under Devices > Registered, the status of the device shown is not consistent.

Detailed Description: Symptom: Under Devices > Registered, the status of the device shown is not consistent.

Suggested Workaround: None

SCON-26723 - Classic VPN status flaps in SCM while closing one of the established CHILD_SAs.

Detailed Description: Symptom: Classic VPN status flaps in SCM. Condition: This issue occurs when closing one of the CHILD_SAs.

Suggested Workaround: None

SCON-25111 - When a new route is added, SDWC doesn't send it to xcontrold on the gateway.

Detailed Description: When a new route is added, SDWC doesn't send it to xcontrold on the gateway.

Suggested Workaround: None

SCON-19876 - Health Check -> Routing Tables page does not refresh automatically.

Detailed Description: Symptom: Health Check -> Routing Tables page does not refresh automatically.

Suggested Workaround: Manually refresh the page to view the latest data.

SCON-19455 - Uplink AutoVPN settings prevent tunnels from being created under some circumstances.

Detailed Description: Symptom: SteelConnect Manager fails to create AutoVPN tunnels among sites with the same public IPv4 address. Condition: When multiple sites exist and those sites share the same public IPv4 address, and AutoVPN IPv4 target address settings for uplinks on those sites are heterogeneous (a mix of external and internal), then SteelConnect Manager will fail to properly create tunnels among those sites.

Suggested Workaround: None

SCON-13591 - Cannot delete a site configured with an OSPF network and an OSPF area.

Detailed Description: Symptom: Deleting a site results in an ERR_IN_USE error. Condition: This issue affects sites configured with an OSPF network and area.

Suggested Workaround: To delete a site with OSPF configuration, delete the OSPF network and area first, then delete the site

SCON-26008 - Upgrading from version 2.9.x to 2.11.0 causes a disruptive change on the tunnels.

Detailed Description: Symptom: Upgrading from version 2.9.x to 2.11.0 causes a disruptive change on the tunnels. Tunnels are rebuilt, which causes tunnels to go offline and come back online. Additionally, the active/backup uplink handling changes, which can cause the tunnel count to vary and is noticeable in the reporting. Condition: This issue occurs when upgrading from version 2.9.x to 2.11.0. Any upgrades after 2.11.0 should not see any change in the tunnels, and the dashboard should continue to report the same tunnel count and status as it did prior to the upgrade.

Suggested Workaround: None

SCON-27731 - BGP redistribution updates are not shown in the event log.

Detailed Description: Symptom: Changes made to BGP redistribution settings are not shown in the event log.

Suggested Workaround: None

SCON-27668 - The gateway is not sending some metadata to SCM, or SCM missed sending metadata to Insights.

Detailed Description: Symptom: Insights is not showing data for some sites. Condition: The gateway is not sending some metadata to SCM, or SCM missed sending metadata to Insights.

Suggested Workaround: None

SCON-7565 - The SteelConnect SDI-130 and SDI-330 gateways can enter a state where the tx queue on WAN ports stops processing Ethernet frames.

Detailed Description: Symptom: The SteelConnect SDI-130 and SDI-330 gateways can enter a state where the tx queue on WAN ports stops processing Ethernet frames. Condition: This issue occurs when the SDI-130 or SDI-330 WAN ports receive an excessive quantity of malformed Ethernet frames from the connected device. The workaround is to place a switch in between the misbehaving device and the SDI-130/SDI-330.

Suggested Workaround: None

SCON-26277 - secure-ovl can crash on the SDI-1030 gateway.

Detailed Description: Symptom: Random crashes can occur in secure-ovl on SDI-1030 gateways running version 2.11.0.

Suggested Workaround: None

SCON-22299 - The firmware upgrade fails on SteelHead SD appliances.

Detailed Description: Symptom: The firmware upgrade fails on SteelHead SD appliances. Condition: Multiple DNS servers are configured (either through a site-level DNS or a DHCP lease file) and a different server resolves the download domain (download.riverbed.com) to different IP addresses.

Suggested Workaround: None

SCON-26056 - Packet latency is reported on scale setup.

Detailed Description: Symptom: Too many packets get forwarded to a slow path, which can cause latency in delivering packets. Condition: This issue is seen during scale setup.

Suggested Workaround: None

SCON-27335 - show_overlay_route is broken with traceback.

Detailed Description: Symptom: show_overlay_route is broken with traceback. Traceback (most recent call last): File "/usr/local/bin/show_overlay_route", line 184, in subnet_dict['local_uplink'])]['name'] KeyError: 4 Condition: This issue occurs when executing show_overlay_route.

Suggested Workaround: None

SCON-19174 - The capacity of the uplink shows disabled on the Details page.

Detailed Description: Symptom: For SteelHead SD appliances, under Health Check > Uplink Health, on the Details page, the capacity of the uplink appears as disabled. Condition: When QoS for a particular SteelHead SD uplink is turned on, the Capacity Status under the Health Check page appears as disabled.

Suggested Workaround: None

SCON-26305 - The SDI-5030 gateway tunnel flaps.

Detailed Description: The SDI-5030 gateway tunnel flaps.

Suggested Workaround: None

SCON-26211 - The backup HA node SCM connection can be routed via MPLS overlay.

Detailed Description: Symptom: The backup HA node SCM connection can be routed via MPLS overlay. Condition: There is a dual circuit site when the internet uplink is down. MPLS is set to breakout via another site.

Suggested Workaround: None

SCON-26985 - All AD users are not synced with SteelConnect Manager when the number of AD users is more than the maximum configured AD users allowed for SteelConnect Manager.

Detailed Description: Symptom: All AD users are not synced with SteelConnect Manager. Condition: This issue occurs when the number of AD users is more than the maximum configured AD users allowed for SteelConnect Manager.

Suggested Workaround: None

SCON-27337 - Inter-area OSPF routes discovered from the WAN side are not listed in the LPM table and SCM's Uplink > Networks tab.

Detailed Description: Symptom: Inter-area OSPF routes discovered from the WAN side are not listed in the LPM table and SCM's Uplink > Networks tab.

Suggested Workaround: None

SCON-27226 - The SCM ping tool uses the wrong interface as the source interface for the ICMP packet when testing the connection for the PPPoE uplink.

Detailed Description: Symptom: The SCM ping tool uses the wrong interface as the source interface for the ICMP packet when testing the connection for the PPPoE uplink. Condition: Ping fails when testing the source uplink to the destination IP.

Suggested Workaround: None

SCON-27795 - The appliance loses connectivity and goes offline when the user updates the Port 1 configuration from DHCP to Static.

Detailed Description: Symptom: When the user updates the Port 1 configuration on data center appliances from DHCP to Static on SCM, the appliance goes offline. Condition: To avoid this issue, configure the site-level-DNS value on SCM when modifying the port configuration from DHCP to Static: Sites -> select the SteelConnect SDI-5030 gateway site -> DNS -> Site DNS Servers field.

Suggested Workaround: Work around is to send port level dns as site level dns from SCM. Site level DNS can be changed on SCM under Sites -> select panther appliance site -> DNS -> Site DNS Servers field.

SCON-26156 - SteelHead SD2 gets stuck in configuration pending due to an out-of-memory condition.

Detailed Description: Symptom: SteelHead SD2 gets stuck in configuration pending. Condition: This issue is caused by an out-of-memory condition.

Suggested Workaround: None

SCON-27288 - Internet-bound syslog traffic is incorrectly routed.

Detailed Description: Symptom: Internet-bound syslog traffic is incorrectly routed via MPLS uplink when it should be routed on the internet uplink. Condition: This issue occurs when the syslog server is on the internet with a public IP address.

Suggested Workaround: None

SCON-27230 - The uplink is shaped to 4 Mbps with SteelHead service enabled after upgrading the CX 570 to CX 570-SD.

Detailed Description: Symptom: The uplink is shaped to 4 Mbps with SteelHead service enabled after upgrading the CX 570 to CX 570-SD despite QoS for SCM's uplink being configured as 9 Mbps. Condition: This issue occurs when the CX 570 is upgraded to CX 570-SD.

Suggested Workaround: None

SCON-27604 - The SCM dashboard shows an incorrect tunnel count with AWS sites.

Detailed Description: Symptom: The SCM dashboard shows an incorrect tunnel count with AWS sites. Condition: SCM filters a few tunnels incorrectly from the Dashboard report.

Suggested Workaround: None

SCON-25271 - The tunnel count is incorrect following an upgrade.

Detailed Description: Symptom: The tunnel count between healthcheck and the dashboard is inconsistent following an upgrade. Condition: After an upgrade, the wrong number of tunnels is reported.

Suggested Workaround: None

SCON-15127 - Invalid nested leaf mode configurations are permitted in the UI.

Detailed Description: Symptom: Invalid nested leaf mode configurations are permitted in the UI, resulting in tunnel formation failure in some cases. Condition: This issue negatively affects SDI-5030 deployments.

Suggested Workaround: None

To view the release notes for previous versions, please visit SteelConnect support and select the version of interest.

If you have questions regarding this update, please contact Riverbed Support for assistance.