Welcome to SteelConnect 2.14.0
The following is an overview of the changes in this release.
New features in 2.14.0
WAN Uplink failover on a single box: improved path-selection time to an alternate link
Allows configuring a more aggressive check interval for the uplinks. In case of network unreachability via the uplink, this feature enables a quicker failover to another uplink on the same box.
Improved Zscaler/Cloudi-Fi integration
SCM automatically updates its Zscaler and Cloudi-Fi ZEN data centers list every 24 hours. When a specific location gets decommissioned, SCM initiates a refresh of the gateways that used it. No SCM UI changes or code changes in the appliances are required.
Support for Zscaler Active-Active tunnels
Added the ability to configure a set of Active-Active Zscaler tunnels, essentially doubling their Zscaler bandwidth. This feature is only supported on WRT-based gateways: SDI-vGW, SDI-130, SDI-330, and SDI-1030.
Improved performance for SDI-2030
The overall throughput and performance of SDI-2030 appliances are improved in the SteelConnect 2.14.0 release. Please contact your account team if you require more details.
Smaller Additions, Improvements, and Bugfixes
- SCON-27748 -
Symptom: Some tunnels may not be displayed in the SCM dashboard tunnel details, even though the Health Check > Overlay Health page shows that the same tunnels are up and traffic is seen flowing over the tunnels.
Condition: This issue occurs when viewing tunnel details between sites from the dashboard.
- SCON-27145 -
Symptom: In the Health Check > Summary report, individual zones may show "need attention," but the Zone Health report shows the zones as healthy with green check marks.
Condition: When gateway assignments within zones are deleted, the DHCP status is not reported to SCM. This results in the Zone Health report displaying a "need attention" state for these zones. The overall summary still shows healthy because the last reported zone health was healthy.
- SCON-27088 -
Symptom: SteelConnect devices may forward traffic to incorrect VLANs or form a forwarding loop with the other virtual router.
Condition: This issue occurs when employing zone HA on a segment that also has other VRRP device groups. The VRRP ID used by the SteelConnect devices is in conflict with the VRRP ID being used by the external devices.
- SCON-29980 -
Symptom: The following kernel warning message can occur in the SDI-130 and SDI-330 system logs: "WARNING: at drivers/net/phy/b53/b53_spi.c:120."
Condition: This message is caused by the kernel attempting to read a nonexistent register in the on-board switch. There is no negative impact.
- SCON-29992 -
Symptom: In an SDI-5030 cluster, the default internet uplink is not hidden in Network Design > Uplinks.
Condition: This issue occurs on a site with SteelConnect SDI-5030 gateways and additional appliances.
- SCON-29675 -
Symptom: Unable to connect to an internal VPN server.
Condition: This issue occurs when configuring NAT using a custom WAN IP.
- SCON-19789 -
Symptom: After HA failover, Zscaler tunnels cannot be reestablished until a new configuration is received from SCM.
Condition: Zscaler is enabled, a pair of gateways in an HA configuration is used, and a failover has occurred.
- SCON-34016 -
Symptom: Health check reports temperature offset from a maximum limit rather than an absolute temperature.
Condition: This issue is observed in SDI-2030, SDI-3070, and SDI-5030 gateways.
- SCON-34002 -
Symptom: Every zone gets a VLAN tag assigned. If this field is left empty, the system will pick a free VLAN ID from the unused VLAN ID pool.
Condition: When a new zone is configured on SteelConnect Manager, the auto-assigned VLAN ID was unique across the organization. This issue has been fixed. The system will now pick a free VLAN ID from the site's unused VLAN ID pool and hence the auto-assigned VLAN ID is unique only within the site scope and not across the entire organization.
- SCON-33099 -
Symptom: The Zscaler tunnel is reported as online even though the tunnel is actually offline.
Condition: ICMP monitoring of Zscaler is enabled, and HTTP monitoring of Zscaler is disabled. The ZEN is reachable via ICMP, but the tunnel cannot be established. This issue can occur due to a credentials mismatch. To work around this issue, enable HTTP-based monitoring of Zscaler tunnels. Zscaler does not support detecting higher-level failures via ICMP only.
- SCON-36474 -
Symptom: Names in the Organizations menu do not display in alphabetical order.
Condition: This issue occurs after upgrading to version 2.12.3.
- SCON-36516 -
Symptom: The remote syslog server stops receiving syslog messages from the SDI gateway.
Condition: Infrequent log messages can cause TCP session closure by upstream stateful firewalls.
- SCON-36297 -
Symptom: Occasionally, a tunnel can be reported down, then back up again, with no change in the underlying network connectivity.
Condition: The issue occurs during the rekey of a tunnel that is traversing a port-NAT. When the new key is installed, the destination port is reset to its default value. It only reverts to the NAT value when a packet arrives from the remote end. Therefore, outbound packets will be lost until a remote packet arrives, which may trigger a loss of connectivity.
With the fix, the destination port is not reset during a rekey, so there is no disruption to outbound traffic.
- SCON-36046 -
Symptom: A network outage occurs at all sites after upgrading to version 2.12.2.
Condition: This issue occurs after creating a custom application with a registered device configured with an invalid MAC address (00:00:00:00:00:00).
- SCON-32716 -
Symptom: The tunnel probe traffic is missing from NetFlow data.
Condition: This issue occurs when NetFlow is active.
- SCON-30974 -
Symptom: Classic VPN routing can fail for subnets that are also learned via BGP or OSPF on the underlay.
Condition: If a route that matches a Classic VPN route is learned via BGP or OSPF, and that learned route is subsequently retracted, traffic does not revert to the Classic VPN as expected.
- SCON-31564 -
Symptom: The SCM UI shows the wrong management IP address for the SDI-S48 switch.
Condition: This issue occurs when a default value is initialized inside the statistics of the appliance and never updated, which is then shown in the UI.
- SCON-30578 -
Symptom: SCM connectivity is disrupted.
Condition: This issue occurs when traffic on one SteelHead SD appliance or SDI-2030 gateway has to transit another SteelHead SD appliance or SDI-2030 gateway and NAT is disabled on the outgoing uplink of the appliance it is transiting.
- SCON-30518 -
Symptom: On SteelHead SD 2.0 appliances and SDI-2030 gateways, Multicast HSRP (224.0.0.2) received on the WAN results in TTL expired on AUX.
Condition: These appliances do not support HSRP, so receiving HSRP packets results in unnecessary ICMP TTL expired packets. Rather than create unnecessary packets for an unsupported protocol, the code has been changed to drop HSRP packets.
- SCON-37299 -
Symptom: When SCM organization migration is triggered, the order of CVM flow rule creation and deletion is incorrect.
Condition: This issue occurs when both SCMs are running with the same IP address or shared host organization.
- SCON-37183 -
Symptom: The SteelConnect SDI gateway can block outbound traffic from the LAN-side OSPF networks.
Condition: When the configuration update takes more than 1 minute, the LAN-side OSPF networks might not be properly updated.
- SCON-37051 -
Symptom: AS-path prepending only applies to the CONNECTED routes.
Condition: This issue occurs after upgrading to release 2.13.1.
- SCON-37050 -
Symptom: With "Manage all sites: Off" in the Role assignments, only a single record is displayed on the DHCP Lease page instead of a full client list.
Condition: This issue occurs when a user without "Manage all sites" rights tries to view the DHCP Lease client list.
- SCON-37373 -
Symptom: An incorrect application name is displayed in show commands for a particular TCP connection.
Condition: When a TCP connection runs, the show connections command shows the first application in the AppChain as the AppID used for Traffic Path Selection, but the actual AppID is different.
- SCON-20965 -
Symptom: SDI gateways reply to internet NTP requests.
Condition: On SDI gateways, the NTP server is always on.
- SCON-30365 -
Symptom: Routes are missing following upgrades or configuration changes.
Condition: This issue occurs when zones or uplinks have been added or removed, or the management zone has been reassigned.
Known Issues
- SCON-26211 - The backup appliance in an SDI HA pair loses connectivity to SCM when local internet uplinks are down.
- SCON-29694 - Internet breakout at the site level doesn't honor the organization level setting when enabled.
- SCON-16920 - SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.
- SCON-21653 - The Blocked Connections tab on the SteelHead SD 2.0, SteelConnect SDI-2030 gateway, and SteelConnect SDI-5030 gateway does not report firewalled connections in SCM.
- SCON-35403 - The uplink may flap when the NAT rules configuration is modified.
  - An outbound NAT rule is created, deleted, enabled, or disabled.
  - An inbound NAT rule with a custom WAN IP is created, deleted, enabled, or disabled.
  - The custom WAN IP address in an inbound NAT rule is modified, added, or removed.
  - The override IP address in an outbound NAT rule is modified.
- SCON-35373 - The TeamViewer application is not identified when used with some hostnames.
- SCON-33538 - An Active Directory user sync "Through appliance" on a SteelConnect SDI-5030 gateway gets stuck at "Waiting for callback from sync appliance."
- SCON-34506 - SCM traffic timeline statistics are inconsistent with the Top Talkers report on the SteelHead.
- SCON-33902 - During HA failover, route flaps occur on the LAN router.
- SCON-33808 - Outbound firewall rules are not applied on short-lived connections.
- SCON-33963 - The 5-GHz Wi-Fi radio goes offline when configuring "Default" or "40 MHz" bandwidth on an SDI-130 gateway.
- SCON-33200 - In a dual-hub deployment, the flow table entries report an incorrect remote site ID.
- SCON-36764 - Custom applications cannot match the flows against outbound and/or traffic path rules.
- SCON-30423 - SteelHead SD appliances and SteelConnect SDI-2030 gateways show latency spikes every 60 seconds.
- SCON-37317 - GRE tunnel traffic stops flowing.
- SCON-37202 - A traffic rule using a device, device group, or zone without selecting the respective device, device group, or zone is ignored.
- SCON-37148 - Erroneous Zscaler tunnel offline/online Event Log messages occur with 570-SD appliances.
- SCON-37425 - Route propagation from the SDWC to some sites does not occur, leading to missing routes.
- SCON-37387 - Summary static is bouncing in and out of RIB on BGP updates.
- SCON-36500 - SteelHead SD fails to optimize the TCP connections.
Detailed Description:
Symptom: The backup appliance in an SDI HA pair loses connectivity to SCM when local internet uplinks are down.
Condition: This issue occurs when an SDI HA pair is configured in dedicated port mode, all local internet uplinks are down, and the only path to the internet is through an MPLS WAN with an internet breakout set to a remote site.
Suggested Workaround: None
Detailed Description:
Symptom: Internet breakout for a leaf site doesn't work when defined at the site level.
Condition: This issue occurs when breakout is defined at the site level.
Suggested Workaround: None
Detailed Description:
Symptom: SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.
Condition: Access Point 3 and Access Point 5 directly cabled to an SDI-1030 gateway can occasionally lose link connectivity.
Suggested Workaround: Connect the AP-3 and/or AP-5 to the SDI-1030 Gateway via a switch.
Detailed Description:
Symptom: The Blocked Connections tab on the SteelHead SD 2.0, SteelConnect SDI-2030 gateway, and SteelConnect SDI-5030 gateway does not report firewalled connections in SCM.
Condition: This issue occurs with connections that have been firewalled by the appliance.
Suggested Workaround: None
Detailed Description:
Symptom: The uplink may flap when the NAT rules configuration is modified on SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways.
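Condition: The issue can occur under these conditions:
- An outbound NAT rule is created, deleted, enabled, or disabled.
- An inbound NAT rule with a custom WAN IP is created, deleted, enabled, or disabled.
- The custom WAN IP address in an inbound NAT rule is modified, added, or removed.
- The override IP address in an outbound NAT rule is modified.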
Suggested Workaround: None
Detailed Description:
Symptom: The TeamViewer application is not identified when used with some hostnames like IT-MIL-ANX-R016.teamviewer.com.
Condition: Hostnames like IT-MIL-ANX-R016.teamviewer.com are used to access TeamViewer, but they are not currently present in the application identifier under the TeamViewer application. Therefore, traffic remains unknown and is blocked.
Suggested Workaround: Create a custom application with a URL such as IT-MIL-ANX-R016.teamviewer.com. After defining the custom application, you can use it in a rule.
Detailed Description:
Symptom: An Active Directory sync fails with the message "Waiting for callback from sync appliance."
Condition: This issue occurs when a SteelConnect SDI-5030 gateway is configured as a bridge appliance. Active Directory user sync is not supported on a SteelConnect SDI-5030 gateway.
Suggested Workaround: None
Detailed Description:
Symptom: SCM traffic timeline statistics are inconsistent with the Top Talkers report on the SteelHead.
Condition: This issue occurs when SCM is not able to process incoming flows in a timely manner. As a result, some flows are missing from the traffic timeline.
Suggested Workaround: None
Detailed Description:
Symptom: During HA failover, routes on the LAN router momentarily flap and then recover.
Condition: This issue occurs in a SteelConnect HA appliance configuration where a backup node is configured with a lower router ID and the LAN routers are configured with the next-hop pointing to the backup node. If HA failover is triggered, the backup becomes the master. The routes in the LAN router flap momentarily even though there is no failure in the next-hop backup node.
Suggested Workaround: None
Detailed Description:
Symptom: Outbound firewall rules are not applied on short-lived connections. As a result, SteelHead SD 2.0 appliances do not block the traffic denied in the outbound rule.
Condition: This issue occurs on short-lived connections when application classification is incomplete.
Suggested Workaround: None
Detailed Description:
Symptom: On an SDI-130 gateway, selecting "Default" or "40 MHz" bandwidth for the 5-GHz Wi-Fi radio in certain countries will cause the 5-GHz radio to go offline.
Condition: This issue occurs in Wi-Fi sites located in countries that don't allow 40-MHz bandwidth (that is, channel aggregation) in the 5-GHz spectrum, including Bahrain, Costa Rica, Ecuador, El Salvador, Guam, Indonesia, North Korea, and Sri Lanka.
Suggested Workaround: None
Detailed Description:
Symptom: In a dual-hub deployment with SteelHead SD 2.0 appliances, traffic reporting of the remote site ID may be inaccurate.
Condition: This issue occurs because the dual-hub configuration learns the same subnet from more than one site. Although the reported remote site ID is inaccurate, the traffic flows on the correct path.
Suggested Workaround: None
Detailed Description:
Symptom: Traffic/flows fail to match the outbound and/or traffic path rules of type custom app.
Condition: This issue occurs in custom applications that are created with type "IPs/Ports" and have both hostnames and IPs in them.
Suggested Workaround: Create a separate custom application for hostnames and a separate custom application for IPs.
Detailed Description:
Symptom: Latency spikes are observed every 60 seconds.
Condition: The garbage collection logic runs every 60 seconds. On an appliance with a large number of flows, this process ends up causing a latency spike in the data plane.
Suggested Workaround: Increase the flow reporting interval.
Detailed Description:
Symptom: GRE tunnel traffic stops flowing.
Condition: This issue occurs when the uplink is reconfigured or is down for a long time.
Suggested Workaround: Reestablish the GRE tunnel.
Detailed Description:
Symptom: A traffic rule using a device, device group, or zone without selecting the respective device, device group, or zone is ignored.
Condition: This is a persistent, known issue.
Suggested Workaround: Select the device, device group, or zone when creating an application of this type.
Detailed Description:
Symptom: Erroneous Zscaler tunnel offline/online messages occur in the Event Log while the tunnel has traffic in both directions.
Condition: This problem is seen with 570-SD appliances and is associated with sluggish response on the affected uplinks. High-load conditions may increase the likelihood of this issue being seen.
Suggested Workaround: None
Detailed Description:
Symptom: Routes to a certain site are not present at another site, so communication over the SD-WAN is not possible for these two sites. The same routes are present at other sites in the same organization.
Condition: This issue occurs after the site that owns the routes loses connectivity briefly to the SDWC.
Suggested Workaround: None
Detailed Description:
Symptom: Continuous advertising and withdrawing of the route to and from BGP peers occurs. This behavior goes in a loop where both the BGP peers are advertising and withdrawing the same route.
Condition: In the SD-570, this routing configuration is on the appliance for the supernet of 10.13.0.0/16:
S 10.13.0.0/16 [2/0] via 10.13.1.1, knet14.3
C 10.13.1.0/24 is directly connected, knet14.3
C 10.13.50.0/24 is directly connected, knet14.50
The 10.13.0.0/16 is sent and then withdrawn.
Suggested Workaround: None
Detailed Description:
Symptom: Optimization is not working on SteelHead SD.
Condition: The inner channel is not established because ARP resolution for the in-path gateway fails.
Suggested Workaround: Manually add the SteelHead in-path IP address in the ARP table of the RVM on both the master and HA SteelConnect appliance.
To view the release notes for previous versions, please visit SteelConnect support and select the version of interest.
If you have questions regarding this update, please contact Riverbed Support for assistance.