Welcome to SteelConnect 2.13.2
The following is an overview of the changes in this release.
New features in 2.13.0
Improved high availability failover
SteelHead SD high-availability failover improvements include:
- Bidirectional tunnel failure detection - Tunnel probe requests are used to detect tunnel failures when either direction of the data flow is down. Default bidirectional-tunnel probe settings can only be changed by Riverbed Support at https://support.riverbed.com.
- LAN-side subnet discovery on HA backup appliances - SteelConnect doesn’t have to relearn LAN-side subnets when the HA master fails and the HA backup appliance is activated. No configuration is required.
- BGP and OSPF graceful restart - SteelConnect allows continuous data flow forwarding even if the BGP or OSPF process on the peer device restarts. If there is a system restart, you can set the amount of time to wait before a neighbor reestablishes BGP peering and the amount of time that stale paths are kept. For OSPF, you can set the amount of time to wait before adjacencies are torn down if there is a system restart.
Single-click Office 365 integration
Riverbed SD-WAN is designated as a qualified networking solution and certified as “Works with Office 365” to provide an optimal end-user experience (certification is in progress and expected in September 2019). Riverbed partners with Microsoft to provide full support for and comply with its Office 365 connectivity principles. The SteelConnect Application Control Server (ACS) supports the Microsoft Office 365 REST APIs that catalog and return up-to-date information about the front-door endpoints. SteelConnect uses the endpoint data to enable direct routing of the internet traffic from the branch to the closest front-door endpoints.
Extended AutoVPN tunnel life
You can extend the time during which preprovisioned tunnel keys are used during an outage in SCM connectivity. Extending the number of days to use preprovisioned keys provides more time to prevent traffic forwarding disruptions on overlay routes during unforeseen issues that might persist longer than 24 hours.
Smaller Additions, Improvements, and Bugfixes
- SCON-36896 -
Symptom: Internet-bound traffic from one site is incorrectly classified as a zone-based custom application configured for zones of another site.
Condition: This issue occurs when a zone-based custom application is defined for zones of another site.
- SCON-36672 -
Symptom: SteelHead SD appliances report multiple AutoVPN tunnel flaps to SCM.
Condition: When a local DNS server is configured in the Site DNS server list followed by a public DNS server, all the DNS resolution queries are first forwarded to the local DNS server. This leads to increased latency in service core, which delays the communication between uplink probers and RVM. This leads to the tunnel flaps.
- SCON-35670 -
Symptom: Zscaler traffic prefers underlay routing over Traffic Path Rule configuration.
Condition: This issue occurs because the underlay route is preferred over the Traffic Path Rule. The Traffic Path Rule now takes precedence over non-RFC 1918, non-zone traffic (with the option to select Underlay in the Traffic Path Rule).
- SCON-36828 -
Symptom: REST API /site/{localsiteid}/sitelinks/{remoteserial} returns an incorrect number of tunnels.
Condition: This is a persistent issue.
- SCON-37215 -
Symptom: Some tunnels fail.
Condition: This issue occurs when the AutoVPN tunnel uptime value is changed. This issue is caused by an error in the way the tunnel uptime value is communicated to appliances.
- SCON-37085 -
Symptom: Transit hub LAN-side networks are not reachable from the peer BGP router.
Condition: This issue occurs when OSPF-to-BGP route redistribution is enabled in a SteelConnect SDI gateway transit hub.
- SCON-36610 -
Symptom: The SDI-1030 fan speed is stuck at the maximum RPM, causing excessive noise.
Condition: The fan noise occurs immediately after power on for some SDI-1030 gateways.
- SCON-36536 -
Symptom: Appliances might not have all the subnets in their overlay routes.
Condition: This issue occurs after an SDWC controller restart due to a crash or a software upgrade to 2.12.0 or later.
- SCON-35965 -
Symptom: The guest zone's traffic is taking MPLS underlay instead of local internet breakout.
Condition: Traffic path rules are not being honored for the guest zone's/internet breakout traffic. This issue occurs in release 2.12.1 and later.
- SCON-36150 -
Symptom: Appliances fail to download the upgrade image from the download server.
Condition: This issue is caused by a race condition in which the appliance fails to connect to the download server because the download server's IP address can change often.
- SCON-35483 -
Symptom: When the appliance is rebooted, the auto-negotiation configuration for the uplink interface reverts to default settings.
Condition: This issue occurs when auto-negotiation for the uplink interface is changed to non-default settings and the appliance is later rebooted.
- SCON-35505 -
Symptom: Some websites are misclassified as pornography and are then blocked by the relevant firewall rules.
Condition: This issue occurs due to an error in the categorization vendor database.
- SCON-35331 -
Symptom: System dump generation flaps uplinks and tunnels.
Condition: When sysdump is requested from SteelConnect Control Manager, the appliance processes the sysdump, which causes uplinks and tunnels to flap due to high CPU utilization on the appliance.
- SCON-36486 -
Symptom: NX DSCP marking is skipped.
Condition: This issue occurs when the destination is considered to be local to the site.
- SCON-36367 -
Symptom: A port limitation of Classic VPN cannot be configured in SCM UI.
Condition: This issue occurs when trying to edit the remote network of Classic VPN under Network Design -> Classic VPN in the Remote Network / Local zones tab.
- SCON-34657 -
Symptom: DNS-based custom IP:port applications are classified incorrectly on SteelHead SD appliances and SDI-2030 gateways.
Condition: When a custom IP:port application is created with hostname:port, a corresponding Traffic rule or Outbound/Internal rule is created.
When traffic is started for the given hostname, it is not classified as the custom application. The custom application with IP:port for the same hostname works correctly.
- SCON-35551 -
Symptom: Traffic rules using hostname-based custom applications are not identified correctly and are not classified.
Condition: This issue occurs when the hostname is used to define a custom application in a traffic rule.
- SCON-36340 -
Symptom: All tunnels flap after upgrading SCM.
Condition: This issue occurs after upgrading SCM to release 2.12.3.2 or later.
- SCON-35274 -
Symptom: On rebooting the backup appliance, uplinks on the master appliance flap once.
Condition: This issue is caused by a race condition in the interface IP management code. Fixed in 2.13.0.
- SCON-34919 -
Symptom: On the SteelHead SD 2.0 appliance and the SDI-2030 gateway, inbound NAT with reflection doesn’t work.
Condition: This issue occurs when the client is part of another zone.
- SCON-31161 -
Symptom: When disconnecting the uplink and connecting to another network, the appliance does not get a valid IP address via DHCP.
Condition: This issue occurs when disconnecting the uplink and connecting to another network.
- SCON-30405 -
Symptom: The mDNS service is enabled on uplink interfaces for SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways.
Condition: The mDNS service was enabled on uplink interfaces for SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways, but should be enabled only on specific interfaces where it is required. The issue has been fixed by disabling the mDNS service on uplink interfaces.
- SCON-34121 -
Symptom: SCM stops processing statistics from an SDI gateway that has a dynamic routing policy with BGP summarization enabled.
Condition: Gateways are not populating the AS path information in statistics reported to SCM when a BGP route advertisement is suppressed due to route summarization. SCM rejects the gateway’s statistics as a result.
- SCON-33856 -
Symptom: The SteelHead SD 2.0 appliance and SDI-2030 gateway experience a service core crash followed by a restart, which causes data path disruption.
Condition: The data plane application classification service crashes due to invalid memory access while getting the hostname from the local DNS cache.
- SCON-33642 -
Symptom: On an SDI gateway, the firewall reloads if a DHCP server changes the lease time of the assigned address during DHCP renewal. This can result in a brief network interruption.
Condition: Most DHCP servers will assign the same lease time regardless of when the client requests an address renewal. However, a small subset of DHCP servers will respond with the remaining time on the lease instead of the full lease time if the client requests early renewal. When this happens, the gateway interprets this as a change to the uplink configuration and reloads its firewall. With the fix, the gateway does not treat this condition as an uplink configuration change, so there is no firewall reload.
- SCON-33551 -
Symptom: MAC addresses on the Ports page may not be up to date.
Condition: After a site is deleted on SteelConnect Manager and the appliances in the site are still present in the organization, the MAC addresses on the Ports page may not contain up-to-date information.
- SCON-34655 -
Symptom: A Classic VPN remote route is not added to the AWS or Azure client subnet routing table.
Condition: When a Classic VPN connection is configured on SteelConnect Manager from Site A with local zones belonging to cloud sites other than Site A, the cloud routing tables for the other sites are not updated to reach the remote networks. This issue has been fixed and traffic should flow from all configured local zones to and from remote networks.
Known Issues
- SCON-35403 - The uplink may flap when the NAT rules configuration is modified.
- SCON-35373 - The TeamViewer application is not identified when used with some hostnames.
- SCON-30423 - SteelHead SD appliances and SteelConnect SDI-2030 gateways show latency spikes every 60 seconds.
- SCON-29694 - Internet breakout at the site level doesn't honor the organization level setting when enabled.
- SCON-33902 - During HA failover, route flaps occur on the LAN router.
- SCON-33808 - Outbound firewall rules are not applied on short-lived connections.
- SCON-33963 - The 5-GHz Wi-Fi radio goes offline when configuring "Default" or "40 MHz" bandwidth on an SDI-130 gateway.
- SCON-33538 - An Active Directory user sync “Through appliance” on a SteelConnect SDI-5030 gateway gets stuck at “Waiting for callback from sync appliance.”
- SCON-33200 - In a dual-hub deployment, the flow table entries report an incorrect remote site ID.
- SCON-34506 - SCM traffic timeline statistics are inconsistent with the Top Talkers report on the SteelHead.
- SCON-26211 - The backup appliance in an SDI HA pair loses connectivity to SCM when local internet uplinks are down.
- SCON-21653 - The Blocked Connections tab on the SteelHead SD 2.0, SteelConnect SDI-2030 gateway, and SteelConnect SDI-5030 gateway does not report firewalled connections in SCM.
- SCON-16920 - SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.
- SCON-36500 - SteelHead SD fails to optimize the TCP connections.
- SCON-36069 - AutoVPN flapping occurs on the SDI-5030 gateway after upgrading to 2.12.2.
- SCON-36764 - Custom applications cannot match the flows against outbound and/or traffic path rules.
Detailed Description:
Symptom: The uplink may flap when the NAT rules configuration is modified on SDI-130, SDI-330, SDI-1030, and SDI-vGW gateways.
Condition: The issue can occur under these conditions:
- An outbound NAT rule is created, deleted, enabled, or disabled.
- An inbound NAT rule with a custom WAN IP is created, deleted, enabled, or disabled.
- The custom WAN IP address in an inbound NAT rule is modified, added, or removed.
- The override IP address in an outbound NAT rule is modified.
Suggested Workaround: None
Detailed Description:
Symptom: The TeamViewer application is not identified when used with some hostnames like IT-MIL-ANX-R016.teamviewer.com.
Condition: Hostnames like IT-MIL-ANX-R016.teamviewer.com are used to access TeamViewer, but they are not currently present in the application identifier under the TeamViewer application. Therefore, traffic remains unknown and is blocked.
Suggested Workaround: Create a custom application with a URL such as IT-MIL-ANX-R016.teamviewer.com. After defining the custom application, you can use it in a rule.
Detailed Description:
Symptom: Latency spikes are observed every 60 seconds.
Condition: The garbage collection logic runs every 60 seconds. On an appliance with a large number of flows, this process ends up causing a latency spike in the data plane.
Suggested Workaround: Increase flow reporting interval
Detailed Description:
Symptom: Internet breakout for a leaf site doesn't work when defined at the site level.
Condition: This issue occurs when breakout is defined at the site level.
Suggested Workaround: None
Detailed Description:
Symptom: During HA failover, routes on the LAN router momentarily flap and then recover.
Condition: This issue occurs in a SteelConnect HA appliance configuration where a backup node is configured with a lower router ID and the LAN routers are configured with the next-hop pointing to the backup node. If HA failover is triggered, the backup becomes the master. The routes in the LAN router flap momentarily even though there is no failure in the next-hop backup node.
Suggested Workaround: None
Detailed Description:
Symptom: Outbound firewall rules are not applied on short-lived connections. As a result, SteelHead SD 2.0 appliances do not block the traffic denied in the outbound rule.
Condition: This issue occurs on short-lived connections when application classification is incomplete.
Suggested Workaround: None
Detailed Description:
Symptom: On an SDI-130 gateway, selecting "Default" or "40 MHz" bandwidth for the 5-GHz Wi-Fi radio in certain countries will cause the 5-GHz radio to go offline.
Condition: This issue occurs in Wi-Fi sites located in countries that don’t allow 40-MHz bandwidth (that is, channel aggregation) in the 5-GHz spectrum, including Bahrain, Costa Rica, Ecuador, El Salvador, Guam, Indonesia, North Korea, and Sri Lanka.
Suggested Workaround: None
Detailed Description:
Symptom: An Active Directory sync fails with the message “Waiting for callback from sync appliance.”
Condition: This issue occurs when a SteelConnect SDI-5030 gateway is configured as a bridge appliance. Active Directory user sync is not supported on a SteelConnect SDI-5030 gateway.
Suggested Workaround: None
Detailed Description:
Symptom: In a dual-hub deployment with SteelHead SD 2.0 appliances, traffic reporting of the remote site ID may be inaccurate.
Condition: This issue occurs because the dual-hub configuration learns the same subnet from more than one site. Although the reported remote site ID is inaccurate, the traffic flows on the correct path.
Suggested Workaround: None
Detailed Description:
Symptom: SCM traffic timeline statistics are inconsistent with the Top Talkers report on the SteelHead.
Condition: This issue occurs when SCM is not able to process incoming flows in a timely manner. As a result, some flows are missing from the traffic timeline.
Suggested Workaround: None
Detailed Description:
Symptom: The backup appliance in an SDI HA pair loses connectivity to SCM when local internet uplinks are down.
Condition: This issue occurs when an SDI HA pair is configured in dedicated port mode, all local internet uplinks are down, and the only path to the internet is through an MPLS WAN with an internet breakout set to a remote site.
Suggested Workaround: None
Detailed Description:
Symptom: The Blocked Connections tab on the SteelHead SD 2.0, SteelConnect SDI-2030 gateway, and SteelConnect SDI-5030 gateway does not report firewalled connections in SCM.
Condition: This issue occurs with connections that have been firewalled by the appliance.
Suggested Workaround: None
Detailed Description:
Symptom: SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.
Condition: Access Point 3 and Access Point 5 directly cabled to an SDI-1030 gateway can occasionally lose link connectivity.
Suggested Workaround: Connect the AP-3 and/or AP-5 to the SDI-1030 Gateway via a switch.
Detailed Description:
Symptom: Optimization is not working on SteelHead SD.
Condition: The inner channel is not established because ARP resolution for the in-path gateway fails.
Suggested Workaround: None
Detailed Description:
Symptom: AutoVPN flapping occurs on the SDI-5030 gateway after upgrading to 2.12.2.
Condition: Some unhandled socket errors cause the data plane to restart, leading to the tunnel flaps.
Suggested Workaround: None
Detailed Description:
Symptom: Traffic/flows fail to match the outbound and/or traffic path rules of type custom app.
Condition: This issue occurs in custom applications that are created with type "IPs/Ports" and have both hostnames and IPs in them.
Suggested Workaround: Create a separate custom application for hostnames and a separate custom application for IPs.
To view the release notes for previous versions, please visit SteelConnect support and select the version of interest.
If you have questions regarding this update, please contact Riverbed Support for assistance.