SteelConnect Manager Release Notes, v2.11.0

Welcome to SteelConnect 2.11.0

The following is an overview of the changes in this release.

New features in 2.11.0

SteelHead SD and SDI-2030 Zscaler integration

Zscaler cloud security solution is supported on SteelHead SD 570-SD, 770-SD, and 3070-SD appliances and the SteelConnect SDI-2030 gateway located at the branch. SteelHead SD appliances and SteelConnect SDI-2030 gateways also provide Zscaler support for HA deployments.

SteelConnect and SteelHead SD support for route retraction

Support is introduced for route retraction to dynamically withdraw routes from the underlay when routes become unavailable.

Brownfield transit routing

The brownfield transit feature enables connectivity between internet-only SteelConnect sites to legacy or non-SteelConnect MPLS/underlay sites. With the SteelConnect SDI-2030 gateway and SteelHead SD appliances, more complex brownfield use cases can be supported due to advanced routing support on these platforms introduced in version 2.11.

SteelHead SD and SDI-2030 Health Check enhancements

SteelHead SD 2.0 appliances and SteelConnect SDI-2030 gateways can be monitored using Health Check and are integrated into the Insights reporting tool. They also provide SNMP-based management for easy integration into external operations support systems (OSS) and network management systems (NMS).

SteelConnect native VLAN support

Native VLANs are now supported on SteelConnect SDI-130, SDI-330, gateways and SDI-S12 POE+, SDI-S24 POE+, and SDI-S48 POE+ switches. This support enables smooth integration of Xirrus Wi-Fi access points with SteelConnect solutions.

SteelHead SD and SDI-2030 visibility enhancements

SteelHead SD and SDI-2030 uplink flow distribution

Enhanced flow distribution is introduced across multiple uplinks on SteelHead SD/SDI-2030 platforms.

Overlay LPM and underlay path selection

Path selection supports underlay circuits, giving customers better flexibility in selecting path preferences for application steering (for all SteelConnect platforms).

Topology discovery

Support for local subnet discovery enables discovery of routes from the LAN side of the network and distribution of those routes into the overlay with inclusion/exclusion filters. The SD-WAN fabric is aware of all dynamically learned routes on the LAN side of the remote sites. This learning avoids tedious route configurations and renders an intelligent overlay fabric.

ASBR full support

Support for autonomous system boundary router (ASBR) functions enable distribution of routes between different autonomous systems: for example, distribution of routes between OSPF on the LAN side and BGP on the WAN side. As part of this capability, we support route filtering and policy maps, which provide a lot of control to customers over which routes can or cannot be distributed. eBGP and ASBR functions are enablers for the CE router replacement use case in branch offices.

SteeHead SD route filtering and policy maps

SteelHead SD 2.0 supports route filtering and policy maps, which provide a lot of control to customers over which routes can or cannot be distributed. eBGP and ASBR functions are enablers for the CE router replacement use case in branch offices.

Smaller Additions, Improvements, and Bugfixes

2.11.0

SCON-17537 - Symptom: When the Redis server client connections reach the maxclients count, it closes some of the connections. This causes one of the SDWC services to panic and causes the controller to restart. This disrupts the tunnels configuration and also end-to-end data traffic. Condition: This issue occurs when more than 10000 clients connect to Redis server port 6379.
SCON-17717 - Symptom: Some route tables created by Riverbed internally keep hanging even after undeployment is completed for the site. Condition: This issue occurs when triggering a routing mode change immediately after the cloud site deployment finishes.
SCON-17551 - Symptom: The reverse SSH tunnel disconnects. Condition: Every 5 minutes or so, the reverse SSH tunnel disconnects.
SCON-17616 - Symptom: Google Project Zero has reported vulnerabilities in x86 CPUs that are now known as Spectre and Meltdown. Condition: Data security is compromised when more than one customer is using the same CPU in a virtualized environment.
SCON-19958 - Symptom: Certain tunnels to an SDI-5030 site went down. Condition: If two interfaces on an SDI-5030 gateway are configured with addresses in the same subnet, and one of the interfaces goes down, the routing process might crash when trying to move traffic to the other interface. The 5030 is then not advertising all its interfaces via BGP.
SCON-19916 - Symptom: Syslog messages sent to a remote server do not contain the PRI field, as required by RFC 3164. Condition: This issue may prevent the proper function of syslog filters, which rely on the priority field.
SCON-20263 - Symptom: If an HA pair is deployed with AutoVPN disabled on the pair, the configuration push fails for that pair of appliances.
SCON-20215 - Symptom: SteelConnect Manager does not use the latest application pattern definitions and is unable to display them on the Applications page. Condition: SteelConnect Manager is not able to use the latest definitions of application patterns when an update of the patterns fails.
SCON-20090 - Symptom: In prior versions to the 2.11 SCM, attaching an uplink to the BGP appliance was a requirement and part of the setup. Condition: The configuration is not necessary in this section.
SCON-20057 - Symptom: When the user tries to access HealthCheck > Routing Tables under a small screen resolution, the tables drawn on the screen overlap with each other, making it difficult to read a few details on the screens. Condition: This issue occurs when HealthCheck > Routing Tables is accessed in different screen resolutions.
SCON-20030 - Symptom: REST API reveals the appliance console password configured on the Organization > Console login page even if the RBAC user doesn't have permission on that page.
SCON-19850 - Symptom: The SDI-5030 gateway would see tunnel flaps caused by an internal process restarting. Condition: When exceeding 60,000 flows (30,000 TCP connections) on a data plane instance, an artificial memory limit was reached.
SCON-17332 - Symptom: A NIC is stuck in standard-nic mode; bypass is not available. This issue persists into remanufacture as SteelHead. Condition: Certain NICs change to standard-nic mode at every reboot.
SCON-17283 - Symptom: WAN and Internet traffic rules, with the pass-through flag set, causes the gateway to drop the WAN and Internet rules. Condition: When the pass-through flag is set on traffic rules with WAN and Internet specified, the gateway to drops the rule.
SCON-17109 - Symptom: Detailed information about the default gateway for an uplink with a DHCP address on the 130, 330, and 1030 SDI appliance is not properly collected or displayed in the SCM.
SCON-17437 - Symptom: Tunnel creation fails for a site. Condition: This issue occurs when the site under observation is converted from a cluster site to a non-cluster site.
SCON-17030 - Symptom: After changing a management zone's VLAN tag, tunnels to gateways using that management zone go offline. Condition: The issue arises when changing an existing management zone's VLAN tag. The flaw is in the update logic only, so a workaround is to reboot the impacted appliance(s).
SCON-17017 - Symptom: Traffic from the leaf site towards the hubs does not honor the hub priorities in a path failover scenario when there is traffic rule match. Condition: This issue occurs in a hub-and-spoke topology with dual hub and leaf sites connected on hybrid WAN.
SCON-16878 - Symptom: When configuring the ping gateway feature for a WAN, sites with uplinks configured for DHCP would not use the next hop gateway for ping check. Condition: The uplink for the WAN with ping gateway enabled would have to be configured to obtain its IP address using DHCP. Statically assigned uplinks are not affected.
SCON-16545 - Symptom: The port name and speed overlap on the Ports page. Condition: This issue occurs when the name exceeds six characters.
SCON-16381 - Symptom: Zscaler or Cloudi-Fi automatic node selection is not performed. Condition: This issue occurs when the Zscaler or Cloudi-Fi cloud is changed.
SCON-16386 - Symptom: The appliance is toggling between online and offline on SCM. Condition: This issue occurs if there is an intermittent network connectivity issue between CVM and SCM. Specifically, if the CVM is not able to talk to SCM for 60 seconds, then SCM marks the appliance offline. If the connectivity restores after 60 seconds, then SCM marks it online again. If this network issue keeps repeating, then the appliance appears to toggle between offline and online on SCM.
SCON-16210 - Improved security for VLAN autotrunking.
SCON-16086 - Symptom: A logic error in the routine that searches for flow-table matches might result in multiple redundant searches through the table. When this error occurs, the CPU utilization might rise, the system might become less responsive, and packet drops might be observed. Condition: This error is likely to occur when the flow table is full or nearly full. A full flow table is indicated by the log messages: flows_cmd_dequeue_state: create flow fails since match table is full.
SCON-15919 - Symptom: An example configuration for PXE boot was not working. Condition: Fixed the configuration generation for PXE boot.
SCON-15745 - Symptom: Cloudi-Fi tunnels are not shown on the Troubleshooting page. Condition: Cloudi-Fi is enabled but Zscaler is not enabled.
SCON-22162 - Symptom: The SCM UI displays the wrong information under the Usage column on the Uplinks page. Condition: This issue occurs when an uplink is configured for local internet breakout and attached to a WAN that doesn't have a default gateway setting.
SCON-20983 - Symptom: Multiple zones might have the same unique ID. Condition: When the cc-user ID-unique flag is turned off, certain race conditions (for example, concurrent REST API calls) might lead to multiple zones with the same unique ID.
SCON-20917 - Symptom: The uplink table does not show a valid status, but a page refresh does. Condition: If SCM does not receive statistics on an uplink, the uplink table row does not get refreshed. When switching DHCP to or from static IP, the SCM stops getting new uplink statistics. The status is therefore never updated.
SCON-21420 - Symptom: When a Classic VPN remote network conflicts with a subnet in a SteelConnect zone, a 1:1 NAT can be applied to the remote network to resolve the conflict. Condition: A routing bug caused the NATed traffic to be routed to the SteelConnect zone instead of the remote network.
SCON-21365 - Symptom: Ulogd floods the gateway log with error messages stating "Resource not available" when trying to report flows to the SCM. Condition: High level of traffic is going through the appliance while flows simultaneously need to be reported to the SCM.
SCON-21164 - Symptom: After an upgrade or a factory reset, the SNMP or remote syslog configuration is not applied by a SteelHead SD appliance or a SteelConnect SDI-5030 gateway. Condition: After an appliance undergoes a factory reset or a firmware upgrade, it receives the remote syslog and SNMP configuration from SCM. But the appliance intentionally skips applying these settings because the service VMs have not yet been created. Once the appliance is online and up-to-date, a subsequent configuration change will automatically make the appliance apply the pending remote syslog/SNMP configuration. This is applicable for: 1. Remote syslog on SteelHead SD appliances and the SteelConnect SDI-5030 gateway. 2. SNMP on SteelHead SD appliances only.
SCON-21052 - Symptom: Tunnels go down when sysdump collection is triggered. Condition: When sysdump collection is triggered for an appliance, debug commands for the flow's vSwitch are enabled before starting the data collection, and they're disabled after the sysdump has been generated. In case the sysdump collection fails, the debug commands were not being disabled. During heavy traffic scenarios, this behavior can introduce high latencies and even cause the tunnels to go down.
SCON-21506 - Symptom: Health Check shows a single SDI-5030 gateway as degraded when the cluster port is offline or not in use. Condition: A SDI-5030 gateway deployed in single appliance configuration.
SCON-21601 - Symptom: The customer cannot upgrade the appliance after USB provisioning is done with static configuration. Condition: Updating an appliance to recent versions (2.10.1) fails when the customer is using USB provisioning with static configurations. The out-of-the-box appliance has the factory image, which is 1.12, and we are plugging in a USB with static configuration. The upgrade fails when we try to connect the appliance to SCM in order to upgrade.
SCON-20466 - Symptom: Memory pressure results in the appliance going offline. Condition: Under high workloads, memory pressure can result in the appliance getting disconnected from SCM.
SCON-20348 - Symptom: The service core was restarted, the SCM service was restarted, and tunnels were re-created. Condition: Flow records show a huge number in the service core before the overflow error message.
SCON-20330 - Symptom: HA failover is unsuccessful and can result in HA flaps. Condition: A backup uplink is configured in the SteelConnect Manager, and a conservative ping profile is used. The primary uplink is offline and only the backup uplink is online when failover to the node occurs.
SCON-20317 - Symptom: The SteelConnect SDI-2030 gateway takes more than 4 minutes for the rebooting process. Condition: This issue occurs when upgrading or when a factory reset requiring a reboot is sent to the appliance.
SCON-20278 - Sometimes the ICA Citrix traffic can get reclassified to TCP.
SCON-20273 - Symptom: In SCM, all possible traffic-path inbound-rule selections are not validated. Condition: In SCM, when creating traffic path rules with particular settings, validations for some selections are not occurring.
SCON-19655 - Symptom: Organization migration was failing for organizations that have SteelHead SD appliances in version 2.10.x. Condition: This issue occurs when trying to migrate the organization with export/import functionality on SCM that contains SteelHead SD 570-SD, 770-SD, and 3070-SD appliances.
SCON-19836 - Symptom: Tunnels are reported as offline on SCM. Condition: The statistics reporting service in the SteelConnect SDI-5030 gateway never finished activation due to which the system, port, and tunnel statistics were never reported to SCM.
SCON-19698 - Symptom: When filtering the Traffic Timeline report by zone, the data is not displayed. Condition: When searching by zone in the Traffic Timeline report, the data was not displayed.
SCON-19821 - Symptom: In some cases, tunnel statistics between an appliance and an SDI-5030 gateway can be missing in the UI for up to four hours following an upgrade. The tunnel is functioning normally and the issue resolves itself when the tunnel is rekeyed. Condition: The issue can occur whenever the AutoVPN node in the cluster changes multiple times in a short period of time, which is not unusual during an SDI-5030 upgrade. This issue can also rarely occur during normal failovers or reassignment.
SCON-19752 - Symptom: On an SDI-130W appliance, the radio state is not displayed in SCM. Instead, SCM shows the "Radio state not reported recently" message. Condition: SSID and Broadcast are configured on SDI-130W.
SCON-19502 - Symptom: Traffic flowing through Zscaler tunnels on SteelHead SD appliances is interrupted during an IPsec tunnel rekey with the Zscaler Enforcement Nodes (ZENs). Condition: During an IPsec rekey, StrongSwan sends a delete notification for the old tunnel security association (child-SA) as soon as the SteelConnect control plane receives new keys to replace the old keys. The delete notification goes out before the control plane has enough time to establish the keys for the new tunnel in the data plane. While the control plane is establishing the new keys in the data plane, the data plane continues to use the old keys. However, because StrongSwan has already sent a delete notification for the old tunnel security association (child-SA), a ZEN peer will drop any packets still using the old key. This will cause a traffic interruption until the new keys are received by both the control and data planes.
SCON-19118 - Symptom: When a user tries to see the current device status under Devices > Registered, the status of the device shown is not consistent. Condition: The user is not shown a consistent status that the device is currently in. For instance, though the device is Active with traffic flowing, it could be showing Inactive.
SCON-19072 - Symptom: Clicking an On or Off button to toggle a rule or an uplink causes a slow response with no indication that SteelConnect is processing the action. Condition: SCM can be slow to respond to an On or Off action in a large-scale SteelConnect deployment. The On or Off button is now disabled while processing an action and reenabled after the action is complete.
SCON-19238 - Symptom: A large increase in volume of logging with dubious diagnostic value is seen when NetProfiler is enabled. Condition: NetProfiler is enabled.
SCON-19162 - Symptom: A zone-based remote internet breakout for a leaf site is not working when a single-hub site is the breakout site. The internet-bound traffic from the leaf site gets dropped in the hub site. Condition: Configure the zone-based remote internet breakout rule for the leaf site with a single hub as the breakout site.
SCON-19321 - Symptom: With a dual hub configuration, the internet traffic for a leaf site does not follow breakout preferences when the configured breakout site is a non-hub site. Condition: Add a remote internet breakout preference for the leaf site of a dual-hub, and select a non-hub site as the breakout site for the leaf-site.
SCON-18382 - Symptom: The firmware upgrade rules under Organization -> Maintenance allow end users to add non-site tags also. Condition: 1. Create a site. 2. Create a registered device and assign it a new tag. 3. Go to the maintenance page and create a "Schedule rule" by clicking Add schedule. 4. The Site Group drop-down menu shows a newly created device tag as well.
SCON-18355 - Symptom: The number of tunnels reported on the Health Check Overlay Routes page is inaccurate. Condition: This issue occurs when a Zscaler WAN is enabled. The Zscaler tunnels are not included in the Health Check Overlay Routes page.
SCON-18350 - Symptom: With a large number of traffic path rules configured, it may take a bit longer to process the configuration on the gateway. Condition: There may be some delay in the configuration to take effect.
SCON-18296 - Symptom: RBAC users are unable to add an appliance that was previously deleted. Condition: This issue occurs when an appliance is deleted from a given organization and an RBAC user tries to add the appliance with the same serial number to any other organization.
SCON-18249 - Symptom: The WiFi Planner allows saving the radio power as part of a plan, but when reopening the plan to deploy another AP, this power setting does not get loaded or used. The Planner appears to set an arbitrary value of its own choosing each time the plan is edited. Condition: 1. Create a new wireless plan, and add a new AP. 2. Change the radio power on the AP to some other value than the default. 3. Save the plan, and exit the planner. 4. Open the saved plan in the planner again. The updated power value is not reflected by the AP in the plan.
SCON-18212 - Symptom: After failover, Zscaler tunnels are down. Condition: When Zscaler is used in an HA environment and a failover occurs, Zscaler tunnels are not reestablished.
SCON-19023 - Symptom: With Zscaler or Cloudi-Fi enabled, the SteelHead SD appliance or SDI gateway tunnel status is incorrectly reported as online while the appliance or gateway is reported as offline by SteelConnect Manager. Condition: SteelConnect Manager incorrectly selects the last reported status of the tunnel for the SteelHead SD appliance or SDI gateway that went offline.
SCON-18876 - Symptom: The Overlay Routes page can show out-of-date data when an appliance is removed from a site and no new appliance is added to that site. Condition: If two sites have assigned appliances (for example, Site A is assigned Appliance A and Site B is assigned Appliance B), this issue occurs when both appliances are removed completely from the realm, where Site A is deleted and Site B remains without an assigned appliance.
SCON-19034 - Symptom: A transfer network added to multiple WANs (or multi-uplinks in the same WAN) is not getting configured for all applicable WAN interface paths on the appliance. Condition: Configure the same transfer network in more than one WAN.
SCON-18906 - Symptom: The SteelHead Connector process crashes with coredump. Condition: This issue occurs when SteelHead is connected to a LAN-side gateway with the SteelHead Compatibility feature enabled.
SCON-18836 - Symptom: A process crash occurs on SteelHead SD 770-SD when learning routes. Condition: This issue occurs when learning underlay routes via the dynamic routing protocol.
SCON-18807 - Symptom: The UI allows configuring an alternate hub for a site containing an SDI-5030 cluster. Condition: The alternate hub configuration is not supported for SDI-5030, and configuring as such can lead to unknown behavior.
SCON-18595 - There were multiple scenarios under which an SDI-5030 cluster upgrade would fail. The cluster upgrade process was overhauled to be more robust.
SCON-18590 - Symptom: The browser cache is not updated to the latest version of JavaScript files. Hence the application is having console errors. Condition: This issue is seen while upgrading from SCM 2.9.1.
SCON-18525 - Symptom: Generating the Zscaler configuration fails if there is a wide character in the site name. Condition: 1. Have a site with a wide character in its name (HeadquartersEUR). 2. Go to Zscaler, and click Download Config. 3. Click either Download VPN credentials or Download locations. 4. Observe no CSV file is generated and the screen hangs.
SCON-18504 - Symptom: The OSPF configuration for a tagged uplink interface has an incorrect interface name. Condition: This issue occurs when an uplink is tagged with a VLAN ID.
SCON-18505 - Symptom: The BGP configuration for a tagged uplink interface has an incorrect interface name. Condition: This issue can occur when the uplink is tagged with the VLAN ID.
SCON-18076 - Symptom: SCM UI does not allow split-site configuration to pick a site that is already configured to be a part of dual-hub configuration. It is valid for a site to be part of a split-site configuration and a dual-hub configuration. Condition: This issue only happens when a site is already part of a dual-hub configuration and then you attempt to configure a split site. To workaround this issue, first configure a split site by selecting those sites to be a part of the split-site group and then configure dual hub by selecting the site that is already in a split-site group.
SCON-22792 - Symptom: AutoVPN tunnel flaps on SteelConnect SDI-5030 gateway. Condition: This issue occurs when updating the community filter for topology discovery under Network Design > Sites > Local Subnet Discovery.
SCON-22784 - Symptom: The subnet common to the split site is reachable only through one of the sites in the split group. Condition: This issue occurs when the community topology discovery filter is configured in a site after receiving the overlay routes from the other member of the same split group.
SCON-22054 - Symptom: The SteelConnect Manager user interface doesn't load. Condition: This issue occurs when a zone on SteelConnect Manager doesn't have a gateway IP address configured.
SCON-22003 - Symptom: A LINK_ON_DISABLED_PORTS alert is raised. Condition: This alert is raised when the user has appliances in high availability.
SCON-21873 - Symptom: The SteelConnect Manager may generate invalid appliance configurations, preventing configuration updates from taking effect. Condition: This issue occurs when certain errors are encountered in a background batch processing job on the SteelConnect Manager. These errors are not visible to the user.
SCON-14315 - Symptom: Wrong memory allocations to certain SteelHead processes resulted in critical process failures on SteelHead SD. Condition: We've fixed these memory allocation problems on 2.11.0. The SteelHead SD process is not going to run out of memory on a high number of optimized connections.
SCON-14056 - Symptom: A mismatch occurs between health check path quality (Health Check > Overlay > PQ) and dashboard path quality statistics. (Choose Dashboard and click tunnel to display Tunnel Statistics Details, and then scroll to Path Quality). Condition: Based on appliance statistics reporting, if the number of path quality samples reported is more than 1, it leads to a mismatch between the health check path quality (Health Check > Overlay > PQ) and dashboard path quality statistics.
SCON-14307 - Symptom: When you click a tunnel in the Dashboard to display the Tunnel Statistics Details page, the total throughput for inbound and outbound traffic displayed in bold is not the total of the individual throughput values shown. Condition: The total throughput shown in bold in the Tunnel Statistics Details page are not refreshed. This behavior can lead to a confusion when you look at the throughput numbers displayed in bold.
SCON-15105 - Symptom: After updating a traffic rule, the DSCP values for outbound traffic reflect the update but DSCP values for inbound traffic do not. Condition: After updating a traffic rule, the DSCP values for outbound traffic reflect the update but DSCP values for inbound traffic use outdated, cached values.
SCON-15357 - Symptom: Upgrading a SteelConnect Manager or SteelHead SD appliance that has an MTU size greater than 1500 bytes will change the MTU setting to the maximum size: 1500 bytes per frame. Condition: SCM allows you to change the uplink MTU (Network Design -> Uplinks -> Settings tab) to a maximum value of 9586.
SCON-15214 - Symptom: Custom applications using a port range were not supported by the SDI-5030. Condition: If the user creates a custom application with IP/port or zone type using a port range and creates a traffic rule with this custom application, it is now honored by SDI-5030 appliances.
SCON-14949 - Symptom: Longest Prefix Match (LPM) routing always prioritized the overlay WAN path before the underlay. Condition: The traffic rules did not include an option to prioritize the underlay as the preferred WAN path. Underlay is now included as a WAN path preference option.
SCON-14486 - Symptom: Traffic to uplink networks follow the internet breakout preference instead of routed correctly to the uplink network. Condition: This issue occurs on a configuration with hybrid WAN (internet and MPLS).
SCON-13478 - Symptom: Tunnels are down. On the routing virtual machine, the user cannot log in to the zebos imish interface. Condition: This issue can occur when trying to change the interface IP address from SCM.
SCON-12898 - Symptom: A tunnel shows the status as "online" for a maximum of 10 minutes when there is no stats report from either of the tunnel endpoint gateways. Condition: This issue can only occur when both gateways are down at the same time. In this case, the tunnel status remains online for 10 minutes.
SCON-12479 - Symptom: Configured static routes on SDI-5030 do not take effect. Condition: This issue only affects SDI-5030 devices.
SCON-13184 - Symptom: The SDI-5030 gateway stopped advertising routes for a subnet residing in more than one zone. Condition: When a subnet residing in multiple zones is deleted from one zone, the SDI-5030 gateway stops advertising the route for that zone.
SCON-13307 - In certain scenarios, the data plane process in an SDI-5030 gateway would crash, causing a certain subset of tunnels to an SDI-5030 site to flap.
SCON-12188 - Symptom: SteelHead SD doesn't talk to SCM while connecting through another SteelHead SD. Condition: When a branch SteelHead SD appliance using an MPLS-only uplink tries to reach SCM through another branch SteelHead SD appliance using an internet uplink, it is unable to communicate with SCM.
SCON-11487 - Symptom: The SteelConnect Manager upgrade process takes a long time. Condition: The SteelConnect Manager upgrade process is affected by the number of users on the system. In cases where the number of users exceed 300, the upgrade process can take an unusually long time.
SCON-10288 - Symptom: The SteelConnect SDI-5030 gateway cluster health toggles between offline and healthy. Condition: This issue occurs when the SteelConnect SDI-5030 gateway nodes are unsynchronized with the NTP server because the NTP service isn't started on SVMs or the NTP configuration isn't correct.
SCON-10897 - Symptom: DSCP tags are not updated based on traffic rules matching an application classification for internet traffic. Condition: A flow must hit a traffic rule that has an action of setting a DSCP tag, matching on the first packet. Further rules matching the flow based on Layer 7 or flow classification, which should also update the DSCP tag, do not take effect.
SCON-8073 - Symptom: Error message appears in syslog: "Keepalived_vrrp: Netlink: filter function error." Condition: This error can occur during the HA failover process.
SCON-7596 - Symptom: Uplinks appear to be down despite having connectivity. Condition: This problem can occur when intermediate routers pin the liveness ping test traffic to the wrong route. Because the ICMP ID of the test traffic never changes, the test traffic stays pinned to the wrong route even after routing tables and rules have been corrected.
SCON-20158 - Symptom: In Insights, the uplink ID is missing and there is no flow reporting so there are no statistics available. Condition: This issue occurs when the uplink is in a VLAN. The VLAN UIN was not carried forward.
SCON-20051 - Symptom: A SteelConnect SDI-1030 gateway goes offline. Logs are unavailable after failure. Condition: This issue occurs rarely, and generally affects backup HA appliances.
SCON-21438 - Symptom: The uplink is considered down, and routes towards the uplink are withdrawn. Condition: The reflector service (rfl.x.riverbed.cc) is not reachable on the uplink.
SCON-20332 - Symptom: An SNMP response is seen on the gateway WAN interface for release 2.11 where SNMP services are meant to be available on LAN interfaces only. Condition: A network element sends an SNMP request on the gateway WAN interface.
SCON-18587 - Symptom: In rare circumstances, an IPv6 route update causes an appliance to reboot with a kernel backtrace indicating a crash in fib6_walk_continue(). Condition: Typically, this issue only happens when there is a combination of heavy traffic and a significant number of configuration updates. While it only impacts the IPv6 routing table, it can occasionally be seen when uplinks do not have IPv6 enabled. With the fix, a backtrace is logged to indicate that a process may have had a temporary issue reading the IPv6 routing table and the appliance no longer reboots.
SCON-20391 - Symptom: In rare cases, Zscaler/Cloudi-Fi tunnels go down and do not recover until they are manually restarted or the appliance is rebooted. Condition: Zscaler/Cloudi-Fi are in use, a related configuration change is made, and additional rare circumstances are being met.
SCON-19938 - Symptom: The SteelConnect 3070-SD appliance takes more than 30 minutes to reboot. Condition: Some of the raid device processes take too long to finish during reboot, and the timeout parameter that forces the kernel to reboot the appliance is set to 30 minutes.
SCON-17725 - Users using the SteelHead SD uplink IP and port 61444 to reach the controller VM shell is now reachable using default SSH port 22. Port 61444 is no longer open.
SCON-19297 - Symptom: SteelConnect SDI gateways occasionally fail to initiate remote logging even though the feature is enabled. Manually restarting the remote logging service fixes the issue. Condition: A race condition initiating the remote logging service would occasionally cause it to exit prematurely, leaving remote logging disabled on the impacted appliance.
SCON-22790 - Symptom: Previously, newly created sites would not be properly geolocated and could show up in the wrong place on the Google map. Condition: Newly created sites may not have shown up in the right place on the Google map.
SCON-21886 - Symptom: The appliance reboots with a kernel backtrace indicating a crash in xfrm_validate_rev(). Condition: Typically this issue is only seen when there is very heavy traffic on AutoVPN tunnels.
SCON-20706 - Symptom: Incorrect routing decisions in HA setups can cause traffic to be blackholed. Condition: The HA backup appliance and client experience connectivity loss when HA failover occurs during a WAN outage where that WAN was previously up on the new HA master appliance.
SCON-19872 - Symptom: The Redis database uses a lot of memory in buffering reporting statistics to SCM. This can cause low memory issues on the appliance, causing a reboot of the appliance. Condition: When SCM processes flow reporting statistics with a delay, a reboot of the branch appliance can occur because of a backlog of reportint statistics.
SCON-12714 - Symptom: The appliance configuration state remains frozen at "Shipped" in SCM. Condition: In rare occasions, after writing data to the files in the /storage partition, the file system switches to read-only mode because of a bitflip in an erased page, which prevents saving newer configurations shipped from SCM.
SCON-21656 - Symptom: On gateways, syslog shows a large number of "ulogd[pid]: Failed to write to event socket, closing: Resource temporarily unavailable" or "ulogd[5087]: Failed to connect to event socket: Resource temporarily unavailable" messages. Condition: System is under load.
SCON-18462 - Symptom: Due to a regression in the upgrade module in releases 9.7.0 and 9.7.0a, customers running 9.7.0 and 9.7.0a need to upgrade to 9.7.1 before performing In-Field Upgrade to 2.11.0. Condition: This issue affects RiOS 9.7.0 and 9.7.0a only.
SCON-25120 - Symptom: A timeout of the Virtual Router Redundancy Protocol (VRRP) check script, which is checking for external triggers, is interpreted by keepalived as a fault condition and a failover is triggered. Condition: This issue occurs when HA systems are under high load.
SCON-25112 - Symptom: VoIP phone calls from the LAN side of the gateway are interrupted after HA failover. Condition: This issue occurs when HA failover is initiated between VoIP calls.
SCON-25224 - Symptom: When WAN optimization is enabled on SteelHead SD 2.0 and the appliance sees traffic from certain Microsoft applications (such as Windows Store), the service_core can segfault. The customer sees this behavior as an uplink and/or tunnel flap at that appliance. Condition: Certain Microsoft applications use HTTP as their application layer protocol for all data transfer. As part of HTTP, they use HTTP request pipelining (where multiple HTTP requests are sent using a single TCP connection), and these HTTP requests contain different hostnames. This scenario causes the service_core to segfault when it receives multiple hostnames as part of the SteelHead compatibility application identification information from the SteelHead-v.

Known Issues

SCON-20246 - The Appliance Health page displays faults in the Management Interfaces.

Detailed Description: Symptom: The Health Check status for an appliance incorrectly shows a fault under Alarm status. Condition: The uplinks connected to the appliance are configured with static IPs.

Suggested Workaround: None

SCON-19876 - Health Check -> Routing Tables page does not refresh automatically.

Detailed Description: Symptom: Health Check -> Routing Tables page does not refresh automatically.

Suggested Workaround: Manually refresh the page to view the latest data.

SCON-20193 - Zscaler/Cloudi-Fi doesn't work if AutoVPN is disabled.

Detailed Description: Symptom: Zscaler/Cloudi-Fi tunnels are not being configured. Condition: AutoVPN is disabled on the gateway uplink.

Suggested Workaround: None

SCON-16920 - SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway.

Detailed Description: Symptom: SteelConnect Access Point 3 and Access Point 5 can occasionally lose link connectivity when directly connected to an SDI-1030 gateway. Condition: Access Point 3 and Access Point 5 directly cabled to an SDI-1030 gateway can occasionally lose link connectivity. The workaround for this issue is to connect the Access Point 3 and Access Point 5 to the SDI-1030 gateway via a switch.

Suggested Workaround: None

SCON-15618 - warmStart traps (1.3.6.1.6.3.1.1.5.2) are not triggered.

Detailed Description: Symptom: warmStart traps are not seen in the SNMP Manager when an agent re-initializes without a config change.

Suggested Workaround: None

SCON-22296 - Deleting one of the SDI-5030 cluster uplinks causes tunnels on the other uplink to go down.

Detailed Description: Symptom: When one of the cluster uplinks is deleted, tunnels for the other cluster uplink go down. Condition: When multiple cluster uplinks are configured, deleting any uplink other than the last created uplink causes tunnels for all other uplinks go down.

Suggested Workaround: Delete all Cluster Uplinks and re-create them

SCON-22176 - An SDI-5030 cluster configured and operational with one SDI-5030 appliance becomes nonoperational when adding an additional SDI-5030 appliance

Detailed Description: Symptom: Under certain conditions, adding additional SDI-5030 appliances to an already existing cluster containing only one appliance can cause the cluster to go into an irrecoverable error state. Condition: An SDI-5030 cluster with only one appliance already exists and additional SDI-5030 appliances are added to the same cluster.

Suggested Workaround: Before adding additional SDI-5030 appliances to an existing single appliance cluster, the cluster must be deleted in the Network Design > Clusters page and then recreated with all the desired appliances.

SCON-19174 - The capacity of the uplink shows disabled on the Details page.

Detailed Description: Symptom: For SteelHead SD appliances, under Health Check > Uplink Health, on the Details page, the capacity of the uplink appears as disabled. Condition: When QoS for a particular SteelHead SD uplink is turned on, the Capacity Status under the Health Check page appears as disabled.

Suggested Workaround: None

SCON-19455 - Uplink AutoVPN settings prevent tunnels from being created under some circumstances.

Detailed Description: Symptom: SteelConnect Manager fails to create AutoVPN tunnels among sites with the same public IPv4 address. Condition: When multiple sites exist and those sites share the same public IPv4 address, and AutoVPN IPv4 target address settings for uplinks on those sites are heterogeneous (a mix of external and internal), then SteelConnect Manager will fail to properly create tunnels among those sites.

Suggested Workaround: None

SCON-18455 - Agent pool IPv4 skipped during cloud overlapping check during connection.

Detailed Description: Symptom: Azure/AWS traffic is not routed correctly due to a routing conflict. Condition: This issue occurs when the configured VPC/VNET address space overlaps with the configured agent address space.

Suggested Workaround: Configure the agent pools to be non-overlapping.

SCON-18763 - A warning occurs when connecting a subnet that has its address space overlapping the agent IPv4 pool address or discovered zones.

Detailed Description: Symptom: Packets destined to connected subnets from an Azure site (with a SteelHead and a gateway) are ricocheted between the SteelHead and the gateway. Condition: In version 2.10.0 and later, when a cloud site is also the agent site for clients, and its agent IPv4 pool address overlaps with one of the connected subnets, the problem occurs with packets destined to such subnets.

Suggested Workaround: Provision a non-overlapping subnet for the agent IPv4 pool.

SCON-23033 - Traffic intended to travel through a SteelHead optimized HTTPS connection is incorrectly routed under some circumstances.

Detailed Description: Symptom: Traffic intended to travel through a SteelHead optimized HTTPS connection is routed through an unexpected path. Condition: When WAN optimization is on and the application target of a traffic rule is set to SSL, the system does not correctly classify SSL traffic and the traffic will not travel across the SteelHead optimized path.

Suggested Workaround: None

SCON-23012 - Traffic is not routed to Zscaler or Cloudi-Fi.

Detailed Description: Symptom: Traffic is not routed to Zscaler or Cloudi-Fi. The gateway's syslog contains the error messages "Unable to create rule" and "Unable to apply routing rule." Condition: Zscaler or Cloudi-Fi is being used, and SCM has been upgraded from an earlier version.

Suggested Workaround: This issue can be fixed in any affected SCM. Please contact support.

SCON-22988 - Xirrus access points stop forwarding DHCP packets to SteelConnect gateways.

Detailed Description: Symptom: After a period of time, clients stop getting DHCP replies. After troubleshooting, the client creates DHCP requests but the gateway doesn't receive the reply. TCP dumps indicate the client is sending the request but it doesn't make it past the Xirrus access point. 11:19:57.210175 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:18:98:24:e2:42, length 300 11:20:06.004887 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:18:98:24:e2:42, length 300 11:20:14.160589 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:18:98:24:e2:42, length 300 Other times, the gateway receives DHCP packets and does not respond. Rebooting the gateway or access point fixes the issue. Condition: This issue occurs with Xirrus access points on a SteelConnect network. Native VLAN is not enabled and there is a simple 1VLAN link from the switch to the Xirrus access point.

Suggested Workaround: reboot gateway or AP

SCON-22944 - The firewall configuration module times out when processing a large number of outbound rules.

Detailed Description: Symptom: The firewall configuration module can sometimes timeout without applying the entire filter rules. Condition: This issue can occur when a large number of outbound rules are configured for the site.

Suggested Workaround: None

SCON-22340 - The traffic timeline report shows no data when filtered by a SteelHead SD zone.

Detailed Description: Symptom: For SteelHead SD appliances, when a user tries to filter the traffic timeline report, the report does not show any traffic details. Condition: Choose Reporting -> Traffic Timeline. Currently, a user is not able to filter SteelHead SD traffic by zone.

Suggested Workaround: None

SCON-21713 - AP5 crash observed when large number of devices are registered.

Detailed Description: Symptom: AP5s reboot unexpectedly. Condition: This issue occurs when over 7000 device MAC addresses are registered on the SCM.

Suggested Workaround: Reduce the number of registered MAC addresses in the Devices section of the SCM.

SCON-14657 - Passive FTP data traffic is not classified as FTP.

Detailed Description: Symptom: Passive FTP connections are displayed as an unclassified application in Insights.

Suggested Workaround: None

SCON-15127 - Invalid nested leaf mode configurations are permitted in the UI.

Detailed Description: Symptom: Invalid nested leaf mode configurations are permitted in the UI, resulting in tunnel formation failure in some cases. Condition: This issue negatively affects SDI-5030 deployments.

Suggested Workaround: None

SCON-15458 - SNMP operations such as GET/WALK are not supported for non-physical interfaces.

Detailed Description: Symptom: SNMP get/walk returns values for virtual interfaces used internally by the appliance. These devices will look like vtiX_X_X or ovsXXXX. Traps like LinkUp(1.3.6.1.6.3.1.1.5.4)/LinkDown(1.3.6.1.6.3.1.1.5.3) related to these devices can be safely ignored.

Suggested Workaround: None

SCON-13591 - Cannot delete a site configured with an OSPF network and an OSPF area.

Detailed Description: Symptom: Deleting a site results in an ERR_IN_USE error. Condition: This issue affects sites configured with an OSPF network and area.

Suggested Workaround: To delete a site with OSPF configuration, delete the OSPF network and area first, then delete the site

SCON-8048 - SCM sends the same user ID to Insights after deleting the user or device.

Detailed Description: Symptom: A deleted user continues to be displayed on the user-related reports on Insights. Condition: After a user is deleted from SCM, traffic belonging to that user's device(s) is still marked with the deleted user, resulting in the deleted user continuing to be displayed on the user-related reports on Insights.

Suggested Workaround: None

SCON-16680 - SCM inadvertently exported intra-site traffic to Insights

Detailed Description: Symptom: Insights reports display traffic for "Unnamed Uplink: 0" Condition: On affected versions, intra-site traffic will be reported.

Suggested Workaround: None

SCON-17962 - LAN ports on SDI-130 or SDI-330 HA pairs enter an inconsistent state and may report incorrect statistics.

Detailed Description: Symptoms: LAN port link states do not match the actual state of the link, or LAN port statistics report random data or no data at all. Condition: This is a very rare occurrence reflecting an unexpected hardware state in the appliance.

Suggested Workaround: Restart the appliance and it will likely self-correct. Call Riverbed Technical Support in the unlikely event that the issue is persistent.

SCON-23205 - RADIUS communication from the gateway can sometimes use the uplink IP address as the source IP.

Detailed Description: Symptom: RADIUS communication from the gateway can sometimes use the uplink IP address as the source IP. Condition: Configure the RADIUS server for a site that exists in one of the LAN-side discovered networks in the remote SteelConnect site.

Suggested Workaround: Delete and re-add the radius server at the site level.

SCON-22223 - Internet breakout via the WAN breakout site doesn't work when WAN encryption is off.

Detailed Description: Symptom: The WAN breakout site is ignored, and traffic is routed onto the underlay. Condition: This issue occurs on the WAN with an internet breakout site when encryption is disabled.

Suggested Workaround: None

SCON-22492 - Internet-bound traffic takes the backup uplink when it is sent over a tunnel.

Detailed Description: Symptom: Internet-bound traffic takes the backup uplink when it is sent over a tunnel. Condition: When there are two uplinks (for example, primary and backup) configured with internet breakout preference, the internet-bound traffic takes the backup uplink when it is sent over a tunnel.

Suggested Workaround: None

SCON-7565 - The SteelConnect SDI-130 and SDI-330 gateways can enter a state where the tx queue on WAN ports stops processing Ethernet frames.

Detailed Description: Symptom: The SteelConnect SDI-130 and SDI-330 gateways can enter a state where the tx queue on WAN ports stops processing Ethernet frames. Condition: This issue occurs when the SDI-130 or SDI-330 WAN ports receive an excessive quantity of malformed Ethernet frames from the connected device. The workaround is to place a switch in between the misbehaving device and the SDI-130/SDI-330.

Suggested Workaround: None

SCON-22577 - DNS queries fail when the internet uplink is down, even when the public DNS is reachable via an MPLS uplink.

Detailed Description: Symptom: DNS requests are getting rejected. Condition: The internet uplink is down, and the static uplink is up.

Suggested Workaround: None

SCON-17959 - Customer is able to edit a deleted object.

Detailed Description: Symptom: A deleted rule can be edited by clicking the link in the events log. While submitting the change to the deleted rule, an unknown error is displayed.

Suggested Workaround: None

SCON-22761 - The appliance tries to establish Zscaler/Cloudi-Fi tunnels over an offline uplink, even though an online uplink is available.

Detailed Description: Symptom: The appliance tries to establish Zscaler/Cloudi-Fi tunnels over an offline uplink, even though an online uplink is available. Condition: A site has uplinks into multiple WANs. All of the site's uplinks into one of these WANs are offline. All of the site's uplinks that are online belong to the WAN, which have a lower priority than this WAN. The internet WAN has the highest priority; any other WANs follow the organization's WAN usage preferences.

Suggested Workaround: None

SCON-19867 - Flow rules take a lot of time to get configured.

Detailed Description: Symptom: If there are lot of flow rules, it takes a lot of time to configure them. Condition: Traffic doesn't flow after flow manager restart.

Suggested Workaround: None

SCON-14237 - Zones with empty subnet cause SCM to get into an inconsistent configuration state.

Detailed Description: Symptom: SCM can create zones with empty subnets, which cause SCM to go into an inconsistent configuration state. Condition: SCM allows creation of a site and its associated zones when the network pool is exhausted. Zones created in such a state do not have subnets. This results in an inconsistent configuration.

Suggested Workaround: Delete the zones and associated site which don't have a subnet.

SCON-19924 - DENY ALL firewall rule does not block some outbound IP protocol traffic.

Detailed Description: Symptom: Outbound traffic is not getting blocked by a DENY ALL outbound rule. Condition: This issue affects outbound packets carrying unknown/proprietary IP protocol numbers.

Suggested Workaround: None

SCON-22540 - SCM is showing the backup appliance as an AutoVPN node.

Detailed Description: Symptom: SCM is showing the backup appliance as an AutoVPN node. Condition: This issue occurs on an HA setup.

Suggested Workaround: None

SCON-20427 - Unknown Uplink : <*> might be seen in Insights reports.

Detailed Description: This issue occurs because of the internal representation of VLAN IDs in the Insight Flow Records of the SCM. Resolution will be via code upgrade in a later version.

Suggested Workaround: None

SCON-22299 - The firmware upgrade fails on SteelHead SD appliances.

Detailed Description: Symptom: The firmware upgrade fails on SteelHead SD appliances. Condition: Multiple DNS servers are configured (either through a site-level DNS or a DHCP lease file) and a different server resolves the download domain (download.riverbed.com) to different IP addresses.

Suggested Workaround: None

If you have questions regarding this update, please contact Riverbed Support for assistance.

You can find release notes for other software versions on the SteelConnect page of the Riverbed Support Site.