SD-WAN 2014.3 release notes
July 25, 2014
SD-WAN 2014.3 offers a variety of improvements: the TCP proxy uses fewer resources, Bonding Admin supports Debian 7 (Wheezy), and many bugs are fixed.
Aggregators must be upgraded to 2014.3 before upgrading their bonders. A 2014.3 bonder with TCP proxy enabled will not work properly on a 2014.2 or earlier aggregator.
Bonding Node
Additions
- If a DHCP leg is assigned a gateway outside of the IP subnet, an error is logged and the leg is stopped.
- The `nodeconfig` and `nodessl` commands show the name of the management server when run in verbose mode.
Changes
- The TCP proxy protocol has been replaced with a new protocol that improves performance and uses fewer resources. The old protocol required as many TCP connections between the bonder and aggregator as the “concurrency” setting for each proxied connection: for example, with concurrency 8 and 100 proxied connections, there would be 800 TCP connections between the bonder and aggregator. The new protocol uses only “concurrency” connections between the bonder and aggregator, no matter how many connections are proxied. The application has also been simplified by moving certain functionality to the operating system, and logging and error reporting have been improved.
- Supervision of tunnel and TCP proxy applications has been significantly improved. The new design offers better reliability and scalability.
Removals
- The TCP proxy connection timeout option has been removed. It is now statically set to 30.0 seconds.
Fixes
- Upload speed tests no longer run repeatedly in certain conditions.
- Aggregators apply bond configuration changes correctly even when the updates come immediately after adding the bond.
- Nodes release DHCP leases properly.
- The node process handles setting a leg MTU to an impossibly small value.
- Idle aggregator tunnel processes no longer report invalid traffic rates in certain rare cases.
- Link latency charts show current data instead of the average of latency samples from up to the last hour.
- The config service no longer leaks memory when the nodeupdates service on the management server is unavailable.
- When a tunnel process restarts, the bond’s TCP proxy application no longer restarts unnecessarily.
- When a bond is restarted from Bonding Admin, the TCP proxy no longer starts before the tunnel and then fails because it cannot bind to the tunnel IP. Instead, it waits until the tunnel has started.
- QoS hooks no longer fail with a “File descriptor out of range” error in certain rare conditions.
- Bonders imaged from a clone template no longer report errors about failing to find RSA keys.
- The tunnel process on bonders no longer opens an unused UDP socket for each link.
Patches
| Patch | Description |
|---|---|
| 2014.3-1 | Fixed an issue between connected IPs and TCP proxies. |
| 2014.3-2 | Fixed an issue between CPE NAT IPs and TCP proxies. |
| 2014.3-3 | PPPoE links handle losing Ethernet carrier more gracefully in some rare scenarios. |
| 2014.3-4 | TCP proxies close connections more reliably. |
| 2014.3-5 | Fixed TCP proxy memory leaks related to connection state tracking. |
| 2014.3-6 | Improved connection handling in TCP proxy and fixed a TCP proxy memory leak relating to data retention for incomplete connections. |
| 2014.3-7 | Further improved supervision of PPPoE sessions. |
| 2014.3-8 | Fixed issues relating to speed tests and source IP selection on bonds with TCP proxy and CPE NAT IPs. |
| 2014.3-9 | Fixed a rare issue with DTLS encryption and added a minor improvement to the CPE NAT IP fix in the previous patch. |
| 2014.3-10 | Improved error handling and logging in the TCP proxy. |
| 2014.3-11 | Fixed an issue causing high CPU and memory usage in the TCP proxy when many connection errors occur. |
| 2014.3-12 | Improved fairness of connection handling in the TCP proxy. Short and interactive TCP sessions now perform much better when bulk transfers are in progress. |
| 2014.3-13 | Increased buffer sizes in TCP proxy to support higher, more stable speeds, and other reliability improvements. |
| 2014.3-14 | Fixed an issue where connections could be closed before sending all the connection’s data. |
| 2014.3-15 | Fixed uncaught exceptions in the config service and PPPoE leg management. |
| 2014.3-17 | Fixed various issues with connection closing logic in the TCP proxy. |
| 2014.3-18 | Further improvements to connection closing logic in the TCP proxy. |
| 2014.3-19 | Worked around a possible kernel crashing bug when disabling the TCP proxy. |
| 2014.3-21 | Minor change to socket creation behaviour of the TCP proxy to reduce the number of “address already in use” warnings. |
Bonding Admin
Additions
- The management server supports Debian 7 (Wheezy).
- A completely unattended installation option has been added to the ISO installer menus and PXE server setup instructions. This method does not prompt for a node key; it creates a default bonder without any user interaction.
- Traffic sent to the management server with a destination in the 10.250.0.0/16 network used by the management VPN clients is NAT’ed and forwarded to the nodes. This allows external hosts such as SNMP monitors to access the nodes over the VPN.
- Console commands have been added that copy SSH authorized key files, resolv.conf files, and firewall configuration files to nodes. These commands can be used to update nodes in bulk. For details, please e-mail the technical support department.
- Notes have been added to the bonder and aggregator username and password fields to clarify that passwords are not synced on the devices.
- The management server 5-minute load average chart has been added to the System Charts web page.
Changes
- The “filter unrecognized traffic” option has been renamed “source address verification” to match industry standards. The corresponding API field has been renamed.
- The certificate authority updates its certificate revocation list daily instead of monthly.
- Management servers report more detailed information about errors in the web application. This will help Technical Support staff investigate errors more effectively.
Fixes
- The position of QoS filters is saved properly when the form is submitted.
- The aggregator failover service no longer tries to access sockets that have been closed.
- The management VPN server accurately records when a client connects. A race condition between two applications meant that a node’s connected status could previously have been incorrect for up to five minutes.
- The service that pushes out configuration updates to nodes no longer pushes duplicate updates in some circumstances.
- Munin configuration files for each node have correct permissions.
- The push-bondingadmin-backup script has been renamed to fix a misspelling.
Patches
| Patch | Description |
|---|---|
| 2014.3-1 | Fixed some documentation pages not loading. |
| 2014.3-2 | Improved validation of connected IP forms and reliability of configuration updates. |
| 2014.3-3 | Doubled the number of worker processes handling HTTP application requests. Added scripts to the ISO that ensure bonder Ethernet ports are assigned in the expected order even if the motherboard has two different Ethernet controllers. |