SD-WAN 2013.6 release notes

December 13, 2013

SD-WAN 2013.6 supports Debian 7 (Wheezy) and improves provisioning capabilities. Bonders can be provisioned without assigning them to specific bonds; they can now be configured through a simple web interface after being deployed at a customer’s site. In addition, a bonder can be reset and used as a template for hard disk or network multicast cloning to make tens or hundreds of new bonders at once. A web service has also been added to the bonder to show basic configuration and leg status information to the customer.

Bonding node

Additions

  • Debian 7 (Wheezy) is now supported. Debian 6 (Squeeze) bonders will continue to be supported. Please update your provisioning USB disks, CDs, and PXE servers to begin imaging new bonders and aggregators as Wheezy.
  • Bonders offer a simple web service, accessible via the connected IPs and trusted remote IPs, that shows basic details about the current configuration, including the state of the bonder’s legs.
  • Bonders can be provisioned without assigning them to a specific bond. They can then be configured from the web service after deploying them at a customer site.
  • The bonding-deconfigure script resets a bonder to a generic configuration. The bonder’s hard disk image can then be used as a template for provisioning other bonders.

Changes

  • Applications that download files from the management server check the server’s SSL certificate. Invalid or self-signed certificates must be accepted by the user. Updated applications include the package installer, nodeconfig, and the configuration web service.
  • The TCP proxy application runs as the bonding user.
  • The tunnel application is started as the bonding user; it is no longer started as root before dropping its privileges.
  • When a leg is down, the tunnel changes its UDP socket source port every 30 seconds. This helps to avoid buggy ISP connection tracking.
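
The leg-down source-port rotation in the last item above, sketched as an added example (not SD-WAN's own code). The class name, the `tick` interface and the choice to restart the 30-second timer whenever the leg is up are assumptions; the point is that a new source port gives a stateful middlebox a fresh flow tuple to track.

```python
import socket

ROTATE_INTERVAL = 30.0  # seconds, the interval stated in the release note


class LegSocket:
    """UDP socket for one leg (hypothetical name and structure)."""

    def __init__(self, local_ip, now):
        self.local_ip = local_ip
        self.sock = self._bind()
        self.last_rotate = now

    def _bind(self):
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.bind((self.local_ip, 0))  # port 0: the kernel picks an ephemeral port
        return s

    @property
    def source_port(self):
        return self.sock.getsockname()[1]

    def tick(self, leg_up, now):
        """Call periodically; returns True when the source port was changed."""
        if leg_up:
            # Assumption: a healthy leg keeps its port and restarts the timer.
            self.last_rotate = now
            return False
        if now - self.last_rotate < ROTATE_INTERVAL:
            return False
        # Bind the replacement before closing the old socket, so the kernel
        # cannot hand back the same port and the flow tuple really changes.
        replacement = self._bind()
        self.sock.close()
        self.sock = replacement
        self.last_rotate = now
        return True


if __name__ == "__main__":
    leg = LegSocket("127.0.0.1", now=0.0)  # constructed loopback leg
    before = leg.source_port
    leg.tick(leg_up=False, now=30.0)
    print("source port", before, "->", leg.source_port)
    leg.sock.close()
```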

Fixes

  • Moving a bond to a new aggregator no longer risks the bonder going offline for up to 40 seconds.
  • Changing the tunnel authentication option no longer risks the bonder going offline for up to 40 seconds.
  • When the management server VPN is unavailable, fewer messages appear in the bonding log while trying to reconnect.
  • TCP proxy routing rules are consistent between the aggregator and bonder.
  • The syslog service has a limited message buffer. This ensures the node applications don’t block, or block for only a short period of time, if syslog is unable to flush its messages to disk.
  • The syslog service now sends SD-WAN messages only to the files in /var/log/bonding and no longer duplicates them in /var/log/syslog.
  • The service heartbeat check no longer restarts the node service unnecessarily in a certain rare situation.
  • The tunnel no longer crashes in a rare case when a speed test cannot be negotiated with the peer.
  • Bonder DNS redirection is now more robust when a leg is configured that has no Internet access.
  • Bonder DNS redirection no longer fails when the last leg is stopped.

Removals

  • Debian 5 (Lenny) is no longer supported. Lenny bonders will continue to be managed by the web application until June 2014; however, they cannot install 2013.6 or any future versions of SD-WAN. Critical bugs will still be fixed in 2013.5, the last version with Lenny support.

Patches

2013.6-1: Fixes an issue causing incorrect subnet masks to be used in connected IPs, CPE NAT IPs, and routes. Improves dependency package management to make upgrades more reliable.
2013.6-2: Fixes a crash in the tunnel application when an IP is removed from an interface in a certain circumstance.

Bonding admin

Changes

  • Node status indicators update immediately when the node VPN client connects or disconnects.
  • The upgradebonders script no longer offers to upgrade Debian 5 bonders.
  • The upgradebonders Django command restarts bonder firewalls.
  • New nodes are configured to use http.debian.net as their Debian mirror.
  • Service management and init scripts have been redesigned.
  • Speed test index pages load much faster.
  • It is no longer a validation error to configure two private connected IPs in the same subnet on the same bond.
  • The custom ISO has a 2-level boot menu instead of a single level with multiple options. Each logical option has its own menu.

Fixes

  • It is a validation error to provide a non-network address for a routed block.
  • CPE NAT IPs update their subnet masks when the destination IP field is changed to a different connected IP.
  • CPE NAT IPs update their subnet masks when the related connected IP changes its subnet mask.
  • No error message is shown when leaving the speed test results page while results are still loading.
  • Django processes start faster by delaying calling certain system commands.

Patches

2013.6-1: Fixes an issue creating new users and some minor display issues due to new HTML5 form inputs.
2013.6-2: Backs up more configuration files, simplifies logging, and fixes a few minor bugs.