SD-WAN 6.7 release notes

We are pleased to announce the release of SD-WAN 6.7. This release brings improvements to the management server database, support for bridge interfaces, as well as a number of new API endpoints.

Major Features

  • Improved scalability of the management server database. This prevents issues that could sometimes result in configuration updates getting stuck on servers with a large number of nodes.
  • Implemented support for bridge interfaces. Details about configuration can be found in the documentation.
  • A new beta frontend which provides a modern streamlined experience is available. Check it out here.
  • Added API endpoints for warnings and alerts. These endpoints offer increased observability for nodes and bonds, including:
    • Bond tunings, interfaces, legs, connected IPs, routes, services, details, and statuses.
    • Node protocols, filters, details, and statuses.

Deprecations

Warning

Debian 8 “Jessie” and Debian 9 “Stretch” will be deprecated in Bonding 6.8.

  • Minimum MTU has been removed for legs. The API now returns 0, so existing queries will continue to function as normal.
  • The Replify WAN optimization feature has been removed.

Bondingadmin

Note

Flow collectors using the management VPN IP that share the same port should no longer be assigned to the same bond. Doing so could prevent traffic from being sent to the flow collector.

Note

Gateway aggregators are now called persistent aggregators.

Additions:

  • Bondingadmin now uses nftables instead of iptables for rule management.
  • Bonding repositories now take up less storage space on bondingadmin.
  • Bondingadmin now sends QoS profiles to aggregators only if they are needed, rather than all profiles on bondingadmin. Sending all profiles was known to cause longer load times for nftables on aggregators with a large number of profiles.
  • A single static address can now be defined for routing group VLAN assignments.
  • Multiple bonds can now have different connected IPs in the same subnet when included in private WAN.
  • Interfaces now contain a free-form note field, similar to legs.
  • The documentation has been updated to include PXE support for Debian 10 “Buster”. Configuration details can be found here.
  • API endpoints have been added for creating and deleting QoS profiles.
  • Access to salt-master has been added to bondingadmin but is restricted to only aggregator IPs.
  • Network filters on bonds now allow minimum and maximum prefix lengths.
  • Improved handling for errors reported by nodes. These errors could sometimes result in high CPU usage on bondingadmin.
  • Aggregators and bonders can now be modified in bulk through API PATCH requests.
  • Users are no longer able to delete spaces with associated resources. This prevents accidental deletion of items like classification profiles and flow collectors.
  • ISOs for a space are now removed when the space is deleted.
  • The node setup page has been updated to include Bonding installation instructions for RHEL 8 and openSUSE Leap 15.4.
  • Bonding repos for all distributions are now accessible via the new endpoint /download/. For compatibility reasons, the Debian repos will continue to be accessible via the old URL structure as well.
  • A new beta frontend was added under /beta/. It can be enabled as the default frontend by running bondingadmin-frontend-beta on the management server. The classic frontend can be restored by running bondingadmin-frontend-classic on the management server.
  • Added a “Service Name” field for PPPoE legs.
  • Support for openSUSE Leap 15.4 has been added.
  • Spaces and QoS profiles will now run on any primary or secondary aggregators, not just the current aggregator.

Fixes:

  • Routes can now overlap on different bonds.
  • Fixed an issue where setting the cost value on a BGP protocol could result in connectivity issues between nodes.
  • Fixed an issue that resulted in delayed start times for speed tests on servers with a large number of nodes.
  • Fixed an issue where the repositories on bondingadmin would reset to the latest version.
  • Fixed the method of exporting traffic to flow collectors using the management VPN IP as the source IP policy.
  • QoS charts on bonds now include data from previously active profiles.
  • Flow collectors can now be included in bond creation API requests.
  • Fixed an issue where changing the space of a QoS profile would result in an error.
  • The ‘Ethernet interface’ field on a VLAN interface can no longer be edited after creating the interface.
  • Bond protocols and filter permissions are no longer dependent on route permissions.
  • Added a fix for Let's Encrypt expired certificates on devices running Debian 8 “Jessie”.
  • Fixed an issue that caused the upgradebonders script to fail.
  • Fixed an issue where mobile broadband charts on bonds would not show any data.
  • Fixed an issue where the incorrect support email was being used for nodes.
  • Attempting to delete a routing group VLAN assignment now shows the correct error message.
  • Fixed an issue where adding a private WAN gateway on a space would have no effect.
  • Fixed an issue where aggfail would move bonds to a secondary aggregator even if it was down.
  • The API no longer rejects requests without a CSRF token when token authentication is used.
  • Fixed an issue where DNS server updates were being set to the previous version.
  • Fixed an issue where outage stats for the day were not updated if a connection issue happened during an update.
  • Fixed an issue where inherited aggregators were not being shown for child spaces.

Bonding Node

Additions:

  • Optimized how nftables works on nodes, leading to faster rule loading times all around.
  • /32 IPv4 DHCP addresses are now properly supported.
  • Aggregators now support a single static address for routing group VLAN assignments.
  • Updated the collect-bonding-info script to capture additional information.
  • Improved security and portability of bonding hooks.

Fixes:

  • Fixed an issue where the tunnel process could sometimes reach high CPU usage on aggregators.
  • Fixed issues related to TCP proxy and CPE NAT IPs.
  • Fixed an issue that caused TCP proxy rules to break nftables on aggregators.
  • Fixed an issue with salt key not being sent to bondingadmin.
  • Fixed an issue where tunnel did not properly handle TCP packets with an option length of 0.
  • Fixed compatibility issues with the bonding-setup script on RHEL8.
  • Fixed an issue where 6.6 nodes would try to load iptables after upgrading and crash.
  • Fixed an issue related to VXLAN rules on RHEL8 that would cause nftables to crash.
  • Fixed an issue where TCP MSS clamped packets would contain the incorrect TCP checksum value.
  • Fixed an issue with SSL encryption on nodes that would require a reboot to bring them back online.
  • Nodes can now restore the physical MAC address on an interface after setting and removing a custom one through bondingadmin.

Changes:

  • DHCP services udhcpc and dhclient have been changed to dhcpv4-client and dhcpv6-client, respectively.