Release Notes for Cisco vEdge Device, Cisco SD-WAN Release 20.3.x

These release notes accompany Cisco SD-WAN Release 20.3.x, which provides Cisco SD-WAN capabilities. They include release-specific information for Cisco vSmart Controllers, Cisco vBond Orchestrators, and Cisco vManage as applicable to Cisco vEdge devices.

For release information about Cisco IOS XE SD-WAN devices, refer to Release Notes for Cisco IOS XE SD-WAN Devices, Cisco IOS XE Release Amsterdam 17.3.x.

What's New for Cisco SD-WAN Release 20.3.x

This section applies to Cisco vEdge devices.

Cisco is constantly enhancing the SD-WAN solution with every release, and we try to keep the content in line with the latest enhancements. The following table lists new and modified features we documented in the Configuration, Command Reference, and Hardware Installation guides. For information on additional features and fixes that were committed to the SD-WAN solution, see the Resolved and Open Bugs section in the Release Notes.

Table 1. Cisco SD-WAN Release 20.3.1 for vEdge Routers
Feature Description

User Documentation and Interactive Help in Cisco vManage

User Documentation

Starting from this release, we've restructured the listing page of our configuration guides to display category-wise book and chapter contents. This new page lets you switch between releases using the View Documents by Release drop-down list.

Interactive Help in Cisco vManage

This feature helps you navigate Cisco vManage and complete vManage procedures using guided workflows. The Interactive Help points to elements within the Cisco vManage interface and shows you where to click next and what to do to complete a selected workflow.

Cisco SD-WAN Getting Started

Cisco vManage Cluster Upgrade

This feature outlines the upgrade procedure for Cisco vManage servers in a cluster to Cisco vManage Release 20.3.1.

On-Site Bootstrap Process for Cisco vEdge 5000 using SHA2 Enterprise Certificates

By default, a Cisco vEdge 5000 device uses an SHA1 certificate for authentication with controllers in the overlay network. With this feature, you can authenticate the device using an OTP and a Public Key, and install an SHA2 enterprise certificate on the device. Doing so bypasses SHA1 certificate authentication and secures the device against SHA1 vulnerabilities.

Systems and Interfaces

Export vManage Audit Log as Syslog

The Cisco vManage NMS exports audit logs in syslog message format to a configured external syslog server. This feature allows you to consolidate and store network activity logs in a central location.

Configure Sessions in Cisco vManage

This feature lets you see all HTTP sessions open within Cisco vManage. It gives you details about the username, source IP address, domain of the user, and other information. A user with User Management Write access or a netadmin user can trigger a log out of any suspicious user's session.

You can set client session timeouts, session lifetimes, server session timeouts, and enable the maximum number of user sessions in Cisco vManage.

Support for Multiple VRRP Groups on the Same LAN Interface or Sub-interface

This feature increases support from one VRRP group per interface to five VRRP groups per interface. Multiple VRRP groups are useful for providing redundancy and for load balancing.

Dynamic On-Demand Tunnels

This feature enables you to configure an Inactive state for tunnels between edge devices, reducing performance demands on devices and reducing network traffic.


Route Leaking Between Transport VPN and Service VPNs

This feature enables you to leak routes bidirectionally between the transport VPN and service VPNs. Route leaking allows service sharing and is beneficial in migration use cases because it allows bypassing hubs and provides migrated branches direct access to non-migrated branches.


Service insertion tracker support

This feature extends support for service chaining to Cisco IOS XE SD-WAN devices. On Cisco IOS XE SD-WAN devices and Cisco vEdge devices, it adds a tracking feature that logs the availability of a service.


Self Zone Policy for Zone-Based Firewalls

This feature allows you to define firewall policies for incoming and outgoing traffic between a self zone of an edge router and another zone. When a self zone is configured with another zone, the traffic in this zone pair is filtered as per the applied firewall policy.

Extended DNS (EDNS) and Local Domain Bypass Support with Cisco Umbrella Integration

This feature enables cloud-based security service on Cisco vEdge devices by inspecting the DNS query. Once the DNS query is inspected, action is taken on it based on whether the query is for a local domain or an external domain.

Cloud OnRamp

New Configuration Workflow for Cloud onRamp for SaaS for Cisco vEdge devices

This feature updates the existing configuration workflow for Cloud onRamp for SaaS for Cisco vEdge devices.

Support Catalyst 48Y4C (Cloud OnRamp for Colocation)

This release supports the use of Cisco Catalyst 9500-48Y4C switches in the Cloud onRamp for Colocation cluster that enables 80G-200G of bidirectional throughput.

Flexible Topologies (Cloud OnRamp for Colocation)

This feature provides the ability to flexibly insert the NIC cards and interconnect the devices (CSP devices and Catalyst 9500 switches) within the Cloud onRamp for Colocation cluster. Any CSP port can be connected to any port on the switches. The Stackwise Virtual Switch Link (SVL) ports can be connected to any port, and similarly the uplink ports can be connected to any port on the switches.

TACACS Authentication (Cloud OnRamp for Colocation)

This feature allows you to configure the TACACS authentication for users accessing the Cisco CSP and Cisco Catalyst 9500 devices. Authenticating the users using TACACS validates and secures their access to the Cisco CSP and Cisco Catalyst 9500 devices.

Network Assurance – VNFs: Stop/Start/Restart (Cloud OnRamp for Colocation)

This feature provides the capability to stop, start, or restart VNFs on Cisco CSP devices from the Colocation Clusters tab. You can easily perform the operations on VNFs using Cisco vManage.

TAC Access

TAC Access to Cisco vManage

When working with the Cisco Technical Assistance Center (TAC) to address an issue in Cisco vManage, users may provide TAC with access to Cisco vManage or TAC teams may access Cisco vManage using the consent token mechanism. In the past, this access has relied on a user account called viptelatac. In this release, two separate user accounts have been added, one with read-only access and one with write access. The accounts use a challenge-response authentication method.

TCP Optimization

TCP Optimization Support for Cisco ISR1100 6G

Added TCP Optimization support for the Cisco ISR1100 6G platform.

Important Notes, Known Behavior, and Workaround

  • When you complete a Cisco SD-WAN software downgrade procedure on a device, the device goes into the configuration mode that it was in when you last upgraded the Cisco SD-WAN software on the device. If the device is in a different configuration mode when you start the downgrade than it was when you last upgraded, the device and Cisco vManage show different configuration modes after the downgrade completes. To put the configuration modes back in sync, reattach the device to a device template. After you reattach the device, both the device and Cisco vManage show that the device is in the Cisco vManage configuration mode.

  • Cisco vManage Release 20.3.1 implements a hardened security posture to comply with FedRAMP guidelines. As a result, your vAnalytics login credentials that are stored locally get erased on upgrading the software, and you cannot access the vAnalytics service directly through Cisco vManage. In this case, log in to vAnalytics using this URL: If you can’t find your vAnalytics login credentials, open a case with Cisco TAC support.

Resolved and Open Bugs

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.

You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.

Bugs for Cisco SD-WAN Release 20.3.1

This section details all fixed and open bugs for this release. These are available in the Cisco Bug Search Tool through the Resolved Bug Search.

Resolved Bugs for Cisco SD-WAN Release 20.3.1

Bug ID



Cisco vManage ElasticSearch is exposed to changes from any user using the Vshell (Posix), and has no authe


"show ospf database" does not show Type 5 external LSAs


Cisco SD-WAN passwords with an exclamation character does not work on vEdges and controllers


Cisco vManage stores stale session and renders to j_security_check or last cached url


Cisco vManage: for ipsec IKE Diffie-Hellman Group 2 should be removed


[Azure] Cisco vManage rebooted on 19.3 with Software initiated - Kernel Panic


Cisco vManage showing alarm " vEdge serial file uploaded"


Cisco vManage Security Policy ZBF can't use Protocol Names


Template page returning Server error: Unknown error


Template locked in edit mode permanently


Cisco vManage fail to create bootstrap config


Support for moving packet from service VPN to VPN 0 without changing source ip


Slash symbol cannot be used in a variable value of any device specific parameter scope in templates


Cisco vManage periodic cfgmgr crash


Doing "simulate flows" from Cisco vManage running 20.1 causes FTMD crash on ASR1002-HX running 16.12.01e


Cisco vManage API does not accept URL encoded string as path argument (the real problem is device has / )


SSH version 2 not available via Cisco vManage Template


[Enhancement] "ip http client source-interface" cannot be configured via template


route leaking between VPN with natpool in one VPN is not working.


Missing callin option in "ppp authentication pap ..." after upgrading to 20.1.1


EIGRP - Removing authentication template does not remove it entirely


Cisco vManage does not generate and push BGP "neighbor update-source" command in cedge cli template


cfgmgr changes needed from platform to support IPv6 on VPN 512


20.1 cEdge TACACS/RADIUS password are in clear text on Cisco AAA feature template


Cisco vManage does not generate and push DHCP "ip dhcp excluded-address" command in cedge cli template


Optional field is not considered as optional.


"Chassis Number not found" fails to indicate the problematic entry - Need more details in logging


20.3:Template Migration failing if device template is created for CLI Template in 19.2.x


Disable support for weak encryption ciphers on Cisco vManage and vSmart.


Cisco vManage image validation may fail for ZTP upgrade process on cEdge


WWAN : update cellular ZTP Polish carrier list


Cisco vManage API call showed error message "Exceeded possible number of hits to the API".

Open Bugs for Cisco SD-WAN Release 20.3.1

Bug ID



MTCVM: AAA login to Multi-tenant Cisco vManage GUI is not working via TACACS


Confg-db error during the application-server startup


show ip route vpn <id> <ip address> isn't working with new confd version


DC1 Cisco vManage template attachment disappear after a switchover


20.3 : Modifying Active policies by deleting existing sequence number fails


Config O356 Endpoints with prefixes less specific than 24 with Custom App from web servcies API


OMPD crash with control-policy export vpn


Multicast stops working on vEdge


19.2.2 template push failing for 16.10.2 cedge devices


vEdge HUB is missing config after Cisco vManage successfully attached template to vedge and is in sync


Cisco vManage HELP redirects to cisco Intranet pages ( Unreachable )


Multitenant Cisco vManage may send CSR to wrong VA


Cisco vManage: Cisco vManage dashboard is reporting error while cluster management is all fine


Vedge end of line for the banner in 20.1 is not working as it did in 19.2


vEdge crashed with error "Software initiated - Daemon 'ompd' failed. Core files found"


OMP Crash || Software initiated - Daemon 'ompd' failed


vEdge control connections goes down after CSR generation


When generating new certificate for SSO login to Cisco vManage started to fail


20.3.907-16 : vBond upgrade fails after image download with control not established


port 830 open for Service/Management VPN.


Cisco vManage running 19.2.2 may stop responding to API calls for approutestatsstatistics


CoR probes working for O365 but failing for every other SaaS application


Cisco vManage is attempting to strip multiple LTE modem configs from ISR1000 and template push fails


vEdge Cloud | System Initialization Stuck on KVM Platform running Ubuntu 14


fpmd crashes on vEdge1k, 2k with 19.2.1, 18.4.302


vEdge crashes with dbgd failed message when running speed test


Cisco SD-WAN Cisco vManage Full GC (Allocation Failure)


Cisco vManage GUI down due to GC Allocation Failure on 19.2.3


vE5k after upgrade to 19.2.3 isn't form control connections; doesn't able to resolve vBond URL


Nutella - Cisco vManage not showing the correct hostname for Nutella device


ip community-list expanded test permit 64700:[0-9]+ not able to configure on vMnanage template.


vSmart crashes during vExpress run


Email List does not accept email addresses


Control connection of vEdge Cloud going down after DR.


Unable to edit vbond config via CLI , when control connection breaks from Cisco vManage.


Cisco vManage: Configuration database restore in cluster fails due to password mismatch.


Need to Remove the unsupported device - C1117-4PLTEEAWA* from Cisco vManage 17.3/20.3 throttle


Remove all unsupported devices from 20.3 throttle


vAnalytics - Launch vAnalytics not working in Cisco vManage UI


No date and time info in the syslog payload


This serial number in upload file is already associated with another vEdge Error in Cisco vManage 20.3.1

Interactive Help in Cisco vManage

To access the list of guided workflows for this release, from Cisco vManage, click Interactive Help.

The Interactive Help interface allows you to search for a specific workflow and filter the search results by workflow names.

Figure 1. Interactive Help in Cisco vManage

This release provides guided workflows for the following procedures:

Table 2. List of Workflows Using Cisco vManage 20.3.1



Configure Controllers and Devices

Configure Cisco vBond Orchestrator

Configure the Cisco vBond Orchestrator and add it to the overlay network.

Configure Cisco vSmart Controller

Configure a Cisco vSmart Controller to control data traffic flow throughout the network.

Configure Cisco vManage Instance

Configure a Cisco vManage instance by creating a device configuration template and adding it to the overlay network.

Configure Cisco SD-WAN Devices

Configure Cisco IOS XE SD-WAN devices and Cisco vEdge devices by creating configuration templates.

Manage Devices in Overlay Network

Add Devices to the Overlay Network

Add Cisco SD-WAN devices either by using authorized serial numbers or from Cisco Smart account.

Decommission Virtual Devices

Decommission a Cisco IOS XE SD-WAN device or Cisco vEdge device to remove the device serial number.

Remove Devices from the Overlay Network

Remove Cisco SD-WAN devices to clear an old device configuration from the Cisco vManage server.

Change Device Values

Change Cisco SD-WAN device configuration by populating the variable values for the device.

Troubleshoot Device Issues

Determine and fix common Cisco SD-WAN device connectivity issues.

Upgrade Devices and Controllers

Install and activate upgraded software for Cisco SD-WAN controllers and Cisco SD-WAN devices.

You cannot use this workflow for:

  • Cisco SD-WAN controller releases earlier than 20.3.1

  • Cisco SD-WAN device releases earlier than 17.3.1a or 20.3.1

Whom to contact for feedback?

We value your opinion and please send us your feedback at,

Compatibility Matrix

Table 3. Compatibility Matrix






ISR 1100-4G and ISR 1100-6G

ISR1100 - 4GLTENA, ISR1100 - 4GLTEGB

UCS-E Series using External Interfaces

UCS-E Series using Internal Backplane Interfaces**


16.10.4 and lower versions of 16.10.x and 16.9.x

Not Supported

Not Supported

17.2.8 or higher up to 18.4.4

Not Supported

Not Supported

Not Supported

Not Supported


16.12.1e and lower versions of 16.12,16.10.x, and 16.9.x

16.12.1e and lower versions of 16.12

16.12.1a with NFVIS 3.12.3FC4

18.4 and 19.2


Not Supported

Not Supported

Not Supported


16.12.2r and lower versions of 16.12, 16.10.x, and 16.9.x

16.12.2r and lower versions of 16.12

16.12.1a, 16.12.2r with NFVIS 3.12.3FC4

18.3, 18.4, and 19.2

19.2.099 and 19.2.1



Not Supported


16.12.3 and lower versions of 16.12, 16.10.x, 16.9.x

16.12.3 and lower versions of 16.12

16.12.3 with NFVIS 3.12.3FC4

18.3, 18.4, and 19.2

19.2.099, 19.2.1, and 19.2.2

19.2.1 and 19.2.2


Not Supported


17.2.1r, 16.12.x, 16.10.x, and 16.9.x

17.2.1r and 16.12.x

17.2.1r with NFVIS 4.1.2 FC2

18.3, 18.4, 19.2, and 20.1

20.1.1 & lower up to 19.2.099

20.1.1 & lower up to 19.2.1


Limited feature support configurable using only Cisco vManage CLI templates

17.2.1r, 16.12.x, 16.10.x, and 16.9.x

17.2.1v, 17.2.1r and 16.12.x

17.2.1r with NFVIS 4.1.2.FC2

18.3, 18.4, 19.2, 20.1, and & lower up to 19.2.099 & lower up to 19.2.1


Limited feature support configurable using only Cisco vManage CLI templates


17.2.1v, 17.2.1r, 16.12.x, 16.10.x, and 16.9.x

17.2.1v, 17.2.1r and 16.12.x

17.2.1r with NFVIS 4.1.2 FC2

18.3, 18.4, 19.2, 20.1, 20.1.12

20.1.12 & lower up to 19.2.099

20.1.12 & lower up to 19.2.1


Limited feature support configurable using only Cisco vManage CLI templates


17.3.1a, 17.2.1v, 17.2.1r, 16.12.x and 16.10.x

17.3.1a, 17.2.1v, 17.2.1r and 16.12.x

17.3.1a, 17.2.1r with NFVIS 4.2.1 FC3

18.3, 18.4, 19.2, 20.1, 20.1.12, and 20.3.1

20.3.1 & lower up to 19.2.099

20.3.1 & lower up to 19.2.1


Limited feature support configurable using only Cisco vManage CLI templates

** Interfaces - ucse x/y/0 and ucse x/y/1

ESXi 6.0 / 6.5

ESXi 6.5 / 6.7

Controller versions 20.3.1 and lower up to 18.4.4

vEdge Cloud- versions 20.3.1 and lower up to 18.4.4

Cisco CSR 1000v- versions 17.3.1a and lower up to 16.10.1

For more information about Cisco CSR 1000v, refer to Release Notes for Cisco CSR 1000V Series, Cisco IOS XE Amsterdam 17.3.x

For information about Cisco vEdge Cloud Routers, refer to Cisco vEdge Cloud Data Sheet

Supported Devices

Table 4. Supported Devices and Versions in Cisco SD-WAN Release 20.3.1

Device Family

Device Name

Cisco vEdge device

  • vEdge 100, vEdge 100b, vEdge 100m, vEdge 100wm, vEdge 1000, vEdge 2000, vEdge 5000, vEdge Cloud

  • ISR1100-6G/ISR1100-4G, ISR1100-4GLTENA, ISR1100-4GLTEGB