Release Notes for Cisco vEdge Device, Cisco SD-WAN Release 20.3.x

These release notes accompany Cisco SD-WAN Release 20.3.x, which provides Cisco SD-WAN capabilities. They include release-specific information for Cisco vSmart Controllers, Cisco vBond Orchestrators, and Cisco vManage as applicable to Cisco vEdge devices.

For release information about Cisco IOS XE SD-WAN devices, refer to Release Notes for Cisco IOS XE SD-WAN Devices, Cisco IOS XE Release Amsterdam 17.3.x.

What's New for Cisco SD-WAN Release 20.3.x

This section applies to Cisco vEdge devices.

Cisco is constantly enhancing the SD-WAN solution with every release, and we try to keep the content in line with the latest enhancements. The following table lists new and modified features we documented in the Configuration, Command Reference, and Hardware Installation guides. For information on additional features and fixes that were committed to the SD-WAN solution, see the Resolved and Open Bugs section in the Release Notes.

Table 1. Cisco SD-WAN Release 20.3.1 for vEdge Routers
Feature Description

User Documentation and Interactive Help in Cisco vManage

User Documentation

Starting from this release, we've restructured the listing page of our configuration guides to display category-wise book and chapter contents. This new page lets you switch between releases using the View Documents by Release drop-down list.

Interactive Help in Cisco vManage

This feature helps you navigate Cisco vManage and complete vManage procedures using guided workflows. The Interactive Help points to elements within the Cisco vManage interface and shows you where to click next and what to do to complete a selected workflow.

Cisco SD-WAN Getting Started

Cisco vManage Cluster Upgrade

This feature outlines the upgrade procedure for Cisco vManage servers in a cluster to Cisco vManage Release 20.3.1.

On-Site Bootstrap Process for Cisco vEdge 5000 using SHA2 Enterprise Certificates

By default, a Cisco vEdge 5000 device uses an SHA1 certificate for authentication with controllers in the overlay network. With this feature, you can authenticate the device using an OTP and a Public Key, and install an SHA2 enterprise certificate on the device. Doing so bypasses SHA1 certificate authentication and secures the device against SHA1 vulnerabilities.

Systems and Interfaces

Export vManage Audit Log as Syslog

The Cisco vManage NMS exports audit logs in syslog message format to a configured external syslog server. This feature allows you to consolidate and store network activity logs in a central location.

Configure Sessions in Cisco vManage

This feature lets you see all HTTP sessions open within Cisco vManage. It gives you details about the username, source IP address, domain of the user, and other information. A user with User Management Write access or a netadmin user can trigger a log out of any suspicious user's session.

You can set client session timeouts, session lifetimes, server session timeouts, and enable the maximum number of user sessions in Cisco vManage.

Support for Multiple VRRP Groups on the Same LAN Interface or Sub-interface

This feature increases support from one VRRP group per interface to five VRRP groups per interface. Multiple VRRP groups are useful for providing redundancy and for load balancing.

Dynamic On-Demand Tunnels

This feature enables you to configure an Inactive state for tunnels between edge devices, reducing performance demands on devices and reducing network traffic.

Routing

Route Leaking Between Transport VPN and Service VPNs

This feature enables you to leak routes bidirectionally between the transport VPN and service VPNs. Route leaking allows service sharing and is beneficial in migration use cases because it allows bypassing hubs and provides migrated branches direct access to non-migrated branches.

Policies

Service insertion tracker support

This feature extends support for service chaining to Cisco IOS XE SD-WAN devices. On Cisco IOS XE SD-WAN devices and Cisco vEdge devices, it adds a tracking feature that logs the availability of a service.

Security

Self Zone Policy for Zone-Based Firewalls

This feature allows you to define firewall policies for incoming and outgoing traffic between a self zone of an edge router and another zone. When a self zone is configured with another zone, the traffic in this zone pair is filtered as per the applied firewall policy.

Extended DNS (EDNS) and Local Domain Bypass Support with Cisco Umbrella Integration

This feature enables cloud-based security service on Cisco vEdge devices by inspecting the DNS query. Once the DNS query is inspected, action is taken on it based on whether the query is for a local domain or an external domain.

Cloud OnRamp

New Configuration Workflow for Cloud onRamp for SaaS for Cisco vEdge devices

This feature updates the existing configuration workflow for Cloud onRamp for SaaS for Cisco vEdge devices.

Support Catalyst 48Y4C (Cloud OnRamp for Colocation)

This release supports the use of Cisco Catalyst 9500-48Y4C switches in the Cloud onRamp for Colocation cluster that enables 80G-200G of bidirectional throughput.

Flexible Topologies (Cloud OnRamp for Colocation)

This feature provides the ability to flexibly insert the NIC cards and interconnect the devices (CSP devices and Catalyst 9500 switches) within the Cloud onRamp for Colocation cluster. Any CSP ports can be connected to any port on the switches. The Stackwise Virtual Switch Link (SVL) ports can be connected to any port and similarly the uplink ports can be connected to any port on the switches.

TACACS Authentication (Cloud OnRamp for Colocation)

This feature allows you to configure the TACACS authentication for users accessing the Cisco CSP and Cisco Catalyst 9500 devices. Authenticating the users using TACACS validates and secures their access to the Cisco CSP and Cisco Catalyst 9500 devices.

Network Assurance – VNFs: Stop/Start/Restart (Cloud OnRamp for Colocation)

This feature provides the capability to stop, start, or restart VNFs on Cisco CSP devices from the Colocation Clusters tab. You can easily perform the operations on VNFs using Cisco vManage.

TAC Access

TAC Access to Cisco vManage

When working with the Cisco Technical Assistance Center (TAC) to address an issue in Cisco vManage, users may provide TAC with access to Cisco vManage or TAC teams may access Cisco vManage using the consent token mechanism. In the past, this access has relied on a user account called viptelatac. In this release, two separate user accounts have been added, one with read-only access and one with write access. The accounts use a challenge-response authentication method.

TCP Optimization

TCP Optimization Support for Cisco ISR1100 6G

Added TCP Optimization support for the Cisco ISR1100 6G platform.

Important Notes, Known Behavior, and Workaround

  • When you complete a Cisco SD-WAN software downgrade procedure on a device, the device goes into the configuration mode that it was in when you last upgraded the Cisco SD-WAN software on the device. If the device is in a different configuration mode when you start the downgrade than it was when you last upgraded, the device and Cisco vManage show different configuration modes after the downgrade completes. To put the configuration modes back in sync, reattach the device to a device template. After you reattach the device, both the device and Cisco vManage show that the device is in the Cisco vManage configuration mode.

  • Cisco vManage Release 20.3.1 implements a hardened security posture to comply with FedRAMP guidelines. As a result, your locally stored vAnalytics login credentials are erased when you upgrade the software, and you cannot access the vAnalytics service directly through Cisco vManage. In this case, log in to vAnalytics using this URL: https://analytics.viptela.com. If you can’t find your vAnalytics login credentials, open a case with Cisco TAC support.

Resolved and Open Bugs

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.

You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.

Bugs for Cisco SD-WAN Release 20.3.1

This section details all fixed and open bugs for this release. These are available in the Cisco Bug Search Tool through the Resolved Bug Search.

Resolved Bugs for Cisco SD-WAN Release 20.3.1

Bug ID

Description

CSCvi69788

Cisco vManage ElasticSearch is exposed to changes from any user using the Vshell (Posix), and has no authe

CSCvr29345

"show ospf database" does not show Type 5 external LSAs

CSCvs05128

Cisco SD-WAN passwords with an exclamation character does not work on vEdges and controllers

CSCvs07518

Cisco vManage stores stale session and renders to j_security_check or last cached url

CSCvs39545

Cisco vManage: for ipsec IKE Diffie-Hellman Group 2 should be removed

CSCvs70746

[Azure] Cisco vManage rebooted on 19.3 with Software initiated - Kernel Panic

CSCvs72371

Cisco vManage showing alarm " vEdge serial file uploaded"

CSCvt00153

Cisco vManage Security Policy ZBF can't use Protocol Names

CSCvt00459

Template page returning Server error: Unknown error

CSCvt04564

Template locked in edit mode permanently

CSCvt21380

Cisco vManage fail to create bootstrap config

CSCvt29432

Support for moving packet from service VPN to VPN 0 without changing source ip

CSCvt30224

Slash symbol cannot be used in a variable value of any device specific parameter scope in templates

CSCvt38373

Cisco vManage periodic cfgmgr crash

CSCvt50756

Doing "simulate flows" from Cisco vManage running 20.1 causes FTMD crash on ASR1002-HX running 16.12.01e

CSCvt52882

Cisco vManage API does not accept URL encoded string as path argument (the real problem is device has / )

CSCvt55924

SSH version 2 not available via Cisco vManage Template

CSCvu05280

[Enhancement] "ip http client source-interface" cannot be configured via template

CSCvu05829

route leaking between VPN with natpool in one VPN is not working.

CSCvu14289

Missing callin option in "ppp authentication pap ..." after upgrading to 20.1.1

CSCvu18699

EIGRP - Removing authentication template does not remove it entirely

CSCvu30288

Cisco vManage does not generate and push BGP "neighbor update-source" command in cedge cli template

CSCvu31228

cfgmgr changes needed from platform to support IPv6 on VPN 512

CSCvu41144

20.1 cEdge TACACS/RADIUS password are in clear text on Cisco AAA feature template

CSCvu46222

Cisco vManage does not generate and push DHCP "ip dhcp excluded-address" command in cedge cli template

CSCvu48660

Optional field is not considered as optional.

CSCvu49030

"Chassis Number not found" fails to indicate the problematic entry - Need more details in logging

CSCvu70566

20.3:Template Migration failing if device template is created for CLI Template in 19.2.x

CSCvu71611

Disable support for weak encryption ciphers on Cisco vManage and vSmart.

CSCvu93775

Cisco vManage image validation may fail for ZTP upgrade process on cEdge

CSCvu94816

WWAN : update cellular ZTP Polish carrier list

CSCvv25817

Cisco vManage API call showed error message "Exceeded possible number of hits to the API".

Open Bugs for Cisco SD-WAN Release 20.3.1

Bug ID

Description

CSCvq77957

MTCVM: AAA login to Multi-tenant Cisco vManage GUI is not working via TACACS

CSCvu19795

Confg-db error during the application-server startup

CSCvu48133

show ip route vpn <id> <ip address> isn't working with new confd version

CSCvu53588

DC1 Cisco vManage template attachment disappear after a switchover

CSCvu69446

20.3 : Modifying Active policies by deleting existing sequence number fails

CSCvu71432

Config O356 Endpoints with prefixes less specific than 24 with Custom App from web services API

CSCvu77817

OMPD crash with control-policy export vpn

CSCvu78635

Multicast stops working on vEdge

CSCvu87957

19.2.2 template push failing for 16.10.2 cedge devices

CSCvu88261

vEdge HUB is missing config after Cisco vManage successfully attached template to vedge and is in sync

CSCvu92172

Cisco vManage HELP redirects to cisco Intranet pages ( Unreachable )

CSCvu93393

Multitenant Cisco vManage may send CSR to wrong VA

CSCvu95532

Cisco vManage: Cisco vManage dashboard is reporting error while cluster management is all fine

CSCvu99861

Vedge end of line for the banner in 20.1 is not working as it did in 19.2

CSCvv00132

vEdge crashed with error "Software initiated - Daemon 'ompd' failed. Core files found"

CSCvv00251

OMP Crash || Software initiated - Daemon 'ompd' failed

CSCvv03068

vEdge control connections goes down after CSR generation

CSCvv04056

When generating new certificate for SSO login to Cisco vManage started to fail

CSCvv05641

20.3.907-16 : vBond upgrade fails after image download with control not established

CSCvv06133

port 830 open for Service/Management VPN.

CSCvv06517

Cisco vManage running 19.2.2 may stop responding to API calls for approutestatsstatistics

CSCvv10287

CoR probes working for O365 but failing for every other SaaS application

CSCvv11071

Cisco vManage is attempting to strip multiple LTE modem configs from ISR1000 and template push fails

CSCvv12705

vEdge Cloud | System Initialization Stuck on KVM Platform running Ubuntu 14

CSCvv18311

fpmd crashes on vEdge1k, 2k with 19.2.1, 18.4.302

CSCvv19652

vEdge crashes with dbgd failed message when running speed test

CSCvv21710

Cisco SD-WAN Cisco vManage Full GC (Allocation Failure)

CSCvv22385

Cisco vManage GUI down due to GC Allocation Failure on 19.2.3

CSCvv22466

vE5k after upgrade to 19.2.3 isn't form control connections; doesn't able to resolve vBond URL

CSCvv25745

Nutella - Cisco vManage not showing the correct hostname for Nutella device

CSCvv26925

ip community-list expanded test permit 64700:[0-9]+ not able to configure on vManage template.

CSCvv27194

vSmart crashes during vExpress run

CSCvv28149

Email List does not accept co.in email addresses

CSCvv29989

Control connection of vEdge Cloud going down after DR.

CSCvv31065

Unable to edit vbond config via CLI , when control connection breaks from Cisco vManage.

CSCvv31391

Cisco vManage: Configuration database restore in cluster fails due to password mismatch.

CSCvv34148

Need to Remove the unsupported device - C1117-4PLTEEAWA* from Cisco vManage 17.3/20.3 throttle

CSCvv40966

Remove all unsupported devices from 20.3 throttle

CSCvv48890

vAnalytics - Launch vAnalytics not working in Cisco vManage UI

CSCvv42937

No date and time info in the syslog payload

CSCvv49157

This serial number in upload file is already associated with another vEdge Error in Cisco vManage 20.3.1

Interactive Help in Cisco vManage

To access the list of guided workflows for this release, from Cisco vManage, click Interactive Help.

The Interactive Help interface allows you to search for a specific workflow and filter the search results by workflow names.

Figure 1. Interactive Help in Cisco vManage

This release provides guided workflows for the following procedures:

Table 2. List of Workflows Using Cisco vManage 20.3.1

Workflow

Description

Configure Controllers and Devices

Configure Cisco vBond Orchestrator

Configure the Cisco vBond Orchestrator and add it to the overlay network.

Configure Cisco vSmart Controller

Configure a Cisco vSmart Controller to control data traffic flow throughout the network.

Configure Cisco vManage Instance

Configure a Cisco vManage instance by creating a device configuration template and adding it to the overlay network.

Configure Cisco SD-WAN Devices

Configure Cisco IOS XE SD-WAN devices and Cisco vEdge devices by creating configuration templates.

Manage Devices in Overlay Network

Add Devices to the Overlay Network

Add Cisco SD-WAN devices either by using authorized serial numbers or from a Cisco Smart Account.

Decommission Virtual Devices

Decommission a Cisco IOS XE SD-WAN device or Cisco vEdge device to remove the device serial number.

Remove Devices from the Overlay Network

Remove Cisco SD-WAN devices to clear an old device configuration from the Cisco vManage server.

Change Device Values

Change Cisco SD-WAN device configuration by populating the variable values for the device.

Troubleshoot Device Issues

Determine and fix common Cisco SD-WAN device connectivity issues.

Upgrade Devices and Controllers

Install and activate upgraded software for Cisco SD-WAN controllers and Cisco SD-WAN devices.

You cannot use this workflow for:

  • Cisco SD-WAN controller releases earlier than 20.3.1

  • Cisco SD-WAN device releases earlier than 17.3.1a or 20.3.1

Whom to contact for feedback?

We value your opinion. Please send your feedback to sdwan-workflow-fb@cisco.com.

Compatibility Matrix

Table 3. Compatibility Matrix

| Controllers | ISR1000/ISR4000/ASR1000 | CSR | ISRv (ENCS/CSP) | vEdge | ISR 1100-4G and ISR 1100-6G | ISR1100 - 4GLTENA, ISR1100 - 4GLTEGB | UCS-E Series using External Interfaces | UCS-E Series using Internal Backplane Interfaces** |
|---|---|---|---|---|---|---|---|---|
| 18.4.4 | 16.10.4 and lower versions of 16.10.x and 16.9.x | Not Supported | Not Supported | 17.2.8 or higher up to 18.4.4 | Not Supported | Not Supported | Not Supported | Not Supported |
| 19.2.099 | 16.12.1e and lower versions of 16.12, 16.10.x, and 16.9.x | 16.12.1e and lower versions of 16.12 | 16.12.1a with NFVIS 3.12.3FC4 | 18.4 and 19.2 | 19.2.099 | Not Supported | Not Supported | Not Supported |
| 19.2.1 | 16.12.2r and lower versions of 16.12, 16.10.x, and 16.9.x | 16.12.2r and lower versions of 16.12 | 16.12.1a, 16.12.2r with NFVIS 3.12.3FC4 | 18.3, 18.4, and 19.2 | 19.2.099 and 19.2.1 | 19.2.1 | Supported | Not Supported |
| 19.2.2 | 16.12.3 and lower versions of 16.12, 16.10.x, 16.9.x | 16.12.3 and lower versions of 16.12 | 16.12.3 with NFVIS 3.12.3FC4 | 18.3, 18.4, and 19.2 | 19.2.099, 19.2.1, and 19.2.2 | 19.2.1 and 19.2.2 | Supported | Not Supported |
| 20.1.1 | 17.2.1r, 16.12.x, 16.10.x, and 16.9.x | 17.2.1r and 16.12.x | 17.2.1r with NFVIS 4.1.2 FC2 | 18.3, 18.4, 19.2, and 20.1 | 20.1.1 & lower up to 19.2.099 | 20.1.1 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |
| 20.1.1.1 | 17.2.1r, 16.12.x, 16.10.x, and 16.9.x | 17.2.1v, 17.2.1r and 16.12.x | 17.2.1r with NFVIS 4.1.2.FC2 | 18.3, 18.4, 19.2, 20.1, and 20.1.1.1 | 20.1.1.1 & lower up to 19.2.099 | 20.1.1.1 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |
| 20.1.12 | 17.2.1v, 17.2.1r, 16.12.x, 16.10.x, and 16.9.x | 17.2.1v, 17.2.1r and 16.12.x | 17.2.1r with NFVIS 4.1.2 FC2 | 18.3, 18.4, 19.2, 20.1, 20.1.12 | 20.1.12 & lower up to 19.2.099 | 20.1.12 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |
| 20.3.1 | 17.3.1a, 17.2.1v, 17.2.1r, 16.12.x and 16.10.x | 17.3.1a, 17.2.1v, 17.2.1r and 16.12.x | 17.3.1a, 17.2.1r with NFVIS 4.2.1 FC3 | 18.3, 18.4, 19.2, 20.1, 20.1.12, and 20.3.1 | 20.3.1 & lower up to 19.2.099 | 20.3.1 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |

** Interfaces - ucse x/y/0 and ucse x/y/1

ESXi 6.0 / 6.5

ESXi 6.5 / 6.7

Controller versions 20.3.1 and lower up to 18.4.4

vEdge Cloud- versions 20.3.1 and lower up to 18.4.4

Cisco CSR 1000v- versions 17.3.1a and lower up to 16.10.1

For more information about Cisco CSR 1000v, refer to Release Notes for Cisco CSR 1000V Series, Cisco IOS XE Amsterdam 17.3.x.

For information about Cisco vEdge Cloud Routers, refer to Cisco vEdge Cloud Data Sheet.

Supported Devices

Table 4. Supported Devices and Versions in Cisco SD-WAN Release 20.3.1

Device Family

Device Name

Cisco vEdge device

  • vEdge 100, vEdge 100b, vEdge 100m, vEdge 100wm, vEdge 1000, vEdge 2000, vEdge 5000, vEdge Cloud

  • ISR1100-6G/ISR1100-4G, ISR1100-4GLTENA, ISR1100-4GLTEGB