Release Notes for Cisco IOS XE SD-WAN Release 16.10.x and SD-WAN Release 18.4.x

These release notes accompany the Cisco IOS XE SD-WAN Software Release 16.10, which provides SD-WAN capabilities for Cisco XE SD-WAN devices, and the compatible Cisco SD-WAN Release 18.4 for Cisco vSmart Controller devices—including vBond orchestrators and vManage NMSs—and Cisco vEdge devices. These Release Notes include Cisco IOS XE SD-WAN Releases 16.10 through 16.10.4 and corresponding Releases 18.4 through 18.4.4.

Supported Devices

The Cisco IOS XE SD-WAN software runs on the following devices.

Table 1. Supported Devices and Versions

Device Family

Device Name

Cisco ASR 1000 Series Aggregation Services Routers

  • ASR 1001-HX and ASR 1001-X

  • ASR 1002-HX and ASR 1002-X

Cisco ISR 1000 Series Integrated Services Routers

  • C1111-8P, C1111-8P LTE EA, and C1111-8P LTE LA

  • C1117-4P LTE EA, C1117-4P LTE LA

  • C1111-4P LTE EA, C1111-4P LTE LA, C1116-4P LTE EA, C1117-4P MLTE EA

  • C1111-4P, C1116-4P, C1117-4P, C1117-4PM, C1101-4P, C1111X-8P (8GB RAM)

Cisco ISR 1000 Series Integrated Services Routers, with wireless services (WLanGigabitEthernet configuration required from vManage)

  • C1111-8PWY (WiFi domain WY; Y = A, B, E, F, H, N, Q, R, Z)

  • C1111-8PLTEEAWX^*^ (WiFi domain WX; X = A, B, E, R)

Cisco ISR 4000 Series Integrated Services Routers

ISR 4221, ISR 4321, ISR 4331, ISR 4351, ISR 4431, ISR 4451

Cisco 5000 Series Enterprise Network Compute System

  • ENCS 5104, ENCS 5406, ENCS 5408

  • ENCS 5412 with T1/E1 and 4G NIM modules

vEdge Routers

vEdge 100, vEdge 100b, vEdge 100m, vEdge 100wm, vEdge 1000, vEdge 2000, vEdge 5000

Product Features

Below are the main product features added in Cisco SD-WAN Release 18.4 and Cisco IOS XE SD-WAN Release 16.10.

For Cisco IOS XE devices:

Cisco XE SD-WAN device support all the following SD-WAN software features. For more information, see Software Installation and Upgrade for Cisco XE SD-WAN device.

  • Cisco SD-WAN security features

    • Enterprise Firewall with Application Awareness

    • Intrusion Prevention System

    • URL Filtering

    • DNS/Web-Layer Security

    • Umbrella auto-registration

    • Cloud: Local domain bypass for umbrella

  • Onsite bootstrap process for SD-WAN edge routers.

  • Template improvements: Network Design Builder, Device Profile Builder.

  • vManage common template for multiple C1100 wireless SKUs.

  • IPv6 on the service side + dual-stack

    • Dual-stack interfaces (Gig, sub-Interface, SVI, and loopback) on service side.

    • v6 routing protocols on service side: Static, BGP, route maps, inbound filtering, outbound filtering, v4 and v6 OMP redistribute, v4 and v6 redistribute between service VPN's.

    • IPv6 services features on service side: QOS, QOS policer on service side, QOS dscp re-write rule for inbound and outbound, ip name-server, ICMP redirects, VRRP, ACL, DHCP relay agent, SSH, traceroute, SNMP, logging server, MIB.

    • IPv6 addressing: Unicast (link-local, unique-local, and global), Anycast.

  • Device life cycle (Monitoring Security Policies by Device).

For Cisco vEdge device:

  • Adaptive FEC for optimizing TCP retransmits.

  • ALG support for FTP client side with NAT— FTP ALG support with network address translation – SERVICE NAT, and Zone-Based Firewall (ZBFW).

  • Template improvements: Network Design Builder, Device Profile Builder.

  • Packet duplication for loss correction.

  • SR-IOV vEdgeCloud support.

SD-WAN Features Not Supported on IOS XE Devices

  • Cloud Express service

  • Cloud onRamp service

  • Standard IPsec with IKE version 1 or IKE version 2 for service-side connections

  • IPsec/GRE cloud proxy

  • IPv6 on transport connections

  • NAT pools on service-side connections

  • Nat pools for DIA

  • Service side NAT

  • Reverse proxy

  • Interface level policer (however, policer is supported through the interface ACL)

  • Policy actions: local-tloc, local-tloc-list, remote-tloc (CSCvn67980), remote-tloc-list , mirror, log, service

Compatibility Matrix

Table 2. Compatibility Matrix

Controllers

ENCS/ISR/ASR

ISRv

vEDGE

18.3.5

16.9.4

16.9.4 with NFVIS 3.9.1FC1 or NFVIS 3.9.2-FC4

17.2 or higher

18.4.0

16.10.1

16.10.1 with NFVIS 3.9.1FC1 or NFVIS 3.9.2-FC4

17.2 or higher

ROMmon Requirements Matrix

The following table lists the minimum ROMmon versions supported on the corresponding devices and releases:

Table 3. ROMmon Versions

Device

ROMmon Version for 16.9 Devices

ROMmom Version for 16.10 Devices

ASR

16.3(2r)

16.3(2r)

ISR 4000

16.7(3r)

16.7(4r)

ISR 1000

16.8(1r)

16.9(1r)


Note

ROMmon auto-upgrade is supported on the ISR 4000 series routers, beginning with 16.9.1 and all subsequent releases/throttles.



Note

ROMmon auto-upgrade is supported on the ISR 1000 series routers, beginning with 16.10.3 and 16.12.1b.



Note

For the ISR 1000 series routers, ROMmon version 16.8(1r) is not compatible with 16.10 releases and ROMmon version 16.9(1r) is not compatible with 16.9 releases. If an ISR 1000 series router is upgraded to a 16.10 release without auto-upgrade support, it is required that ROMmon be upgraded to 16.9(1r) or later by the user.


The ISRv router is running the minimum required version of the CIMC and NFVIS software, as shown in the table below:

Hardware Platform

CIMC

NFVIS

ISRv

3.2.4

3.8.1

Upgrade to SD-WAN Software Release from Cisco SD-WAN Release 18.3 to Cisco SD-WAN Release 18.4


Note

For details on upgrading the Cisco IOS XE SD-WAN software, see Software Installation and Upgrade for Cisco XE SD-WAN device.



Note

For details on upgrading the Cisco SD-WAN, see Software Installation and Upgrade for vEdge Routers.



Note

You cannot install a Release 17.2 or earlier image on a Cisco vEdge device that is running Release 18.2.0 or later. This is the result of security enhancements implemented in Release 18.2.0. Note that if a Release 17.2 or earlier image is already present on the router, you can activate it.



Note

When the vManage NMS is running Release 18.4.x, all Cisco XE SD-WAN device in the overlay network must run Release 16.10.1 or later.


To upgrade your Cisco vEdge device to Cisco SD-WAN Release 18.4:

  1. In vManage NMS, select the Maintenance > Software Upgrade screen.

  2. Upgrade the controller devices to Release 18.4 in the following order:

    1. Upgrade the vManage NMSs in the overlay network.

    2. Upgrade the vBond orchestrators.

    3. Upgrade the vSmart controllers.

  3. Select the Monitor > Network screen.

  4. Select the devices you just upgraded, click the Control Connections tab, and verify that control connections have been established.

  5. Select the Maintenance > Software Upgrade screen, and upgrade the vEdge routers.


Note

After you upgrade software on a vManage NMS to any major release, you can never downgrade it to a previous major release. For example, if you upgrade the vManage NMS to Release 18.4, you can never downgrade it to Release 18.3 or to any earlier software release.

The major release number consists of the first two numbers in the software release number. For Cisco IOS XE SD-WAN software, 16.10 is a major release, and 16.10.1 denotes the initial release of 16.10. For Cisco SD-WAN, 18.4 and 18.3 are examples of major releases. Releases 18.4.0 and 18.3.0 denote the initial releases, and Releases 18.3.1 and 18.2.1 are maintenance releases.



Note

When you upgrade from 16.9.x to 16.10.x, bootflash for 4GB platforms in 16.10.3 needs free space of 400MB besides having up to 3 images. Keeping space in bootflash is recommended beyond 400 MB for error free install/upgrades. The software reset command is not supported when the image is downloaded through USB and TFTP. Support of software reset is available only through bootflash.


Upgrade from Cisco IOS XE SD-WAN Release 16.2 and Earlier Software Releases

Because of software changes in Release 16.3, you must modify the router configuration as follows before you upgrade from Release 16.2 or earlier to Release 18.3:

  • Use max-control-connections 0 instead of the no control-connections command in tunnel-interface configuration mode. The no control-connections command has been deprecated and has no effect on releases 17.2 and later.

  • You can no longer configure RED drops on low-latency queuing (LLQ; queue 0). That is, if you include the policy qos-scheduler scheduling llq command in the configuration, you cannot configure drops red-drop in the same QoS scheduler. If your vEdge router has this configuration, remove it before upgrading to Release 17.2. If you do not remove the RED drop configuration, the configuration process (confd) fails after you perform the software upgrade, and the Cisco vEdge device roll back to their previous configuration.

  • For vEdge 2000 routers, you can no longer configure interfaces that are not present in the router. That is, the interface names in the configuration must match the type of PIM installed in the router. For example, if the PIM module in slot 1 is a 10-Gigabit Ethernet PIM, the configuration must refer to the proper interface name, for example,10ge1/0, and not ge1/0. If the interface name does not match the PIM type, the software upgrade fails. Before you upgrade from Release 16.2 or earlier to Release 17.2, ensure that the interface names in the router configurations are correct.

Resolved and Open Bugs for Cisco IOS XE SD-WAN16.10.x and Cisco SD-WAN 18.4.x

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.

You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.

Resolved Bugs

All resolved bugs for this release are available in the Cisco Bug Search Tool through the Resolved Bug Search.

Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.4 and Cisco SD-WAN Release 18.4.4

Table 4. Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.4 and Cisco SD-WAN Release 18.4.4

Caveat ID Number

Description

CSCvi80775

Decouple buffer allocation for egress queues from the interface speed negotiated

CSCvk51661

memory leak in vdaemon

CSCvn24727

Large number of out-of-order packets seen with vEdge5k and vEdge-Cloud

CSCvn67202

Cisco SD-WAN Solution Packet Filtering Bypass Vulnerability

CSCvo21464

MIPS images writing a bunch of FP printf() output to main console

CSCvo53544

Admin-tech Failure in vManage for Cisco XE SD-WAN Router

CSCvp00165

OSPF Feature Template : Area nssa summary and translate not configured on CSR

CSCvp24427

SDAVC fails to complete activation

CSCvq02230

vEdge-5000 running 18.4.1 hitting DPI-out-of-memory causing the memory to climb to 100%

CSCvq12913

vEdge1000 crashed even after applying the 18.4.101 ES image

CSCvq30332

fp-core watchdog failure on vEdge 5k running 18.4.1 (fp-um)

CSCvq34350

vEdge Service side interface not responding to inter-vpn/inter-zone pings from local host

CSCvq62238

Transport tracker is not going down when the default route via the interface is removed

CSCvq65977

Rollback timer doesn't work as expected, broken in 18.4 code

CSCvq67476

ikev2 dpd retransmit always 1s and fails after one retry with "giving up after 1 retransmits"

CSCvq75671

IPSEC interface down alarms are not cleared sometimes

CSCvq86066

vEdge 5K crash with kernel panic

CSCvq88184

a vEdge will crash if the WAN interface loses its IP via DHCP

CSCvq97954

Cellular interface doesn't get an IP address when brought up through the pnp workflow

CSCvq98760

Unable to add device specific value in bgp feature template in 18.4.3

CSCvr18076

ISR4K automatically reboot everytime after placing "commit".

CSCvr32117

connected routes are not distributed in OMP for VRF number greater than 512

CSCvr47452

KVM: vEdgeCloud is displaying swap_dup: Bad swap file entry after Upgrade to RHEL 7.6 OPS 10.21

CSCvr54141

Hostname is truncated in the event logs on the vManage

CSCvr63960

Vmanage Doesn't Allow Configuring IPv6 Static Route Under VPN512 for Cedge

CSCvr79487

Real-Time OMP Advertised routes taking longer on 18.4 and higher versions than 17.2 and lower

CSCvr91093

Error occurs when try to collect BFD link status by API

CSCvs01637

ms_teams is missing from the list of office365 cloudexpress

CSCvs13262

vedge-cloud receive locks up in openstack virtio environment

CSCvs14444

Packets drops observed when primary transport is coming back up on the router.

CSCvj72674

Adding dscp to AAR match clears counters that don't seem to increment

CSCvn65879

Hostname out of sync in IOS and confd after reload

CSCvp34370

After upgrade to 18.3.5 static routes with a nh ip on a shut SUB interface are redistributed to OMP.

CSCvq07958

Cloud OnRamp for SAAS doesn't work when sending via 3rd Party IKE IPSEC Tunnel (Zscaler)

CSCvq75871

IPSec SA receives anti-replay error for all packets for NAT session flap sometimes

CSCvq76075

HMAC failure due to incorrect stale nat fixup entry for the ipsec session after symnat session flap

CSCvr42619

No ARP ping packets generated after loading xe-sdwan 16.10.3a image on asr1k

CSCvr91255

improve handling of fragment failures with zone based firewall

CSCvr98412

FP core seen in fp_do_tx_pkt_duplication with vedge packet duplication testcases

Open bugs in Cisco IOS XE SD-WAN Release 16.10.4 and Cisco SD-WAN Release 18.4.4

Caveat ID Number

Description

CSCvp07124

FP core watchdog fail on vEdgecloud 18.4.1 running on Azure.

CSCvr35176

Device is crashing constantly when TCP optimization is enabled.

CSCvr52680

Stale vManage certs present on the vManage after we factory reset it and install a new cert

CSCvr76398

Wrong order of operations when changing TenGe subinterface on ASR1k to different vlan id

CSCvr84372

VPN0 interface won't come up on vbond KVM instance on RHEL7.5

CSCvm86435

confd_cli process is not terminated and hogging CPU

Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.3b and Cisco SD-WAN Release 18.4.303

Table 5. Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.3b and Cisco SD-WAN Release 18.4.303

Bug ID

Description

CSCvk77287

vEDGE 1000 Reboot - ospf crash

CSCvn02180

confd died on upgrading from 18.3.X to 18.4 on 100b

CSCvo33693

vEdge-1000 using DIA and ZBFW having issues intermittenly with iframes of specific site after zbfw s

CSCvp11416

cEdge - Template attach fails for a cedge device if theres a central policy with cflowd activated

CSCvp52043

vSmart Crashing: Core files "Daemon 'vdaemon_inst_0' failed" getting generated on the vSmart

CSCvp90232

cEdge omp aggregate-only gives unpredictable results

CSCvq61835

interface cant be moved from vrf 0 to service vrf when it has ip address

CSCvq70691

Configuring IPv6 DNS Server through vManage fails for vEdge platforms

CSCvq70727

Configuration fails to push with "Bad CLI switchport access vlan name ATM-1, location 2" error

CSCvq97694

Local internet breakout (DIA) doesn't work on subinterfaces in IOS-XE SD-WAN 16.11.1a, 16.12.1b

CSCvr02735

template hardening - allow encrypted fields with more than 31 chars

CSCvr15242

omp routes redistributed into ospf are advertised back into omp causing a routing loop

CSCvr19249

vEdge performs NAT translation to public source port 0 or overlaps ports when all ports exhausted

Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.3a and Cisco SD-WAN Release 18.4.302

Table 6. Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.3a and Cisco SD-WAN Release 18.4.302

Bug ID

Description

CSCvn24727

Large number of out-of-order packets seen with vEdge5k and vEdge-Cloud

CSCvo08423

[Vistraprint] GUI unresponsive after upgrade to 18.3.4

CSCvp02442

Connectivity to the service side of vEdgecloud in Azure is lost when sending lot of tcp packets.

CSCvp10364

cEdge router crash because of viptela_start_sh fault

CSCvp13167

vEdge5000: control connection stuck in "Challenge" phase with TPM lockup

CSCvp50832

Network > Device> Real Time options wont be displayed if we login with SSO

CSCvq02230

vEdge-5000 running 18.4.1 hitting DPI-out-of-memory causing the memory to climb to 100%

CSCvq10160

Cellular IP is getting reset when primary transport interface Gi0/0/0 is shutdown.

CSCvq12913

vEdge1000 crashed even after applying the 18.4.101 ES image

CSCvq41120

Banner Feature Template : Device Template Push Fails when banner template is removed

CSCvq46984

BFD goes down on a Cisco XE SDWAN Router if it is behind symmetric NAT & the ports change frequently

CSCvq56875

Failure in configuration push to a cedge when we move tunnel-interface from parent to sub-interface

CSCvq61992

ISR1100 not booting up after power cycle and gets stuck in boot loop - replaystore file corruption

CSCvq62764

Passive FTP connection fails when connections are routed through DIA link of VEdge

CSCvq67094

zbf drops hierarchical overlay traffic between spoke sites that go through hub ASR1001-X

CSCvq68449

QFP ucode crash while processing large packet with NBAR enabled

CSCvq86066

vEdge 5K crash with kernel panic

CSCvq88184

a vEdge will crash if the WAN interface loses its IP via DHCP

CSCvq98760

Unable to add device specific value in bgp feature template in 18.4.3

CSCvr27373

nesd crash on XE SDWAN router when pushing large configuration

CSCvq60546

sriov support for ixgbevf xl520 adapters in openstack environments

CSCvp24427

SDAVC fails to complete activation

Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.3 and Cisco SD-WAN Release 18.4.3

Table 7. Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.3 and Cisco SD-WAN Release 18.4.3

Bug ID

Description

CSCvk06180

vQos - Packets buffered too long in the interface queue

CSCvk48972

Admin-tech failure via vManage for multiple Cisco XE SD-WAN Router platforms

CSCvk79079

SSO Requires browser cache to sign in after first login

CSCvm56707

'default-information originate' not disabled in VPN0

CSCvm97332

config commit operation fails on ISRv on 5406 with error ext2_lookup:deleted inode referenced

CSCvn18683

qos: can't change bandwidth allocation for the class in the qos-map

CSCvn22546

vManage needs to adjust memory threshold for warnings on Cisco XE SD-WAN Router platform

CSCvn32354

"Factory reset all" makes the Cisco XE SD-WAN Router inaccessible. Cant boot image fr bootflash

CSCvn38443

Cloudexpress Errors - Failed to enable sites for CloudExpress

CSCvn38487

vManage does not generate proper AAA configuration for Cisco XE SD-WAN Router

CSCvn44400

Login banner does accept banners over 238 characters

CSCvn45732

Device crashing if we unconfigure the NTP on the device

CSCvn55971

Cisco XE SD-WAN Router: Locally sourced packets using wrong interface with ECMP

CSCvn56474

After swapping tunnel-destination among 2 gre-intfs, one of the gre-intf does not get programmed

CSCvn59626

NTP template attach fails with a non default vrf and source interface configured

CSCvn66750

vManage - VMAN does not gen proper config for DHCP static binding w/ hostname specified

CSCvo00790

Cisco XE SD-WAN Router cli_template: Unable to move interface from global vpn

CSCvo02422

class-queue mappings are never pushed until there are class references in local policy

CSCvo02433

'SNMP has locked CDB' error while trying to edit a user group in vManage

CSCvo02607

SVM: transaction log can grow up to 25 GB in size

CSCvo02748

packets sourced with loopback interface and that are exceeding mtu on the service side are not fragm

CSCvo26474

vEdge-1000 reboot with 18.4.0 (FP core watchdog fail)

CSCvo26926

Not able to push CLI template due to kafka error (Too many open files)

CSCvo31413

fman_fp crash after upgrading to build 201

CSCvo48927

WAN Interface stays down after an upgrade or reload of a vEdge 5000

CSCvo61990

'show system statistics diff' does not work

CSCvo68150

'allow-service bgp' on vEdge Cloud not working as expected

CSCvo68788

sdwan: vManage should not push ip nbar protocol-discovery on loopback0

CSCvo68842

Google applications access issues when using DIA with app-list match in data-policy

CSCvo69041

SVM: server config file is empty

CSCvo69105

vManage does not handle chassis id in uppercase when activating vEdge Cloud

CSCvo70767

Device may show out of sync after a control connection flap

CSCvo74585

Cisco IOS-XE SD-WAN router with factory 16.9.2 software is shown as vEdgeCloud on vManage

CSCvo77664

UTD: Server response is leaked if URL verdict response is late

CSCvo79535

template push failure on ISR4331(16.10) due to discrepancy in setting "weight" (tunnel) parameter

CSCvo94092

vManage in 18.4.1 is unable to push banner to Cisco XE SD-WAN Router 16.10.2

CSCvp13167

vEdge5000: control connection stuck in "Challenge" phase with TPM lockup

CSCvp13833

snmp-server trap-source configuration is not generated for Cisco XE SD-WAN Router by vManage

CSCvp16606

sdwan isr receiving any SOO changes AD to 252

CSCvp18231

DHCP relay not forwarding dhcp request packets.

CSCvp19188

vManage generates incorrect Cisco XE SD-WAN Router config for DHCP excluded-address ranges

CSCvp21016

vEdge FTMD crash

CSCvp25994

CVM: OOM - vManage GUI becomes very sluggish. Tasks start to time out

CSCvp34862

Unable to import Database with TACACS login details

CSCvp37418

vManage is not sending filtered queries while displaying real time cflowd data from the vEdge.

CSCvp38066

ZTP: All production ztp servers vdaemon cored at the same time

CSCvp46023

vEdge dropping DHCP offer when source ip and dhcp-helper does not match.

CSCvp51861

DHCP ip pool config get removed after upgrade from 18.4.0.1 to 18.4.1

CSCvp51863

Ping intermittently fails because vEdge sends wrong ICMP ident in the header.

CSCvp52217

FTMD crash seen on a vE1K node

CSCvp61972

After reload of v5k with cloud-qos-service-side configured throughput drops and RED drops seen

CSCvp63629

Cellular modem is rebooting frequently

CSCvp65817

"default-information originate" stays in the config even if "originate" is disabled in the template

CSCvp65969

Tunnel group-id does not work as expected causing traffic loss

CSCvp67098

Can't update existing Localized Policy with new Access Control List

CSCvp68381

Unable to push policy to the vSmart after upgrade of the vManage from 18.3.5 to 18.4.101.

CSCvp70217

SVM: NMS app-server fails to start

CSCvp77191

vManage not processing statistics from device when vAnalytics is enabled for large deployments

CSCvp77533

Template failure results in 'Failed to finish the task' after 30 min

CSCvp78025

Stuck 'Send to Controllers' task on vManage blocking other tasks

CSCvp78629

Template fails due to physical interface removal after upgrade

CSCvp79222

ZBFW policy sequences not displayed in vManage UI after upgrade to 18.4 or higher from 18.3

CSCvp86310

Cisco XE SD-WAN Router unable to inject packets when traffic is destined to it

CSCvp96887

Failed to attach template to Cisco XE SDWAN Rtr if qos-map name changed after policy-map is attached

CSCvq02087

BFD sessions not forming between a Cisco XE SD-WAN Router behind symmetric NAT & a vEdge with NO NAT

CSCvq07823

Control connection drops even with high timeout with low-bandwidth-link on vEdge

CSCvq12443

tracker doesn't work for DIA in case of centralised data-policy used

CSCvq13368

packet loss seen with rapid pings on nat interface, drop reason showing as map-db add failures

CSCvq22687

<ip name-server vrf 1> configuration not saved upon upgrade from 16.9 to 16.10

CSCvq42802

vedge : DIA Traffic Policy restrict doesn't work as expected

CSCvq46984

BFD goes down on a Cisco XE SDWAN Router if it is behind symmetric NAT & the ports change frequently

CSCvq50896

BFD session not coming up on tloc-extension interface due to wrong UID

CSCvq54726

continuous nat-pool exhausted failure leads to map-db leak

CSCvq56813

vSmart allowing 5 SLA classes under policy causing problem pushing that to vEdges

CSCvq61992

XE SDWAN router stuck in boot loop after power-cycle due to replaystore file corruption

Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.2 and Cisco SD-WAN Release 18.4.1

Table 8. Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.2 and Cisco SD-WAN Release 18.4.1

Bug ID

Description

CSCvj50058

The vManage DPI screen displays a DIA graph for a vEdge router on which local Internet exit is not c

CSCvj88473

cEdge doesn't revert configuration after WAN interfaces shut from vManage

CSCvj90293

nesd crash on show platform software trace message nesd R0 on TSN

CSCvk72985

Device goes out-of-sync during network flap and never attempts template push after it is reachable

CSCvm61034

Template push cEdge failing with: (ERR): Bad CLI source Loopback0, location 16

CSCvm68397

NTP source interface configuration is not genrated by vManage

CSCvm70027

GC allocations errors causing GUI to be unresponsive

CSCvn77852

{StaticPageTitle} {static error message } seen on select device page

CSCvn78404

Unable to push policy to vSmart after upgrading from 18.3.4 to 18.4.0

Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.1 and Cisco SD-WAN Release 18.4.0

Table 9. Resolved bugs in Cisco IOS XE SD-WAN Release 16.10.1 and Cisco SD-WAN Release 18.4.0

Bug ID

Description

CSCvk77480

An '&' character in the organization-names breaks template pushes

CSCvm46954

vEdge 5K Template Attach - Null Error Msg

CSCvk78359

vEdge Crashed when issuing a "show ospf ... " command

CSCvm68056

Incorrect VRF name mapping for NTP source VPN in vManage

Open Bugs

All open bugs for this release are available in the Cisco Bug Search Tool through the Open Bug Search.

The following list contains open bugs for Cisco IOS XE SD-WAN Release 16.10.1 through 16.10.3 andCisco SD-WAN Release 18.4.0 through 18.4.3.

Bug ID

Description

CSCvi80775

Decouple buffer allocation for egress queues from the interface speed negotiated

CSCvj26197

Update statistics from Oecteon viptela code to platform

CSCvj29165

ENH - all user groups for cEdge are configured with same privilege 15

CSCvj82776

Incorrect tag for omp routes

CSCvk27129

The requirement to shutdown Dialer interface before its deletion causes an issue for vManage

CSCvk48972

Admin-tech failure via vManage for multiple Cisco XE SD-WAN Router platforms

CSCvk72903

cEdge-vDaemon: Sub-interface's control-local-properties shows state=UP even though it is oper-down

CSCvn38487

vManage does not generate proper AAA configuration for Cisco XE SD-WAN Router

CSCvn76615

source-interface mapping is missing in vmanage for tacacs and radius server group.

CSCvo34208

Memory leak in SMAND

CSCvo40967

linux_iosd memory goes up on ISR1100 over extended soak

CSCvo88281

Config Diffs not aligned properly in vManage due to line spacing

CSCvp09156

NTP issue on Cisco XE SD-WAN Router - cannot specify source interface in service VPN

CSCvp50832

Network > Device> Real Time options wont be displayed if we login with SSO

CSCvq62764

Passive FTP connection fails when connections are routed through DIA link of VEdge

CSCvr32117

connected routes are not distributed in OMP for VRF number greater than 512

Important Notes, Known Behavior, and Workaround

Known Behaviour - Hardware

The following are known behaviors of the hardware:

  • On vEdge 1000 routers, support for USB controllers is disabled by default. To attach an LTE USB dongle to a vEdge 1000 router, first attach the dongle, and then enable support for USB controllers on the vEdge router by adding the system usb-controller command to the configuration. When you enter this command in the configuration, the router immediately reboots. Then, when the router comes back up, continue with the router configuration. Also for vEdge 1000 routers, if you plug in an LTE USB dongle after you enable the USB controller, or if you hot swap an LTE USB dongle after you enable the USB controller, you must reboot the router in order for the USB dongle to be recognized. For information about enabling the USB controller, see USB Dongle for Cellular Connection.

  • For vEdge 2000 routers, if you change the PIM type from a 1-Gigabit Ethernet to a 10-Gigabit Ethernet PIM, or vice versa, possibly as part of an RMA process, follow these steps:

    1. Delete the configuration for the old PIM (the PIM you are returning as part of the RMA process).

    2. Remove the old PIM, and return it as part of the RMA process.

    3. Insert the new PIM (the PIM you received as part of the RMA process).

    4. Reboot the vEdge 2000 router.

    5. Configure the interfaces for the new PIM.

  • On a vEdge 5000 router, you cannot enable TCP optimization by configuring the tcp-optimization-enabled command.

  • Cisco XE SD-WAN device with the SFP-10G-SR module do not support online insertion and removal (OIR) of this module.

Known Behaviour - Software

The following are known behaviors of the software:

Cellular Interfaces

  • On a vEdge 100m-NA and 100m-GB routers, when you configure profile 1 for a wireless WAN, you might see the error "Aborted: 'vpn 0 interface cellular0 profile': Invalid profile 1 : APN missing". [VIP-31721].

  • When configuring cellular attach-profile and data-profile on Cisco IOS XE routers running the XE SD-WAN software, you must use the default profile ID.

  • The vEdge 100wm router United States certification allows operation only on non-DFS channels.

  • When you are configuring primary and last-resort cellular interfaces with high control hello interval and tolerance values, note the following caveats:

    • When you configure two interfaces, one as the primary interface and the other as the last-resort interface, and when you configure a high control hello interval or tolerance values on the last-resort interface (using the hello-interval and hello-tolerance commands, respectively, the OMP state indicates init-in-gr even though it shows that the control connections and BFD are both Up. This issue was resolved in Release 16.2.3. However, the following caveats exist:

      — You can configure only one interface with a high hello interval and tolerance value. This interface can be either the primary or the last-resort interface.

      — In certain cases, such as when you reboot the router or when you issue shutdown and no shutdown commands on the interfaces, the control connections might take longer than expected to establish. In this case, it is recommended that you issue the request port-hop command for the desired color. You can also choose to wait for the vEdge router to initiate an implicit port-hop operation. The request port-hop command or the implicit port hop initiates the control connection on a new port. When the new connection is established, the stale entry is flushed from the vSmart controllers.

    • If the primary interface is Up, as indicated by the presence of a control connection and a BFD session, and if you configure a last-resort interface with higher values of hello interval and tolerance than the primary interface, if you issue a shutdown command, followed by a no shutdown command on the last-resort interface, the last-resort interface comes up and continuously tries to establish control connections. Several minutes can elapse before the operational status of the last-resort interfaces changes to Down. If this situation occurs, it is recommended that you issue a request port-hop command for the desired color.

    • If you have configured a primary interface and a last-resort interface that has higher hello interval and tolerance values than the primary interface, and if the last-resort interface has control connections to two vSmart controllers, if you issue a shutdown command, followed by a no shutdown command on the last-resort interface, a control connection comes up within a reasonable amount of time with only one of the vSmart controllers. The control connection with the second vSmart controller might not come up until the timer value configured in the hello tolerance has passed. If this situation occurs, it is recommended that you issue a request port-hop command for the desired color.

  • When you activate the configuration on a router with cellular interfaces, the primary interfaces (that is, those interfaces not configured as circuits of last resort) and the circuit of last resort come up. In this process, all the interfaces begin the process of establishing control and BFD connections. When one or more of the primary interfaces establishes a TLOC connection, the circuit of last resort shuts itself down because it is not needed. During this shutdown process, the circuit of last resort triggers a BFD TLOC Down alarm and a Control TLOC Down alarm on the vEdge router. These two alarms are cleared only when all the primary interfaces lose their BFD connections to remote nodes and the circuit of last resort activates itself. This generation and clearing of alarms is expected behavior.

  • For cellular interface profile, the profile number can be 0 through 15. Profile number 16 is reserved, and you cannot modify it.

Configuration and Command-line Interface

  • When you upgrade to Release 17.2 from any prior Cisco SD-WAN release, the CLI history on the Cisco vEdge device is lost. The CLI history is the list of commands previously entered at the CLI prompt. You typically access the history using the up and down arrows on the keyboard or by typing Ctrl-P and Ctrl-N. When you upgrade from Release 17.2 to a later software release, the CLI history is maintained.

  • When you issue the request reset configuration command on a vEdge Cloud router, a vManage NMS, or a vSmart controller, the software pointer to the device's certificate might be cleared even though the certificate itself is not deleted. When the device reboots and comes back up, installation of a new certificate fails, because the certificate is already present. To recover from this situation, issue the request software reset command.

Control and BFD Connections

  • When a vBond orchestrator, vManage NMS, or vSmart controller goes down for any reason and the vEdge routers remain up, when the controller device comes back up, the connection between it and the vEdge router might shut down and restart, and in some cases the BFD sessions on the vEdge router might shut down and restart. This behavior occurs because of port hopping: when one device loses its control connection to another device, it port hops to another port in an attempt to reestablish the connection. For more information, see the Firewall Ports for Cisco SD-WAN Deployments article. Two examples illustrate when this might occur:

    • When a vBond orchestrator goes down for any reason, the vManage NMS might take down all connections to the vEdge routers. The sequence of events that occurs is as follows: when the vBond orchestrator crashes, the vManage NMS might lose or close all its control connections. The vManage NMS then port hops, to try to establish connections to the vSmart controllers on a different port. This port hopping on the vManage NMS shuts down and then restarts all its control connections, including those to the vEdge routers.

    • All control sessions on all vSmart controllers go down, and BFD sessions on the vEdge routers remain up. When any one of the vSmart controllers comes back up, the BFD sessions on the routers go down and then come back up because the vEdge routers have port hopped to a different port in an attempt to reconnect to the vSmart controllers.

  • When a vEdge router running Release 16.2 or later is behind a symmetric NAT device, it can establish BFD sessions with remote vEdge routers only if the remote routers are running Release 16.2 or later. These routers cannot establish BFD sessions with a remote vEdge router that is running a software release earlier than Release 16.2.0.

  • When you add or remove an IPv4 address on a tunnel interface (TLOC) that already has an IPv6 address, or when you add or remove an IPv6 address on a TLOC that already has an IPv4 address, the control and data plane connections for that interface go down and then come back up.

  • Release 16.3 introduces a feature that you can use to configure the preferred tunnel interface to use to exchange traffic with the vManage NMS. In the vManage NMS, you configure this on cellular, Ethernet, and PPP Interface feature templates, in the vManage Connection Preference field under Tunnel Interface. In the CLI, you configure this with the vmanage-connection-preference command. The preference value can be from 0 through 8, with a lower number more preferable. The default value is 5. If you set the preference value to 0, that tunnel interface is never used to exchange traffic with the vManage NMS, and it is never able to send or receive any overlay network control traffic.

    With this configuration option, there is one situation in which you can accidentally configure a device such that it loses all its control connections to all Cisco vSmart Controller devices (the vManage NMSs and the vSmart controllers). If you create feature templates and then consolidate them into a device template for the first time, the NMS software checks whether each device has at least one tunnel interface. If not, a software error is displayed. However, when a device template is already attached to a device, if you modify one of its feature templates such that the connection preference on all tunnel interfaces is 0, when you update the device with the changes, no software check is performed, because only the configuration changes are pushed to the device, not the entire device template. As a result, these devices lose all their control connections. To avoid this issue, ensure that the vManage connection preference on at least one tunnel interface is set either to the default or to a non-0 preference value.

Interfaces

  • On virtual interfaces, such as IRB, loopback, and system interfaces, the duplex and speed attributes do not apply, and you cannot configure these properties on the interfaces.

  • When a vEdge router has two or more NAT interfaces, and hence two or more DIA connections to the internet, by default, data traffic is forwarding on the NAT interfaces using ECMP. To direct data traffic to a specific DIA interface, configure a centralized data policy on the vSmart controller that sets two actions—nat and local-tloc color. In the local-tloc color action, specify the color of the TLOC that connects to the desired DIA connection.

  • When configuring interfaces for an IOS XE router using one of the VPN Interface feature configuration templates, you must spell out the interface names completely. For example, you must type GigabitEthernet0/0/0. Also, you must define all the interfaces in the router even if you are not using them so that they are configured in the shutdown state and so that all default values for them are configured.

  • For IOS XE routers that have a DSLAM module plugged in, you must include the VPN Interface DSL PPPoA or the VPN Interface DSL PPPoE feature configuration template in the device configuration template to successfully configure the routers from vManage NMS.

IPv6

  • You can configure IPv6 only on physical interfaces (ge and eth interfaces), loopback interfaces (loopback0, loopback1, and so on), and on subinterfaces (such as ge0/1.1).

  • For IPv6 WAN interfaces in VPN 0, you cannot configure more than two TLOCs on the vEdge router. If you configure more than two, control connections between the router and the Cisco vSmart Controller might not come up.

  • IPv6 transport is supported over IPsec encapsulation. GRE encapsulation is not supported.

  • You cannot configure NAT and TLOC extensions on IPv6 interfaces.

  • HMAC failure due to incorrect stale nat fixup entry for the ipsec session after symnat session flap.

  • DHCPv6 returns only an IPv6 address. No default information is accepted. IPv6 router solicitation and router advertisement messages are not processed.

IRB

  • On integrated routing and bridging (IRB) interfaces, you cannot configure autonegotiation.

NAT

  • When you reboot a vSmart controller, the BFD sessions for all symmetric NAT devices go down and come back up. This is expected behavior.

Policy

  • In policy definitions, any application list or application family list that you define with an app-list option cannot have more than 10 items per list.

Routing Protocols

  • When a vEdge router transport interface is using an old IPv6 SLAAC address for control connections or BFD sessions, or both, the IP address used for control connections and BFD might become out of sync with the actual IPv6 address. This situation can happen when the IPv6 address that SLAAC advertises from the gateway router changes suddenly and the old IPv6 address has not first been invalidated. As a workaround, if the router has no mechanism to invalidate older prefixes when the IPv6 prefix changes, first remove the router-advertisement configuration on the default gateway router and then change the IPv6 address. To resolve this problem when it occurs on a vEdge router, shut down the interface and then restart it; that is, issue a shutdown command, followed by a no shutdown command.

  • When you configure OSPF using a vManage NMS device configuration template, the configuration of an NSSA area or a stub area and the configuration of an area range are not pushed to the router when you attach the device configuration template to the router. As a workaround, configure these parameters in CLI mode on the router, from the vManage Tools ► SSH Terminal screen, using the OSPF area and range configuration commands.

Security

  • It is recommended that you use IKE Version 2 only with Palo Alto Networks and Ubuntu strongSwan systems. Cisco SD-WAN has not tested IKE Version 2 with other systems.

SNMP

  • When you configure an SNMP trap target address, you must use an IPv4 address.

  • The Cisco SD-WAN interface MIB supports both 32-bit and 64-bit counters, and by default sends 64-bit counters. If you are using an SNMP monitoring tool that does not recognize 64-bit counters, configure it to read 32-bit MIB counters.

  • On a vEdge router, if you perform an snmpwalk getnext request for an OID for which there is no information, the response that is returned is the next available instance of that OID. This is the expected behavior.

T1/E1

  • If you wish to change the card and controller type on the device, you must first remove the previously configured card and controller and reboot the device.

  • You cannot configure rollback or load override features on a multilink interface.

  • PPP multilink QoS is currently not supported in the VPN Interface Multilink template.

  • PPP multilink NAT is currently not supported in the VPN Interface Multilink template.

  • For a vEdge Cloud VM instance on the KVM hypervisor, for Cisco SD-WAN Releases 16.2.2 and later, it is recommended that you use virtio interfaces. For software versions earlier than Release 16.2.2, if you are using the Ubuntu 14.04 or 16.04 LTS operating system, you can use IDE, virtio, or virtio-scsi interfaces.

vManage NMS

  • On a Cisco vEdge device that is being managed by a vManage NMS system, if you edit the device's configuration from the CLI, when you issue the commit command, you are prompted to confirm the commit operation. For example:

    vEdge(config-banner)# commit

    The following warnings were generated:

    'system is-vmanaged': This device is being managed by the vManage. Any configuration changes to this device will be overwritten by the vManage. Proceed? [yes,no]

    You must enter either yes or no in response to this prompt.

    During the period of time between when you type commit and when you type either yes or no, the device's configuration database is locked. When the configuration database on a device is locked, the vManage NMS is not able to push a configuration to the device, and from the vManage NMS, you are not able to switch the device to CLI mode.

  • The members of a vManage cluster rely on timestamps to synchronize data and to track device uptime. For this time-dependent data to remain accurate, do not change the clock time on any one of the vManage servers of the cluster after you create the cluster.

  • When you use the vManage Maintenance ► Software Upgrade screen to set the default software version for a network device, that device must be running Release 16.1 or later at the time you set the default software version. If the network device is running Release 15.4 or earlier, use the CLI request software set-default command to set the default software version for that device.

  • When you are using a vManage cluster, when you are bring up a new vManage NMS in the cluster, use an existing vManage NMS to install the certificate on the new vManage NMS.

  • In vManage feature configuration templates, for the passwords listed below, you cannot enter a cleartext password that starts with $6 or $8. You can, however, use such passwords when you are configuring from the CLI.

    • Neighbor password, in the BGP feature configuration template.

    • User password, in the Cellular Profile feature configuration template.

    • Authentication type password and privacy type password, in the SNMP feature configuration template.

    • RADIUS secret key and TACACS+ secret key, in the System feature configuration template.

    • IEEE 802.1X secret key, in the VPN Interface Ethernet feature configuration template.

    • IPsec IKE authentication preshared key, in the VPN Interface IPsec feature configuration template.

    • CHAP and PAP passwords, in the VPN Interface PPP Ethernet feature configuration template.

    • Wireless LAN WPA key, in the WiFi SSID feature configuration template.

  • PPP CHAP is currently not supported in the VPN Interface Multilink template.

  • PPP multilink fragmentation is currently not supported in the VPN Interface Multilink template.

  • If a serial interface is bundled into a multilink interface, you cannot remove it from the vManage NMS.

  • After you attach the VPN Interface Multilink template to a device, you cannot detach it from the device.

Licensing

  • The maximum aggregated cyrpto throughput for the ISR 1000 series routers is 250 Mbps. HSECK9 license is required to achieve IPSec tunnel scale greater than 100 on ISR1000 series routers.

  • Base licensing package of AX needs to be enabled for IOS-XE SDWAN ISRv during VM deployment on the ENCS portal.