Release Notes for Cisco IOS XE SD-WAN Device, Cisco IOS XE Release Amsterdam 17.3.x

These release notes accompany Cisco IOS XE Release Amsterdam 17.3.x, which provides Cisco SD-WAN capabilities. They include release-specific information for Cisco vSmart Controllers, Cisco vBond Orchestrators, and Cisco vManage, as applicable to Cisco IOS XE SD-WAN devices.

For release information about Cisco vEdge Devices, refer to Release Notes for Cisco vEdge Devices, Cisco SD-WAN Release 20.3.x.

What's New for Cisco IOS XE Release Amsterdam 17.3.x

This section applies to Cisco IOS XE SD-WAN devices.

Cisco enhances the SD-WAN solution with every release, and we try to keep the content in line with the latest enhancements. The following table lists new and modified features we documented in the Configuration, Command Reference, and Hardware Installation guides. For information on additional features and fixes that were committed to the SD-WAN solution, see the Resolved and Open Bugs section in the Release Notes.

Table 1. Cisco IOS XE Release 17.3.1a
Feature Description

User Documentation and Interactive Help in Cisco vManage

User Documentation

Starting from this release, we've restructured the listing page of our configuration guides to display category-wise book and chapter contents. This new page lets you switch between releases using the View Documents by Release drop-down list.

Interactive Help in Cisco vManage

This feature helps you navigate Cisco vManage and complete vManage procedures using guided workflows. The Interactive Help points to elements within the Cisco vManage interface and shows you where to click next and what to do to complete a selected workflow.

Cisco SD-WAN Getting Started

Generate a Bootstrap File For Cisco IOS XE SD-WAN Devices Using the CLI

This feature enables you to generate a minimum bootstrap configuration file directly on a device. The file enables the device to reconnect to the controller if the full configuration is ever lost or removed.

Cisco SD-AVC Cloud Connector

When enabling Cloud onRamp for SaaS to manage Office 365 traffic, you can limit best path selection to apply only to some Office 365 traffic, according to the Office 365 traffic categories defined by Microsoft, or to include all Office 365 traffic.

The Cisco SD-AVC Cloud Connector provides support for this functionality.

On Premises ZTP Server for Cisco SD-WAN

This feature extends the on-premise Plug and Play implementation support to Cisco IOS XE SD-WAN routers.

Device Onboarding Enhancement

Starting from Cisco vManage Release 20.3.1, you can onboard a device to Cisco vManage by directly uploading, from your system, a .csv file containing details of your device.

Cisco vManage Cluster Upgrade

This feature outlines the upgrade procedure for Cisco vManage servers in a cluster to Cisco vManage Release 20.3.1.

Systems and Interfaces

Configure a Router as an NTP Primary

This feature lets you configure a supported router as an NTP primary router. Other nodes in a Cisco SD-WAN deployment synchronize their clocks to the NTP primary router. This configuration is useful if you do not have an NTP server in your deployment.

Export vManage Audit Log as Syslog

The Cisco vManage NMS exports audit logs in syslog message format to a configured external syslog server. This feature allows you to consolidate and store network activity logs in a central location.

Hardened Passwords

This feature enables password policy rules in Cisco vManage. Once enabled, Cisco vManage enforces the use of strong passwords.

Configure Sessions in Cisco vManage

This feature lets you see all HTTP sessions open within Cisco vManage. It gives you details about the username, source IP address, domain of the user, and other information. A user with User Management Write access, or a netadmin user can trigger a log out of any suspicious user's session.

You can set client session timeouts, session lifetimes, server session timeouts, and enable the maximum number of user sessions in Cisco vManage.

Posture Assessment Support

Identity Services Engine (ISE) Posture functions are integrated into Cisco 1100 Integrated Services Routers. This feature enables you to use Posture Assessment capabilities to validate the compliance of endpoints according to the security policies of your enterprise.

For Cisco vManage Release 20.3.1 this feature can only be configured using CLI Add-On feature templates in Cisco vManage.

Remove Certificate SUDI requirement.

This feature allows you to use a subject SUDI serial number instead of a certificate serial number to add a device to a Cisco SD-WAN overlay network.

Integration with Cisco Unified Communications

This release adds support for using a feature template to enable Cisco IP-based media services.

Dynamic On-Demand Tunnels

This feature enables you to configure an Inactive state for tunnels between edge devices, reducing performance demands on devices and reducing network traffic.

Static Route Tracker for Service VPNs

This feature enables you to configure IPv4 static route endpoint tracking for service VPNs.

For static routes, endpoint tracking determines whether the configured endpoint is reachable before adding that route to the route table of the device.

To configure Static Route Tracking on Cisco vManage, configure an endpoint tracker using the Cisco System template, and configure a static route using the Cisco VPN template.

NAT DIA Tracker for Cisco IOS XE SD-WAN Devices

This feature allows you to configure a system tracker to probe the transport interface periodically to determine if the Internet or external network becomes unavailable.

You can configure DIA Tracker using the Tracker tab of the Cisco System template.

You can apply the tracker to a transport interface using either Cisco VPN Interface Ethernet or Cisco VPN Interface Cellular templates.

Service Side NAT on Cisco IOS XE SD-WAN devices

This feature allows you to configure inside and outside NAT on data traffic traveling to and from the service-side hosts of the network overlay.

The service-side NAT configuration allows you to translate the source IP addresses for data traffic from service-side hosts to the overlay and traffic from the overlay to service-side hosts.

To configure service-side NAT using Cisco vManage, configure a centralized data policy using Configure > Policies, and configure a dynamic NAT pool and static NAT address using the Service VPN template.

Qualified Commands for Cisco IOS XE Release Amsterdam 17.3.1a

Starting from Cisco IOS XE Release 17.3.1a, you can use additional commands in CLI Add-on feature templates.

Routing

BGP Community Propagation

This feature enables propagation of BGP communities between routing protocols during route redistribution. On one node, OMP redistributes routes from BGP, and on the other node, OMP redistributes routes into BGP. The BGP AS Path is propagated over OMP so that it can be preserved between Cisco SD-WAN nodes. BGP community propagation helps in propagating BGP communities between Cisco SD-WAN sites, across VPNs, using OMP redistribution.

OMP Route Aggregation

This feature is an enhancement where OMP route aggregation is performed only for the routes that are configured for route redistribution, to avoid black hole routing. This enhancement is applicable for OSPF, Connected, Static, BGP and other protocols only if the redistribution is requested.

Route Leaking Between Global VRF and Service VPNs

This feature enables you to leak routes bidirectionally between the global VRF and service VPNs. Route leaking allows service sharing and is beneficial in migration use cases because it allows bypassing hubs and provides migrated branches direct access to non-migrated branches.

BFD for Routing Protocols in Cisco SD-WAN

This feature extends BFD support to BGP, OSPF, and EIGRP protocols in the Cisco SD-WAN solution. BFD provides a consistent failure detection method to detect forwarding path failures at a uniform rate, therefore enabling faster reconvergence time.

Multicast over L3 TLOC Extension

This feature enables support for transport location (TLOC), which allows addition of the peer's transport to avoid the extra cost of additional IP and allows the use of dynamic load balancing across multiple transports.

Forwarding and QoS

Adaptive QoS

This feature enables WAN interface shapers and per-tunnel shapers at the enterprise edge to adapt to the available WAN bandwidth. The capability to adapt to the bandwidth controls differentiated packet drops at the enterprise edge and reduces or prevents packet drops in the network core.

Policies

Application-Aware Routing Policy Support for Multicast

This feature enables support for configuring application-aware routing policy for multicast traffic on Cisco IOS XE SD-WAN devices based on source and destination, protocol matching and SLA requirement.

Support for six SLA Classes per Policy

This feature allows you to configure up to six SLA classes per policy on Cisco IOS XE SD-WAN devices. This allows additional options to be configured in an application-aware routing policy.

Support for Defining Custom Applications

This feature adds support for defining custom applications.

Service insertion tracker support

This feature extends support for service chaining to Cisco IOS XE SD-WAN devices. On Cisco IOS XE SD-WAN devices and Cisco vEdge devices, it adds a tracking feature that logs the availability of a service.

Security

Support for SGT Propagation with Cisco TrustSec Integration

This feature enables Cisco IOS XE SD-WAN edge devices to propagate Security Group Tag (SGT) inline tags that are generated by Cisco TrustSec-enabled switches in the branches to other edge devices in the Cisco SD-WAN network. While Cisco TrustSec-enabled switches do classification, propagation (inline SGT tagging) and enforcement on the branches, Cisco IOS XE SD-WAN devices carry the inline tags across the edge devices.

Cloud OnRamp

Support for Specifying Office 365 Traffic Categories for Cloud onRamp for SaaS on Cisco IOS XE SD-WAN Devices

This feature updates the existing Cloud onRamp for SaaS configuration workflow for Cisco IOS XE SD-WAN devices. The feature allows you to limit the use of best path selection to some or all Office 365 traffic, according to the Office 365 traffic categories defined by Microsoft.

Integration of AWS Branch with Cisco IOS XE SD-WAN Devices

Cisco SD-WAN Cloud OnRamp for Infrastructure as a Service (IaaS) extends enterprise WAN to public clouds. This multi-cloud solution helps to integrate public cloud infrastructure into Cisco SD-WAN fabric. This feature enables Transit Gateway (TGW) when the standard Cloud OnRamp solution is not sufficient. For example, one host VPC is connected to the Cisco SD-WAN edge router using an Internet Gateway (IGW). If the IGW bandwidth limit is less, then TGW is used for SD-WAN integration. TGW provides a way to interconnect VPCs and VPNs.

Support Catalyst 48Y4C (Cloud OnRamp for Colocation)

This release supports the use of Cisco Catalyst 9500-48Y4C switches in the Cloud onRamp for colocation cluster that enables 80G-200G of bidirectional throughput.

Flexible Topologies (Cloud OnRamp for Colocation)

This feature provides the ability to flexibly insert the NIC cards and interconnect the devices (CSP devices and Catalyst 9500 switches) within the Cloud onRamp for colocation cluster. Any CSP ports can be connected to any port on the switches. The Stackwise Virtual Switch Link (SVL) ports can be connected to any port and similarly the uplink ports can be connected to any port on the switches.

TACACS Authentication (Cloud OnRamp for Colocation)

This feature allows you to configure the TACACS authentication for users accessing the Cisco CSP and Cisco Catalyst 9500 devices. Authenticating the users using TACACS validates and secures their access to the Cisco CSP and Cisco Catalyst 9500 devices.

Network Assurance – VNFs: Stop/Start/Restart (Cloud OnRamp for Colocation)

This feature provides the capability to stop, start, or restart VNFs on Cisco CSP devices from the Colocation Clusters tab. You can easily perform the operations on VNFs using Cisco vManage.

Monitor and Maintain

Embedded Packet Capture

This feature is an onboard packet capture facility that allows network administrators to capture packets flowing to, through, and from the device and to analyze them locally or save and export them for offline analysis through Cisco vManage. This feature facilitates application analysis, security, and troubleshooting by gathering information about the packet format.

TAC Access

TAC Access to Cisco vManage

When working with the Cisco Technical Assistance Center (TAC) to address an issue in Cisco vManage, users may provide TAC with access to Cisco vManage or TAC teams may access Cisco vManage using the consent token mechanism. In the past, this access has relied on a user account called viptelatac. In this release, two separate user accounts have been added, one with read-only access and one with write access. The accounts use a challenge-response authentication method.

Cisco SD-WAN for Government

Cisco SD-WAN for Government

FedRAMP, the Federal Risk and Authorization Management Program, is a United States-government program that provides a specific set of standards to ensure that a cloud provider meets the requirements to be eligible for use by the U.S. federal government. With Cisco SD-WAN for Government, you can quickly and easily deploy a Cisco SD-WAN overlay network using the Cisco Self-Service Portal. This ensures that your Cisco SD-WAN network meets the stringent requirements of FedRAMP with enhanced security and rapid deployments.

Important Notes, Known Behavior, and Workaround

  • Cisco IOS XE SD-WAN devices with the SFP-10G-SR module do not support online insertion and removal (OIR) of this module.

  • When you complete a Cisco SD-WAN software downgrade procedure on a device, the device goes into the configuration mode that it was in when you last upgraded the Cisco SD-WAN software on the device. If the device is in a different configuration mode when you start the downgrade than it was when you last upgraded, the device and Cisco vManage show different configuration modes after the downgrade completes. To put the configuration modes back in sync, reattach the device to a device template. After you reattach the device, both the device and Cisco vManage show that the device is in the vManage configuration mode.

  • Cisco vManage Release 20.3.1 implements a hardened security posture to comply with FedRAMP guidelines. As a result, your vAnalytics login credentials that are stored locally are erased when you upgrade the software, and you cannot access the vAnalytics service directly through Cisco vManage. In this case, log in to vAnalytics using this URL: https://analytics.viptela.com. If you can’t find your vAnalytics login credentials, open a case with Cisco TAC support.

Resolved and Open Bugs

About the Cisco Bug Search Tool

Use the Cisco Bug Search Tool to access open and resolved bugs for a release.

The tool allows you to search for a specific bug ID, or for all bugs specific to a product and a release.

You can filter the search results by last modified date, bug status (open, resolved), severity, rating, and support cases.

Bugs for Cisco IOS XE Release 17.3.1a

This section details all fixed and open bugs for this release. These bugs are available in the Cisco Bug Search Tool.

Resolved Bugs for Cisco IOS XE Release 17.3.1a

| Bug ID | Description |
| --- | --- |
| CSCuz84374 | SPA modules on ASR1002-X/ASR1001-X does not get recognized under show platform |
| CSCvh24730 | PfRv3: Crash while Printing the Same TCA Message |
| CSCvp24405 | Router crash after adding macsec reply-protection command on an interface |
| CSCvp79052 | vManage is not exhibiting the correct hostname of cEdge |
| CSCvp88044 | Performance Monitor crash |
| CSCvq84015 | ISR1100 not booting up after power cycle and gets stuck in boot loop - cdb itself gets corrupted |
| CSCvr48928 | Template push stuck on vManage Cluster when pushing new System IP to Edge router |
| CSCvr89957 | CFT crashed frequently |
| CSCvs02000 | %IOSXE-3-PLATFORM: R0/0: kernel: DMA: Out of SW-IOMMU space |
| CSCvs19084 | UmbrellaConnector drops packets sent from Linux machine |
| CSCvs27907 | Ctrl+Z causes syntax error: unknown argument |
| CSCvs28073 | IOS-XE device has memory leak in linux_iosd-imag |
| CSCvs29412 | x509 SSH authentication incorrect UPN value selected |
| CSCvs38028 | cEdge_Policy_regression: Service IPv6 ping is failing if the interface vrf forwarding is replaced |
| CSCvs42498 | NAT Alias not created for some configuration when using application redundancy |
| CSCvs45107 | AnyConnect fails to reconnect when original session expires |
| CSCvs47682 | Router crashed when attempting to remove a nonexistent trustpoint from dspfarm profile |
| CSCvs48162 | Seeing IpsecOutput drop for cEdge even though ip packet size is less than 1442. |
| CSCvs51630 | cEdge: 'security ipsec replay-window' needs to support 8192 |
| CSCvs53749 | EVPN RMAC stale routes seen |
| CSCvs56559 | show crypto pki server shows wrong expire certificate date |
| CSCvs56721 | spoke-to-spoke PLR packets should not change the interface PLR status |
| CSCvs57212 | NGIO Lite is crashed when MT SMS with special characters (EMS) is received |
| CSCvs59402 | Random IPSEC drops on ESP200 with esp-gcm transform set |
| CSCvs60195 | ASR1K ucode crash after too many locks in ZBF pair setup |
| CSCvs61402 | CFLOW_INSERT ABORT errors continue to increment |
| CSCvs63606 | Ping fails on hundred gig primary interface with FRR configured though MPLS traffic is not impacted |
| CSCvs63841 | SDWAN ISR1100: No SW Image listed when .bin image booted from flash / usb |
| CSCvs65950 | IOS PKI: P12 not generated on IOS Sub CA at rollover certificate generation |
| CSCvs66091 | XE SD-WAN Router SSH might get disabled followed by software reset and another reload |
| CSCvs75958 | ISR4331/K9 Dialer cannot make calls suddenly |
| CSCvs78594 | NAT doesn't translate SIP header's orignial source for return traffic on 16.9.3 and 16.9.4 |
| CSCvs81161 | Orthrus: Interface is down after shut/no shut. |
| CSCvs81791 | Fix for kernel driver issue causing wake up for empty block, packet too large to process |
| CSCvs81967 | ISR4K: %BOOT-3-BOOT_SRC: R0/0: No space on boot /dev/bootflash5 for packages, using bootflash! |
| CSCvs85642 | ISR G3 router crashes when rtp-nte DTMF packet arrives at MTP + BDI |
| CSCvs88686 | ISR4K / ASR / CBR8 crash in cpp_cp_svr due to watchdog timeout |
| CSCvs89840 | Cedge reboot with UNIX-EXT-SIGNAL: Segmentation fault(11), Process = iosp_vty_100001_dmi_nesd |
| CSCvs90207 | On cEDGE all the BFD session flap if there is a control connection flap to vmanage |
| CSCvs96540 | SDWAN device admin-tech has empty "show running config" in /tech/ios file |
| CSCvs96719 | ASR1k: Unicast DHCPREQUEST dropped when received on a EoGRE tunnel configured with VRF |
| CSCvs98389 | Packet drops in XE-SDWAN because of "IN_CD_COPROC_ANTI_REPLAY_FAIL" errors |
| CSCvs98586 | Skip SDWAN tunnel encapsulated packets in UTD DP and set inspected flag when skipping inspection |
| CSCvs99705 | PKI CLI - no warning that rsakeypair name starting from 0 (zero) is not working for cert regenerate |
| CSCvt01186 | Interface does down when "l2vpn xconnect" command is removed |
| CSCvt01532 | SD-WAN router running 16.10.3 crashes with cpp_cp_svr fault |
| CSCvt02534 | ISR4K Unexpectedly Reboots with CENT-BR-0 |
| CSCvt03264 | UltimaThule: ISR4451 router crashed when template is pushed from vManage |
| CSCvt03869 | Router reloads due to crypto pki crl request <trustpoint-name> during get a fresh copy of CRL |
| CSCvt04864 | cpp_cp_svr fault and fman_fp_image fault on ASR 1002-x routers running 16.12.2r |
| CSCvt05373 | SDWAN device and vmanage is not in sync when manual software reset is done |
| CSCvt10151 | Multiple Cisco Products Snort HTTP Detection Engine File Policy Bypass Vulnerability UTD |
| CSCvt10499 | "Exporter Version" is not correct in the FNF cpp client exporter show command |
| CSCvt11538 | Cisco SD-WAN Solution Software Buffer Overflow Vulnerability |
| CSCvt12299 | XE SD-WAN : Cannot specify the specific vpn except <1-512> in show sdwan app-fwd cflowd flows vpn x |
| CSCvt15167 | Cedge QOS Policy-Map on Parent Interface Maps Traffic to Wrong Queue When Traffic on Sub-Int |
| CSCvt15551 | Crash observed in QFP in ASR1001-X running 16.06.05 when GPM is running low |
| CSCvt19873 | ASR1k:Router stops forwarding traffic with MPLS TE & FRR when member link of port-channel is shut |
| CSCvt21263 | Crash upon delete of virtual-access when virtual-template has "no tunnel protection ipsec initiate" |
| CSCvt21373 | unexpected reload in CPP ucode forced by nat 514 . |
| CSCvt21691 | VLAN1 is allowed on the trunk port even though it is not allowed in configurations of C111 interface |
| CSCvt28541 | XE SD-WAN : cflowd not working after re attaching template |
| CSCvt31561 | TBAR is not disabled in GM when it is disabled in KS |
| CSCvt31588 | CSR on AWS - PAYG Broken in 17.1, 17.2, and Polaris |
| CSCvt33018 | MACsec 128/256 XPN on 40g/100g, stop passing traffic for one of AN and interface link flap seen |
| CSCvt33028 | Part of double encapsulated frames dropped with TunnelDecapTooManyTimes code reason |
| CSCvt33799 | Virtual address not reachable: "mac:0000:0c07:xxxx download to DP failed" for HSRP / VRRP over BDI. |
| CSCvt35947 | Duplicate ipv6 address while connecting to remote client |
| CSCvt37676 | cEdge crashes after changing flow-sampling-interval within a cflow policy |
| CSCvt40523 | GETVPN: KS 16.12.x - COOP switchover causes GMs to immediately use new TEK rekey |
| CSCvt42659 | Possible Regression ISR4K Mgmt Port ACL Breakage or simply Day One Implementation As Designed |
| CSCvt46779 | Route export not working as desired during failover testing |
| CSCvt50461 | cEdge crashes after the push of a template for Umbrella |
| CSCvt52051 | IPsec tunnel is getting established for a backup NHS DMVPN hub |
| CSCvt52168 | SSH Process Thrash During Normal Operations |
| CSCvt52825 | Memory leak in SCCP TLS Client on unexpected deregister event |
| CSCvt53726 | Packet Duplication fails to duplicate packets in Cedge Devices |
| CSCvt54305 | Device crashed after Boost license expire |
| CSCvt59311 | ASR1K crash when modifying crypto keyring configuration |
| CSCvt65588 | FlexVPN IKEv2 Tunnel route removed after establishing new IKEv2 SA to another peer |
| CSCvt67752 | Object (IPv6 ACL ) stuck in forwarding data plane. No ipv6 traffic goes towards the upstream router |
| CSCvt80422 | RTP-NTE to OOB DTMF Interworking Failure over BDI with Dot1q Tagging |
| CSCvu34653 | CSR stuck in Bootloop while upgrading to 17.2.1r on Azure. |
| CSCvu57682 | ASR1001-X 16GB: Kernel crashes repeatedly after upgrading from 16.12.2 to 17.2.1 |
| CSCvu82189 | Enabling guestshell gives "float division by zero" |
| CSCvu89033 | Template push error due to NAT-MIB process helper traceback/warm restart |
| CSCvu54116 | virtio interfaces not discovered by IOS when host MTU config > 1518 |
| CSCvt44918 | Incorrect PMTU programmed for XE SDWAN router tunnel control-plane while data-plane is correct |

Open Bugs for Cisco IOS XE Release 17.3.1a

| Bug ID | Description |
| --- | --- |
| CSCvp24405 | Router crash after adding macsec reply-protection command on an interface |
| CSCvs45107 | AnyConnect fails to reconnect when original session expires |
| CSCvs56559 | show crypto pki server shows wrong expire certificate date |
| CSCvs63606 | Ping fails on hundred gig primary interface with FRR configured though MPLS traffic is not impacted |
| CSCvs65950 | IOS PKI: P12 not generated on IOS Sub CA at rollover certificate generation |
| CSCvs78594 | NAT doesn't translate SIP header's orignial source for return traffic on 16.9.3 and 16.9.4 |
| CSCvs98389 | Packet drops in XE-SDWAN because of "IN_CD_COPROC_ANTI_REPLAY_FAIL" errors |
| CSCvs99705 | PKI CLI - no warning that rsakeypair name starting from 0 (zero) is not working for cert regenerate |
| CSCvt01186 | Interface does down when "l2vpn xconnect" command is removed |
| CSCvt03264 | UltimaThule: ISR4451 router crashed when template is pushed from vManage |
| CSCvt03869 | Router reloads due to crypto pki crl request <trustpoint-name> during get a fresh copy of CRL |
| CSCvt19873 | ASR1k:Router stops forwarding traffic with MPLS TE & FRR when member link of port-channel is shut |
| CSCvt21263 | Crash upon delete of virtual-access when virtual-template has "no tunnel protection ipsec initiate" |
| CSCvt31561 | TBAR is not disabled in GM when it is disabled in KS |
| CSCvt32383 | ASR1000 / RP2 upgrade fails from 16.9.4 to the 16.9.5 |
| CSCvt33018 | MACsec 128/256 XPN on 40g/100g, stop passing traffic for one of AN and interface link flap seen |
| CSCvt35947 | Duplicate ipv6 address while connecting to remote client |
| CSCvt40523 | GETVPN: KS 16.12.x - COOP switchover causes GMs to immediately use new TEK rekey |
| CSCvt50136 | ASR1k - all Platform : Observing IpFragErr for EMIX traffic with basic IPSEC config |
| CSCvt52051 | IPsec tunnel is getting established for a backup NHS DMVPN hub |
| CSCvt52825 | Memory leak in SCCP TLS Client on unexpected deregister event |
| CSCvt59311 | ASR1K crash when modifying crypto keyring configuration |
| CSCvt65588 | FlexVPN IKEv2 Tunnel route removed after establishing new IKEv2 SA to another peer |
| CSCvt97642 | MIP100 - Continous %SCOOBY-5-SERIAL_BRIDGE_BLOCK_EVENT flooding on the console |
| CSCvu57682 | ASR1001-X 16GB: Kernel crashes repeatedly after upgrading from 16.12.2 to 17.2.1 |
| CSCvu59952 | ISR4461: Control Connections over sub-interface are down after upgrade, TX Channel create failure |
| CSCvu59956 | IOS cannot boot with 16.12(1r) or later rommon due to cookie PID field incorrectly programmed |
| CSCvu73323 | AAR policy does not work properly after Poweroff/Poweron Cedge ISR4451 |
| CSCvu81329 | sec policy pushing fail when remove L7 app from rule and action to drop |
| CSCvu85325 | CSR1000V not processing padded and unknown option Hop-by-Hop Options Headers |
| CSCvu92277 | Memory leak observed for FTM process leading to a device crash eventually. |
| CSCvv00899 | Adaptive QoS history record LOCAL-LOSS is always 0 on ISR1000 platform |
| CSCvv05364 | ASR1001-HX, CCP crash due to invalid address accessed by DTL |
| CSCvv05776 | CXP Probe DNS packets are not exiting via correct source interface |
| CSCvv06021 | 20.3 vSmart Failover Induced vManage/Device Connection Failure |
| CSCvv14438 | Azure csr-cedge 17.3.1-throttle (7/16) fresh-deploy crash once@qfp-ucode-csr when shut/no shut Gi1 |
| CSCvv21398 | sdwan multicast cEdge rpf failure even with unicast route present in rib and omp |
| CSCvv22768 | [RM]-Observing router reload after saving the QOS+APP_PERF config in RAMONES |
| CSCvv27215 | SDWAN 17.3/20.3 - SNMP MIB Query for Interface Description OID return only up to 64 characters |
| CSCvu02362 | fmap_fp crash seen on removing utd ssl config with container uninstallation |
| CSCvv43957 | Template push on ISR1k not working due to no authentication timer "reauthenticateError" |
| CSCvv48890 | vAnalytics - Launch vAnalytics not working in Cisco vManage UI |

Interactive Help in Cisco vManage

To access the list of guided workflows for this release, from Cisco vManage, click Interactive Help.

The Interactive Help interface allows you to search for a specific workflow and filter the search results by workflow names.

Figure 1. Interactive Help in Cisco vManage

This release provides guided workflows for the following procedures:

Table 2. List of Workflows Using Cisco vManage 20.3.1

Workflow

Description

Configure Controllers and Devices

Configure Cisco vBond Orchestrator

Configure the Cisco vBond Orchestrator and add it to the overlay network.

Configure Cisco vSmart Controller

Configure a Cisco vSmart Controller to control data traffic flow throughout the network.

Configure Cisco vManage Instance

Configure a Cisco vManage instance by creating a device configuration template and adding it to the overlay network.

Configure Cisco SD-WAN Devices

Configure Cisco IOS XE SD-WAN devices and Cisco vEdge devices by creating configuration templates.

Manage Devices in Overlay Network

Add Devices to the Overlay Network

Add Cisco SD-WAN devices either by using authorized serial numbers or from a Cisco Smart Account.

Decommission Virtual Devices

Decommission a Cisco IOS XE SD-WAN device or Cisco vEdge device to remove the device serial number.

Remove Devices from the Overlay Network

Remove Cisco SD-WAN devices to clear an old device configuration from the Cisco vManage server.

Change Device Values

Change Cisco SD-WAN device configuration by populating the variable values for the device.

Troubleshoot Device Issues

Determine and fix common Cisco SD-WAN device connectivity issues.

Upgrade Devices and Controllers

Install and activate upgraded software for Cisco SD-WAN controllers and Cisco SD-WAN devices.

You cannot use this workflow for:

  • Cisco SD-WAN controller releases earlier than 20.3.1

  • Cisco SD-WAN device releases earlier than 17.3.1a or 20.3.1

Whom to contact for feedback?

We value your opinion. Please send us your feedback at sdwan-workflow-fb@cisco.com.

Compatibility Matrix

Table 3. Compatibility Matrix

| Controllers | ISR1000/ISR4000/ASR1000 | CSR | ISRv (ENCS/CSP) | vEdge | ISR 1100-4G and ISR 1100-6G | ISR1100 - 4GLTENA, ISR1100 - 4GLTEGB | UCS-E Series using External Interfaces | UCS-E Series using Internal Backplane Interfaces** |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 18.4.4 | 16.10.4 and lower versions of 16.10.x and 16.9.x | Not Supported | Not Supported | 17.2.8 or higher up to 18.4.4 | Not Supported | Not Supported | Not Supported | Not Supported |
| 19.2.099 | 16.12.1e and lower versions of 16.12, 16.10.x, and 16.9.x | 16.12.1e and lower versions of 16.12 | 16.12.1a with NFVIS 3.12.3FC4 | 18.4 and 19.2 | 19.2.099 | Not Supported | Not Supported | Not Supported |
| 19.2.1 | 16.12.2r and lower versions of 16.12, 16.10.x, and 16.9.x | 16.12.2r and lower versions of 16.12 | 16.12.1a, 16.12.2r with NFVIS 3.12.3FC4 | 18.3, 18.4, and 19.2 | 19.2.099 and 19.2.1 | 19.2.1 | Supported | Not Supported |
| 19.2.2 | 16.12.3 and lower versions of 16.12, 16.10.x, 16.9.x | 16.12.3 and lower versions of 16.12 | 16.12.3 with NFVIS 3.12.3FC4 | 18.3, 18.4, and 19.2 | 19.2.099, 19.2.1, and 19.2.2 | 19.2.1 and 19.2.2 | Supported | Not Supported |
| 20.1.1 | 17.2.1r, 16.12.x, 16.10.x, and 16.9.x | 17.2.1r and 16.12.x | 17.2.1r with NFVIS 4.1.2 FC2 | 18.3, 18.4, 19.2, and 20.1 | 20.1.1 & lower up to 19.2.099 | 20.1.1 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |
| 20.1.1.1 | 17.2.1r, 16.12.x, 16.10.x, and 16.9.x | 17.2.1v, 17.2.1r and 16.12.x | 17.2.1r with NFVIS 4.1.2.FC2 | 18.3, 18.4, 19.2, 20.1, and 20.1.1.1 | 20.1.1.1 & lower up to 19.2.099 | 20.1.1.1 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |
| 20.1.12 | 17.2.1v, 17.2.1r, 16.12.x, 16.10.x, and 16.9.x | 17.2.1v, 17.2.1r and 16.12.x | 17.2.1r with NFVIS 4.1.2 FC2 | 18.3, 18.4, 19.2, 20.1, 20.1.12 | 20.1.12 & lower up to 19.2.099 | 20.1.12 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |
| 20.3.1 | 17.3.1a, 17.2.1v, 17.2.1r, 16.12.x and 16.10.x | 17.3.1a, 17.2.1v, 17.2.1r and 16.12.x | 17.3.1a, 17.2.1r with NFVIS 4.2.1 FC3 | 18.3, 18.4, 19.2, 20.1, 20.1.12, and 20.3.1 | 20.3.1 & lower up to 19.2.099 | 20.3.1 & lower up to 19.2.1 | Supported | Limited feature support configurable using only Cisco vManage CLI templates |

** Interfaces - ucse x/y/0 and ucse x/y/1

ESXi 6.0 / 6.5

ESXi 6.5 / 6.7

Controller versions 20.3.1 and lower up to 18.4.4

vEdge Cloud- versions 20.3.1 and lower up to 18.4.4

Cisco CSR 1000v- versions 17.3.1a and lower up to 16.10.1

For more information about Cisco CSR 1000v, refer to Release Notes for Cisco CSR 1000V Series, Cisco IOS XE Amsterdam 17.3.x.

For information about Cisco vEdge Cloud Routers, refer to Cisco vEdge Cloud Data Sheet.

ROMmon Requirements Matrix

The following table lists the minimum ROMmon versions supported on the corresponding devices and releases:

Table 4. ROMmon Versions

| Device | ROMmon Version for 16.10 Devices | ROMmon Version for 16.12 Devices | ROMmon Version for 17.2 Devices |
| --- | --- | --- | --- |
| ISR 4000 | 16.7(4r) | 16.12(1r) | 16.12(1r) |
| ISR 1000 | 16.9(1r) | 16.12(1r) | 16.12(1r) |

For ROMmon information for ASR 1000, refer to the Cisco ASR 1000 Series Aggregation Services Routers ROMmon Upgrade Guide.

Table 5. Recommended ROMmon Release for SD-WAN for Cisco ISR 4000 Series Integrated Services Routers (Cisco ISR 4000)

Cisco IOS XE Release

Cisco 4321 ISR

Cisco 4321 ISR

Cisco 4331 ISR

Cisco 4351 ISR

Cisco 4431 ISR

Cisco 4451 ISR

Cisco 4461 ISR

Cisco IOS XE 16.10.x

16.7(5r)

16.7(5r)

16.7(5r)

16.7(5r)

16.7(5r)

16.7(5r)

Cisco IOS XE 16.12.x

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

Cisco IOS XE 17.2.x

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

Cisco IOS XE 17.3.x

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)

16.12(2r)


Note

ROMmon auto-upgrade is supported on the ISR 4000 series routers, beginning with 16.9.1 and all subsequent releases/throttles.



Note

ROMmon auto-upgrade is supported on the ISR 1000 series routers, beginning with 16.10.3 and 16.12.1b.



Note

For the ISR 1000 series routers, ROMmon version 16.8(1r) is not compatible with 16.10 releases and ROMmon version 16.9(1r) is not compatible with 16.9 releases. If an ISR 1000 series router is upgraded to a 16.10 release without auto-upgrade support, the user must upgrade ROMmon to 16.9(1r) or later.


Supported Devices

The Cisco IOS XE SD-WAN software runs on the following devices.

Table 6. Supported Devices and Versions

Device Family

Device Name

Cisco ASR 1000 Series Aggregation Services Routers

  • ASR 1001-HX and ASR 1001-X

  • ASR 1002-HX and ASR 1002-X

Cisco ISR 1000 Series Integrated Services Routers

  • C1101-4PLTEP

  • C1109-4PLTE2P

  • C1109-2PLTEGB

  • C1109-2PLTEUS

  • C1109-2PLTEVZ

  • C1111-8P, C1111-8P LTE EA, and C1111-8P LTE LA

  • C1117-4P LTE EA, C1117-4P LTE LA

  • C1111-4P LTE EA, C1111-4P LTE LA, C1116-4P LTE EA, C1117-4P MLTE EA

  • C1111-4P, C1116-4P, C1117-4P, C1117-4PM, C1101-4P, C1111X-8P (8GB RAM)

  • C1111-4P (1GE/SFP)

  • C1111-4PLTEEA (1GE/SFP,LTE)

  • C1111-4PLTELA (1GE/SFP, LTE)

  • C1111-8P (1GE/SFP,1GE)

  • C1111-8PLTEEA (1GE/SFP,1GE+LTE)

  • C1111-8PLTEA (1GE/SFP,1GE+LTE)

  • C1111-8PLTELAWD (1GE/SFP,1GE+LTE)

  • C1111-8PLTELAWE

  • C1111-8PLTELAWF (1GE/SFP,1GE+LTE)

  • C1111-8PLTELAWH (1GE/SFP,1GE+LTE)

  • C1111-8PLTELAWN (1GE/SFP,1GE+LTE)

  • C1111-8PLTELAWQ (1GE/SFP,1GE+LTE)

  • C1111-8PLTELAWS

  • C1111-8PLTELAWZ (1GE/SFP,1GE+LTE)

  • C1111-8PWS

  • C1111X-8P (1GE/SFP,1GE)

  • C1121-4P

  • C1121-4PLTEP

  • C1128-8PLTEP (SHDSL)

  • C1111-8PLTEEAWA

  • C1113-8PMLTEEA

  • C1113-8PLTEEA (G.Fast Over POTS +1GE/SFP+LTE)

  • C1113-8PMLTEEA (G.Fast Over POTS Annex M +1GE/SFP+LTE)

  • C1116-4P (VA-DSL Annex B & J or 1GE/SFP)

  • C1116-4PLTEEA (VA-DSL Annex B & J or 1GE/SFP+LTE)

  • C1117-4P (VA-DSL Annex A or 1GE/SFP)

  • C1117-4PLTEEA (VA-DSL Annex A or 1GE/SFP+LTE)

  • C1117-4PLTEA (VA-DSL Annex A or 1GE/SFP+LTE)

  • C1117-4PM (VA-DSL Annex M or 1GE/SFP)

  • C1117-4PMLTEEA (VA-DSL Annex M or 1GE/SFP+LTE)

  • C1121X-8P, C1121X-8PLTEP

  • C1121-8P

  • C1121-8PLTEP

  • C1126X-8PLTEP

  • C1127X-8PLTEP, C1127X-8PMLTEP

  • C1161X-8P

  • C1161X-8PLTEP

  • C1126-8PLTEP

  • C1127-8PLTEP

  • P-LTEAP18-GL

  • Pluggable modules: CAT6 LTE Advanced P-LTEA-EA(=), CAT6 LTE Advanced P-LTEA-LA(=)

  • P-LTE-VZ

  • P-LTE-US

  • P-LTE-GB

  • P-1T(=)

Cisco ISR 1000 Series Integrated Services Routers with wireless services (WLanGigabitEthernet configuration required from vManage)

  • C1111-8PWY (1GE/SFP,1GE+WLAN) (WiFi domain WY; Y = A, B, E, F, H, N, Q, R, Z)

  • C1111-8PLTEEAWX* (1GE/SFP,1GE+LTE) (WiFi domain WX; X = A, B, E, R)

  • C1111-8PLTELAWY* (WiFi domain WY; Y = D, F, H, N, Q, Z, S, E, and A)

  • C1101-4PLTEPWX* (WiFi domain WX; X = A, B, D, E, Z)

  • C1109-4PLTE2PWZ* (WiFi domain WZ; Z = A, B, D, E, Q, R, Z)

  • C1121-8PLTEPWX* (WiFi domain WX; X = B, E, Z, Q)

  • C1121X-8PLTEPWZ* (WiFi domain WZ; Z = B, E, Z, A)

Cisco ISR 4000 Series Integrated Services Routers

ISR 4221, ISR 4221-X, ISR 4321, ISR 4331, ISR 4351, ISR 4431, ISR 4451, ISR 4461

Cisco CSR 1000v Series Cloud Services Routers

CSR 1000v

Cisco 5000 Series Enterprise Network Compute System

  • ENCS 5104, ENCS 5406, ENCS 5408

  • ENCS 5412 with T1/E1 and 4G NIM modules

Cisco UCS E Series M2 servers

  • UCS-EN120S-M2/K9

  • UCS-EN140N-M2/K9

  • UCSE-140S-M2/K9

  • UCSE-160D-M2/K9

  • UCSE-180D-M2/K9

Cisco UCS E Series M3 servers

  • UCSE-160S-M3/K9

  • UCSE-180D-M3/K9

  • UCSE-1120D-M3/K9

Cisco IR1101 Integrated Services Router Rugged

Cisco SD-WAN capability can now be enabled on Cisco IR1101 Integrated Services Router Rugged.

  • IR1101-K9

  • IR1101-A-K9

Table 7. Supported Modules on Cisco 4000 Series Integrated Services Routers

Interfaces

Type

L3–Routed Ports

NIM-1GE-CU-SFP

NIM-2GE-CU-SFP

SM-X-6X1G

SM-X-4X1G-1X10

VDSL/ADS

NIM-VAB-A

NIM-VAB-M

3G/4G Modules

NIM-LTEA-EA

NIM-LTEA-LA

LAN–NIM & SM-X Modules

NIM-ES2-4

NIM-ES2-8

NIM-ES2-8-P

Analog Voice Network Interface Modules

NIM-2FXO

NIM-4FXO

NIM-2FXSP

NIM-4FXSP

NIM-2FXS/4FXOP

SM-X-24FXS/4FXO

SM-X-16FXS/2FXO

SM-X-8FXS/12FXO

SM-X-72FXS

T1, E1, and G.703 Multiflex Trunk WAN Interface Cards

NIM-1MFT-T1/E1 (Data or Voice)

NIM-2MFT-T1/E1 (Data or Voice)

NIM-4MFT-T1/E1 (Data or Voice)

NIM-8MFT-T1/E1 (Data or Voice)

NIM-1CE1T1-PRI (Voice)

NIM-2CE1T1-PRI (Voice)

NIM-8CE1T1-PRI (Voice)

Cisco 1-Port Serial WAN Network Interface Card (NIM-1T)

Packet Voice Digital Signal Processor Modules (PVDMs)

PVDM4-32

PVDM4-64

PVDM4-128

PVDM4-256

SM-X-PVDM-500

SM-X-PVDM-1000

SM-X-PVDM-2000

SM-X-PVDM-3000