HPE Distributed Cloud Networking 4.0R2 Release Notes

Author: Joy Jenkins

Abstract
This document contains supplemental information for the 4.0R2 release.

Part Number: 5200-2040
Published: July 2016
Edition: 1

© Copyright 2016 Hewlett Packard Enterprise Development L.P. Confidential computer software. Valid license from HPE required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HPE products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HPE shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments
Microsoft®, Windows®, Windows® XP, and Windows NT® are trademarks of the Microsoft group of companies. Java is a registered trademark of Oracle and/or its affiliates.

Contents

1 HPE Distributed Cloud Networking (DCN) 4.0R2 Release Notes
  Description
  Version history
  DCN Release 4.0R2 software packages
  DCN component requirements
    HPE VSD requirements
    HPE VSC requirements
    HPE VRS requirements
    CMS integrations
  Installation and upgrade notes
    Passphrase less SSH
    Enforcing IPv4 and preventing IPv6
      Configuring to favor IPv4
      Turning off IPv6
    Licensing
  Deprecated Features
  Enhancements
    Release 4.0R2 (Release private)
      OpenStack
      CloudStack
      OpenShift
      vCenter
    Release 4.0R1
      DCN core
      CloudStack
      vCenter
    Release 3.2R7
    Release 3.2R6
      LACP fallback support for LAGs
      HPE VSD monitoring improvements
      CloudStack 4.3 Plugin enhancements
      CloudStack 4.4 Plugin enhancements
      OpenStack Liberty enhancements
      OpenStack File enhancements
    Release 3.2R5
      HPE DCN core
      OpenStack
      CloudStack 4.3
      Docker
      VMware
    Release 3.2R4
      DCN
      OpenStack
      VMware
    Release 3.2R3
      DCN
      OpenStack
      CloudStack
    Release 3.2R2
      DCN
      Application Designer
      CloudStack
      OpenStack
      VMware
    Release 3.2R1
      ACL
      ACL Sandwich
      Commit/Rollback
      ECMP and static routing
      Floating IP rate limiting
      LDAP and AD support
      OpenFlow
      PAT/NAT without gateway
      Secure XMPP channel
      Shared Network Resources
      Syslog reporting
  Fixes
    Release 4.0R1
    Release 3.2R7
    Release 3.2R6
    Release 3.2R5
    Release 3.2R4
    Release 3.2R3
    Release 3.2R2
    Release 3.2R1
  Issues and suggested actions
    Support limitations
    Monit logs
    HPE VSD
    HPE VSD Architect
    HPE DCN
    VRS
    VRS/VRS-G data path
    VMware
    OpenStack
    CloudStack
    Static routes
    Hardware
    RADIUS
    TACACS+
    OVSDB
    CLI
    Management
    Routing
    TCP Authentication Extension
    IS-IS
    OSPF
    BGP
    VPRN/2547
  Usage notes
    Management
    Disallowed IP prefixes
    System
    CLI
    Routing
    IS-IS
    BGP
    Yum update
      Pinning the repository to the HPE VSD-supported operating system versions
        For CentOS 6.6
        For RHEL 6.6
        For RHEL 7.1
  Upgrade information
  Post-upgrade activities
  Contacting HPE
  HPE security policy
  Related information
    Documents
    Websites
  Documentation feedback

1 HPE Distributed Cloud Networking (DCN) 4.0R2 Release Notes

Description
This release note covers software versions for the 4.0 branch of the software.

Version history
All released versions are fully supported by Hewlett Packard Enterprise, unless noted in the table.

| Version number | Based on | Remarks |
|---|---|---|
| 4.0R2 | 4.0R1 | Released, fully supported, and posted on the web. |
| 4.0R1 | 3.2R7 | Released, fully supported, and posted on the web. |
| 3.2R.7 | 3.2R6 | Released, fully supported, and posted on the web. |
| 3.2R.6 | 3.2R5 | Never released. |
| 3.2R.5 | 3.2R4 | Released, fully supported, and posted on the web. |
| 3.2R4 | 3.2R3 | Released, fully supported, and posted on the web. |
| 3.2R3 | 3.2R2 | Released, fully supported, and posted on the web. |
| 3.2R2 | 3.2R1 | Released, fully supported, and posted on the web. |
| 3.2R1 | 3.0R8 | Released, fully supported, but not posted on the web. |
| 3.0R8 | 3.0R7 | Released, fully supported, and posted on the web. |
| 3.0R7 | 3.0R6 | Released, fully supported, and posted on the web. |
| 3.0R6 | 3.0R5 | Released, fully supported, and posted on the web. |
| 3.0R5 | 3.0R4 | Released, fully supported, and posted on the web. |
| 3.0R4 | 3.0R3 | Released, fully supported, and posted on the web. |
| 3.0R3 | 3.0R2 | Released and fully supported. |
| 3.0R2 | Initial release | Initial release of Release 3.0, fully supported. |

DCN Release 4.0R2 software packages

| Component | Filename | Description |
|---|---|---|
| HPE Virtualized Services Directory (HPE VSD) | DCN-VSD-QCOW-4.0R2.zip | HPE VSD software ZIP archive for KVM hypervisor deployment. This also includes the Docker Monitor (RPM package to support Docker containers with DCN) and VSPK (Open Development Kit) packages. |
| | DCN-VSD-OVA-4.0R2.zip | HPE VSD software ZIP archive for OVA deployment. This also includes the Docker Monitor (RPM package to support Docker containers with DCN) and VSPK (Open Development Kit) packages. |
| | DCN-VSD-ISO-4.0R2.zip | HPE VSD software ZIP archive ISO image for bare metal deployment. This also includes the Docker Monitor (RPM package to support Docker containers with DCN) and VSPK (Open Development Kit) packages. |
| HPE Virtualized Services Controller (HPE VSC) | DCN-VSC-4.0R2.zip | HPE VSC software ZIP archive |
| Virtual Routing and Switching (VRS) Gateway | DCN-VRS-GW-4.0R2.zip | VRS Gateway software ZIP archive |
| Virtual Routing and Switching (VRS) for VMware | DCN-VRS-VMware-4.0R2.zip | VRS VMware software ZIP archive |
| Virtual Routing and Switching (VRS) for KVM | DCN-VRS-KVM-4.0R13.2R7.zip | VRS KVM software ZIP archive |

Software and dependency packages related to the HPE DCN integration with Helion OpenStack, and Helion Carrier Grade OpenStack as part of the OpenStack plugin for HPE DCN, are supported directly by Helion. Contact your local Helion sales and support representative for more information.

DCN component requirements

HPE VSD requirements
The HPE VSD software can run in one or more servers depending on performance and availability requirements. The list below describes the requirements for a single system server configuration. Contact Hewlett Packard Enterprise for guidance on larger scale deployments. HPE VSD can be installed on a bare metal server or in a VM running on any of the following hypervisors:

Table 1 VSD

| Hypervisor | Supported |
|---|---|
| ESXi 5.5 | Yes |
| ESXi 6.0 | Yes |
| CentOS 6.x/KVM | Yes |
| RHEL 6.x/KVM | Yes |
| RHEL 7.x/KVM | Yes |

Installed system: 64-bit OS
• RHEL 6.7 (minimal install)
• CentOS 6.7 (minimal install)

CPU
Any AMD Opteron or Intel E5/E7 series Xeon processor or better with six or more logical cores, each with a speed of 2.6 GHz or higher

RAM
Minimum 24 GB

Mass storage
• 100 GB for HPE VSD software and supporting software packages.
• If statistics collection is used, a separate partition or virtual disk is required to store the statistical data.
• Contact Hewlett Packard Enterprise for details and recommended sizing based on the number of VMs and frequency of statistics collection.

NTP
The server must run NTP to ensure the event notifications passed between the components have the proper timestamp.

Table 2 HPE VSD Stats VM requirements

| Hypervisor | Supported |
|---|---|
| ESXi 5. | Yes |
| ESXi 5.5 | Yes |
| ESXi 6.0 | Yes |
| CentOS 6.x/KVM | Yes |
| RHEL 6.x/KVM | Yes |
| RHEL 7.x/KVM | Yes |

Table 3 HPE VSD Stats VM specifications

| Hypervisor | Supported |
|---|---|
| Operating system | RHEL 7.2 |
| Disk | 100 GB |
| CPU | 6 or more logical cores |
| Memory | 16 GB |

HPE VSC requirements

Table 4 ESXi

| Hypervisor | Supported |
|---|---|
| ESXi 5.5 | Yes |
| ESXi 6.0 | Yes |

Table 5 KVM

| Hypervisor | Supported |
|---|---|
| CentOS 6.5 | Yes |
| CentOS 6.6 | Yes |
| CentOS 7.0 | Yes |
| CentOS 7.1 | Yes |
| CentOS 7.2 | Yes |
| RHEL 6.5 | Yes |
| RHEL 6.6 | Yes |
| RHEL 6.7 | Yes |
| RHEL 7.0 | Yes |
| RHEL 7.1 | Yes |
| RHEL 7.2 | Yes |

CPU
A processor from any AMD Opteron or Intel E5/E7 series Xeon processor or better with:
• Required:
  • Four or more physical cores
  • Intel Extended Page Tables (EPT) must be disabled in the KVM kernel module
• Recommended: Processors with higher cores
• Important: Hyperthreading must be disabled to achieve the best use of the physical cores
• Best performance: Achieved with higher L3 cache and higher clock speed versions

Ethernet Chipset
• Any Ethernet 1GB or better NIC supported by the hypervisor (two physical NICs recommended)
• Two emulated E1000 NICs to be provided by the hypervisor

Physical Memory
8 GB of ECC memory with higher speed RAM (DDR3 133/1600) recommended

HPE VSC VM
• Virtual Machine memory: 4 GB. Any memory in excess of 4 GB will not be used by the HPE VSC.
• Mass storage: 2 GB of available mass storage (CompactFlash, SSD, or hard drive) for use by the HPE VSC VM as emulated disks.
• NTP: the server must run NTP to ensure the event notifications passed between the DCN components have the proper timestamps

HPE VRS requirements
HPE DCN ships with an optional Open vSwitch kernel module that enables MPLS over GRE. Native VXLAN-only Open vSwitch kernel modules in the supported distributions are compatible.

Table 6 KVM

| Hypervisor | Supported | Native | DKMX (MPLSoGRE) | Kernel version |
|---|---|---|---|---|
| RHEL/CentOS 6.6 * | Yes | Yes | Yes | 2.632-504.16.2 |
| RHEL/CentOS 7.1 | Yes | Yes | Yes | 3.10.0-229.20.1 |
| RHEL/CentOS 7.2 | Yes | Yes | Yes | 3.10.0-327.4.4 |
| Ubuntu 14.04.2 | Yes | Yes | Yes | 3.16.0-43 |
| SUSE Linux Enterprise 11 SP3 | Yes | Yes | No | 3.0.101-0.47.52 |

* Deprecated. Will be removed in a future release.

Table 7 Docker

| Hypervisor | Supported | Native | DKMX (MPLSoGRE) | Kernel version |
|---|---|---|---|---|
| RHEL 7.1/Docker 1.10.1 | Yes | Yes | No | 3.10.0-229.1.2 |
| RHEL 7.2/Docker 1.10.1 | Yes | Yes | No | 3.10.0-327.4.4 |
| Ubuntu 14.04.2/Docker 1.10.1 | Yes | Yes | No | 3.16.0-43 |

Table 8 ESXi

| Hypervisor | Supported |
|---|---|
| ESXi 5.5 | Yes |
| ESXi 5.5 u2 | Yes |
| ESXi 6.0 | Yes |

CMS integrations

Table 9 CMS support matrix

| OpenStack Kilo | Ubuntu Cloud Archive 14.04 |
| OpenStack Kilo | Red Hat OSP 7 |
| OpenStack Kilo | Mirantis 7 |
| OpenStack Liberty | Ubuntu Cloud Archive 14.04 |
| OpenStack Liberty | Red Hat OSP 7.0 |
| OpenStack Mitaka | Ubuntu Cloud Archive 14.04 |
| OpenStack Mitaka | RDO 9.0 (demo) |
| CloudStack | Apache CloudStack 4.3 and 4.5 |
| VMware | VMware vSphere vCenter 5.5 and 6.0 |

Table 10 Hypervisor/OpenStack compatibility matrix

RHEL OpenStack | Ubuntu | Mirantis 7
OSP 7 | OSP 8
Kilo | Liberty | Kilo | Liberty | Mitaka | Kilo

| KVM/CentOS/RHEL 6.5, 6.6 | No | N/A | N/A | N/A | N/A | N/A |
| KVM/CentOS/RHEL 7.1 | Yes | Yes | N/A | N/A | N/A | N/A |
| KVM/CentOS/RHEL 7.2 | Yes | Yes | Demo | N/A | N/A | N/A |
| KVM/Ubuntu 14.04 | N/A | N/A | N/A | Yes | Yes | Yes |
| ESXi 5.5 | Yes | Yes | Yes | Yes | Yes | Yes |
| ESXi 6.0 | Yes | Yes | Yes | Yes | Yes | Yes |

Table 11 Hypervisor/CloudStack compatibility matrix

| | CloudStack 4.3 | CloudStack 4.5 | CloudStack 4.8 |
|---|---|---|---|
| KVM/CentOS/RHEL 6.5, 6.6 | Yes | No | Yes |
| KVM/CentOS/RHEL 7.1 | No | Yes | No |
| KVM/CentOS/RHEL 7.2 | No | Yes | No |
| ESXi 5.5 | Yes | No | No |

Installation and upgrade notes

Passphrase-less SSH
In HPE DCN Release 3.2R1 and later, passphrase-less SSH root login is required between all HPE VSD hosts in a cluster deployment. Refer to the installation guide for details on how to create the required SSH keys and how to distribute them to the different HPE VSD cluster nodes. In Release 3.2R2, the hadoop and vsd users do not require passphrase-less SSH login. Therefore, when upgrading from a previous release, the SSH access must be blocked for those users by removing the SSH keys from the SSH authorized keys and deleting the keys from the hosts.

Enforcing IPv4 and preventing IPv6
Beginning in HPE DCN Release 3.2R1, you must enforce IPv4 and prevent IPv6 before installing HPE VSD. You can either configure to favor IPv4 or turn off IPv6, or you can do both.

Configuring to favor IPv4 Run the following command to append precedence to gai.conf: cat >> /etc/gai.conf open-flow



config>vswitch-controller>open-flow auto-peer



config>vswitch-controller>xmpp

PAT/NAT without gateway
For Internet access, new software or hardware gateways (GWs) are usually necessary to translate the encapsulations and control plane procedures for the service overlays on which the HPE DCN solution is based (HPE VSD Layer 2, VXLAN and Layer 3 dVRS). Enabling the required gateway (GW) functions (IP VPN or VXLAN) normally needs either a physical edge (PE) class GW deployed in the data centers (DCs) or, for existing GWs, software upgrades and newly defined procedures. In release 3.2R1, HPE DCN provides Source Network Address Translation (SNAT, commonly known as Port Address Translation (PAT)) capability that allows external access to DCs without a PE class GW.

Secure XMPP channel
XMPP is used as a communication channel between the HPE VSCs and the HPE VSD. Financial institutions mandate a security policy that requires any connection between management and system components to be encrypted.

The ejabberd server running in the HPE VSD can be configured in two modes: clear and allow.

When running in clear mode, the ejabberd server only accepts non-authenticated and non-encrypted connections from the ejabberd clients. All HPE VSCs are configured to use XMPP in clear text.

When running in allow mode, the ejabberd server accepts both non-encrypted connections and TLS connections. HPE VSCs can be configured using either TLS authentication and encryption or a clear connection.

After a fresh 3.2R1 installation, the HPE VSD is configured using the clear mode. The allow mode can be activated post installation. The allow mode requires generating certificates for the ejabberd server.

In addition:
• VRS certificate revocation using OCSP; Certificate Revocation List (CRL) is supported.
• In addition to the previously supported “clear” and “allow” modes, you can configure the XMPP server in “require” mode where the server accepts only TLS connections.
• The HPE VSC CLI enables you to configure different security profiles per application (OpenFlow, OVSDB and XMPP).
• There is a unique CLI to enable the use of TLS in the HPE VSC. Once TLS is enabled, it is used for both OpenFlow and XMPP connections.

  config>vswitch-controller>open-flow
  config>vswitch-controller>open-flow auto-peer
  config>vswitch-controller>xmpp
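
The clear, allow and require modes described above can be told apart from outside by what the XMPP server advertises in its stream features (STARTTLS, RFC 6120). The following Python is an added example, not HPE code: it classifies a captured server greeting and lists servers weaker than a required mode. The mapping of the ejabberd modes to the advertisement, port 5222 and the `vsd-*.example` names and captures are assumptions constructed for illustration.

```python
"""Classify an XMPP server's TLS posture from its <stream:features>."""
import re
import socket
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
RANK = {"clear": 0, "allow": 1, "require": 2}  # weakest to strongest

_FEATURES_RE = re.compile(
    r"<stream:features\s*/>|<stream:features\b[^>]*>.*?</stream:features>",
    re.DOTALL,
)


def classify_capture(raw):
    """Map the first <stream:features> in a raw server greeting to a mode.

    Assumed mapping: no <starttls/> -> clear, <starttls/> -> allow,
    <starttls><required/></starttls> -> require.
    """
    match = _FEATURES_RE.search(raw)
    if match is None:
        raise ValueError("no <stream:features> element in capture")
    # The stream: prefix is declared on the unclosed stream header, so wrap
    # the fragment in an element that redeclares it before parsing.
    wrapped = "<wrap xmlns:stream='%s'>%s</wrap>" % (NS_STREAMS, match.group(0))
    features = ET.fromstring(wrapped)[0]
    starttls = features.find("{%s}starttls" % NS_TLS)
    if starttls is None:
        return "clear"
    if starttls.find("{%s}required" % NS_TLS) is not None:
        return "require"
    # TLS is offered but optional: a clear-text client still connects, so
    # this mode does not by itself guarantee an encrypted channel.
    return "allow"


def audit(captures, minimum="require"):
    """Return [(name, mode)] for every server weaker than `minimum`."""
    findings = []
    for name, raw in captures.items():
        mode = classify_capture(raw)
        if RANK[mode] < RANK[minimum]:
            findings.append((name, mode))
    return findings


def probe(host, domain, port=5222, timeout=5.0):
    """Open a stream to a server you administer and classify its greeting.

    Port 5222 is the standard XMPP client port (assumption for this setup).
    """
    header = (
        "<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
        "xmlns:stream='%s' version='1.0'>" % (domain, NS_STREAMS)
    )
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode("utf-8"))
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return classify_capture(buf.decode("utf-8", "replace"))


# Constructed sample greetings, one per mode (not captured from a real VSD).
_HEADER = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "from='vsd.example' id='c0ffee' version='1.0'>"
)
_SASL = (
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
)
SAMPLES = {
    "vsd-clear.example": _HEADER + "<stream:features>" + _SASL
    + "</stream:features>",
    "vsd-allow.example": _HEADER + "<stream:features><starttls xmlns='%s'/>"
    % NS_TLS + _SASL + "</stream:features>",
    "vsd-require.example": _HEADER + "<stream:features><starttls xmlns='%s'>"
    "<required/></starttls></stream:features>" % NS_TLS,
}

if __name__ == "__main__":
    for name, mode in audit(SAMPLES):
        print("%s: XMPP mode %r is weaker than 'require'" % (name, mode))
```
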

Shared Network Resources
HPE DCN supports Shared Network Resources of types Floating IP, L3 Subnet and L2 Subnet. These shared networks are accessible to any organization in the system. Releases 3.0R7 and 3.2R1 introduced per-organization permissions on Shared Network Resources, meaning that shared network resources can be restricted for use by a specified organization.

Syslog reporting
Syslog, the widely used standard for logging, allows for separation of the systems that generate the logs, store the logs, and analyze the logs. Starting with release 3.2R1, the HPE VSD has a syslog server that collects the following types of system information:
• Events related to the HPE VSD Objects (CRUD operations)
• Events related to the health of the HPE DCN System
• Alarms such as Threshold Crossing Alarms (or TCAs) generated from the statistics collection module

Fixes

Release 4.0R1
• Updating a router with more than 8 extra routes to the same destination, or routes with invalid CIDR will cause the command to fail and leave that router in a state where it can no longer be updated. This has been resolved.
• Open TSDB and the stats collector are susceptible to flapping due to a network event that causes Monit to misinterpret Hadoop status. This issue is resolved with the statistics architecture change.
• Under certain conditions, the output section of the Monit UI for opentsdb-status shows “no output”. This can be ignored.
• opentsdb-status sometimes displays status failed due to Hadoop file system corruption. This issue is resolved with the statistics architecture change.
• The first counter report received by any of the statistics collectors in HPE VSD will be discarded as this packet is used to trigger a metadata lookup on VSD that is then cached. Subsequent packets will find the metadata in the cache and thus be properly stored in the statistics database. This issue is resolved.

Release 3.2R7

22



In OpenStack Icehouse and Juno releases, when creating a subnet using the Neutron subnet create CLI with -–tenant-id, the tenant id is erroneously taken from the environment context instead of using the command line value.



Release 3.2R7 introduces new router parameters backhaul-rt and backhaul-rd to support multi-HPE VSD router interconnect.



When a vPort is confgured with only a BUM rate limiter, the VRS became unresponsive when the VM starts to send traffic. This has been corrected.



When a redirection target is used in a forwarding policy and is assigned to a different vPort, the forwarding policy is not updated to reflect this change. Workaround: update the forwarding policy manually.



It is now possible to create a shared resource uplink subnet before creating the associated FIP or L3 shared resource.



The bootPercona.py script has been improved to avoid inadvertent false detection of mysqld already running.



The key server depends internally on Zookeeper to distribute keys. If Zookeeper is not up, keyserver-status shows status failed.




It is now possible to set the sharedResourceParentID on an L3 shared network resource (type PUBLIC). This allows multiple L3 shared network resources to be associated to the same uplink subnet and to the same uplink subnet as a FIP domain.



Updated versions of glibc to mitigate CVE-2015-7547 have been added to HPE VSD and NSG images.



During the upgrade process, when executing turn-on-api, the script originally required the existence of the ISO mount point originally created to upgrade the HPE VSD in order for the execution to succeed. This has been corrected.

Release 3.2R6

Creation of loadbalancer when using neutron-lbaas-agent on Debian/Ubuntu is working from OpenStack Liberty release.



Deleting the lbaas-listener will not kill the spawned haproxy process. This is an upstream bug (https://bugs.launchpad.net/neutron/+bug/1450474) and the fix has gone into Liberty.



LBaaS: Booting a nova VM on the Loadbalancer VIP port is a blocked action in Kilo 2015.1.2 and in Liberty.



When creating an ingress or egress ICMP rule in OpenStack, that rule now creates unidirectional ICMP allow rules in both directions. Previously only one unidirectional was created, so the return ICMP packet was dropped.



If a Managed L2 Shared Resource is linked to an L2 Domain and then exposed as an HPE VSD-managed subnet, the IP address allocated on OpenStack is different from the IP address allocated on HPE VSD. This issue has been resolved.



ML2 mechanism driver for HPE VSD-managed subnets is not supported in Liberty beta release.



The HPE OpenStack plugin now allows deletion of ports if the subnet has been deleted on HPE VSD.



In OpenStack Kilo and Liberty releases, when creating a subnet using the Neutron subnet create CLI with --tenant-id, the tenant-id now uses the value passed by --tenant-id.



The limitation of having an IP address in the BoF for an in-band connection from HPE VSC to HPE VSD has been fixed.



Statistics on reflexive ACLs can now be enabled. Previously, doing so resulted in duplicate rows in the statistics database, preventing statistics being retrieved for that object. This issue has now been resolved.



In the HPE VSD UI, the cluster license shows up in the standard license panel. This issue has been resolved.



In the case of OpenTSDB failure (opentsdb-status displaying Status failed), see the OpenTSDB recovery procedure in the DCN User Guide.



When a process is stopped by Monit, under certain conditions it continues to show up in the ps table. This is now resolved.



The HPE VSD cluster installation/upgrade script’s question “What is the fully qualified domain name for the load balancer of HPE VSD stats (if any) (default=none)” has been deprecated and removed.



The status for HPE VSC up/down is displayed on the monitoring console. According to the design, HPE VSD checks the status of the HPE VSC at a default interval of 25 minutes (1500). The probe interval can be changed from the system config to a minimum value of 10 minutes (600).



Threshold crossing alarms (TCA) are fixed in 3.2R6.



The values shown in the Zone Statistics view do not amount to the sum of those shown in the Statistics views for the various sub networks. The system now provides the correct total sums.



The HPE VSD install script prompts unnecessarily for an FQDN for the load balancer in redundant HA installation. This issue has now been resolved.



In the HPE VSD GUI, in the design view for the bridge/host port, the port selection window lists no more than 50 ports. This issue has now been resolved.



Issues with repo reachability cause failures in the package removal portion of the installation/upgrade process. This has now been resolved.



The stats_collector could mis-read received messages and parse an illegal or incorrect length, causing memory buffer exhaustion. The stats_collector’s logic has been enhanced to deal with these mis-alignment cases.



A memory leak in ovs-vswitchd when ACL Stats logging is enabled has been fixed.

Release 3.2R5

The following issues were resolved in Release 3.2R7.



Static routes did not allow /1 network masks.



Traffic subject to a redirection policy also belonging to vports which had a FIP address applied to them incorrectly performed the redirection action by applying the FIP address translation to the source IP of the packet.



Certain restrictions related to the use of DHCP on L3 shared subnets with OpenStack Kilo releases have been removed and the integration has been simplified. For more details, see the corresponding OpenStack Kilo plugin guide.



Installation of the HPE VSD ISO on RHEL 6.5 or 6.6 failed due to missing dependencies. The installer automatically installs the missing dependencies from the configured RHEL repository.



UI-created subnets have a correct default setting value of INHERITED.



Updating a static route IP on one hypervisor caused the UI to show it on all hypervisors. Static IP route configuration from the deployment toolbox UI has a problem whereby all profiles show the same configuration.



The UI now gives a warning in the VMWare deployment Toolbox when connectivity is bridged to the underlay.



The HPE VSC CLI now allows the configuration of different security profiles per application (Openflow, OVSDB and XMPP).



Statistics collection could result in exhaustion of row-ids due to excessive use.



If an object was deleted in HPE VSD, the corresponding object in OpenStack could be deleted, even though the HPE VSD object doesn’t exist.



Updating the subnet name in Neutron now updates the HPE VSD description for OpenStack-managed subnets.



If Security Policy was manually modified for an HPE VSD domain containing an OpenStack-managed subnet, applying a security group to a port on that subnet would fail, leaving extraneous configuration on HPE VSD. HPE VSD configuration is now rolled back if a partial failure occurs.



Using Neutron to update permissions on a private network to shared now sets the permissions correctly.




Traffic between two bridge ports on VRS-G did not hit egress Policy-Group to Policy-Group Security Policy Rules. If enforcement of traffic between bridge ports was required, Ingress Security Policy Rules had to be used.



“Network Uplink Interface” IP and Gateway information were not deleted from VRS after being removed from the Deployment toolbox profile for that VRS.



While creating a profile for a VRS, you had to make sure that the personality field was set to “VRS” and not “VRS-G”.



Fresh Install of an EAM with an updated ovf did not deploy the new VRS version. This occurred if a deployment toolbox node was registered with a vCenter server and you lost or shut down the deployment toolbox node, and then brought up a new deployment toolbox node.



Portgroup metadata could not be used to assign Layer 2 metadata for guest VMs.



When you changed from a network offering with DNS to a network offering without DNS, VMs did not lose DNS information. The hostname of the running VMs was not removed if the network offering was changed from an offering with internal DNS to an offering without internal DNS. Newly created VMs would not have the CloudStack-assigned hostname.



Audit ignored the default Ingress deny rule that is created when there is at least one allow ingress rule. As a result, Audit would not report the default deny rule if it was not available on the HPE VSD. It would not report the default deny rule even if it reported an allow rule should be added.



The previous audit configuration settings made the audit of a large deployment very slow.

Release 3.2R4

The following issues were resolved in Release 3.2R4.

You can use CloudStack to update the PAT-enabled flag of the existing Isolated Networks in HPE VSD. To do so, enable (set to true) the global setting nuage.sourcenat.enabled at zone level, and restart the existing isolated networks. This was not possible for existing VPC networks, even after you restart the existing VPC networks/tiers in CloudStack.



There was a discrepancy between FIP pool subnets in HPE VSD and corresponding VLAN IP ranges in CloudStack while deleting and recreating them through CloudStack. This was because the FIP subnet in HPE VSD did not get deleted when the corresponding VLAN IP range was deleted in CloudStack. Workaround: Run Audit/Sync in between deleting and recreating the vlanIpRange, as Audit/Sync will delete the HPE VSD Shared Resource corresponding to the deleted CS vlanIpRange.



When a user created a VM in multiple networks and selected one network as the default, DCN did not orchestrate this network as the default at the actual VM route level.



RHEL 7.1 nova-compute nodes on which the DCN metadata agent is enabled might get stuck on boot and show the error message "A start job is running for Nuage Openvswitch" when selinux was set to permissive.



When you restart openvswitch in a CloudStack-managed KVM hypervisor, manual intervention is no longer required to enable VM creation.



When HPE VSC OpenFlow was down for more than one minute, a Docker created during this time did not get an IP after OpenFlow was up.



RHEL 7.1 Docker nodes with selinux set to permissive might get stuck on boot and show the error message "A start job is running for Nuage Openvswitch".



The name of a Network Macro Group no longer must be unique across different enterprises.



OpenTSDB log files in /var/log/opentsdb are now rotated by rsyslogd.

Release 3.2R3

The following issues were resolved in Release 3.2R3.

You can use the Neutron floatingip-update command to update the floating IP rate limit.



When a VM is migrated in a VMware environment, the VM is no longer renamed and no longer starts using the vmx file location as the name. Previously, this could prevent the migrated VM from being removed from VRS on the old hypervisor.



ESXi and vCenter 6 are now supported.



Required mode is now supported for XMPP authentication.



In a multiple node failure with a very large database (>100000 VMs), an HPE VSD instance now recovers without manual intervention.



Restarting the vCenter Integration node no longer removes all VRS Agent VMs.



Static routes on a FIP domain using a VM’s FIP as next-hops are now supported and do not cause a packet destined to the static-route to be generated with an invalid destination MAC address.



VM resolution no longer fails when SELinux is enabled.

Release 3.2R2

The following issues were resolved in Release 3.2R2.

If you run show vswitch-controller vports type vm detail on a VPort with a forwarding policy rule applied, the command repeats continuously until the CLI session is closed.



In certain scenarios, static routes being advertised through BGP-EVPN from the HPE VSC might not be withdrawn after the end-point hosting the next hop is removed from the system. Depending on the particular user’s configuration and if the route is part of an ECMP set, partial traffic blackholing could occur.



Creating and deleting long filenames no longer corrupts the directory.



ACL counters might incorrectly count packets partially matched by a lower priority ACL entry. As such, the values might reflect a higher count than the actual traffic passing the rule-set.



PAT to underlay and FIP to underlay require IP forwarding to be manually enabled for the interfaces used for uplink and connection to VRS. The uplink interface is configured under the variable NETWORK_UPLINK_INTF in /etc/defaults/openvswitch. IP forwarding can be enabled with the following commands:

sysctl net.ipv4.conf..forwarding=1
sysctl net.ipv4.conf.svc-pat-tap.forwarding=1

or, if a namespace is used, the following:

ip netns exec sysctl net.ipv4.conf..forwarding=1
ip netns exec sysctl net.ipv4.conf.svc-pat-tap.forwarding=1



PAT to underlay and FIP to underlay fail to work properly if a namespace is used for the uplink interface. Spurious errors might be seen when starting openvswitch in the VRS relating to proxy_arp. The work-around is to enable proxy_arp manually for the interface in question inside the namespace. Proxy_arp can be enabled for the namespace with the following command:

ip netns exec sysctl net.ipv4.conf..proxy_arp=1
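The forwarding and proxy_arp commands in the two items above depend on the interface named by NETWORK_UPLINK_INTF and, optionally, on a namespace name. The following POSIX shell helper is an added example, not HPE code: it reads that variable from a defaults file, validates it, and prints the matching sysctl commands for review. The KEY=value file format, the function names, and the use of slash-separated sysctl keys are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the HPE release notes or product).
# Prints, without executing them, the sysctl commands that enable IPv4
# forwarding (and proxy_arp in the namespace case) for the VRS uplink.
# Assumption: the defaults file contains a shell-style line such as
#   NETWORK_UPLINK_INTF=eth0

# Extract NETWORK_UPLINK_INTF from the file without sourcing it.
uplink_intf() {
    file=$1
    # The last assignment wins, as it would if the file were sourced.
    val=$(sed -n 's/^[[:space:]]*NETWORK_UPLINK_INTF=//p' "$file" 2>/dev/null | tail -n 1)
    # Strip trailing whitespace and one pair of surrounding quotes.
    val=$(printf '%s' "$val" | sed -e 's/[[:space:]]*$//' \
        -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/")
    # Fail closed on anything that is not a plausible interface name,
    # so the value can never add extra words or path components.
    case $val in
        ''|.|..|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#val}" -le 15 ] || return 1   # Linux interface names: max 15 chars
    printf '%s\n' "$val"
}

# Usage: uplink_sysctl_commands <defaults-file> [namespace]
uplink_sysctl_commands() {
    file=$1
    netns=${2:-}
    intf=$(uplink_intf "$file") || {
        echo "no valid NETWORK_UPLINK_INTF in $file" >&2
        return 1
    }
    prefix=
    if [ -n "$netns" ]; then
        case $netns in
            *[!A-Za-z0-9_.-]*) echo "invalid namespace name" >&2; return 1 ;;
        esac
        prefix="ip netns exec $netns "
    fi
    # Slash-separated keys stay unambiguous when the interface name itself
    # contains a dot (for example a VLAN sub-interface such as eth0.100).
    for key in "net/ipv4/conf/$intf/forwarding" \
               "net/ipv4/conf/svc-pat-tap/forwarding"; do
        printf '%ssysctl -w %s=1\n' "$prefix" "$key"
    done
    # proxy_arp is the documented work-around only when a namespace is used.
    if [ -n "$netns" ]; then
        printf '%ssysctl -w net/ipv4/conf/%s/proxy_arp=1\n' "$prefix" "$intf"
    fi
}

# When run directly with arguments, print the commands for review, e.g.:
#   sh uplink-forwarding.sh /etc/defaults/openvswitch [namespace]
if [ "$#" -gt 0 ]; then
    uplink_sysctl_commands "$@"
fi
```

The printed commands take effect only until the next reboot unless the same keys are also persisted in the host's sysctl configuration.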

Static routes can be configured in HPE VSD for invalid or un-supported IP addresses in both its prefix and next-hop fields (such as 0/8, multicast ranges, loopback ranges, etc). These static-routes are not valid and will not be installed by the datapath but are erroneously accepted by HPE VSD.



If the service vsd status command is issued while a vsd-init is in progress on another node in a cluster, it waits until the init is completed before returning the prompt to the user.



The service vsd status command will show this error when the MySQL server on another member of a cluster believes that too many failed connection requests have been attempted from that host: Host vsdha-1.dc.nuagedemo.net is blocked because of many connection errors; unblock with mysqladmin flush-hosts. To correct this, the mysqladmin flush-hosts command must be issued on the host returning the error, not the one reporting it. For instance, if the service vsd status command issued from host #1 reports this message when listing the status of host #2, the flush-hosts must be issued on host #2.



In rare cases, the Update button does not get highlighted when the QOS policy is changed at the domain level.



If a domain is exported while policy edits are in progress, the export is permitted, but future attempts at domain export will fail with the job not found error.



Connecting a VM to networks in two different HPE VSD organizations is not supported. If this is attempted using nova interface-attach, an error message is supplied, but the HPE VSD VPort is not cleaned up correctly.



The floating IP rate limit cannot be updated using the floatingip-associate CLI command.

Release 3.2R1

The following issues were resolved in Release 3.2R1.

BGP-EVPN NLRI, when withdrawn, are advertised with a tag field set to 0. This value does not match the advertised value on the reachability NLRI and causes the route not to be removed from the peer receiving the advertisement. Depending on the situation, this can cause traffic to be (partially) blackholed if the prefix is reachable via a different next hop.



Under rare circumstances stats cluster failures would not be detected.



Logging/count flags are not available for ACL entries in template.



During service vsd stop if the MySQL database fails to stop after 30 minutes, the HPE VSD management process no longer shuts down MySQL ungracefully. Instead it exits, and prompts the administrator to investigate the cause of the failure to stop.



Under rare circumstances, an HPE VSD instance might fail to rejoin the cluster after a network event. If this occurs, run service vsd restart to recover.

Issues and suggested actions

Support limitations

Backward compatibility during upgrade is not supported.



CMS integration status is not supported for VMware vCloud Director, or for XEN hypervisor.

Monit logs

You must perform the following to enable Monit log rotation on a standalone HPE VSD installation.

1. Add the following to /etc/monit.d/logs:

check file monit-log with path /var/log/monit.log
if size > 25 MB then exec "/opt/vsd/sysmon/

2. Run: monit reload

HPE VSD

LDAP certificates must be imported on all cluster nodes manually for LDAP authentication to work in a clustered environment. Although the LDAP certificate imported on the first node shows up on the UI of the second node, the certificate is not stored in the second node.

Suggested actions:

1. Launch HPE VSD Architect on the second node.
2. With the organization selected, select LDAP from the Dashboard menu.
3. Scroll down, select Accept All Certificates, and click Save.
4. Deselect Accept All Certificates and click Save again.



An unpredictable sequence of creation events renders Network Designer unable to display the updated VM/VM interface. Workaround: from the Domain Data view, refresh the topology by first clicking on another domain then clicking on the original domain.



Updating a redirection target (L3 redundancy disabled) to point to a new VPort does not update the virtual IP address associated with it.

Suggested action: Delete the virtual IP address and then re-create it.

The password for the MySQL root user is not set during installation.

Suggested action: Immediately after verifying successful installation of all components on all VMs, set the root password on every node.

An ungraceful shutdown of a standalone HPE VSD instance running stats might result in statistics data loss and/or corruption.

Suggested action: Stop running services on the affected instance before a power down or restart of the machine or the VM. For production deployments, use an HPE VSD cluster.

When there is a jBoss crash or kill -9 has been used, on certain HA VMs, jBoss does not restart. This does not affect the whole cluster.

Suggested action: Restart the HPE VSD service on the affected VM. It is not necessary to restart the whole VM.

After reboot, a KVM running HPE VSD VM is unable to access HPE VSD via the browser. If the Name Node and the data node data are not corrupted, do the following:

1. Shut down all four nodes.
2. Boot up Nodes 1, 2, and 3, but not the Name Node.
3. Run service vsd stop and service vsdstats stop on Nodes 1, 2, and 3.
4. Verify that all nodes are resolvable and have good network connections.
5. On the Percona master node, run service vsd startmaster. (For information on how to select the Percona Master, refer to the Percona documentation.)
6. Run service vsd start on Nodes 1, 2, and 3, but not the Name Node.
7. To verify that core HPE VSD services are up, run service vsd status on Nodes 1, 2, and 3.
8. On the Name Node, run service vsdstats start.
9. Wait to verify that the stats cluster becomes available.



Installation fails on the Name Node.



During creation of a VPort, if the selected gateway is of the type “Other” or “NCPE”, there is an internal server error.



Installation scripts do not determine whether there is a Python package installed on the server machine before installation.



Installation scripts do not verify that Hadoop and HPE VSD users were successfully created and working at completion of installation.



On an HA installation, MySQL fails during installation after uninstallation with keep data and then clean data.



If an organization user logs out and logs in again without cleaning the cache, the history, and then relaunches the browser, the picture in Account Management and the footer are not displayed.



If you have a large number of subnets in the same domain, disable the implicit egress security rules. If this is not done, one rule per subnet will be added to each VM, potentially resulting in poor performance.



Neutron TCP/UDP port range is from 0-64K, but HPE DCN supports only 1-64K.



When one of the nodes hosting the ejabberd component of HPE VSD experiences network connectivity issues, the node’s ejabberd process might be disconnected from the XMPP cluster and unable or unwilling to rejoin it automatically. The HPE VSD service monitoring detects and reports this issue, indicating an ejabberd failure. The service vsd status error message shows: EJabberd: 2 cna users connected, expecting 3.

Suggested actions:

1. To identify the node that has split off the cluster, find the node where the error message indicates the following: EJabberd: 1 cna users connected, expecting 3.
2. Restart the ejabberd or HPE VSD service stack by running service vsd restart on the affected node to recover the XMPP cluster.

The version of the glibc resident on the HPE VSD qcow appliance is subject to the security vulnerability described here: https://access.redhat.com/security/cve/CVE-2015-0235.

Suggested action: Although HPE VSD components do not use the library, installations can be patched by using the Centos/RHEL command yum update to retrieve a corrected version.

Installation of the HPE VSD ISO on RHEL 6.5 or 6.6 fails due to missing dependencies.

Suggested action: Contact HPE DCN support for a modified install procedure.

DNS server changes after the HPE VSD reboot are not reflected.

Suggested action: When the DNS server is changed, restart the HPE VSD services for the changes to be reflected.

Backhaul EVPN VNID, RT & RD can be updated to any valid value regardless of the “allowed RT/RD VNID range” present in the System Configuration panel on HPE VSD.



There is no required mode support for XMPP authentication.



The first counter report received by any of the statistics collectors in HPE VSD is discarded as this packet is used to trigger a metadata lookup on HPE VSD that is then cached. Subsequent packets will find the metadata in the cache and thus be properly stored in the statistics database.

Suggested action: There is currently no workaround, but HPE recommends that you configure the statistics interval to a value of a few minutes on the higher end to minimize the impact of the missing statistics.

The vsd.log file in /var/log/vsd does not have a size limit but is being rotated every day.



After entering a wrong IP address and then correcting it, the error message is still visible. Correcting an IP address in the static route field on the development toolbox UI does not work.



When a container created using the docker run command on the VRS is deleted, sometimes the HPE VSD continues to display the VPort for several hours even after it has been successfully deleted from the HPE VSC and VRS.



When a nonexistent site-ID is specified, the container is not spawned and no HPE VSD alarm is triggered.



The stats-collector-status sometimes shows execution failed after starting vsd-stats group. Workaround: start stats group again using monit -g vsd-stats start.



No warning is provided when you try to run incorrect Monit commands such as monit start/stop -g vsdcore. Workaround: make sure that when you execute the Monit commands, you specify the correct group name and that afterwards you use the Monit summary command to verify the updated status.



OpenTSDB and the stats-collector are susceptible to flapping due to a network event that causes Monit to misinterpret Hadoop status.



In a multiple node failure with a very large database (>100000 VMs), an HPE VSD instance might not recover without manual intervention.

Suggested action: Use service vsd restart to recover the HPE VSD instance.



OpenStack requires a log rotation for HPE VSD log.



There is a malformed server (URL 503) when deleting a domain with PG.



The UI might not give a warning when the Network Uplink Interface is set to eth0, eth1 or eth2.

Suggested action: Configure eth0 or eth2 as an uplink interface on the deployment toolbox to make the underlay accessible to the guest VM.

NOTE: Configuring eth1 as an uplink interface, and configuring a VLAN on eth0 or eth2 is not supported.

In EAM, updating the static route IP on one hypervisor causes the UI to show the same configuration on all hypervisors.

Suggested action: Reload the page in the deployment toolbox.

In EAM, correcting an IP address in the static route field on the development toolbox UI does not work.



After you delete and re-create profiles, no changes to the profile are applied to the VRS, and the reload config button does not resolve this.

Suggested action: Redeploy the VRS VMs to apply the new profiles.

Under rare circumstances during an upgrade from 3.0 or 3.2 to a newer 3.2 release, your current license might become invalid and you will be forced to insert a new 3.2 license. Please request an updated license before starting a production upgrade to ensure continuity of service.



In AppDesigner, while configuring ACL entries, any configured entries are activated only upon deletion of an ACL entry.



Before upgrading your first node (or your only node if standalone), check a) to ensure /var/lib/mysql has the nuageDbUpgrade folder; and b) to ensure that the folder is recognized by MySQL. To do this, run mysql -e 'show databases;' | grep nuageDbUpgrade.



The custom enterprise logo is not replicated in cluster and not loadable from relative URL.



Neither the Monit UI for the key server nor the key server status script give any description for failure.



After upgrading from a release earlier than 3.2R1, the keyserver-status is marked as Status Failed until the turn-on-api script is executed, enabling the 3.2R6 feature set. The keyserver status script requires 3.2 API access to function.



opentsdb-status sometimes displays status failed due to Hadoop file system corruption. The workaround for recovering OpenTSDB is described in Hadoop File System Causing opentsdb-status to Fail.



When switching to ‘allow’ mode near the end of installation, ejabberd may fail the restart.



If the HPE VSD is experiencing delays and/or resource issues, it could be because the console.log files in the folder /var/log/jboss have grown too large. Workaround: check the folder periodically and clean it up if necessary.




Once HPE VSD is configured and statistics is enabled, the following parameters in System Configuration should not be changed, even though they can be updated on the fly using REST or UI:



Elastic Cluster Name



Collector Address



Collector Port



Collector Protobuf Port



Max Data Points



Min Duration



Number of Data Points



Elastic Server Address



When upgrading from 3.2x to 4.0.R2, there is a chance that after executing /opt/vsd/bin/turn-on-api, a REST call using the 3.2 API might not work.



When the host running VRS has a large number of containers being rapidly deleted, in certain conditions some containers do not get removed on VSD, which continues to show them in the active state.



After upgrade from 3.2Rx, the VCIN upgrade succeeds, but the VRS fails to get its profile. Workaround: After upgrade, move the FQDN from the Name field to the Address field.



Exporting “policies only” from a domain instance level or domain template level is not supported on DCN 4.0.R2. Workaround: Export the policies individually.



When processing ACL statistics messages, an error message appears in the stats-collector log. It does not refer to the functionality of the stats-collector or TCS and should be ignored: May17 12:57:16 vsd-1 stats_collector.log: ERROR 0 2016-05-17 12:57:16, 040 pool-5-thread-6 com.alu.nuage.stats.collector. StatsCollectorWorker



After auto-discovering a standalone host, it is not possible to update it.

HPE VSD Architect

Within an L3 domain, the Zone parameters show only the total number of VMs, not the total number of VPorts.



Entering special characters into Organization and Domain filters leads to an Unknown error. This is a 412 precondition fail from an http request.

HPE DCN




Creating a static route with a next Hop to Floating IP is not supported.



IP resolution via DHCP is supported on VPorts of type VM and Host, not on Bridge VPorts.



The RD/RT for a subnet in a public zone can be incorrectly set to values other than those that have been allocated to that public zone.



The communication protocol between HPE VSD and HPE VSC was changed in 3.0R5. This means that when HPE VSD 3.0R5 (or later) is connected to HPE VSC 3.0R4 (or earlier), some provisioning changes might not take effect as expected (especially vPort deletes). No provisioning changes via REST should be performed when running 3.0R5 HPE VSD and older version HPE VSC (e.g. 3.0R.4 and earlier), and time running mixed HPE DCN versions must be minimized.




When one of the HPE VSD Nodes in an HPE VSD Cluster reboots, HPE VSD Sysmon shows it as up, even though the affected HPE VSD Node is in the process of joining the cluster. This information can be misleading. Once the affected node successfully joins the cluster, the information shown in Sysmon for this HPE VSD Node becomes current.



IPv6 is not qualified for Active/Standby MC-LAG.



BGIPv6 for VPRN services is not supported.



Upgrade 3.2.Rx to 4.0.Rx: After BRS, the XMPP push still has PAT configs at the gateway level.



VRS

The following error message is sometimes seen when the openvswitch service is restarted.

Killing vm-monitor (27834) with SIGKILL
/usr/share/openvswitch/scripts/ovs-lib: line 571: kill: (27834) No such process [FAILED]

The message is wrong. There is no impact on functionality.

In multi-VM mode, a VM cannot have multiple NICs on the same port-group.



Reloading after updating a configuration does not work. Workaround: Restart the VRS VM.



When installing the VRS DKMS package on CentOS, the following messages are displayed. This does not impact the final installation of the module or its behavior.

Building module:
cleaning build area...(bad exit status: 2)
./configure --with-linux='/lib/modules/2.6.32-358.23.2.el6.x86_64/build' && make -C datapath/linux.........
cleaning build area...(bad exit status: 2)



The DHCP Decline and Release message types are treated as DHCP request packets. ACK is sent back with the resolved IP addresses. The DHCP Inform message type is also treated as a DHCP request packet, and instead of ACK being sent back with the resolved IP address, ACK is sent back with the IP address 0.0.0.0.



FIP-based rate limiting should not be configured for any VPort that belongs to a domain linked to a leakable domain, as this causes undesirable forwarding behavior on VRS.



Do not enable statistics on reflexive ACLs. Reflexive ACL statistics result in duplicate rows in the statistics database. When there are duplicate rows for an object, statistics cannot be retrieved for that object.



When both controllers lose connectivity to the HPE VSD, both of their roles become ‘slave’.



For CloudStack and VMware installations, MPLS over GRE traffic does not work with Ubuntu unless Large Receive Offload (LRO) and Generic Receive Offload (GRO) are disabled. Workaround: Disable LRO and GRO for Ubuntu.



OpenShift integration is currently not supported with the tunnel type GRE. Ensure that the tunnel type is set to VXLAN before proceeding with OpenShift installation.



VRS will fail to start on RHEL 7 and CentOS 7 if the net-tools package is not installed. Install the net-tools package using yum install net-tools.



OpenShift Enterprise HA only supports developer workflow in HA without the subnet scaling feature. Operations workflow is fully supported.

VRS/VRS-G data path

The ARP generated by the OVS is flooded on all ports.



If logging is enabled for egress ACLs and an ingressing packet is flooded, the log reports only one hit (to the first port in the switch implementing the particular ACL entry) and subsequent hits are not reflected for other copies of the same ACL entry in other VPorts of the same domain in the same hypervisor.

VMware

In VRS for VMware, if both L2 domain metadata and L3 domain metadata are present, the VM is resolved by HPE VSD based on the L2 domain metadata. The L3 domain metadata is ignored. In the vCenter setup, the extra config fields cannot be deleted.

Suggested action: Put null entries in the unneeded fields.

The vApp metadata file is not accessible after a hypervisor reboot.

Suggested action: Shut down the OVS VM and then power it on again.

Virtual machines under ESXi managed directly from vCenter using VM metadata as the attachment mechanism (such as using the HPE DCN vCenter Plugin) must use the first VNICs as managed by HPE DCN. Any non-HPE DCN VNIC must be after this range. That is, all HPE DCN-managed VNICs must be contiguous in numbering and must be the first virtual network cards exposed to the VM.



When a VRS profile is configured in the VCIN, all the port groups used should have a unique name in the vCenter.



Hewlett Packard Enterprise recommends that you have unique portgroup names for dvSwitch portgroups, even if the dvSwitch belongs to different data centers on the vCenter.



If you modify the MTU field under the general section in the Deployment Toolbox GUI, and you click the reload config button, the MTU is modified only for eth1 on the VRS. If you are restarting nuage-openvswitch-switch on VRS, you must restart the esxMonit service manually.



If a multicast interface is removed from a deployment toolbox profile, it does not get removed from the VRS.



If the Deployment Toolbox Node goes down, it is possible that the ESX Agency goes to “orphaned” state as observed on the vCenter web client. The only way to remove the agency and recover the vCenter is to reboot it.



VRS deployment using EAM gets stuck if vCenter tries to clone an existing VRS from an existing hypervisor and that hypervisor becomes unreachable.

OpenStack




When a Neutron net-update changes the network type to or from “shared”, the update is accepted, but the permissions are not changed. To change the network type to/from shared, the network must be re-created.



Deleting Enterprise (netpartition) from OpenStack does not succeed if HPE VSD-managed subnets are available in HPE VSD on the specific Enterprise. You must delete the resources on HPE VSD.



The HPE DCN Metadata Proxy does not work in an isolated subnet unless the gateway is configured and a VM exists and responds to ARPs for that gateway.



An OpenStack-managed router can be deleted, even though an HPE VSD-managed subnet is attached to the router in HPE VSD.




Updating the subnet name in Neutron does not update the HPE VSD description for OpenStack-managed subnets.



If a tenant does not exist in Keystone, an invalid UUID can be passed in the tenant-id when creating Neutron objects.



If a floating IP address is used before the external network is associated with a router, OpenStack attempts to use the .1 address for the floating IP. This is not permitted by HPE VSD. Attach the external network to the router before using the floating IP addresses.



Although HPE DCN does not permit the creation of VMs on a floating IP subnet, this is not blocked by the HPE DCN OpenStack plugin. Thus, a VM can be attached on a network where external=True, but will never resolve. The VM attachment should be blocked by the plugin.



Booting a nova VM on the Loadbalancer VIP port is not blocked in the Kilo version 2015.1.1.



Although it is possible to create a VM on a Loadbalancer VIP port, this should not be done. If the VM is later deleted, a ghost VM remains on the HPE VSD stuck in deleting state.



Canonical OpenStack Kilo ships an out-of-date python-neutronclient (2.3.x), which does not support extensions. However, extensions are required for HP DCN Neutron client support. Until Canonical fixes bug https://bugs.launchpad.net/ubuntu/+source/python-neutronclient/+bug/1467272, there is a Debian package for python-neutronclient 2.4.0 you can use. See http://ftp.us.debian.org/debian/pool/main/p/python-neutronclient/python-neutronclient_2.4.0-1_all.deb.



When deleting an enterprise in HPE VSD, not all its related netpartitions on multiple OS setups can be deleted. They can be deleted only on the first OS instance where the delete netpartition is issued. On the other OS instances, the netpartition is dangling (until removed from the database).



If a Managed L2 Shared Resource is linked to an L2 Domain and then exposed as an HPE VSD-managed subnet, the IP address allocated on OpenStack will be different from the IP address allocated on HPE VSD.



Updating a router with more than eight extra routes to the same destination or routes with an invalid CIDR causes the command to fail, and leaves that router in a state where it can no longer be updated. To recover, the routes must be manually deleted from OpenStack.



IPSecSiteConnection will not work with RHEL because the vpnaas code only supports Openswan and Openswan is not available in the RHEL repo.



Although DCN does not permit the creation of VMs on a floating IP subnet, this is not blocked by the OpenStack plugin. Thus, a VM can be attached on a network where external=True, but will never resolve. The VM attachment should be blocked by the plugin.

CloudStack

The Reset VPC function reboots the Virtual Router only and does not reset the ACLs, Load Balancers, FIPs, etc., which would be the expected behavior.



The API call listVpcInlineLoadBalancerVMs does not work properly if the LB VM is not in the right state, for example, expunging, etc.



During HPE VSD upgrade from 2.1 to 3.2, if the nuageVsp plugin is still in 2.1, the REST calls to HPE VSD sometimes fail. Workaround: restart the management server.

Static routes

Static routes are not matched against their next-hop’s underlying policy groups or zone. Specific macros need to be defined for the static route’s destination CIDR to be used in ACLs. Also, static-routes are not matched against a particular zone’s subnets or subnets themselves, so zone-to-zone or subnet-to-subnet ACLs (or variations of these) do not cover a static route destination that falls within the zone’s subnets. The workaround here is also to define a specific macro and refer to it explicitly in the ACL.

Hardware

1000BASE-TX copper small form-factor pluggable (SFP) transceivers that do not provide a loss of signal (LOS) indication are reported as link up when there is no cable plugged into the SFP.

RADIUS

If the system IP address is not configured, RADIUS user authentication is not attempted for in-band RADIUS servers unless a source-address entry for RADIUS exists.



The NAS IP address selected is that of the management interface for out-of-band RADIUS servers. For in-band RADIUS servers, if a source-address entry is configured, the source IP address is used as the NAS IP address. Otherwise, the IP address of the system interface is used.



SNMP access cannot be authorized for users by the RADIUS server. RADIUS can be used to authorize access to a user by FTP, by the console, or both.



If the first server in the list cannot find a user, the server rejects the authentication attempt. In this case, the router does not query the next server in the RADIUS server list and denies access. If multiple RADIUS servers are used, the software assumes they all have the same user database.

TACACS+

If the TACACS+ start-stop option is enabled for accounting, every command results in two commands in the accounting log.



If TACACS+ is first in the authentication order and a TACACS+ server is reachable, the user is authenticated for access. If authenticated, the user can access the console and any rights assigned to the default TACACS+ authenticated user template (config>system>security>user-template tacplus_default). Unlike RADIUS, TACACS+ does not have fine granularity for authorization to define if the user has only console or FTP access, but a default template is supported for all TACACS+ authenticated users.

If TACACS+ is first in the authentication order and the TACACS+ server is not reachable, authorization for console access for the user is checked against the user’s local or RADIUS profile, when configured. If the user is not authorized in the local/RADIUS profile, the user is not allowed to access the box.

NOTE: Inconsistencies can arise depending upon combinations of the local, RADIUS, and TACACS+ configuration. For example, if the local profile restricts the user to only FTP access, the authentication order is TACACS+ before local, the TACACS+ server is UP and the TACACS+ default user template allows console access, an authenticated TACACS+ user will be able to log into the console using the default user template because TACACS+ does not provide granularity in terms of granting FTP or console access. If the TACACS+ server is DOWN, the user is denied access to the console as the local profile authorizes only FTP access.

OVSDB




The clear vswitch-controller vswitches command might not get the third party gateways back in a connected state.



The search option in the HPE VSD Architect for searching ports on a third party gateway does not work as expected. Workaround: Use the advanced search option.


CLI

The FQDN is limited to approximately 100 characters for the XMPP server name.



There is no statistical information for traffic dropped in dynamic SAP.



The CLI allows the user to specify a TFTP location for the destination for the admin save and admin debug-save commands, which overwrite any existing file of the specified name.



There is currently no show command to display the current values of the password hash settings.



The system does not prevent the user from using the same IP address of its BGP peer on one of its router interfaces.



Characters other than printable 7-bit ASCII (for example, French letters with accents) are not allowed inside the various description fields. Configurations that do not comply might result in a failed config exec in the CLI and/or during system bootup.



Output modifiers (| match and >) are not supported in configuration files executed using the exec command scripts.



Although the http-download CLI command is referenced in the Systems Basics Guide, it is not currently supported.



An exec or rollback revert of a config file with an auto-peer config line fails because of extra double quotes around the auto-peer address. The error shown is as follows:

-------------------------------------------------------------------
MAJOR: CLI #1009 An error occurred while processing a CLI command
File xyz.cfg, Line 96: Command "auto-peer "10.15.1.0"/24" failed.
-------------------------------------------------------------------

Workaround: Manually remove the quotes around the auto-peer address from the config or rollback file - that is, replace the line auto-peer "10.15.1.0"/24 with the line auto-peer 10.15.1.0/24. Then re-attempt the exec or rollback revert command.
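A pre-flight pass over a config or rollback file before exec, as an added example (not HPE tooling): it applies the auto-peer workaround above and flags the two other limits listed in this CLI section, characters outside printable 7-bit ASCII and output modifiers. The function name, finding codes and sample file are constructed; checking every line for non-ASCII characters, not only description fields, is a deliberate over-approximation.

```python
import re

# The failing form quoted in the error above: auto-peer "10.15.1.0"/24
AUTO_PEER_QUOTED = re.compile(r'^(\s*auto-peer\s+)"([^"\s]+)"(/\d{1,3})\s*$')
# Output modifiers that exec does not support: "| match" and ">" redirection.
PIPE_MATCH = re.compile(r"\|\s*match\b")
REDIRECT = re.compile(r"\s>\s*\S+\s*$")
QUOTED = re.compile(r'"[^"]*"')


def preflight(text):
    """Return (fixed_text, findings); findings are (line_no, code, detail) tuples."""
    fixed, findings = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        m = AUTO_PEER_QUOTED.match(line)
        if m:
            # The workaround from the release note: drop the quotes, keep the mask.
            line = m.group(1) + m.group(2) + m.group(3)
            findings.append((no, "auto-peer-quotes", "quotes removed"))
        # Anything outside printable 7-bit ASCII (tab tolerated as indentation).
        bad = sorted({c for c in line if c != "\t" and not 0x20 <= ord(c) <= 0x7E})
        if bad:
            findings.append((no, "non-ascii", "".join(bad)))
        # Blank out quoted strings so "|" or ">" inside a description is not a hit.
        bare = QUOTED.sub('""', line)
        if PIPE_MATCH.search(bare) or REDIRECT.search(bare):
            findings.append((no, "output-modifier", bare.strip()))
        fixed.append(line)
    return "\n".join(fixed) + "\n", findings


# Constructed sample, not taken from a real system.
SAMPLE = (
    "# constructed sample config\n"
    '    description "Lien vers le r\u00e9seau de gestion"\n'
    '    auto-peer "10.15.1.0"/24\n'
    "    auto-peer 10.16.0.0/16\n"
    "show version | match TiMOS\n"
    "show version > version.txt\n"
)

if __name__ == "__main__":
    new_text, report = preflight(SAMPLE)
    for line_no, code, detail in report:
        print(f"line {line_no}: {code}: {detail}")
```

Only the auto-peer finding is repaired automatically; the other two findings need a manual edit of the file before it is executed.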

Management

Packets sent to the CPU for MAC learning are also counted with network interface egress stats.



Generated OVA can be deployed only via vCenter because on standalone ESXi vApp parameters are not supported.



Changes in VMware vApp options are taken into account only if Update HPE DCN VSC configurations and reboot is chosen as a boot option. If not updated as you expected, be sure the vApp options have been updated correctly. VMware sometimes fails to update them (see the VMware logs).



Source address configuration applies only to the base routing instance and, where applicable, to VPRN services. As such, the source address configuration does not apply to unsolicited packets sent from the management interface.



The SSHv2 implementation does not support the RC5 cryptographic algorithm.



After 497 days, system up-time wraps around due to the standard RFC 1213 MIB-II 32-bit limit.



On slower machines, Firefox frequently displays a warning on the HPE VSD login page about an unresponsive script.


Routing

MAC age time suddenly increases differently after switchover for a MAC learnt from a unicast stream and a multicast stream.



When traffic is sent from a VM or host to an endpoint on a bridge interface, an ARP is generated because the IP to MAC resolution is not known. If the only rule that allows traffic is the one to the vport group of the bridge interface, until the ARP route is generated from the VRS, it cannot be known that the endpoint belongs to the vport group. As a result, the ARP does not pass the ACL rule and the packet is dropped. If the ARP entry is created first, the ACL rule allows the traffic.



Setting a metric of zero in OSPF or IS-IS is not supported and causes the interface to fall back to the reference-bandwidth computed value instead of setting the value to zero.



Routes exported from one protocol to another are redistributed with only the first ECMP next-hop. Therefore, if BGP routes having multiple next-hops are exported to a VPRN client, only one next-hop for the route is exported. The one chosen is the lowest IP address of the next-hop address list.



A static route with a CPE connectivity target IP address that is part of the subnet of the static route itself does not come up if there is no alternate route available in the routing table that resolves the target IP address. This is because a static route can be activated only if the linked CPE session is up and, in this case, the CPE session can come up only if the static route itself is activated.



When the applied export policy is changed in conjunction with an export-limit, it might not take effect immediately without clearing the policy (no export/export), or in very few cases, toggling the administrative state of the protocol.



There is no warning trap sent after a clear export policy is issued when the export-limit is increased a few times and clear export is performed.



When an export limit is reduced via the export-limit command, toggling the administrative state of the protocol is required to remove all previously exported routes.



When a vPort is part of a domain where Address Translation is enabled, Underlay Support Disabled, and the vPort has Static Port Mappings configured along with a floating IP address, there can be a timing window where vPort resolution might not program VRS flows with respect to Static Port Mappings. Workaround: Clear the vPort resolution manually.

TCP Authentication Extension

It is not possible to delete an authentication keychain if that keychain was recently removed from a BGP neighbor while BGP was operationally down. BGP has to become operationally active before the keychain can be deleted.

IS-IS

A change in any IS-IS multi-topology or level causes the SPF to be run in all levels or topologies.



ECMP across multiple-instances is not supported. ECMP is per instance only. Only one route, the one with the lowest instance ID, is installed.



In a multi-instance IS-IS configuration, the same IS-IS prefix is not leaked to all instances via the traditional Layer-1 and Layer-2 leaking.

OSPF

A router with more than one point-to-point adjacency to another router over links of equal metric might compute the shortest-path tree over the incorrect link in the case of unidirectional link failures on the far-end router.

BGP

When BGP transitions to the operationally disabled state, the clear router bgp protocol command does not clear this state. The BGP protocol administrative state must be shutdown to clear this condition.



If the BGP neighbor address is configured prior to configuring that same IP address on a router interface, the configuration can be saved and loads properly with a warning message displayed. Also, the peering shows up as idle. Workaround: Do not use the same IP address for a local router interface and a BGP neighbor.



If the BGP neighbor address is configured prior to configuring that same IP address on a router interface, the configuration can be saved and loads properly with a warning message displayed. The peering also shows up as idle. The workaround is not to use the same IP address for a local router interface and a BGP neighbor.



After a CPM or CFM failover, BGP graceful restart does not work initially. It starts working after the neighbor session is flapped and capability messages are exchanged.



BGP Graceful Restart (GR) helper supports the IPv4 address family but the VPN IPv4 address family is not supported.

VPRN/2547

The service operational state of a VPRN might be displayed incorrectly as UP during its configuration while some mandatory parameters to bring it up have yet to be set.



Each MP-BGP route has only one copy in the MP-BGP RIB, even if that route is used by multiple VRFs. Each MP-BGP route has system-wide BGP attributes and these attributes (preference) cannot be set to different values in different VRFs by means of vrf-import policies.



Executing a ping from a VPRN without a configured loopback address might fail with a no route to destination error message despite there being a valid route in the routing table. The error message is misleading and should state that the reason for the failure is not having a source address configured.



Executing a ping from a VPRN without a configured loopback address may fail with a “no route to destination” error message despite there being a valid route in the routing table. The error message is misleading and should state that the reason for the failure is not having a source address configured.

Usage notes

Management

For HPE DCN TiMOS, the primary “local” CLI access port is the serial port. TiMOS does not support local VGA consoles. The TiMOS CLI console session can be accessed via its serial port, virtualized by ESXi, and accessible via one of the methods detailed in: http://pubs.vmware.com/vsphere-50/index.jsp#com.vmware.vsphere.vm_admin.doc_50/GUID-941460CF-7C1E-45F7-B964-E16189183768.html. On KVM hypervisors, the serial console can be accessed using the command virsh console .

SNMPv3 user authentication and privacy keys in the config>system>security>user user-name>snmp>authentication command must be entered as maximum length strings.



It is highly recommended that the management ports be on protected and controlled network segments not directly accessible from the Internet to prevent unwanted Denial-of-Service attacks.

Disallowed IP prefixes

The following IP address prefixes are not allowed by the unicast routing protocols and the route table manager and will not be populated within the forwarding table:

0.0.0.0/8 or longer



127.0.0.0/8 or longer



224.0.0.0/4 or longer (used for multicast only)



240.0.0.0/4 or longer

Any other prefixes that need to be filtered can be filtered explicitly using route policies.
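A route pre-check that combines the disallowed-prefix list above with the OpenStack router limits noted earlier (invalid CIDR, more than eight extra routes to one destination), as an added example that is not part of the product. The dictionary shape follows Neutron's extra-route entries; the function names, the sample routes, and the choice to apply the disallowed list to Neutron routes and to treat host bits as an invalid CIDR are assumptions of this example.

```python
import ipaddress
from collections import Counter

# Blocks from the "Disallowed IP prefixes" list. "or longer" means the block
# itself or any more-specific prefix inside it; shorter ones (0.0.0.0/0) pass.
DISALLOWED = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]
MAX_ROUTES_PER_DESTINATION = 8  # more than eight to one destination fails the update


def check_prefix(prefix):
    """Classify one IPv4 prefix: 'invalid-cidr', 'disallowed (<block>)' or 'ok'."""
    if "/" not in prefix:
        return "invalid-cidr"
    try:
        # strict=True rejects host bits (10.1.1.1/24) as well as malformed input.
        net = ipaddress.IPv4Network(prefix, strict=True)
    except ValueError:
        return "invalid-cidr"
    for block in DISALLOWED:
        if net.subnet_of(block):
            return f"disallowed ({block})"
    return "ok"


def precheck_extra_routes(routes):
    """routes: list of {"destination": cidr, "nexthop": ip} dicts.
    Returns a list of problem strings; an empty list means nothing was found."""
    problems, per_destination = [], Counter()
    for route in routes:
        verdict = check_prefix(route["destination"])
        if verdict != "ok":
            problems.append(f'{route["destination"]}: {verdict}')
            continue
        per_destination[str(ipaddress.IPv4Network(route["destination"]))] += 1
    for destination, count in sorted(per_destination.items()):
        if count > MAX_ROUTES_PER_DESTINATION:
            problems.append(
                f"{destination}: {count} routes to one destination "
                f"(limit {MAX_ROUTES_PER_DESTINATION})")
    return problems


# Constructed sample: one clean route, one with host bits, one disallowed,
# a default route, and nine next hops for the same destination.
SAMPLE_ROUTES = [
    {"destination": "10.20.0.0/24", "nexthop": "192.0.2.1"},
    {"destination": "10.30.1.1/24", "nexthop": "192.0.2.1"},
    {"destination": "127.0.0.0/8", "nexthop": "192.0.2.1"},
    {"destination": "0.0.0.0/0", "nexthop": "192.0.2.1"},
] + [{"destination": "10.40.0.0/16", "nexthop": f"192.0.2.{i}"} for i in range(10, 19)]

if __name__ == "__main__":
    for problem in precheck_extra_routes(SAMPLE_ROUTES):
        print(problem)
```

Running the check before a router update matters because, per the OpenStack note, a failed update leaves the router in a state that can only be recovered by deleting the routes manually.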

System

CF2: is a virtual disk reserved for the bootable HPE VSC image, so it should not be written to and should be treated as a read-only device.



When creating a new log file on a virtual disk, the system checks the amount of free disk space and the amount must be greater than or equal to the lesser of 5.2 MB or 10% of the virtual disk capacity.

CLI

The special characters | and > cannot be used inside environment alias strings. Also, the special character / cannot be used as the first character inside an alias string.

Routing

HPE recommends that the preference value for BGP routes be set to a higher value than that of the internal (IGP) routes used to resolve the next-hop addresses of iBGP routes because routing instability can occur while the BGP routes are constantly re-learned. Reducing the interval/timeout timers much below default values is not recommended for OSPF, IS-IS and BGP to ensure stability under transitional events like a CFM switchover.

IS-IS




The granularity of the IS-IS hold timer is accurate only to within +/- 0.5s, so having a computed holdtime value of less than 2s might result in adjacencies being randomly dropped. HPE recommends that hello-intervals and hello-multiplier values be adjusted accordingly, paying specific attention to the smaller hold-times computed on DIS systems.



IS-IS authentication is not activated at any given level or interface unless both the authentication key and type are added at that level. For instance, if the hello-authentication-type is set to password for an interface, it is not activated until a key is added at the interface level.

BGP

HPE recommends that the local address be configured when a box has multiple BGP peers to the same node.

Yum update

To execute a yum update on an HPE VSD, you must do the following.

Pinning the repository to the HPE VSD-supported operating system versions

For CentOS 6.6

You must pin the CentOS yum repository to version 6.6 to avoid upgrading to an unsupported version:

1. Disable all the repos: disable=0.
2. Create a new repo file pointing to 6.6 and enable it:

   [c66]
   name=CentOS66
   enabled=1
   gpgcheck=0
   baseurl=http://vault.centos.org/centos/6.6/os/x86_64/
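A check to run before the yum update, as an added example that is not part of the HPE procedure: it reads every .repo file in a directory and reports enabled repositories that are not pinned to the release, have package signature checking turned off, or fetch over plain HTTP. The last two apply to the c66 stanza as printed above, so the report makes that trade-off explicit. The function names, finding codes and the CentOS-Base.repo content are constructed for the example.

```python
import configparser
import pathlib
import tempfile


def audit_repos(repo_dir, pinned_release="6.6"):
    """Return (file, repo_id, finding) tuples for every enabled repo in repo_dir."""
    findings = []
    for path in sorted(pathlib.Path(repo_dir).glob("*.repo")):
        # interpolation=None keeps yum variables such as $releasever untouched.
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.read(path)
        for repo_id in cp.sections():
            repo = cp[repo_id]
            # yum treats a repo with no "enabled" key as enabled.
            if repo.get("enabled", "1").strip() != "1":
                continue
            baseurl = repo.get("baseurl", "").strip()
            # A mirrorlist or a $releasever URL follows the newest minor release.
            if f"/{pinned_release}/" not in baseurl:
                findings.append((path.name, repo_id, "not-pinned"))
            if repo.get("gpgcheck", "").strip() == "0":
                findings.append((path.name, repo_id, "gpgcheck-off"))
            if baseurl.startswith("http://"):
                findings.append((path.name, repo_id, "plaintext-baseurl"))
    return findings


# Constructed repo files: a stock-style base repo left enabled, an updates
# repo that was disabled, and the c66 stanza from the procedure above.
CONSTRUCTED = {
    "CentOS-Base.repo": (
        "[base]\n"
        "name=CentOS-$releasever - Base\n"
        "mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os\n"
        "gpgcheck=1\n"
        "enabled=1\n"
        "\n"
        "[updates]\n"
        "name=CentOS-$releasever - Updates\n"
        "enabled=0\n"
    ),
    "c66.repo": (
        "[c66]\n"
        "name=CentOS66\n"
        "enabled=1\n"
        "gpgcheck=0\n"
        "baseurl=http://vault.centos.org/centos/6.6/os/x86_64/\n"
    ),
}


def demo():
    """Write the constructed files to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as repo_dir:
        for name, body in CONSTRUCTED.items():
            pathlib.Path(repo_dir, name).write_text(body)
        return audit_repos(repo_dir)


if __name__ == "__main__":
    for file_name, repo_id, finding in demo():
        print(f"{file_name} [{repo_id}]: {finding}")
```

On a real system, call audit_repos("/etc/yum.repos.d"); a "not-pinned" finding means a repository other than the pinned one is still enabled and could pull in an unsupported version.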

For RHEL 6.6

Do one of the following:

Install from RHEL 6.6 installation media and do not perform any system update.



Use a local mirror that has 6.6 packages only (not 6.7).



Get a RHEL 6.6 EUS subscription from Red Hat.

For RHEL 7.1

Do one of the following:

Install from RHEL 7.1 installation media and do not perform any system update.



Use a local mirror that has 7.1 packages only (not 7.2).



Get a RHEL 7.1 EUS subscription from Red Hat.

Upgrade information

Upgrade is supported in DCN 4.0.R2.



From DCN 3.2R3 onward, non-incremental upgrades are supported with limitations related specifically to BGP, Keyserver, and EJBCA.

Post-upgrade activities

Turn on node 2/3 encryption mode: Enabling allow mode for encryption using ENV_VSD_XMPP_ALLOW will fail for the second and third upgrade nodes. You must execute /opt/vsd/bin/ejmode allow after installation is finished.



Update API calls: After upgrading to HPE VSD 4.0Rx, update your API calls to use statefulACLTCPTimeout and statefulACLNonTCPTimeout instead of reflexiveACLTimeout. If you don’t do this and reflexiveACLTimeout is changed from 300 secs to 600 secs, the new value might be reflected only in statefulACLTCPTimeout.

Contacting HPE

For additional information or assistance, contact HPE Networking Support: www.hpe.com/networking/support

Before contacting HPE, collect the following information:

Product model names and numbers



Technical support registration number (if applicable)



Product serial numbers



Error messages



Operating system type and revision level



Detailed questions

HPE security policy

A Security Bulletin is the first published notification of security vulnerabilities and is the only communication vehicle for security vulnerabilities.

Fixes for security vulnerabilities are not documented in manuals, release notes, or other forms of product documentation.



A Security Bulletin is released when all vulnerable products still in support life have publicly available images that contain the fix for the security vulnerability.

To find security bulletins:

1. Go to the HPE Support Center website at www.hpe.com/go/hpsc.
2. Enter your product name or number and click Go.
3. Select your product from the list of results.
4. Click the Top issues & solutions tab.
5. Click the Advisories, bulletins & notices link.

To initiate a subscription to receive future HPE Security Bulletin alerts via email, sign up at: www4.hpe.com/signup_alerts

Related information

Documents

To find related documents, see the HPE Support Center website: www.hpe.com/support/manuals

Enter your product name or number and click Go. If necessary, select your product from the resulting list.



For a complete list of acronyms and their definitions, see HPE FlexNetwork Technology Acronyms.

Related documents

The following documents provide related information:

HPE Distributed Cloud Network 3.0.R2 CloudStack Plugin User Guide (Document Number: 5998-6918)



HPE Distributed Cloud Network 3.0.R5 Installation Guide (Document Number: 5200-0181)



HPE Distributed Cloud Network 3.0.R5 User Guide (Document Number: 5200-0184)



HPE Distributed Cloud Networking CMS Integration Guide - vCenter (Document Number: 5998-6923)

HPE Distributed Cloud Networking CMS Integration Guide - vCloud (Document Number: 5998-6924)

Websites

Official HPE Home page: www.hpe.com



HPE Networking: www.hpe.com/go/networking



HPE product manuals: www.hpe.com/support/manuals



HPE download drivers and software: www.hpe.com/support/downloads



HPE software depot: www.software.hpe.com



HPE education services: www.hpe.com/learn

Documentation feedback

HPE is committed to providing documentation that meets your needs. To help us improve the documentation, send any errors, suggestions, or comments to Documentation Feedback ([email protected]). Include the document title and part number, version number, or the URL when submitting your feedback.
