ECOS 8.1.9.14 Release Notes RevC

Silver Peak Unity ECOSTM (ECOS)
Release Notes
Version 8.1.9.14_77958
Revision C: October 12, 2020
NOTE: Silver Peak’s VXOA appliance software is now Silver Peak Unity ECOSTM (ECOS).
This document provides important information about ECOS 8.1.9.14, including top items for the release, new features,
issues fixed, upgrade considerations, and known issues. See Additional Information for details about system
requirements and a historical list of features and fixes from past releases.
Top Items for this Release

ECOS 8.1.9.14 requires Silver Peak Unity OrchestratorTM version 8.9.2 or higher. Before upgrading any appliances
to this version of ECOS, you must upgrade Orchestrator to at least 8.9.2.
When upgrading from a previous release train (for example, 8.1.7.x to 8.1.9.x), you should upgrade to the latest
version currently available to prevent upgrade failures and to get the latest security and product updates.
When upgrading from 8.1.7.x to 8.1.9.x, users must ensure that peer priority values are not zero. Peer priority
values must be set to appropriate positive integer values before performing the upgrade.
ECOS 8.1.9.14 interoperates fully with most prior versions, though it may interoperate in Reduced Functionality
mode with some older prior versions.
Silver Peak Systems, Inc. Strictly Confidential Page 1 of 29

ECOS 8.1.9.14 Release Notes PN 200002-8.1.9.14 Rev C
New Features and Enhancements

The following new features and enhancements are included in ECOS 8.1.9.14.
Multiple Ranges for DHCP Server

DHCP Settings now support adding multiple IP address ranges under the DHCP Server options.
If multiple IP address ranges are configured, ensure that they do not overlap.
NOTE: To see a historical list of new features, see New Features from Past Releases.

Issues Fixed
The following known issues have been fixed in ECOS 8.1.9.14.
ID: 55421 On some platforms, a management controller that reboots the appliance in the case of a system hang
could lose its configuration and fail to operate as intended.
ID: 55317 A driver on certain appliance platforms was preventing the appliance from rebooting itself after
detecting a system hang.
ID: 55166 The local DHCP server was stalling while performing a DNS update during DHCP negotiation. As a result,
no IP addresses were being assigned.
ID: 51738 After upgrading to 8.1.9.6, spokes were using LTE backup links as the primary transmit path.
ID: 48409 In rare instances, when trying to add an appliance to Orchestrator after preconfiguration, configuration
race conditions caused the appliance to reboot continuously.
NOTE: To see a historical list of issues fixed in appliance software releases, see Issues Fixed from Past Releases.

Upgrade Considerations
The following list summarizes considerations that must be addressed when upgrading from any previous version of
appliance software to ECOS 8.1.9.14.
Upgrades from ECOS 6.2

ECOS 6.2 can be directly upgraded to ECOS 8.1.9.14. Network downtime is expected during the process. It is
recommended to upgrade spokes first, then hubs.
Removal of Weak Cyphers

Support for older, weak ciphers has been removed from SNMP, HTTPS, and ssh. Please use modern tools to manage
Silver Peak appliances. Additionally, TLS 1.0 and 1.1 are no longer supported for HTTPS access – only TLS 1.2 is
supported.
Limited Support for Inline Router Mode on x600

Inline router mode support on x600 platforms is limited. Please contact customer support if you wish to enable inline
router mode on x600 model.
Removal of ip datapath route Command

The “ip datapath route” CLI command has been replaced with the “subnet” command.
No Support for Specific NX-1700 Appliances

ECOS 8.1.9.14 does not support NX-1700 appliances with part number 200404-001.
10Gbps Default for Auto-sensing Fiber Interfaces

Auto-sensing fiber interfaces are configured for 10Gbps operation by default. If you wish to use fiber interfaces in
1Gbps mode, please set the interface speed via Configuration > [System & Networking] Interfaces.
Change Admin Distance if PE-router is Configured

Admin distance must be changed if BGP peer-type of PE-router is configured. When upgrading from ECOS 8.1.5.x,
change the “Subnet Shared” and “BGP Remote” Admin Distance values to lower than the default value of 20 (for
example, 10).
Change Duplicate Routes Advertisement

Starting in release 8.1.9.4, the software selects the best route based on metric and then determines if the best route
needs to be advertised. If there are duplicate routes with the same characteristics, the appliance chooses one of the
routes at random. Due to this, you should remove any configured duplicate routes and enable the LAN subnet
advertisement flag.

Upgrade Considerations (continued)

Enhanced Admin Distance Configuration
The 8.1.9.4 release replaced Silver Peak “PE” and “Branch” AD values with EBGP and IBGP AD values respectively. After
upgrade:
• The EBGP AD will be the previously configured BGP-PE AD
• The IBGP AD will be the previously configured BGP-Branch AD.
For new installations the following are the default ADs:
• Subnet-shared static = 10
• Subnet-shared-BGP = 15
• Subnet-shared-OSPF = 15
• EBGP = 20
• IBGP = 200
• OSPF = 110
If branch or branch-transit BGP peers on LAN interfaces are configured as EBGP peers, ensure that the default ADs or
configured ADs in your network will continue to result in intended traffic paths for destination prefixes received from
multiple sources (e.g., same prefix received from MPLS PE router, subnet-sharing, and branch side BGP peers). If you
notice any change in traffic patterns after the upgrade, you may want to adjust ADs or other BGP parameters to
achieve desired traffic behavior.
VLANs Supported on Hyper-V

To ensure consistent behavior with VLANs in virtual environments, please ensure that *ALL* VLANs of interest are
defined in ECOS.

Known Issues
The following list contains known issues in ECOS 8.1.9.14.
ID: 53800 When swapping transceivers, you will need to manually change the speed in the GUI or CLI, or reboot
empty-db from the CLI, to ensure the correct speed is displayed in the UI.
ID: 48490 Loopback interfaces do not support firewall zones.
ID: 24657 For SaaS optimization in router mode, both LAN- and WAN-side routes must be identical. Configuring
a different LAN-side route (aka LAN gateway) is not currently supported.
ID: 23470 PPPoE is only supported in ILRM. PPPoE interfaces cannot be used for flow redirection.
ID: 16824 Jumbo frames are not supported on Virtual Appliances installed on the KVM hypervisor.
ID: 16799 Jumbo frames are not supported on Virtual Appliances installed on the XenServer hypervisor. Only one
VLAN is supported on Virtual Appliances installed on the XenServer hypervisor. The XenServer
hypervisor can be configured with one and only one VLAN; the hypervisor will strip the VLAN tag and
send untagged packets to the Virtual Appliance.
ID: 16106 The EdgeConnect-US, EdgeConnect-XS, NX-700 and NX-1700 appliances do not support jumbo
frames.
ID: 15101 Jumbo frames are not supported on Virtual Appliances installed on Microsoft’s Hyper-V hypervisor.
ID: 14168 Hot-swapping an SSD (or an SSD failure) may result in TCP connection resets or IP packet drops.
ID: 13155 If the https server and client negotiate an SSL compression method that is other than “NONE” (which
can happen if a compression method is configured on the https server), the connection will not receive
SSL-specific optimization (deduplication). If this occurs the error message reported in Current Flows will
be “'unsupported SSL compression method'”. To work around this, configure the compression method
on the https server as “NONE”.
ID: 12818 Using VMware Snapshots severely degrades the performance of Virtual Machines. Do not take
snapshots of Silver Peak Virtual Appliances.
ID: 10929 On the VX, VRX, and EC-V Virtual Appliances, configuration of Ethernet MTU, speed and/or duplex
settings requires host configuration in addition to Virtual Appliance configuration in the Appliance
Manager.
ID: 9316 Application classification of http on non-standard ports relies on heuristics that are determined after
flow creation. Therefore, the application classification is valid for reporting and monitoring but cannot
be used for route, QoS, or optimization match lookups because these lookups occur simultaneously
with flow creation. Such flows will be annotated “Heuristically Classified” in Monitoring > Current
Flows.
ID: 6508 mgmt1 cannot be in the same subnet as mgmt0. Always use separate subnets for mgmt0 and mgmt1.

Known Issues (continued)

ID: 6370 Bonding interfaces may fail to negotiate correctly with a Cisco switch after an appliance reboot. To
avoid this, enable auto-recovery on the Cisco switch to which the appliance is connected.
ID: 6333 If WCCP custom redirection is used with a 7-bit mask, add a route-map entry that directs all WCCP
control traffic (protocol UDP, port 2048) from Appliance IP addresses to pass-through unshaped.
ID: 6332 Auto-optimization is not effective in a network where there is a NAT implementation or a firewall that
does TCP sequence offsetting. In such networks, connections will fail to optimize.
ID: 6330 While configuring tunnels, software checks are not present to disallow the VRRP virtual IP address from
being the tunnel endpoint. Configuring the virtual IP address to be the tunnel endpoint can disrupt
traffic when a VRRP master switch happens and is not recommended.
ID: 2899 CIFS directory browsing optimization is not effective with Samba servers.

Additional Information
This section contains additional information about ECOS software, as well as past features and fixes that are included
in this release.
System Requirements
Hardware Compatibilities and Dependencies
ECOS supports Unity EdgeConnect US, Unity EdgeConnect XS, Unity EdgeConnect S, Unity EdgeConnect M, Unity
EdgeConnect L, Unity EdgeConnect XL, NX-700, NX-1700, NX-2500, NX-2600, NX-2610, NX- 2700, NX-3500, NX-3600,
NX-3700, NX-5500, NX-5504, NX-5600, NX-5700, NX-6700, NX-7500, NX-7504, NX-7600, NX-7700, NX-8504, NX-
8600, NX-8700, NX-9610, NX-9700, NX-10700, and NX-11700 Silver Peak Appliance hardware, and Unity
EdgeConnect V, VX-500, VX-1000, VX-2000, VX-3000, VX-5000, VX- 6000, VX-7000, VX-8000 and VX-9000 Silver Peak
Virtual Appliance software, and VRX-2, VRX-4, VRX-6, and VRX-8 Velocity Replication Acceleration software.
Software Compatibilities and Dependencies
• In the latest ECOS release, both HTTP and HTTPS connections to the Appliance Manager GUI are supported;
HTTPS is the recommended method of connection. The default method supports both.
• The Silver Peak Appliance’s Command Line Interface (CLI) can be accessed through a remote connection to
the device’s management interface using Secure Shell (ssh), or via the serial console port. For security
reasons, telnet connections are not supported.
• The Silver Peak Software upgrade process supports transferring the software image from a server to the
appliance via HTTP, HTTPS, FTP, and SCP (Secure Copy), via the Orchestrator (GMS), or transferring the image
directly from a host running the Appliance Manager GUI.
• It is highly recommended that interconnected appliances run the same image version. It is also highly
recommended that all appliances run the latest software version, 8.3.0.3. Consult the hardware/software
compatibility matrix on the Silver Peak Customer Support Portal at http://www.silver-
peak.com/support/portal_login.asp to ensure compatibility of your hardware platform(s) with ECOS 8.3.0.3.
• Please refer to the Silver Peak Appliance Manager Operator’s Guide for product and feature descriptions,
detailed instructions on how to configure and monitor the Silver Peak Appliances, and for detailed
instructions on how to install or upgrade appliance software.
• Silver Peak Systems does not recommend or support WCCP deployments with WCCP running on the Catalyst
6500 or 7600 running Hybrid CATOS.

New Features from Past Releases

The following table contains new features and enhancements, organized by the software version that first included
them.
Feature Description Earliest Release

with Feature
25 Gbps Support This release adds support for 25 Gbps fiber interface cards in 8.1.9.12
the EC-XL appliance with the following part numbers.
Appliance Fiber Card Part Number

EC-XL-P 201632
EC-XL-P-NM 201633
spsadmin Account The spsadmin account has been removed. 8.1.9.12

Removed
Reject Self-signed Appliances can now be configured to reject self-signed 8.1.9.12

Certificates certificates. This feature addresses CVE-2020-12143 and CVE-
2020-12144.
IKE-less Seed Distribution A new IKE-less seed distribution mechanism is now 8.1.9.12
supported in ECOS. This feature addresses CVE-2020-12142.
Directory Traversal Fixes API changes have been made to restrict traversal of other 8.1.9.12
directories, limiting access to sensitive data.
CSRF Fixes Changes have been made that greatly reduce or eliminate 8.1.9.12
the possibility of a cross-site forgery request (CSRF) on the
appliance.
Support for additional ECOS 8.1.9 adds support for the following part numbers. 8.1.9.6
hardware appliance part
EC-M-P 201552
numbers.
EC-M-B 201553
NX-2700 201554
NX-3700 201555
NX-5700 201556
NX-6700 201557
NX-7700 201558
DNS Proxy ECOS 8.1.9 adds DNS proxy support to allow local Internet 8.1.9.5
breakout traffic to resolve DNS with one server while internal
traffic is resolved via a separate server.
DNS proxies are configured vis the Orchestrator
“Configuration > DNS Proxy.” It is required to create a
loopback interface for the DNS proxy (see below).
Support for Multiple DHCP ECOS 8.1.9 allows the configuration of multiple DHCP relay 8.1.9.5
Relay Agents agents (on an interface or VLAN basis).
Zone Based Firewall Flow ECOS 8.1.9 adds flow logging to the zone-based firewall. This 8.1.9.5
Logging is configured via the Orchestrator “Security Policies” tab.


with Feature
Loopback Interfaces ECOS 8.1.9.5 adds support for loopback interfaces, 8.1.9.5
configured via Orchestrator under Configuration >
Networking > Loopback Interfaces.
USB ZTP Configuration ECOS 8.1.9.5 adds support for USB-based Zero Touch 8.1.9.5
Provisioning (ZTP) by searching for a yaml pre-configuration
file on attached USB drives.
Zscaler Orchestration ECOS 8.1.9 adds support for orchestration of tunnels to 8.1.9.4
Zscaler ZENs. Please consult the Orchestrator release notes
for details on this feature.
Multi-hop BGP ECOS 8.1.9 adds support for BGP peers that are not directly 8.1.9.4
connected.
BGP Next-Hop Self ECOS 8.1.9 adds configurable BGP next-help-self. BGP next- 8.1.9.4
hop-self can be enabled from Configuration > BGP.
AS Path Propagate ECOS 8.1.9 adds the capability to propagate AS path learned 8.1.9.4
at remote sites to local BGP peers. This can be enabled from
Configuration > BGP.
Port Forwarding Port forwarding now supports protocol wildcard specifier 8.1.9.4
Enhancement “any”.
Admin Distance ECOS 8.1.9 replaces Silver Peak “PE” and “Branch” AD values 8.1.9.4
Enhancements with EBGP and IBGP AD values respectively. After upgrade:
• The EBGP AD will be the previously configured BGP-

PE AD
• The IBGP AD will be the previously configured BGP-

Branch AD.
For new installations the following are the default ADs:
• Subnet-shared static = 10
• Subnet-shared-BGP = 15
• Subnet-shared-OSPF = 15
• EBGP = 20
• IBGP = 200
• OSPF = 110
Please review “Considerations for Upgrade.”
BGP Graceful Restart ECOS 8.1.9 adds support for BGP graceful restart. BPG 8.1.9.3
graceful restart can be enabled from Configuration > BGP.


with Feature
Support for additional ECOS 8.1.9 adds support for the following part numbers. 8.1.9.1
EC-L-B 201270
numbers.
EC-XL-B 201271
EC-L-B-NM 201272
EC-XL-B-NM 201273
EC-L-P 201305
EC-XL-P 201306
EC-L-P-NM 201307
EC-XL-P-NM 201308
Find Preferred Route and ECOS 8.1.9 provides the ability to find the preferred route for 8.1.9.1
Admin Distance / Peer a specific IP address. This is available via Configuration >
Priority Metrics Routes.
ECOS 8.1.9 adds a metric column to Configuration > Routes

that can be toggled to display either the admin distance or
peer priority metrics.
“Comments” Field for ECOS 8.1.9 adds a “Comments” field to the deployment 8.1.9.1
Deployment dialog which retains notes or comments specific to the
appliance.
Support for Multiple LAN- ECOS 8.1.9 adds support for multiple LAN-side interfaces in 8.1.9.1
side Interfaces in the Same the same subnet.
Subnet
Disabling Support for OSPF ECOS 8.1.9 adds the capability to disable support for opaque 8.1.9.1
Opaque LSAs OSPF LSAs. Opaque LSAs are enabled by default and can be
disabled via the CLI commend: ospf opaque disable.
ATA Secure Erase ECOS 8.1.9 adds ATA secure erase that wipes the entire 8.1.9.1
contents of a drive at the hardware level. Extremely security
conscious customers may want to exercise this command
prior to replacing and disposing of a failed SSD. ATA secure
erase is available via the CLI command: system disk <disk
ID> remove secure.
“Fail Open” in Bridge Mode ECOS 8.1.9 adds the capability to configure a bridge mode 8.1.9.1
appliance to “fail open” instead of the default fail-to-wire
behavior. This is configurable via the CLI command: system
bypass mode [fail-to-open | fail-to-close | fail-to-nic |
default].
Protection from Port ECOS 8.1.9 adds protection from port scanning devices or 8.1.9.1
Scanning software by internally rate limiting the rate at which
connections with no data are serviced.
SSL Optimization SSL optimization now supports ECDHE ECDSA with AES 256 8.1.9.1
Enhancement GCM SHA384.


with Feature
DNS Application DNS application classification has been enhanced to cached 8.1.9.1
Classification Enhancement DNS entries across appliance reboots.
Multicast ECOS 8.1.9 introduces support for Protocol Independent 8.1.9.0

Multicast - Sparse Mode (PIM-SM). Currently this feature
supports MPLS links only and is configurable by the CLI:
• pim set rp <rp-ip>
• pim interface <name of intf> enable/disable
• show pim neighbors
• show pim mroute
• show igmp groups
• show pim interfaces
• show pim rp
• igmp interface <name of intf> enable/disable
Multicast is a Beta feature.
IP Address ACL Match ECOS 8.1.9 enhances the ACL match for IP Address by 8.1.9.0
Enhancements allowing for ranges and wildcards.
Enhancements to SaaS SaaS optimization now supports: 8.1.9.0

Optimization
• User-defined SaaS applications. This enables SaaS
optimization for applications that are not available
from the Silver Peak portal.
• Configuration of SaaS optimization probe interface

via labels in addition to physical interfaces.
Explicit Declaration of ECOS 8.1.9 displays built-in policies via “Support > User 8.1.9.0
Implicit Policies Documentation > Built-in Policies.”
Inbound Port Forwarding Inbound port forwarding has been enhanced to allow in- 8.1.9.0
Enhancement bound WAN packets to pass un-modified (not translated) to
the LAN.
SSL Optimization SSL optimization now supports ECDHE named curve 29. 8.1.9.0
Enhancement
MOS Estimation ECOS 8.1.9 adds MOS (Mean Opinion Score) estimates for 8.1.9.0
Quality of Experience. MOS estimates are visualized via
Orchestrator.


with Feature
Zone Based Firewall ECOS 8.1.8 introduces zone-based firewalling which enables 8.1.8.0
end-to-end network segmentation across an enterprise SD-
WAN network.
The zone-based firewall provides complete segmentation

between zones on the LAN side with built-in anti-spoofing.
Zones can be defined based on physical interfaces, logical

interfaces, sub-interfaces, VLAN-tags, or layer-7 ACLs.
The zone-based firewall is fully automated via the

Orchestrator “Security Policies” tab.
IPSec Service Chaining ECOS 8.1.8 introduces IPSec service chaining to 3rd parties 8.1.8.0
(e.g. cloud-hosted next generation firewalls).
IPSec service chaining can be configured via the Orchestrator

“Tunnels” tab.
IPFIX ECOS 8.1.8 adds support for flow export via IPFIX. 8.1.8.0
IPFIX is enabled via the Orchestrator “Flow Export” tab.
IP SLA Enhancements ECOS 8.1.8 adds an HTTP ping monitor to the IP SLA tracking 8.1.8.0
feature.
IP SLA is fully automated via the Orchestrator “IP SLA” tab.
Web Proxy Support ECOS 8.1.8.0 now supports application classification when 8.1.8.0
deployed behind a web proxy.
EC-M-P and EC-M-B ECOS 8.1.7 introduces support for the Unity EdgeConnect 8.1.7.3
EC-M-P and EC-M-B appliances. The EC-M-P (P for
pluggable) is a variant of the EC-M that supports pluggable
SR and/or LR optics. EC-M-B (B for bypass) is the new name
for the EC-M.
IPv6 Support for Inline ECOS 8.1.7 adds IPv6 support to inline router mode 8.1.7.0
Router Mode deployments.
BGP Enhancements ECOS 8.1.7 adds the following enhancements to BGP routing: 8.1.7.0
• Soft-Reset: Soft reset is a manual trigger to request

a BGP route update from a BGP peer
• Input Metric: Input metric provides the capability to

change the BGP learned metric before the route is
added to the routing table
• BGP Communities: Locally learned BGP communities

are carried over the Silver Peak fabric to remote
Silver Peak peers and advertised to the remote BGP
neighbors


with Feature
Inbound Port Forwarding ECOS 8.1.7 adds inbound port forwarding in order to allow 8.1.7.0
reachability to LAN-side branch devices from the WAN.
Inbound port forwarding rules can be added via the

Orchestrator: Configuration > Inbound Port Forwarding.
Inbound port forwarding is limited to one hundred rules.
Shaper Enhancements ECOS 8.1.7 adds the capability to automatically rebalance the 8.1.7.0
shaper’s bandwidth should any of outbound WAN links
become unavailable.
To enable this feature, select the “Rebalance for Available
Interfaces” checkbox on Configuration > Shaper.
Additionally, shaper minimum and maximum bandwidths can

now be configured both as absolute values and relative
percentages.
TCP MSS Clamping for ECOS 8.1.7 introduces TCP MSS clamping in order to prevent 8.1.7.0
Internet Breakout fragmentation (and potentially increased latency or dropped
packets) for internet breakout traffic on networks with lower
MTUs.
To enable TCP MSS clamping, set the Maximum TCP MSS on

the Configuration > System page.
Flow Redirection on WAN ECOS 8.1.7 adds support for flow redirection on WAN 8.1.7.0
Interfaces interfaces.
TCP Acceleration for IPv6 ECOS 8.1.7 adds support for TCP acceleration of IPv6 traffic. 8.1.7.0
Cloud-Init ECOS 8.1.7 adds Cloud-Init support to EdgeConnect Virtual 8.1.7.0

(EC-V). When EC-V is used as a VNF (Virtual Network
Function), Cloud-Init loads startup configuration on first
boot. This configuration typically contains management IP
address / mask, default route, interface MAC addresses,
tenant’s account name, key etc.
OSPF ECOS 8.1.7 introduces OSPF routing to allow Silver Peak’s 8.1.7.0
SD-WAN subnet-sharing protocol to share routes with
traditional WAN routers. ECOS 8.1 can advertise routes to
traditional routers as well as learn routes from traditional
routers. The primary use-cases supported are:
1. Advertisement of Silver Peak SD-WAN subnets into

an existing data-center router for the purposes of
allowing traditional branch routers to gain
reachability to Silver Peak SD-WAN branches.
2. Learning branch routes from an existing large

branch router that is subtending many subnets.
OSPF support is enabled via Configuration > OSPF.


with Feature
Edge High Availability ECOS 8.1.6 introduces Edge High Availability. 8.1.6.0
Edge High Availability is a unique high availability

architecture that enables each appliance in an HA pair to
terminate only one WAN link while still providing automation
via Business Intent Overlays and link resiliency via tunnel
bonding.
IPSec UDP Overlays ECOS 8.1.6 introduces IPSec UDP overlays. IPSec UDP 8.1.6.0
overlays are more deterministic and reliable than traditional
IPSec Overlays. IPSec UDP overlays must be configured via
the Orchestrator.
Mini License ECOS 8.1.6 introduces the Mini license which supports up to 8.1.6.0
50Mbps of SD-WAN.
Please note that Plus cannot be applied to a Mini license.
Application Visibility and ECOS 8.1.6 introduces new Application Groups that provide 8.1.6.0
Control Enhancements more flexible grouping of applications than was previously
possible. Further, over 200 groups are pre-defined and most
data-center and SaaS applications are pre-assigned into
groups.
Upon upgrade to 8.1.6 existing Application Groups can be
migrated to the new Application Groups.
Configurable BGP ECOS 8.1.6 adds configuration of the following BGP peer 8.1.6.0
Parameters parameters:
• Local Preference
• MED (Multi-Exit Discriminator)
• AS Prepend Count
• Keep Alive Timer
• Hold Timer
Configurable Interface for ECOS 8.1.6 allows configuration of the physical interface over 8.1.6.0
SaaS Probes which SaaS Optimization probes are sent.
Modified High Efficiency ECOS 8.1.5 modifies the behavior of High Efficiency bonding 8.1.5.3
Bonding to maintain equal percentage utilization of all links.


with Feature
EC-US ECOS 8.1.5 introduces support for the Unity EdgeConnect US 8.1.5.3
appliance.
The Unity EdgeConnect US is an ultra-compact form factor,

thin edge appliance that serves to build an SD-WAN fabric
using Zero Touch Provisioning. It supports MPLS, 4G/LTE and
internet-based hybrid WAN data paths and a control plane
that is automated and secured by the Unity Orchestrator
software, providing policy-based virtual network
segmentation and acceleration of on-premise and SaaS
cloud applications. A key feature of EdgeConnect US is silent,
fanless operation, making it an ideal platform for small
branch and home office environments with typical WAN
bandwidth up to 100 Mbps.
IP SLA ECOS 8.1.5 introduces IP SLA tracking that allows you to 8.1.5.0
perform actions according to the state of certain monitored
objects. The currently available monitors are interface, IP
ping, and VRRP state. The current actions are enable/disable
tunnel, decrease/increase VRRP priority, and modify subnet
metrics.
IP SLA can be configured via “Configuration > IP SLA”.
PPPoE Interfaces ECOS 8.1.5 introduces support for PPPoE (Point-to-Point 8.1.5.0
Protocol over Ethernet). PPPoE can be configured via
“Configuration > PPPoE”.
New “Interfaces” “Configuration > Interfaces” has been redesigned for 8.1.5.0
Configuration Page simplicity and clarity.
Improved Application Port-based application classification is now dynamically 8.1.5.0

Classification by Port updated from the Silver Peak cloud portal via the published
IANA port list.
Per-Flow Maximum Rate ECOS 8.1.5 introduces a new QoS parameter – per-flow 8.1.5.0
Control maximum rate control.
DNS Application DNS Application Classification now extracts domain 8.1.4.0

Classification Enhancement information from HTTP get responses.
Internet Breakout with ECOS 8.1.4 introduces internet breakout with stateful firewall. 8.1.4.0
Stateful Firewall and NAT Internet breakout is enabled via Configuration > Tunnels.
Fine Grained Control of ECOS 8.1.3 adds fine-grained control of appliance 8.1.3.0
Management Traffic management plane traffic.
Enhanced Application ECOS 8.1 greatly enhances application visibility with IP 8.1.0.0
Visibility intelligence, domain name classification, and automatic
classification of RTP traffic. ECOS 8.1 also adds wild-card
matching (e.g. “*Netflix*) in match criteria.


with Feature
BGP Routing ECOS 8.1 introduces BGP routing to allow Silver Peak’s SD- 8.1.0.0
WAN subnet-sharing protocol to share routes with
traditional WAN routers. ECOS 8.1 can advertise routes to
traditional routers as well as learn routes from traditional
routers. The primary use-cases supported are:
1. Advertisement of Silver Peak SD-WAN subnets into
an existing data-center router for the purposes of
allowing traditional branch routers to gain
reachability to Silver Peak SD-WAN branches.
2. Learning branch routes from an existing large

branch router that is subtending many subnets.
BGP support is enabled via Configuration > BGP.
Interface Bonding on ECOS 8.1 introduces interface bonding for 10Gbps interfaces. 8.1.0.0
10Gbps Ports This feature is only available on the EdgeConnect-XL, NX-
10700, and NX-11700 appliances.
When 10Gbps interface bonding is enabled, the bonded

pairs are blan0 (tlan0/tlan1) and bwan0 (twan0/twan1).
Interface bonding is enabled via Configuration >

Deployment.
IPv6 ECOS 8.1 introduces IPv6 UDP, GRE, and IPSec tunnels. 8.1.0.0
SHA-2 Hash for IPSec ECOS 8.1 introduces SHA-2 hash support for IPSec tunnels. 8.1.0.0
SHA-2 hash support is enabled via Configuration > Tunnels
[Advanced Options].
Extended DHCP Server ECOS 8,1 extends the DHCP Server feature to support all 8.1.0.0
Options options in RFC 1533.
SNMPv3 Enhancements ECOS 8.1 extends SNMPv3 support by adding support for 8.1.0.0
traps and supporting multiple SNMPv3 users, each with their
own authentication/privacy settings.
Custom https Certificates ECOS 8.1 supports the addition of custom https certificates 8.1.0.0
for Appliance Management for appliance management, Custom certificates can be
uploaded via Administration > HTTPS Certificate Upload.
Interface Flexibility for Flow ECOS 8.1 allows any configured physical interface to be 8.1.0.0
Redirection utilized for Flow Redirection.
Return Pass-Through Traffic ECOS 8.1 allows pass-through L2 redirected traffic to be sent 8.1.0.0
to L2 Sender to the original (forwarding) router instead of the WAN-side
next hop. This feature is disabled by default and can be
enabled via Configuration > System [Always send pass-
through traffic to original router].


with Feature
Support for additional ECOS 8.0 adds support for the following part numbers. 8.0.3.0
numbers. EC-M 200969
NX-2700 201020
NX-3700 201021
NX-5700 201022
NX-6700 201023
NX-7700 201024
Business Intent Overlays ECOS 8.0 introduces Business Intent Overlays. 8.0.0.0
Business Intent Overlays virtualize all underlying transports

and segment the WAN allowing for different policies to be
applied per application or application group.
Business Intent Overlays are described at a high-level and are

applied enterprise wide. The components of the Overlays
include the access policy, logical topology, link bonding and
QoS policies.
Business Intent Overlays are deployed and managed by the

Unity Orchestrator.
Deployment Profiles ECOS 8.0 introduces Deployment Profiles to abstract the 8.0.0.0
personality of EdgeConnect devices. Deployment Profiles
assign labels with global (SD-WAN fabric-wide) semantics to
the underlying physical transports (for example, “MPLS” and
“Internet”).
Deployment Profiles can be applied at the time a new
EdgeConnect device is Zero Touch Provisioned and ensure
consistent configuration of network policies without
configuration drift due to manual box-by-box configuration.
Deployment Profiles are created and managed by the Unity
Orchestrator.


with Feature
Packet-Based DPC ECOS 8.0 introduces Packet-Based Dynamic Path Control also 8.0.0.0
known as “bonded tunnels.” Bonded tunnels form a virtual
transport that combines one more underlying physical
transports (for example, MPLS and Internet) into one logical
“pipe.”
Bonded tunnels allow the configuration of a bonding policy
that can either emphasize transmission resiliency in the face
of transmission errors and losses or favor maximum
throughput by load balancing packet data. Bonded tunnels
also allow for the specification of blackout or brownout SLA
policies that dictate when data are sent over a backup
physical transport instead (for example, 4G LTE).
Bonded tunnels form the data plane of the Business Intent
Overlays and therefore each application or category of
applications can specify its own independent bonding
policies.
Bonded tunnels are deployed and managed by the Unity
Orchestrator.
DHCP Server/Relay ECOS 8.0 introduces built-in DHCP server and relay 8.0.0.0
capabilities. The DHCP server or relay function can be
configured per interface i.e. any combination of physical port
and/or VLAN.
DHCP Server/Relay configuration can be applied by the Unity
Orchestrator from the Deployment Profiles screen or
performed manually using the CLI on an EdgeConnect
device.
Inbound QoS ECOS 8.0 introduces support for inbound (ingress) QoS. 8.0.0.0
Inbound QoS can be enabled via Configuration > [System &
Networking] Shaper.
IPv6 ECOS 8.0 introduces support for PBR router mode 8.0.0.0
deployments.

Issues Fixed from Past Releases

The following table contains new features and enhancements, organized by the software version that first included
them.
Issue First Release to

Resolve
ID: 54295. ACL rules were not working as expected if the rule used both an IP range and a 8.1.9.13
wildcard.
ID: 54145. Orchestrator failed to push optimization template to an appliance without a boost 8.1.9.13
license.
ID: 54123. The LAN interface was listening on TCP 80 even though session management was 8.1.9.13
configured for HTTPS only.
ID: 54092. Routes were not getting advertised to BGP PE peers, and an auto-configured failover 8.1.9.13
route was not getting installed after the manual route went down.
ID: 53902. At times, an appliance could have duplicate entries on Cloud Portal, and one of the 8.1.9.13
entries would remain in the unapproved state.
ID: 53861. When running in "Allow All" mode, tunnels were going down intermittently if they 8.1.9.13
terminated at the WAN interfaces of a pair of appliances in an Edge HA configuration.
ID: 53857. In some cases, the IPSec UDP key material (seed) lifetime value from Orchestrator was 8.1.9.12
being overwritten by a tunnel configuration change. This would result in the seed expiring before
getting refreshed, and tunnels were going down temporarily.
ID: 53788. VLANs were not working on the EC-XL with 25Gbps fiber cards 8.1.9.12
ID: 53677. Appliance software could not be rolled back to 8.1.9.x after being upgraded to 8.3.x. 8.1.9.12
ID: 53670. After advertising a route to the LAN side, the appliance would reboot unexpectedly 8.1.9.12
after receiving ping packets.
ID: 53644. An issue with flow redirection was causing the appliance to reboot unexpectedly 8.1.9.12
ID: 53636. Setting speed-duplex to auto/auto for fiber interfaces is now allowed, and the setting 8.1.9.12
will be preserved during an upgrade.
ID: 53548. GRE tunnels with Zscaler were not working with an interface's secondary IP address. 8.1.9.12
ID: 53534. Some changes have been made to help prevent a stack overflow that was causing the 8.1.9.12
appliance to reboot unexpectedly.
ID: 53180. Threshold crossing alerts were not being cleared after a tunnel had been deleted. 8.1.9.12
ID: 53169. Running the running "show ssh server host-keys" command was generating an internal 8.1.9.12
error.
ID: 52989. Some BGP peers were advertising the appliance's own route back to the appliance. 8.1.9.12
ID: 52980. In rare cases, when http/https snooping was enabled, Orchestrator was unable to fetch 8.1.9.12
flows on an appliance, and the appliance indicated that flow data had been corrupted.
ID: 52805. Named passthrough tunnels were not being assigned a valid remote node ID, which 8.1.9.12
was causing traffic to be routed incorrectly.
ID: 52803. In certain cases, a TCP MSS mismatch between the sender and receiver was causing 8.1.9.12
issues with some application traffic.


Resolve
ID: 52782. Traffic matching the Zscaler BIO was using an incorrect underlay. 8.1.9.12
ID: 52703. In some cases, the Orchestrator IP address could not be configured via USB ZTP. 8.1.9.12
ID: 52663. When TCP acceleration was enabled, some flows that should have been passthrough 8.1.9.12
had an optimization policy applied.
ID: 52631. The appliance was unreachable from Orchestrator due to an issue with the node.js 8.1.9.12
service. Rebooting the appliance fixed the issue.
ID: 52613. For some appliances that were connected to Cloud Orchestrator via internet circuits, the 8.1.9.12
appliances were repeatedly showing as unreachable in Orchestrator.
ID: 52514. In some cases, sshd was causing unexpectedly high CPU usage. 8.1.9.12
ID: 52488. Customers can now use the RMA wizard to replace a virtual appliance. 8.1.9.12
ID: 51566. In certain cases, some tunnels would only come up after applying a tunnel exception in 8.1.9.12
Orchestrator and then later removing the exception.
ID: 48581. After modifying the deployment LAN side next hop IP address, the VRRP configuration 8.1.9.12
was getting unexpectedly deleted.
ID: 52453. In some cases when a partial page was being merged from a flow that had aged out 8.1.9.11
and been deleted, the appliance would reset unexpectedly.
ID: 52378. Management traffic from certain sites was getting dropped. 8.1.9.11
ID: 52362. For some EdgeHA UDP IPSec tunnels, more than one packet in a flow was being treated 8.1.9.11
as the first packet, and NAT was allocating multiple ports.
ID: 52091. A mismatch in UDP payload size was causing DNS resolution to fail from LAN side 8.1.9.11
appliances.
ID: 52049. Added some additional logging capabilities to help diagnose issues with certain tunnels 8.1.9.11
going down and showing up in flows as Passthrough (NO ROUTE).
ID: 51982. Manually adding a management route results in duplicate routing table entries as the 8.1.9.11
system is auto-creating the same route.
ID: 51977. Self-gen packets were getting dropped at a non-existent interface, causing the 8.1.9.11
ID: 51964. The appliance reset unexpectedly after adding an interface on the Deployment page. 8.1.9.11
ID: 51789. Default routes were being repeatedly added and deleted, causing connection issues. 8.1.9.11
ID: 51749. Rapid addition/deletion of the same route was causing the appliance to reboot 8.1.9.11
unexpectedly.
ID: 51707. Tunnel utilization alarms were being triggered even though the alert threshold had not 8.1.9.11
been crossed.
ID: 51129. NAT rules were not working for all flows. 8.1.9.11
ID: 50763. sysd.EMERG logs were being seen at the NOTICE level. 8.1.9.11
ID: 48515. Rapid addition/deletion of the same route was causing the appliance to reboot 8.1.9.11
unexpectedly.


Resolve
ID: 47759. VRRP was ignoring configured priority on sub interfaces when authentication was 8.1.9.11
enabled.
ID: 47454. Users were unable to select bwan0 as the flow-redirection interface on a pair of EC-XL 8.1.9.11
appliances.
ID: 51825. BGP community information was not being passed between appliances running 8.1.9.10
different ECOS software versions.
ID: 51702. Following a reboot, the PPPoE interface was losing label information. Since IPSLAs use 8.1.9.10
interface labels for specifying an interface, the PPPoE IPSLA stopped working as the label was no
longer associated with any interface.
ID: 51735. Audit logs were displaying the password for PPPoE. 8.1.9.9
ID: 51727. Disabled Dead Peer Detection (DPD) to avoid having tunnels torn down due to 8.1.9.9
timeouts. Note that full DPD support is available in ECOS 8.2.1.0 and 8.3.0.0.
ID: 51695. An issue with WAN packet routing was causing the data path to use an invalid flow 8.1.9.9
WAN tunnel ID, resulting in an unexpected reboot.
ID: 51648. In some scenarios, the node process was trying to synchronize a change while also 8.1.9.9
updating the RTT calculation, resulting in an unexpected reboot.
ID: 51439. If an HA tunnel went down, the flow was dropped but not resuming when the tunnel 8.1.9.9
came back up because the flow was not getting reclassified.
ID: 51279. Fixed an issue that was causing flows to be transmitted as "passthrough-unshaped," 8.1.9.9
even though a route to the destination existed and underlay and overlay tunnels were up - active.
ID: 50731. Fixed an issue that was causing UDP traffic to be sent as passthrough, even though a 8.1.9.9
valid route and peer were available.
ID: 50690. In some scenarios, SNMPv3 pooling would stop working and could only be restored by 8.1.9.9
disabling and re-enabling it.
ID: 51654. Following an upgrade to ECOS 8.1.9.7, flow count was unusually high and causing 8.1.9.8
excessive CPU utilization.
ID: 51475. When multicast was enabled on mgmt0, routes were getting added to the management 8.1.9.8
routing table and causing unexpected reboots.
ID: 51445. When using the API to configure multiple applications, including compound 8.1.9.8
applications, multiple domain/service names were given for a compound rule, resulting in an
unexpected reboot.
ID: 51324. A memory leak in the IPSLA module was causing unexpected appliance reboots. 8.1.9.8
ID: 51313. In rare cases, the appliance would reboot when processing a Citrix- accelerated 8.1.9.8
connection.
ID: 51300. In some cases, following a tunnel down event, the best route for a subnet was being 8.1.9.8
determined incorrectly.
ID: 51150. If a subnet metric value was modified by an IPSLA, the value was not being restored to 8.1.9.8
its original setting after the affecting IPSLA was removed.


Resolve
ID: 51035. In some instances, the API was being called with invalid data, causing one or more 8.1.9.8
processes to hang and eventually leading to an unexpected reboot.
ID: 51000. High flow rates were causing abnormally high CPU utilization, resulting in an overall 8.1.9.8
performance degradation.
ID: 50800. ESP traffic was getting dropped at the WAN interface when firewall state was set to 8.1.9.8
"stateful."
ID: 50591. When a route policy was directing traffic pass-through and an optimization policy for 8.1.9.8
the same traffic was disabling TCP acceleration, expired flows were not being deleted.
ID: 49757. Some changes have been made to help prevent a stack overflow that was causing the 8.1.9.8
ID: 51263. The PPPoE interface was failing to recover when the underlying interface went down 8.1.9.7
and came back up.
ID: 50964. Insufficient validation when manually adding routes via CSV import were allowing bad 8.1.9.7
routes to be created, and these entries could not be deleted without restoring a previous
configuration to the appliance.
ID: 50879. Changed the way security associations (SAs) behave for 3rd party IPSec tunnels to avoid 8.1.9.7
a high number of repeated negotiation requests or rekeys.
ID: 50875. Creating a default route entry (0.0.0.0/32) for interfaces assigned a 32- bit IP address 8.1.9.7
and not having a configured default gateway was causing issues in some customer deployments.
ID: 50803. Local BGP routes were not being advertised to local BGP peers during Admin Distance 8.1.9.7
(AD) change for remote static routes. If two protocols (e.g., subnet sharing and BGP) have the
same AD, route metrics will be used to choose the best route among duplicates across route
types.
ID: 50756. In this release, we removed CIFS, CITRIX, and iSCSI rules and changed TCP advanced 8.1.9.7
options for lan-to-wan and wan-to-lan max buffer for default 65535 from 64,000KB to 4,000KB.
ID: 50692. Packet direction was being set incorrectly when received from the WAN side and 8.1.9.7
destination was local. This was causing the return packet direction to be set as WAN to LAN, which
meant that reverse DNAT was not being applied.
ID: 50687. Under some circumstances, BGP/OSPF was causing CPU0 to hit 0% idle intermittently. 8.1.9.7
ID: 50652. A race condition between tunnel deletion and pathchar message processing was 8.1.9.7
causing a segment fault, resulting in an unexpected reboot.
ID: 50592. During upgrade, the appliance rebooted unexpectedly while applying loopback 8.1.9.7
configuration, causing the upgrade to fail.
ID: 50567. For hairpin flows, the Rx action was being updated before the flow became bidirectional 8.1.9.7
and it was displaying an incorrect status.
ID: 50523. When a route policy directed traffic pass-through and an optimization policy for the 8.1.9.7
same traffic disabled TCP acceleration, expired flows were not being deleted.
ID: 50492. Under some rare circumstances, subnet sharing updates were delayed by up to 15 8.1.9.7
minutes.


Resolve
ID: 50490. Fixed an issue where appliance datapath IPs were not accessible from the SDWAN 8.1.9.7
fabric when Zone-based Firewall was enabled.
ID: 50486. The auto-generated route had been DOWN for a newly added loopback interface. 8.1.9.7
ID: 50442. The "ssh listen interface" command was not working as expected, depending on the 8.1.9.7
interface selected.
ID: 50375. After Orchestrator closed the appliance browser, the active session would remain until 8.1.9.7
the appliance auto logout timer expired, resulting in failure of new logins when sessions should be
available.
ID: 50320. In some cases, Threshold Crossing Alerts were being incorrectly triggered for bonded 8.1.9.7
tunnels.
ID: 50248. AVC domain match was incorrectly matching substrings of a domain. 8.1.9.7
ID: 50214. On rare occasions, an installed IP SLA monitor could not be modified or deleted until 8.1.9.7
after an appliance reboot.
ID: 50199. When the IP SLA monitor comes back up, the priority of the VRRP interface was not 8.1.9.7
being restored to the configured value.
ID: 50132. Under certain circumstances, the VRRP module was delayed in responding to 8.1.9.7
management requests, causing the UI to hang briefly.
ID: 50020. In rare cases, deleting and adding VLAN interfaces was causing the appliance to reboot 8.1.9.7
unexpectedly.
ID: 49995. DHCP relay flows were being policy dropped and not getting reset for some time, 8.1.9.7
making it appear that the appliance had no route to the DHCP server.
ID: 49841. Added a fix so that PPPoE interfaces start and restart in a more reliable way to ensure 8.1.9.7
that unknown or non-configured device numbers are getting created.
ID: 50218. Multicast failed to initialize on tlan0 or twan0 interfaces. 8.1.9.6
ID: 50186. Some tunnels “Down Mis-configured” in Edge HA deployment. 8.1.9.6
ID: 50026. Incorrect subnet selection after 8.1.7.x to 8.1.9.x upgrade running mis- matched 8.1.9.6
releases.
ID: 49866. DSCP matching in ACL incorrect. 8.1.9.6
ID: 49839. Only the first port entry in a comma separated ACL entry is matched. 8.1.9.6
ID: 49814. Node service fails to start when 'web https enable' is enabled. 8.1.9.6
ID: 49765. Zone-based firewall fails to forward traffic when using tagged VLAN interfaces with LAN 8.1.9.6
interface labels.
ID: 49734. CLI: show pim neighbors has no output. 8.1.9.6
ID: 49688. ECOS should permit /31 addresses. 8.1.9.6
ID: 49675. [CVE-2018-15473] OpenSSH vulnerability. 8.1.9.6
ID: 49635. EC-V is limited to 16 CPUs. 8.1.9.6

Resolution: EC-V now supports 32 CPUs.


Resolve
ID: 49560. BGP- local preference attribute ignored over AS path. 8.1.9.6
ID: 49497. BGP route updates are not logged. 8.1.9.6
ID: 49375. ECOS should support the option to add ASN and locally configured communities to 8.1.9.6
subnet shared routes.
ID: 49209. ECOS does not support AWS CloudInit. 8.1.9.6
ID: 49186. IP addresses in routing logs are not human readable. 8.1.9.6
ID: 49094. LAN side VRRP addresses not responding to ICMP when received via tunnel. 8.1.9.6
ID: 48992. Appliance reset when performing FEC at high rates with a large amount of errored 8.1.9.6
packets.
ID: 46714. EC-V VLAN filtering issues with SRIOV i40evf driver on ENCS platform. 8.1.9.6
ID: 46607. EC-V with SR-IOV adds double VLAN tags. 8.1.9.6
ID: 50012. When BGP branch route flapped, subnet shared default route was removed from peers. 8.1.9.5
ID: 49466. CVE-2019-11477, CVE-2019-5599, CVE-2019-11479 vulnerabilities. 8.1.9.5
ID: 49371, Appliance reset in network with 10,000+ tunnels and large differential latency. 8.1.9.5
ID: 49339. Some TCP non-accelerated flows did not timeout. 8.1.9.5
ID: 49318. Some UDP traffic was incorrectly sent pass through. 8.1.9.5
ID: 49297. Bonded tunnel incorrectly set to fail state causing traffic to be routed incorrectly. 8.1.9.5
ID: 49252. AVC compound classification is not functioning correctly with DSCP. 8.1.9.5
ID: 49250. Unexpected reset when changing virtual interface. 8.1.9.5
ID: 49194. IPSec UDP tunnel down after upgrade to 8.1.9.4. 8.1.9.5
ID: 49046. Appliance reset when processing IPSec packet with no ESP header. 8.1.9.5
ID: 49036. When BGP and OSPF are both disabled the learned protocol information (AS path, 8.1.9.5
communities, route tags) is not persisted and is therefore not available when BGP or OSPF are
later enabled.
ID: 48988. When switching from DHCP server to DHCP relay then back to DHCP server, the process 8.1.9.5
fails.
ID: 48987. Custom SAAS application NAT failed. 8.1.9.5
ID: 48948. Tunnel health retry count defaults to 30 secs after reboot. 8.1.9.5
ID: 48889. Subnet sharing failed to redistribute to OSPF with very large routing table. 8.1.9.5
ID: 48510. There is no CLI to display the routing table for debug. 8.1.9.5
ID: 48464. Improve the precision of the formula used to calculate tunnel metric for sorting overlay 8.1.9.5
tunnels.
ID: 48463. DHCP server intermittent performance under load. 8.1.9.5
ID: 48433. Appliance manager does not correctly validate VLAN IDs. 8.1.9.5
ID: 48412. Traffic flow failed to route correctly when a WAN label was changed. 8.1.9.5


Resolve
ID: 48363. DSCP value appears “na” in Flows report. 8.1.9.5
ID: 48352. Appliance manager route policy page is slow to load with 100’s of entries. 8.1.9.5
ID: 48316. EC-V appliance reboot when applying pre-configuration script. 8.1.9.5
ID: 48315. PPPoE fails to initialize when configured using a tagged interface. 8.1.9.5
ID: 48307. Portal unreachable alarm should not be generated if portal string is empty. 8.1.9.5
ID: 48301. Flows should remain “sticky” to peers. 8.1.9.5
ID: 48286. BGP stops advertising OSPF-redistributed routes after AS number change, until 8.1.9.5
appliance is rebooted.
ID: 48275. Traffic routed incorrectly when the set action of an existing ACL is modified 8.1.9.5
(permit/deny).
ID: 48262. Appliance reset due to invalid length in UDP header. 8.1.9.5
ID: 48254. Backup tunnels should not send unnecessary data. 8.1.9.5
ID: 48224. CLI command to add routes should default to BGP and OSPF advertisement disabled. 8.1.9.5
ID: 48204. Unexpected reset when applying multiple route updates simultaneously. 8.1.9.5
ID: 48164. Every other ICMP packet sent at 30 second intervals gets dropped. 8.1.9.5
ID: 48161. IPSec UDP tunnel stuck in NATD complete and down state. 8.1.9.5
ID: 48135. Mgmt0 interface flapping up/down after changing to a new, dedicated management 8.1.9.5
VLAN.
ID: 48054. IPSLA failed to disqualify breakout tunnel. 8.1.9.5
ID: 48004. IPsec tunnel is down due to packet loss from 'IPsec rx replay’. 8.1.9.5
ID: 46236. When remote authentication fails, the appliance should not fallback to local 8.1.9.5
authentication.
Resolution: When remote authentication server is unavailable/unreachable (could be
radius/tacacs), fallback to local authentication. When remote authentication server fails to login
the user, DO NOT fallback to local authentication, just fail to login user.
ID: 46120. Appliance reset when processing new application classification definitions. 8.1.9.5
ID: 44196. Eliminate hard-coded brownout thresholds in HA mode. 8.1.9.5
ID: 49347. Unexpected appliance reset when updating application classification definitions. 8.1.9.4
ID: 48933. Unexpected appliance reset when updating application classification. 8.1.9.4
ID: 48262. Appliance reset due to invalid length in UDP header. 8.1.9.4
ID: 48175. Link Integrity Test matches application definition “Oracle” rather than “Silverpeak_iperf". 8.1.9.4
ID: 48169. Upgrade to 8.1.9.3 potentially disables NAT. 8.1.9.4
ID: 48165. "Generate Show Tech" button should be removed from GUI. 8.1.9.4
ID: 48107. BGP not advertising route to BGP neighbor when same route also learnt from that 8.1.9.4
neighbor.


Resolve
ID: 48034. Appliance reboot when SNMP traps fail to get sent due to physical interface mis 8.1.9.4
configuration.
ID: 48014. Unanticipated network-wide reports of high latency. 8.1.9.4
ID: 47926. IPSLA tracking for VRRP failed between two appliances. 8.1.9.4
ID: 47908. Unexpected packet loss on appliances with 2,000+ tunnels. 8.1.9.4
ID: 47899. Flows and flow details fail to display custom defined application definition. 8.1.9.4
ID: 47894. Rarely, BGP communities did not populate on remote routers. 8.1.9.4
ID: 47868. OSPF incorrectly learns route on the same interface it is advertising that route. 8.1.9.4
ID: 47841. Unexpected appliance reset when processing route updates. 8.1.9.4
ID: 47820. When modifying flow system limits on an EC-V, tunnel limits will be reset to 50. 8.1.9.4
ID: 47817. All available fixed wan interfaces should support ZTP. 8.1.9.4
Resolution: wan1 interfaces on all appliances support ZTP. Additionally, wan2 on the EC-S, twan0
on the EC-M and EC-L, and twan1 on the EC-XL support ZTP.
ID: 47812. Packets are dropped (ifdown drop) when route map policy is set to passthrough 8.1.9.4
(shaped or unshaped).
ID: 47790. When mgmt0 is statically configured and appliance is rebooted, the static routes for 8.1.9.4
mgmt0 are removed.
ID: 47760. Appliance reset due to malformed IPSec packet. 8.1.9.4
ID: 47737. Appliance reset when cross-connect tunnels have different IPSec authentication 8.1.9.4
algorithms configured.
ID: 47735. Global OSPF redistribution tags should overwrite remotely learned OSPF tags. 8.1.9.4
ID: 47710. Improve performance of route lookups. 8.1.9.4
ID: 47703. Appliance reset when processing http get requests with null hostname for domain 8.1.9.4
name matching.
ID: 46875. Shaper should process multiple packets in a row. 8.1.9.4
ID: 47671. Under heavy load some traffic classes dropped packets early. 8.1.9.4
ID: 47623. VRRP caused appliance reset upon initialization. 8.1.9.4
ID: 47600. LAN-side packet drops in very high throughput scenarios. 8.1.9.4
ID: 47550. All virtual appliances (except ESXi) should follow RFC by using virtual MAC address as 8.1.9.4
master.
ID: 47533. Orchestrator temporarily lost connectivity to appliance. 8.1.9.3
ID: 47520. After upgrading hub to 8.1.9.2 IPSEC tunnels to spoke sites running 8.1.5.x won’t 8.1.9.3
establish.
ID: 47498. Appliance reset after upgrade to 8.1.9.2. 8.1.9.3
ID: 47464. Unexpected reset when processing application classification updates. 8.1.9.3


Resolve
ID: 47462. Underlay tunnels sourced from HA link are down (orphaned DNAT). 8.1.9.3
ID: 47391. Tunnel version mismatch alarm description is misleading. 8.1.9.3
ID: 47229. Reset due to invalid tunnel encapsulation mode. 8.1.9.3
ID: 47182. High latency was experienced at some sites. 8.1.9.3
ID: 46872. Performance degradation when using > 100 ACLs. 8.1.9.3
ID: 46806. Adding interface labels on Orchestrator resets IP SLA on appliances. 8.1.9.3
ID: 46764. Setting management IP via cli is not persistent across reboots. 8.1.9.3
ID: 46751. New "Peer/Service" details are not displayed in route policies set actions "Destination" 8.1.9.3
field when "Destination Type" is set as peer.
ID: 46583. Spurious NTP server unreachable alarm. 8.1.9.3
ID: 46458, Unable to modify deployment bandwidth of HA device when peer is offline. 8.1.9.3
ID: 46422. Internal hairpinning failed for traceroute traffic. 8.1.9.3
ID: 46386. Previously idle IPSec or IPSec UDP tunnels took more than ten minutes to re-establish 8.1.9.3
after appliance reboot.
ID: 46382. Subnet directed broadcast not supported. 8.1.9.3
ID: 46362. IP SLA subnet metric manipulation incorrectly uses the configured subnet metric and 8.1.9.3
not the current subnet metric value.
ID: 46203. Tunnel state “Down – Brownout” is misleading. 8.1.9.3
ID: 46096. Internal hair pinning should honor the incoming overlay. 8.1.9.3
ID: 45546. Default route to mgmt0 persisted after interface was down. 8.1.9.3
ID: 44900. Add default routes for ZTP on tagged interfaces. 8.1.9.3
ID: 44829. EdgeConnect should prefer LAN-side interfaces when connecting to Orchestrator. 8.1.9.3
ID: 43572. Increase supported VLANs from 20 to 64 in router mode and 32 in bridge mode. 8.1.9.3
ID: 47166. Appliance reset when port scanning protection feature processed redirected flows. 8.1.9.2
ID: 46796. Unexpected appliance reset due to null application pointer. 8.1.9.2
ID: 46732. Unexpected reset due to memory leak in SSL proxy feature. 8.1.9.2
ID: 46506. Unexpected reset when parsing DNS packets. 8.1.9.2
ID: 46386. Previously idle IPSec UDP tunnels took more than ten minutes to re- establish after 8.1.9.2
appliance reboot.
ID: 44899. Inbound 3rd-party IPSec tunnel traffic should be allowed when the WAN interface 8.1.9.0
firewall mode is Stateful.
ID: 44646. Upgrade to 8.1.8.1 failed to load configuration database. 8.1.9.0
ID: 44386. ECOS should permit the user to statically configure a Public IP for tunnel creation. 8.1.9.0

Need Help?
If you have any questions, contact your Silver Peak sales representative.
For product and technical support, contact Silver Peak Systems using any of the methods below:
• 1.877.210.7325 (toll-free in USA)
• +1.408.935.1850
• www.silver-peak.com/support
Revision History
Aug 28, 2020 Rev A: Initial document revision.
Sept 16, 2020 Rev B: Released a new build to fix an issue in the multiple IP ranges for DHCP feature.
Oct 12, 2020 Rev C: Released a new build to fix issues 55421, 55317, 51738, and 48409.
Copyright
Copyright © 2020 Silver Peak Systems, Inc. All rights reserved. Information in this document is subject to change at any time. Use of this documentation is restricted as specified
in the End User License Agreement. No part of this documentation can be reproduced, except as noted in the End User License Agreement, in whole or in part, without the
written consent of Silver Peak Systems, Inc.
Trademark Notification
Silver Peak, the Silver Peak logo, and all Silver Peak product names, logos, and brands are trademarks or registered trademarks of Silver Peak Systems, Inc. In the United States
and/or other countries. All other product names, logos, and brands are property of their respective owners.
Warranties and Disclaimers

This documentation is provided “as is” without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for
a particular purpose, or non-infringement. Silver Peak Systems, Inc. assumes no responsibility for errors or omissions in this documentation or other documents which are
referenced by or linked to this documentation. References to corporations, their services and products, are provided “as is” without warranty of any kind, either expressed or
implied. In no event shall Silver Peak Systems, Inc. be liable for any special, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including,
without limitation, those resulting from loss of use, data or profits, whether or not advised of the possibility of damage, and on any theory of liability, arising out of or in
connection with the use of this documentation. This documentation may include technical or other inaccuracies or typographical errors. Changes are periodically added to the
information herein; these changes will be incorporated in new editions of the documentation. Silver Peak Systems, Inc. may make improvements and/or changes in the product(s)
and/or the program(s) described in this documentation at any time.

ECOS 8.1.9.14 Release Notes RevC

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ECOS 8.1.9.14 Release Notes RevC

Uploaded by

Copyright:

Available Formats

Silver Peak Unity ECOSTM (ECOS)

Top Items for this Release

Silver Peak Systems, Inc. Strictly Confidential Page 1 of 29

New Features and Enhancements

Multiple Ranges for DHCP Server

Silver Peak Systems, Inc. Strictly Confidential Page 2 of 29

Silver Peak Systems, Inc. Strictly Confidential Page 3 of 29

Upgrades from ECOS 6.2

Removal of Weak Cyphers

Limited Support for Inline Router Mode on x600

Removal of ip datapath route Command

No Support for Specific NX-1700 Appliances

10Gbps Default for Auto-sensing Fiber Interfaces

Change Admin Distance if PE-router is Configured

Change Duplicate Routes Advertisement

Silver Peak Systems, Inc. Strictly Confidential Page 4 of 29

Upgrade Considerations (continued)

• The EBGP AD will be the previously configured BGP-PE AD

• The IBGP AD will be the previously configured BGP-Branch AD.

For new installations the following are the default ADs:

VLANs Supported on Hyper-V

Silver Peak Systems, Inc. Strictly Confidential Page 5 of 29

ID: 48490 Loopback interfaces do not support firewall zones.

Silver Peak Systems, Inc. Strictly Confidential Page 6 of 29

Known Issues (continued)

Silver Peak Systems, Inc. Strictly Confidential Page 7 of 29

Hardware Compatibilities and Dependencies

Software Compatibilities and Dependencies

Silver Peak Systems, Inc. Strictly Confidential Page 8 of 29

New Features from Past Releases

Feature Description Earliest Release

Appliance Fiber Card Part Number

spsadmin Account The spsadmin account has been removed. 8.1.9.12

Reject Self-signed Appliances can now be configured to reject self-signed 8.1.9.12

Silver Peak Systems, Inc. Strictly Confidential Page 9 of 29

Feature Description Earliest Release

• The EBGP AD will be the previously configured BGP-

• The IBGP AD will be the previously configured BGP-

For new installations the following are the default ADs:

Silver Peak Systems, Inc. Strictly Confidential Page 10 of 29

Feature Description Earliest Release

ECOS 8.1.9 adds a metric column to Configuration > Routes

Silver Peak Systems, Inc. Strictly Confidential Page 11 of 29

Feature Description Earliest Release

Multicast ECOS 8.1.9 introduces support for Protocol Independent 8.1.9.0

• pim interface <name of intf> enable/disable

• show pim neighbors

• show pim mroute

• show igmp groups

• show pim interfaces

• igmp interface <name of intf> enable/disable

Multicast is a Beta feature.

Enhancements to SaaS SaaS optimization now supports: 8.1.9.0

• Configuration of SaaS optimization probe interface

Silver Peak Systems, Inc. Strictly Confidential Page 12 of 29

Feature Description Earliest Release

The zone-based firewall provides complete segmentation

Zones can be defined based on physical interfaces, logical

The zone-based firewall is fully automated via the

IPSec service chaining can be configured via the Orchestrator

IP SLA is fully automated via the Orchestrator “IP SLA” tab.

• Soft-Reset: Soft reset is a manual trigger to request

• Input Metric: Input metric provides the capability to