| Issue ID | Description |
|---|---|
| CGSDW-38592 | Resolved an issue where the TLS connection between ION devices and the controller did not verify the server hostname during certificate validation. This occurred because hostname verification was disabled in the TLS wrapper implementation. With this fix, hostname verification is enabled for all controller connections, ensuring that the device only connects to legitimate controller endpoints. |
| CGSDW-38388 | Resolved an issue where virtual Data Center (DC) IONs stopped advertising Border Gateway Protocol (BGP) prefixes to the core peer when overlapping prefixes were withdrawn from a site. This occurred when only the overlapping prefix was removed, causing all site prefixes to be withdrawn incorrectly. With this fix, a safe check prevents site prefixes from being withdrawn when overlap prefixes are removed from a site. |
| CGSDW-38184 | Resolved an issue where the fp-rte process restarted when you continuously performed site disable and enable operations with a 20-second interval on a hub. This occurred due to memory corruption in the QoS bandwidth control module. With this fix, the process handles site state changes without restarting. |
| CGSDW-38138 | Resolved an issue where Quality of Service (QoS) packet size updates were being processed on hub devices when they should only apply to spoke devices. With this fix, QoS packet size calculations are no longer applied to hub device configurations. |
| CGSDW-38018 | Resolved an issue where Open Shortest Path First (OSPF) default route advertisement towards the LAN was not available. With this fix, you can configure OSPF to advertise the fabric default route towards the OSPF LAN with a configurable metric. |
| CGSDW-37944 | (ION 1200-s only) Resolved an issue where dynamic entries added to the forwarding database after 802.1X authentication were not refreshed with data traffic, causing the switch to delete them. This occurred because dynamic entries timed out consistently after authentication. With this fix, dynamic entries are properly refreshed when data traffic flows through authenticated ports. |
| CGSDW-37857 | Resolved an issue where the routesync process restarted on branch ION 3200H devices due to goroutine leaks that accumulated over time. With this fix, goroutines are properly managed and cleaned up, preventing the process from restarting. |
| CGSDW-37825 | Resolved an issue where some global prefixes learned via the Prisma SD-WAN Secure Fabric stopped being advertised at spoke locations with BGP configured after upgrading from software version 6.5.2-b7 to 6.5.3-b5. This occurred when two BGP peers were configured in the same view or VRF, causing a fix from an earlier release to block installation of all prefixes. With this fix, all valid prefixes are installed and advertised correctly regardless of peer configuration. |
| CGSDW-37823 | Resolved an issue where the High Availability (HA) state flapped when packets from the LAN attempted to connect to the ION's internal HA transfer port 8765. This occurred because the HA transfer code accepted any TCP connection without validating the source IP address, causing the active HA connection to be disrupted. With this fix, the HA transfer port only accepts connections from the configured HA peer IP address. |
| CGSDW-37817 | Resolved an issue where the flow control process became unresponsive for more than 30 minutes after an upgrade when you configured a large number of conflicting custom applications. This occurred because flow control logs were flooded with conflict warnings for each application pair, consuming all processing resources. With this fix, conflict logging is optimized to prevent resource exhaustion. |
| CGSDW-37778 | (ION 1200-s only) Resolved an issue where IP phones successfully authenticated using 802.1X or MAC authentication but then lost network connectivity when configured with a Voice VLAN. This occurred because the switch used untagged mode for dynamic VLAN assignment after successful authentication, sending untagged frames to the IP phone even though the phone required tagged frames for Voice VLAN traffic. With this fix, voice traffic remains properly tagged on the Voice VLAN after authentication, allowing IP phones to make and receive calls. |
| CGSDW-37749 | Resolved an issue where the flow control (fc) and interface speed daemon (ifspd) processes restarted at multiple branch sites, causing traffic outages. This occurred when you modified QoS bandwidth control settings while an interface was re-inserted with a different parent, triggering an assertion failure. With this fix, QoS bandwidth control properly handles interface parent changes without process restarts. |
| CGSDW-37706 | Resolved an issue where the VRF-specific routing table failed to populate on a LAN interface after the EMIF service restarted, preventing ARP packets from being sent out. This occurred because a malformed address check during the active-to-backup switchover skipped the state update, causing improper IP and route programming. With this fix, routing tables are properly populated after EMIF service restarts. To enable this fix, if you observe missing routes after an EMIF service restart, bounce the affected interface. |
| CGSDW-37501 | Resolved an issue where HA preemption functionality stopped working after a failover, preventing the branch ION from becoming active again. This occurred because the HA management process never cleared the keepalived PID file before spawning a new keepalived instance, and when Linux reused the freed PID for an unrelated process, keepalived detected it as a duplicate and exited immediately. With this fix, the PID file is properly cleared before starting keepalived. |
| CGSDW-37458 | Resolved an issue where IPv6 route advertisements on subinterfaces stopped working after the ION rebooted, even though IPv6 prefix distribution was enabled. This occurred when the ION had IPv6 addresses configured on subinterfaces in L3 mode. With this fix, IPv6 route advertisements resume automatically after reboot. To enable this fix, if route advertisements do not resume after reboot, disable and re-enable IPv6 prefix distribution or bounce the subinterface. |
| CGSDW-37411 | Resolved an issue where spokes advertising LAN-learned prefixes to the DC via the WAN path received the same prefixes back from the WAN peer, causing a routing loop that withdrew and re-advertised prefixes every 10 seconds. This occurred when global LAN peer-learned prefixes were published to both the controller and WAN peers simultaneously. With this fix, prefixes received on the WAN side that were discovered on the global LAN peer are not marked as best path, preventing the routing loop. |
| CGSDW-37382 | Resolved an issue where in a serial inline HA setup, the new active ION did not respond to ARP requests after a failover, causing all traffic to fail. This occurred because the state update for the bypass pair LAN interface IP address removal was skipped during the active-to-backup switchover, preventing proper IP and route programming. With this fix, ARP responses resume immediately after failover. To enable this fix, if ARP responses do not resume after failover, bounce the LAN interface. |
| CGSDW-37115 | Resolved an issue where ServiceLink Maximum Transmission Unit (MTU) behavior on Public WAN interfaces was unclear after the parent interface MTU limit was increased from 1500 to 2000 bytes. With this fix, ServiceLinks over Public WAN are restricted to a maximum MTU of 1500 bytes to prevent fragmentation issues, while parent WAN interfaces can use up to 2000 bytes. |
| CGSDW-36983 | Resolved an issue where SSH traffic from an IPv6 LAN host to an IPv4 Direct Internet Access (DIA) server received responses on the WAN port but the responses were not forwarded to the LAN host, while ICMP traffic worked correctly. This occurred because the address difference calculation for IPv6/NAT64 flows was incorrect, causing response packets not to match the flow hash. With this fix, NAT64 SSH traffic flows correctly in both directions. |
| CGSDW-36702 | Resolved an issue where the maximum MTU was limited to 1500 bytes across all interface types. With this fix, ION devices now support MTU values up to 2000 bytes for supported interface types when enabled by a tenant feature flag. |
| CGSDW-36671 | Resolved an issue where only a single host could authenticate behind a switch port using 802.1X client authentication. With this fix, up to 4 hosts can authenticate behind a single switch port by default, with support for higher limits through configuration. |
| CGSDW-36510 | Resolved an issue where connections between ION devices and the controller did not meet Common Criteria certification requirements. This occurred because TLS renegotiation was enabled, reference ID checks in certificates were not performed, and IPSec audit logs did not provide intuitive messages when the configured remote ID did not match the Subject Alternative Name (SAN) in the certificate. With this fix, TLS renegotiation is disabled for controller connections, certificate reference ID validation is enforced, and IPSec audit logs display clear messages for certificate mismatches. |
| CGSDW-36474 | Resolved an issue where a service link continued to reference the original VRF route table even after you migrated it to a different VRF. This occurred because the system did not remove the older VRF IP rules or add new rules for the updated VRF. With this fix, service links properly update their routing table references when migrated between VRFs. |
| CGSDW-35515 | Resolved an issue where vpnd logs could not be filtered by specific VPN endpoints, making troubleshooting difficult in large-scale deployments. With this fix, you can enable log filtering for the vpnd module based on VPN endpoint ID. |
| CGSDW-34682 | Resolved an issue where DNS Security traffic appeared in flow records as incoming WAN flows with the DNS server as the source, even though the traffic originated from the LAN. This occurred because non-NAT DNS traffic generated by the ION did not properly aggregate the flow key when the DNS reply returned, causing the request and reply to be handled by different processing threads and creating two flows instead of one. With this fix, DNS traffic is correctly classified as LAN-to-WAN flows with proper source attribution. |
| CGSDW-32258 | Resolved an issue where both the active and backup devices in a Spoke HA configuration sent IPv6 Router Advertisement messages when IPv6 prefix distribution was enabled on LAN interfaces, instead of only the active device sending advertisements. This occurred because there was no check to disable IPv6 router advertisements on the backup ION. With this fix, only the active device sends IPv6 router advertisements. |
| CGSDW-30804 | Resolved an issue where Branch Gateway forwarding decisions did not account for hop count when multiple Branch Gateways learned the same prefix, potentially causing sub-optimal routing or ping-ponging between gateways. This occurred when Branch Gateways were configured in a full-mesh topology for Data Center Interconnect (DCI). With this fix, Branch Gateway mode now prefers VPN paths with lower hop count (hop count 1 over hop count 2) before performing active/backup split. |
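The two TLS items above (CGSDW-38592, hostname verification disabled in the TLS wrapper, and CGSDW-36510, renegotiation enabled and no reference ID check) describe the same class of client-side defect. The following is an added example written for this page, not ION or controller code: it shows the weak client context beside the hardened one in Python's `ssl` module, plus a standalone reference-identity check against a `getpeercert()`-shaped dictionary. The certificate dict and hostnames are constructed placeholders.

```python
import ssl

# Constructed getpeercert()-shaped dict standing in for a controller certificate;
# the hostnames are placeholders, not real Prisma SD-WAN endpoints.
SAMPLE_CONTROLLER_CERT = {
    "subject": ((("commonName", "ignored-when-sans-present"),),),
    "subjectAltName": (("DNS", "controller.example.net"), ("DNS", "*.edge.example.net")),
}

def weak_controller_context() -> ssl.SSLContext:
    """Pre-fix wrapper: the chain to a trusted CA is checked, but the reference
    identity is not, so any certificate from that CA passes whoever presents it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the defect described in CGSDW-38592
    return ctx

def hardened_controller_context() -> ssl.SSLContext:
    """Post-fix settings: reference identity enforced, renegotiation refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OP_NO_RENEGOTIATION exists on OpenSSL >= 1.1.0h; TLS 1.3 has no renegotiation at all.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx

def audit_context(ctx: ssl.SSLContext) -> dict:
    """The flags a reviewer checks on a client context before trusting it."""
    return {
        "check_hostname": ctx.check_hostname,
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "no_renegotiation": bool(ctx.options & getattr(ssl, "OP_NO_RENEGOTIATION", 0)),
    }

def _dns_name_matches(pattern: str, name: str) -> bool:
    # RFC 6125 6.4.3 subset: '*' only as the whole left-most label, never spanning labels
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p, n = pattern.split("."), name.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(n) and p[1:] == n[1:]

def reference_id_matches(peer_cert: dict, reference_id: str) -> bool:
    """Reference-identity check in the sense of CGSDW-36510: only dNSName SAN
    entries are consulted; the subject CN is ignored when SANs are present."""
    sans = [v for kind, v in peer_cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_name_matches(san, reference_id) for san in sans)
```

On a live connection `check_hostname=True` makes the `ssl` module perform the same reference-identity match itself; `reference_id_matches` is here so the matching rules can be exercised offline.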
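CGSDW-37823 above describes an internal service (the HA transfer port, 8765) that accepted any TCP connection and was disrupted by stray LAN traffic, fixed by accepting only the configured HA peer. The following is an added example, not ION code: a minimal `socketserver` service whose `verify_request` hook applies that peer check, with an in-process demo that connects from loopback once as the configured peer and once as an unexpected source. The port, handler and payload are constructed for the demo.

```python
import socket
import socketserver
import threading
from ipaddress import ip_address

HA_TRANSFER_PORT = 8765  # port named in the note; the demo binds an ephemeral port instead

class PeerOnlyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, handler, peer_ip: str):
        self.peer_ip = ip_address(peer_ip)
        self.rejected = []  # source addresses turned away, kept for audit logging
        super().__init__(addr, handler)

    def verify_request(self, request, client_address):
        # Pre-fix behaviour is socketserver's default: every connection is accepted
        # and reaches the handler. The fix: only the configured HA peer may proceed;
        # anything else is closed before it can touch the HA state machine.
        if ip_address(client_address[0]) == self.peer_ip:
            return True
        self.rejected.append(client_address[0])
        return False

class TransferHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline()
        self.wfile.write(b"HA-OK " + line)

def probe(server_addr, payload: bytes = b"keepalive\n", timeout: float = 2.0) -> bytes:
    """Connect like a client would; returns b'' when the server closes without answering."""
    try:
        with socket.create_connection(server_addr, timeout=timeout) as s:
            s.sendall(payload)
            return s.recv(1024)
    except OSError:  # reset/EOF from a rejected connection counts as 'no reply'
        return b""

def run_demo(peer_ip: str):
    """Start a server that trusts peer_ip, connect from 127.0.0.1, return (reply, rejected)."""
    srv = PeerOnlyServer(("127.0.0.1", 0), TransferHandler, peer_ip)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        reply = probe(srv.server_address)
    finally:
        srv.shutdown()
        srv.server_close()
    return reply, list(srv.rejected)
```

A source-address check is a layer-3 control; it stops the stray LAN connections the note describes, but the authenticated HA protocol on top is still what protects the exchange itself.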