SD-WAN Release Notes for Release 3.3.0 & 3.3.1.
The Orchestrator now supports using OpenID Connect to connect to third-party identity and access
management providers. This feature has been tested and confirmed to work with Okta, OneLogin,
PingID, and Microsoft Azure AD Connect.
Automated Azure Virtual WAN Connectivity via VeloCloud Gateway
The Orchestrator adds support for configuring IaaS provider service principals (or “Subscriptions”).
The first supported use case is configuring Non-VeloCloud Sites that correspond to Microsoft Azure
Virtual Hubs.
Cloud Security Service
In previous releases, when connecting directly from an Edge to a Cloud Security Service, the only
options for traffic routing were to send “All Internet” or “All Web” traffic to the Cloud Security Service.
In Release 3.3.1, backhauling internet traffic to a Cloud Security Service can be controlled by Business
Policy. This allows full split tunneling support with Edge to Cloud Security Service integration.
Additionally, in previous releases, the Orchestrator web UI permitted users to configure Zscaler VPN
credentials on only the Global Segment. These credentials were implicitly shared across other network
segments where an Edge was configured for cloud security. The 3.3.1 Orchestrator release eliminates
this sharing mechanism to alleviate some of the resulting confusion and to deliver cloud security
functionality in a more consistent, predictable manner. When the Orchestrator is upgraded to Release
3.3.1, the Orchestrator applies a system patch that creates discrete instances of previously shared VPN
credentials on segments where cloud security is enabled. The patch is designed to avoid any
modifications to Edge control plane configurations that would impact traffic bound to or from Zscaler
PoPs. Following the upgrade, users configuring new Edges for cloud security are advised to provision
discrete VPN credentials on each network segment where Edge to Zscaler connectivity is desired.
OSPF Point-to-Point Mode
Users can now select either Broadcast or Point-to-Point mode for OSPF neighbors.
Note: The default mode is Broadcast.
Non-VeloCloud Site Templates
A new template is provided to connect to Checkpoint Network Security-as-a-Service.
In addition to standard subnet masks, wildcard masks are now supported when creating Business
Policies and Firewall Rules.
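The difference between a subnet mask and a wildcard mask is easy to get wrong when writing rules, so the following added example (not VeloCloud code, and not from the release notes) shows both match types side by side in a first-match rule list. The wildcard convention used here is an assumption, since the notes do not state one: a 0 bit in the wildcard means the address bit must match, a 1 bit means "don't care", which is the usual ACL convention. The rule set and addresses are constructed.

```python
import ipaddress

# Constructed example rules (not from the release notes). The wildcard-mask
# convention is an assumption: a 0 bit means "address bit must match", a 1 bit
# means "don't care". This is the usual ACL convention; the notes do not state one.


def _ip(value: str) -> int:
    return int(ipaddress.IPv4Address(value))


def matches_subnet_mask(address: str, network: str, subnet_mask: str) -> bool:
    """Classic match: every bit that is SET in the subnet mask must be equal."""
    m = _ip(subnet_mask)
    return (_ip(address) & m) == (_ip(network) & m)


def matches_wildcard_mask(address: str, network: str, wildcard: str) -> bool:
    """Wildcard match: every bit that is CLEARED in the wildcard must be equal."""
    care = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(address) & care) == (_ip(network) & care)


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is just an inverted subnet mask (0...01...1).

    Non-contiguous wildcards are the case a plain subnet mask cannot express.
    """
    w = _ip(wildcard)
    return (w & (w + 1)) == 0  # a pure run of trailing 1-bits satisfies w & (w+1) == 0


def rule_matches(address: str, rule: dict) -> bool:
    if "wildcard" in rule:
        return matches_wildcard_mask(address, rule["network"], rule["wildcard"])
    return matches_subnet_mask(address, rule["network"], rule["mask"])


# Constructed rule list: the non-contiguous wildcard 0.255.0.255 selects the
# hypothetical management range 10.X.0.0/24 at every site in one rule.
RULES = [
    {"action": "allow", "network": "10.0.0.0", "wildcard": "0.255.0.255"},
    {"action": "deny", "network": "10.0.0.0", "mask": "255.0.0.0"},
    {"action": "allow", "network": "0.0.0.0", "wildcard": "255.255.255.255"},
]


def evaluate(address: str, rules=RULES, default: str = "deny") -> str:
    """First-match evaluation, the way ordered firewall rule lists are processed."""
    for rule in rules:
        if rule_matches(address, rule):
            return rule["action"]
    return default
```

With these rules, 10.3.0.9 is allowed by the wildcard rule, 10.3.5.9 falls through to the 10/8 deny, and addresses outside 10/8 reach the final permit. A contiguous wildcard such as 0.0.0.255 is exactly equivalent to the subnet mask 255.255.255.0, which is a useful sanity check when migrating rules between the two notations.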
Support for New Hardware Platforms
Three new hardware models are supported: the VeloCloud Edge 3400, Edge 3800, and Edge 510-LTE.
Please contact your sales team for further details about these new hardware models.
Last Known Good Device Settings
When the Edge is successfully connected to the Orchestrator (i.e. “online”), it now saves a copy of the
Device Settings policy in place as the “known good” device settings. If a user makes a Device Settings
change which causes the Edge to lose connectivity to the Orchestrator (i.e. “go offline”), for example:
• Invalid static route
• Incorrect IP address or next hop
• Incorrect VLAN tag
The Edge will automatically revert to the previous Device Settings to reconnect to the Orchestrator
and will log a critical event alerting the user that the Device Settings change impacted Orchestrator
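The fail-safe pattern described above (snapshot the configuration that is known to work, apply the change, and roll back with a critical event if management connectivity is lost) is modelled in the added example below. It is illustrative code, not the Edge's implementation: the `DeviceSettingsManager` class, the settings keys, and the constructed `orchestrator_reachable` check that stands in for the real connectivity test are all assumptions.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the upstream network the Edge must reach the
# Orchestrator through: next hop must sit in this subnet on this VLAN.
UPSTREAM = {"subnet": ipaddress.ip_network("203.0.113.0/24"), "vlan": 100}


def orchestrator_reachable(settings: Dict) -> bool:
    """Hypothetical connectivity check replacing the Edge's real Orchestrator heartbeat."""
    try:
        next_hop = ipaddress.ip_address(settings["next_hop"])
    except (KeyError, ValueError):
        return False  # missing or malformed next hop: no route to the Orchestrator
    return next_hop in UPSTREAM["subnet"] and settings.get("vlan") == UPSTREAM["vlan"]


class DeviceSettingsManager:
    """Keeps the last known good Device Settings and reverts on lost connectivity."""

    def __init__(self, connectivity_check: Callable[[Dict], bool]):
        self._check = connectivity_check
        self.settings: Dict = {}
        self.known_good: Optional[Dict] = None
        self.events: List[Tuple[str, str]] = []  # (severity, message)

    def mark_online(self) -> bool:
        """Called when the Edge is confirmed online: snapshot the working settings."""
        if self._check(self.settings):
            self.known_good = dict(self.settings)
            return True
        return False

    def apply(self, new_settings: Dict) -> bool:
        """Apply a change; on lost connectivity revert to the known good copy."""
        previous = dict(self.settings)
        self.settings = dict(new_settings)
        if self._check(self.settings):
            self.known_good = dict(self.settings)  # the new settings become known good
            self.events.append(("info", "device settings applied"))
            return True
        # Connectivity lost (e.g. bad static route, next hop or VLAN tag): roll back.
        self.settings = dict(self.known_good) if self.known_good is not None else previous
        self.events.append((
            "critical",
            "device settings change impacted Orchestrator connectivity; "
            "reverted to last known good settings",
        ))
        return False


def demo() -> DeviceSettingsManager:
    """Constructed scenario: a good change, then a wrong next hop, then a wrong VLAN."""
    mgr = DeviceSettingsManager(orchestrator_reachable)
    mgr.apply({"next_hop": "203.0.113.1", "vlan": 100})   # accepted, becomes known good
    mgr.apply({"next_hop": "203.0.114.1", "vlan": 100})   # wrong next hop: reverted
    mgr.apply({"next_hop": "203.0.113.1", "vlan": 200})   # wrong VLAN tag: reverted
    return mgr
```

The important design point is that the known good copy is taken only from settings that have actually passed the connectivity check, never from whatever was most recently written, so two bad changes in a row still roll back to a working state.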
Self-Service Password Reset
The Orchestrator login page now provides users with an option to have a password reset link emailed
to them, rather than requiring Customer Support or another administrator to reset it for them.
Orchestrator Diagnostic Bundle
In order to enable easier diagnosis of issues with the Orchestrator, Operator users now have the ability
to generate an Orchestrator Diagnostic Bundle to provide to Customer Support – similar to the Edge
Multi-Segment DHCP Relay
DHCP relay can now be used on multiple segments simultaneously, even if those segments have
overlapping IP addresses.
L2 Loop Detection
If the Edge receives a packet on a LAN switch port with its own MAC address as the source, an event
will be generated and sent to the Orchestrator.
Additional Remote Diagnostics
Remote Diagnostics have been added to aid in the troubleshooting of OSPF and BGP issues.
Edge and Gateway Health Statistics
The Orchestrator now provides graphs over time for critical counts indicating the health of the device:
• CPU usage of the dataplane service
• Memory usage of the dataplane service
• Flow Count
• Tunnel Count
• Handoff Queue Drops
Packet and byte counts are now available for DPDK-enabled interfaces, allowing users to monitor the
throughput for these interfaces (e.g. via SNMP).
NetFlow data has been enriched to provide more insight into the flows traversing the Edge.
The logging infrastructure has been completely rewritten to improve performance and simplify log
• The dataplane service no longer logs directly to disk, preventing any chance of a storage issue
causing the dataplane to stall.
• Dataplane logs have been consolidated into a single log file (edged.log on the Edge and gwd.log on
the Gateway) rather than the various logs in prior versions (e.g. route.log, ike.log, etc.)
• Many unnecessary or uninformative log messages have been removed or updated to aid
In Standard HA (with a WAN switch present), heartbeats are sent via the WAN-side switch (using
ethertype 0x9999) in addition to the HA cable to maintain HA connectivity and prevent a split-brain
In Enhanced HA (without a WAN switch present), the Gateway will ensure only one Edge is active at a
time while the HA cable is disconnected. If the active Edge loses connectivity to the Gateway while the
HA cable is disconnected, the Gateway will signal the standby Edge to take over.
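Two of the features above act on the Ethernet header: the L2 Loop Detection event (a frame arriving on a switch port with the Edge's own MAC as source) and the Standard HA heartbeat, which is identified by ethertype 0x9999. The added example below is illustrative code rather than VeloCloud's implementation: it parses an Ethernet II header, steps over an 802.1Q tag if present, and classifies each frame. The MAC addresses, port name and frame contents are constructed; only the 0x9999 ethertype comes from the release notes.

```python
import struct

# Ethertypes. 0x9999 is the HA heartbeat ethertype given in the release notes;
# the other two are the standard IPv4 and 802.1Q assignments.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_HA_HEARTBEAT = 0x9999


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Parse a 14-byte Ethernet II header, stepping over one 802.1Q tag if present.

    Returns dst/src MAC strings, the effective ethertype, the VLAN id (or None)
    and the payload. Raises ValueError on truncated frames.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN id
        offset = 18
    return {"dst": mac_to_str(dst), "src": mac_to_str(src),
            "ethertype": ethertype, "vlan": vlan, "payload": frame[offset:]}


def classify_frame(frame: bytes, port: str, own_macs: set) -> dict:
    """Classify one received frame: loop indication, HA heartbeat, or ordinary data."""
    hdr = parse_ethernet(frame)
    if hdr["src"] in own_macs:
        # Our own MAC coming back in as a source means the frame looped around.
        return {"event": "L2_LOOP_DETECTED", "port": port, "src": hdr["src"], "vlan": hdr["vlan"]}
    if hdr["ethertype"] == ETHERTYPE_HA_HEARTBEAT:
        return {"event": "HA_HEARTBEAT", "port": port, "src": hdr["src"], "vlan": hdr["vlan"]}
    return {"event": "DATA", "port": port, "ethertype": hdr["ethertype"], "vlan": hdr["vlan"]}


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"", vlan=None) -> bytes:
    """Build constructed test frames (not captured traffic)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))
    hdr = mac(dst) + mac(src)
    if vlan is not None:
        hdr += struct.pack("!HHH", ETHERTYPE_VLAN, vlan & 0x0FFF, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed addresses: locally administered MACs, not real devices.
OWN_MACS = {"02:00:00:00:00:01"}
PEER_MAC = "02:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"


def demo() -> list:
    looped = build_frame(BROADCAST, "02:00:00:00:00:01", ETHERTYPE_IPV4, b"x" * 46)
    heartbeat = build_frame(BROADCAST, PEER_MAC, ETHERTYPE_HA_HEARTBEAT, b"hb", vlan=100)
    normal = build_frame("02:00:00:00:00:01", PEER_MAC, ETHERTYPE_IPV4, b"y" * 46)
    return [classify_frame(f, "LAN1", OWN_MACS) for f in (looped, heartbeat, normal)]
```

Checking the source MAC before the ethertype matters: a looped frame is a loop regardless of what it carries, and a heartbeat frame that carries the Edge's own MAC as its source would otherwise be misreported as a healthy heartbeat.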
VLAN tagged WAN links via HA Proxy
VLAN-tagged WAN links are now supported when connected to the standby Edge in an Enhanced HA
LAN-side failure detection
In a clustered topology with dynamic routing enabled, if a Hub in the cluster loses all dynamic routes on
the LAN and the other Hub(s) in the cluster do not, the Gateway will rebalance Edges from the Hub that
has lost its dynamic routes.
ICMP Echo Responder
The ICMP Echo Responder on the Edge has been greatly enhanced.
• All interfaces on a segment are now reachable from anywhere in the network (e.g. pinging the
LAN IP from across the VPN).
• ICMP Echo Response can be disabled on the Orchestrator for any VLAN, interface, sub-
interface or secondary IP address for security purposes.
• The Edge IPs are now pingable from clients that are not directly connected to the LAN interface
(i.e. one or more hops away).
Path MTU Discovery
Previous versions of the VeloCloud software used RFC 1191 Path MTU Discovery, which relies on
receiving an ICMP error (fragmentation needed) from an upstream device in order to discover the MTU.
In some cases (e.g. USB modems), this response is never received and the MTU had to be configured
manually. Path MTU Discovery has been enhanced to fall back to Packetization Layer Path MTU
Discovery (RFC 4821) in these scenarios, so that manual setting of the MTU is no longer required.
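The added example below simulates the two mechanisms on a constructed path so the difference is visible: RFC 1191 learns the MTU only from the ICMP "fragmentation needed" message, so a path that silently drops oversized packets (the USB modem case) leaves it with nothing, while RFC 4821 probing treats successful delivery itself as the signal and narrows in on the MTU by search. This is illustrative code, not the VeloCloud implementation; the `SimulatedPath` model and the 1024/1500 search bounds are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SimulatedPath:
    """Constructed path model: a bottleneck MTU and whether ICMP errors make it back."""
    path_mtu: int
    icmp_blackhole: bool = False          # e.g. a USB modem that never returns Frag Needed
    probes: List[int] = field(default_factory=list)

    def send(self, size: int) -> Tuple[str, Optional[int]]:
        """Send a DF-set packet of `size` bytes. Returns (outcome, next_hop_mtu)."""
        self.probes.append(size)
        if size <= self.path_mtu:
            return ("delivered", None)
        if self.icmp_blackhole:
            return ("silently_dropped", None)
        return ("icmp_frag_needed", self.path_mtu)  # real ICMP carries the next-hop MTU


def classic_pmtud(path: SimulatedPath, link_mtu: int = 1500) -> Optional[int]:
    """RFC 1191: start at the link MTU and trust the MTU carried in ICMP errors."""
    mtu = link_mtu
    while True:
        outcome, next_hop_mtu = path.send(mtu)
        if outcome == "delivered":
            return mtu
        if outcome == "silently_dropped":
            return None            # black hole: RFC 1191 alone learns nothing
        mtu = next_hop_mtu


def packetization_layer_pmtud(path: SimulatedPath, search_low: int = 1024,
                              search_high: int = 1500) -> Optional[int]:
    """RFC 4821: probe with DF-set packets and use delivery itself as the signal.

    search_low/search_high are assumed starting bounds, not values from the notes.
    """
    if path.send(search_low)[0] != "delivered":
        return None                # even the floor fails; nothing to fall back on
    if path.send(search_high)[0] == "delivered":
        return search_high
    low, high = search_low, search_high   # low known to pass, high known to fail
    while high - low > 1:
        mid = (low + high) // 2
        if path.send(mid)[0] == "delivered":
            low = mid
        else:
            high = mid
    return low


def discover_mtu(path: SimulatedPath) -> Optional[int]:
    """The enhanced behaviour: classic first, PLPMTUD when ICMP never arrives."""
    mtu = classic_pmtud(path)
    if mtu is None:
        mtu = packetization_layer_pmtud(path)
    return mtu
```

Against a 1400-byte bottleneck that returns ICMP, the classic method needs two packets; against the same bottleneck with ICMP blackholed it gives up and the probing fallback finds 1400 in about ten probes. Real PLPMTUD also rate-limits probes and re-verifies periodically, which the simulation leaves out.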
Two common issues with Bandwidth Testing have been addressed:
1. If the bandwidth test measures a bandwidth that is significantly lower than the previous
measurement, it is treated as a suspect measurement. The previous measurement is
preserved, and the test is re-scheduled for a random time between 5 minutes and 3 hours in the
future. This prevents, for instance, an erroneous low measurement during overnight ISP
2. The default bandwidth test for wired links is the “Slow Start” bandwidth test, which has a
maximum capacity of 200 Mbps. If “Slow Start” measures more than 175 Mbps, the Edge will
now automatically switch to the “Burst Mode” measurement test – which can measure up to the
capacity of the Edge. This prevents, for instance, an Edge with a 1 Gbps WAN link erroneously
measuring the link as only 200 Mbps.
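The two fixes above are both guard rails on measurement quality, and the added example below models them together. It is illustrative code, not the Edge's bandwidth tester: the 200 Mbps Slow Start ceiling, the 175 Mbps switch point and the 5 minute to 3 hour re-test window come from the notes, but the notes do not quantify "significantly lower", so the 50 percent drop threshold is an assumption, as are the class and method names.

```python
import random
from typing import Optional

# Values stated in the release notes.
SLOW_START_CAPACITY_MBPS = 200
BURST_SWITCH_THRESHOLD_MBPS = 175
RETEST_MIN_SECONDS = 5 * 60
RETEST_MAX_SECONDS = 3 * 60 * 60

# ASSUMPTION: the notes say "significantly lower" without a number. A reading
# below half of the previous measurement is treated as suspect here.
SUSPECT_DROP_FRACTION = 0.5


def choose_test_mode(slow_start_mbps: float) -> str:
    """Wired links start in Slow Start; above 175 Mbps the Burst Mode test takes over."""
    return "burst" if slow_start_mbps > BURST_SWITCH_THRESHOLD_MBPS else "slow_start"


def is_suspect(previous_mbps: Optional[float], measured_mbps: float) -> bool:
    """A first measurement is never suspect; later ones are if they collapse."""
    if previous_mbps is None:
        return False
    return measured_mbps < previous_mbps * (1 - SUSPECT_DROP_FRACTION)


class LinkBandwidthState:
    """Per-WAN-link state for bandwidth measurements (hypothetical model)."""

    def __init__(self, rng: Optional[random.Random] = None):
        self.rng = rng or random.Random()
        self.measured_mbps: Optional[float] = None
        self.mode = "slow_start"
        self.retest_in_seconds: Optional[int] = None

    def record(self, measured_mbps: float) -> str:
        """Feed one test result; return what was done with it."""
        if is_suspect(self.measured_mbps, measured_mbps):
            # Keep the previous value and try again at a random later time so a
            # transient dip does not throttle the link until the next scheduled test.
            self.retest_in_seconds = self.rng.randint(RETEST_MIN_SECONDS, RETEST_MAX_SECONDS)
            return "suspect"
        self.measured_mbps = measured_mbps
        self.retest_in_seconds = None
        if self.mode == "slow_start" and choose_test_mode(measured_mbps) == "burst":
            # Slow Start tops out at 200 Mbps, so a reading near its ceiling says
            # nothing about a faster link; re-measure with Burst Mode.
            self.mode = "burst"
            return "switch_to_burst"
        return "accepted"


def demo(seed: int = 1) -> LinkBandwidthState:
    """Constructed sequence: a 1 Gbps-class link measured at 190, then a transient dip to 40."""
    state = LinkBandwidthState(random.Random(seed))
    state.record(190)   # near the Slow Start ceiling: switch to Burst Mode
    state.record(40)    # suspect: 190 is kept, re-test scheduled
    state.record(150)   # within tolerance: accepted
    return state
```

Note that a suspect reading does not lower the stored bandwidth at all; the link keeps its previous figure until a re-test confirms or contradicts the dip.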
The Orchestrator now automatically assigns a unique, redundant Super Gateway for all Cloud Gateway
deployments – guaranteeing Control Plane redundancy for all Edges.
OSPF Route Match
OSPF inbound and outbound route filters now support exact and non-exact subnet matches, as BGP already
does. This is configured on the Orchestrator via an “Exact Match” checkbox available per route prefix
under route filters (advanced OSPF settings).
BGP MD5 authentication can now be enabled for BGP neighbors on the Edge. Gateway support will be
provided in a future release.
Route Map “Community Additive” Support
The BGP route map “set community” action now supports the additive property. This is specified using a
checkbox on the Orchestrator, available per route prefix under the BGP route map. Previously, the
community set was non-additive: the Edge or Gateway replaced the incoming community strings with the
one configured in the route map. Now the community string specified in the route map can be appended to
the incoming community strings, preserving them and cascading the complete set of communities to the
BGP neighbor.
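The OSPF Route Match and Route Map “Community Additive” features are both route-policy semantics, so the added example below covers both in one small route-map evaluator: a prefix filter with an exact-match flag (exact requires the same network and length; non-exact accepts any route contained in the filter prefix) and a "set community" action with an additive flag. This is illustrative code, not the Edge or Gateway implementation; the entry format, the pass-through behaviour for unmatched routes and the sample prefixes and communities are constructed.

```python
import ipaddress
from typing import Dict, List


def prefix_filter_matches(route_prefix: str, filter_prefix: str, exact: bool) -> bool:
    """Exact: identical network and length. Non-exact: route lies within the filter prefix."""
    route = ipaddress.ip_network(route_prefix)
    filt = ipaddress.ip_network(filter_prefix)
    if route.version != filt.version:
        return False
    if exact:
        return route == filt
    return route.subnet_of(filt)   # equal or more specific than the filter prefix


def apply_set_community(incoming: List[str], configured: List[str], additive: bool) -> List[str]:
    """Non-additive replaces the received communities; additive keeps them and appends."""
    if additive:
        return sorted(set(incoming) | set(configured))
    return sorted(set(configured))


def run_route_map(routes: List[Dict], entries: List[Dict]) -> List[Dict]:
    """First-matching entry wins; deny drops the route; unmatched routes pass unchanged.

    The pass-through default for unmatched routes is an assumption of this model.
    """
    out = []
    for route in routes:
        for entry in entries:
            if not prefix_filter_matches(route["prefix"], entry["match_prefix"], entry["exact"]):
                continue
            if entry["action"] == "deny":
                break                      # matched a deny: route is not advertised
            out.append(dict(route, communities=apply_set_community(
                route["communities"], entry["set_community"], entry["additive"])))
            break
        else:
            out.append(dict(route))        # no entry matched
    return out


# Constructed routes and route-map entries (ASN 65000 is from the private range).
ROUTES = [
    {"prefix": "10.1.0.0/16", "communities": ["65000:100"]},
    {"prefix": "10.1.2.0/24", "communities": ["65000:200"]},
    {"prefix": "10.1.3.0/24", "communities": ["65000:300"]},
    {"prefix": "192.0.2.0/24", "communities": ["65000:400"]},
]
ENTRIES = [
    # Exact match on the aggregate only; additive keeps 65000:100 and appends 65000:999.
    {"match_prefix": "10.1.0.0/16", "exact": True, "action": "permit",
     "set_community": ["65000:999"], "additive": True},
    # Drop one specific more-specific route.
    {"match_prefix": "10.1.3.0/24", "exact": True, "action": "deny"},
    # Non-exact match catches the remaining more-specifics; non-additive replaces.
    {"match_prefix": "10.1.0.0/16", "exact": False, "action": "permit",
     "set_community": ["65000:777"], "additive": False},
]


def demo() -> List[Dict]:
    return run_route_map(ROUTES, ENTRIES)
```

Ordering matters exactly as on a router: because the non-exact entry would also match the /16 itself, the exact entry for the aggregate has to come first, otherwise the aggregate would lose its original community to the replacing action.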
DSCP marking of Underlay Traffic
If DSCP marking is configured in the Business Policy and “Underlay Accounting” is enabled for a given
WAN link, the Edge will now properly DSCP tag traffic routed via the underlay.
The VeloCloud Orchestrator has been qualified to support up to 10,000 Edges.
The VeloCloud Gateway has been qualified to support:
• 100,000 routes per customer
• 1,000,000 routes per Gateway (verified with 100 customers having 10,000 routes each)