| Issue ID | Issue | Description |
|---|---|---|
| CFD-12779 | AP Aware does not assign a VLAN. | AP Aware was enabling "auth-override" on the policy, with no ability to specify VLAN egress on the port for the Access Point. All traffic was mapped to the existing VLAN ID on the port or the untagged VLAN that was configured in the policy. To resolve this issue, VLAN assignment logic has been updated for better reliability. To allow additional VLAN IDs to be tagged in an AP Aware policy, add the following RADIUS attribute to the Advanced section of the Network Policy: `FA-VLAN-ISID=1:1, 10:10, 13:13`. In this example, VLAN 1 is the untagged VLAN assigned in the policy. This should match what is assigned above. The rest of the VLAN IDs, i.e. 10 and 13, will be added as tagged VLANs. Fabric mode is not required for this functionality to work. |
| CFD-13097 | When adding 4000+ new MAC addresses to the devices and then adding them to a group, the authentications are not matching in the group. | Within the device group, editing by adding or removing devices (MAC addresses) works. However, within the Identities table, when you select Add to Device Group there is an issue. In this case, the event sends down only the selected device ID; that ID is added and all others are deleted. The fix is for the UI to send down the entire updated list, or we need a new event so policy can handle it correctly when it is an incremental add only. |
| UZ-3897 | When Universal ZTNA policies are created and deleted continuously through automation, Dynamic Policy push to the access point freezes. | Creating a Network Service with a Custom IP in ExtremeCloud IQ causes Universal ZTNA enforcement to fail for ExtremeCloud IQ Wireless devices with an "UNKNOWN" reason in the Activity Log. Note: It is not likely that a customer will create a Custom IP Network Service in ExtremeCloud IQ if Universal ZTNA is managing Network Policies for ExtremeCloud IQ Wireless devices. However, if such a case occurs, then CloudOps could apply the following SQL patch to the database: `UPDATE hm_base_serv SET port_number = 0 WHERE service_type = 'NETWORK' AND ip_protocol = 'CUSTOM';` |
| UZ-4085 | Issue with DNS server status. | Configured DNS servers/policies require a manual Disconnect & Connect of the tunnel when updated or when a DNS server's status changes. |
| UZ-4393 | Wireless authentication fails via BYOD in Linux for a slider-enabled SSID. | In a future release of IDM, all EAP-TTLS requests will be proxied over to a RaaS FR server, which should eliminate this issue. Until then, BYOD with UZ-Slider turned ON is not supported. |
| UZ-4827 | Peers fluctuating on Service Connector Recovery mechanism: user can disconnect/connect to recover. | Certain peers are not being created on Service Connector due to an error in the IPsec logs, which is preventing connections from being established. |
| UZ-4904 | The unique together constraint on the devices table was preventing another entry for the same MAC address and user ID. | When a user installs the ZTNA agent on their machine and later changes the OS on that same machine, it causes an issue. After installing the ZTNA agent on the new OS, the device registration fails because the API tries to create a new entry in the database, as the unique identifier was different. An entry already exists in the database with that MAC address and user ID, causing a database error, as we currently have a unique together constraint for mac_address and created_by_id in the devices table. Removing this constraint allows the creation of another entry for that device in the database when the device registration API is called. Note: Currently this solution is not supported on dual-boot systems (any system with more than 1 OS partially or completely installed on it). In the event that the ZTA agent is run on such a system, the results will be unpredictable. |
| UZ-4987 | Synced user removed from local user group when using JIT provisioning. | When using Just-In-Time (JIT) provisioning, adding a synced user to a local user group may lead to unexpected behavior. If the user logs into the agentless portal, they are automatically removed from the local user group. |
| UZ-5501 | Default certificates deployment has failed when creating new workspaces. | When a workspace is created, the default certificates transition to a failed state, as noticed in some environments. The user can use the reset option in the UI to activate the default certificates again, or upload their own CA and server certificate, including the private key. The same issue occurred on SE RDC as well. |
| UZ-5941 | Linux agent troubleshooting is failing for applications even though the applications are accessible. | The troubleshooting process on the Linux agent occasionally fails with a timeout error. Note: Before executing the solution, upgrade connectors across all the workspaces. Existing limitations: Once a DNS policy is updated or a DNS server's status changes, you need to Disconnect & Connect the tunnel again. Tenant administrators can set two DNS servers; both should resolve all authorized application FQDNs. |
| UZ-5942 | Tunnel disconnects when accessing Remote Desktop Applications. | When a user accesses a remote desktop app (RDP/VNC), our app goes to the background, and the RDP/VNC app comes to the foreground. Due to iOS limitations, the socket connection is terminated when our app is in the background. Upon returning to our app, the tunnel reconnects. However, during the reconnection process, the UI remains accessible, and if the user quickly tries to access the RDP app again, the connection fails because the tunnel is not yet reestablished. This background-to-foreground transition disrupts the connection, which is not immediately reflected in the UI. While the DNS feature introduced in version 25.1.0 partially addresses this scenario, this is the case with every AWS and non-AWS environment. |
| UZ-6361 | | |
| ZTNA-27150 & ZTNA-27145 | Wireless authentication fails on SSIDs that have 'UZTNA Managed' and 'BYOD Enabled' enabled. | Wireless authentication fails on SSIDs that have 'UZTNA Managed' and 'BYOD Enabled' enabled. |
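
The CFD-12779 entry requires that the first VLAN in the `FA-VLAN-ISID` attribute match the untagged VLAN of the AP Aware policy, with the remaining entries becoming tagged VLANs. The following pre-deployment check is an added example, not vendor code; it assumes each entry is a `<VLAN ID>:<I-SID>` pair (inferred from the attribute name) and that an I-SID is a 24-bit value, and the function name is hypothetical.

```python
# Added example (not vendor code): validate an FA-VLAN-ISID value before it is
# pasted into the Advanced section of a Network Policy.
# Assumption: each entry is "<VLAN ID>:<I-SID>", inferred from the attribute name.

VLAN_MIN, VLAN_MAX = 1, 4094   # usable IEEE 802.1Q VLAN IDs
ISID_MAX = 0xFFFFFF            # assumption: I-SID is a 24-bit value


def parse_fa_vlan_isid(value, policy_untagged_vlan):
    """Return (untagged_vlan, tagged_vlans); raise ValueError on a bad value."""
    name, sep, bindings = value.partition("=")
    if sep != "=" or name.strip() != "FA-VLAN-ISID":
        raise ValueError("expected 'FA-VLAN-ISID=<vlan>:<isid>, ...'")

    vlans = []
    for entry in bindings.split(","):
        entry = entry.strip()
        vlan_text, colon, isid_text = entry.partition(":")
        numeric = all(t.isascii() and t.isdigit() for t in (vlan_text, isid_text))
        if colon != ":" or not numeric:
            raise ValueError(f"malformed binding {entry!r}")
        vlan, isid = int(vlan_text), int(isid_text)
        if not VLAN_MIN <= vlan <= VLAN_MAX:
            raise ValueError(f"VLAN {vlan} is outside {VLAN_MIN}-{VLAN_MAX}")
        if isid > ISID_MAX:
            raise ValueError(f"I-SID {isid} does not fit in 24 bits")
        if vlan in vlans:
            raise ValueError(f"VLAN {vlan} is listed more than once")
        vlans.append(vlan)

    # Per the release note, the first VLAN is the untagged one and must match
    # the untagged VLAN already assigned in the policy.
    untagged, tagged = vlans[0], vlans[1:]
    if untagged != policy_untagged_vlan:
        raise ValueError(
            f"first VLAN {untagged} does not match the policy's "
            f"untagged VLAN {policy_untagged_vlan}"
        )
    return untagged, tagged


if __name__ == "__main__":
    # Value taken from the release note; policy untagged VLAN is 1.
    print(parse_fa_vlan_isid("FA-VLAN-ISID=1:1, 10:10, 13:13", 1))
```

A mismatch between the first entry and the policy's untagged VLAN is rejected here so that Access Point traffic is not placed on a VLAN the policy did not intend.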