diff --git a/roles/firewall/files/fw_quic_plug-3.0.3.1422b36-2.el7.x86_64.rpm b/roles/firewall/files/fw_quic_plug-3.0.3.1422b36-2.el7.x86_64.rpm
new file mode 100644
index 0000000..0892988
Binary files /dev/null and b/roles/firewall/files/fw_quic_plug-3.0.3.1422b36-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/files/quic-1.1.12.409501c-2.el7.x86_64.rpm b/roles/firewall/files/quic-1.1.12.409501c-2.el7.x86_64.rpm
new file mode 100644
index 0000000..201872b
Binary files /dev/null and b/roles/firewall/files/quic-1.1.12.409501c-2.el7.x86_64.rpm differ
diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index 8e809e8..0d5317b 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -19,11 +19,11 @@
 - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm
- - /tmp/ansible_deploy/fw_quic_plug-3.0.2.2122de5-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/fw_quic_plug-3.0.3.1422b36-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
- - /tmp/ansible_deploy/quic-1.1.11.d7385a1-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/quic-1.1.12.409501c-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/ssl-1.0.9.69f3742-2.el7.x86_64.rpm
 - /tmp/ansible_deploy/tsg_conn_sketch-2.0.8.515835a-2.el7.x86_64.rpm
diff --git a/roles/mrzcpd/files/mrzcpd-4.3.29.7c73322-1.el7.x86_64.rpm b/roles/mrzcpd/files/mrzcpd-4.3.29.7c73322-1.el7.x86_64.rpm
new file mode 100644
index 0000000..a214261
Binary files /dev/null and b/roles/mrzcpd/files/mrzcpd-4.3.29.7c73322-1.el7.x86_64.rpm differ
diff --git a/roles/mrzcpd/tasks/main.yml b/roles/mrzcpd/tasks/main.yml
index 5715f82..adcb669 100644
--- a/roles/mrzcpd/tasks/main.yml
+++ b/roles/mrzcpd/tasks/main.yml
@@ -6,7 +6,7 @@
 - name: "install mrzcpd"
 yum:
- name: /tmp/ansible_deploy/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm
+ name: /tmp/ansible_deploy/mrzcpd-4.3.29.7c73322-1.el7.x86_64.rpm
 state: present
 - name: "update sysconfig/mrzcpd"
@@ -148,7 +148,7 @@
 - name: "enable mrtunnat on master"
 systemd:
 name: mrtunnat
- enabled: yes
+ enabled: no
 daemon_reload: yes
 when:
 - nic_traffic_mirror is not defined
diff --git a/roles/sapp/files/sapp-4.2.5.d8bc307-2.el7.x86_64.rpm b/roles/sapp/files/sapp-4.2.5.d8bc307-2.el7.x86_64.rpm
new file mode 100644
index 0000000..601e7c4
Binary files /dev/null and b/roles/sapp/files/sapp-4.2.5.d8bc307-2.el7.x86_64.rpm differ
diff --git a/roles/sapp/tasks/main.yml b/roles/sapp/tasks/main.yml
index 41a7f72..a3108f7 100644
--- a/roles/sapp/tasks/main.yml
+++ b/roles/sapp/tasks/main.yml
@@ -13,7 +13,7 @@
 - name: "install sapp rpms from localhost"
 yum:
 name:
- - /tmp/ansible_deploy/sapp-4.1.13.ed89137-2.el7.x86_64.rpm
+ - /tmp/ansible_deploy/sapp-4.2.5.d8bc307-2.el7.x86_64.rpm
 state: present
 skip_broken: yes
@@ -51,8 +51,13 @@
 src: "{{ role_path }}/templates/gdev.conf.j2"
 dest: /home/mesasoft/sapp_run/etc/gdev.conf
 when: tsg_access_type == 1
-
+- name: Template the vlan_flipping_map.conf
+ template:
+ src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2"
+ dest: /home/mesasoft/sapp_run/etc/vlan_flipping_map.conf
+ when: tsg_access_type == 2
+
 - name: "Template sapp.service destination server"
 template:
 src: "{{ role_path }}/templates/sapp.service.j2"
diff --git a/roles/sapp/templates/conflist.inf.j2 b/roles/sapp/templates/conflist.inf.j2
index aed719b..870644f 100644
--- a/roles/sapp/templates/conflist.inf.j2
+++ b/roles/sapp/templates/conflist.inf.j2
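Review bot: The `enabled: no` change in the `enable mrtunnat on master` task only removes mrtunnat from the boot sequence; with no `state:` key the systemd module leaves an already-running instance up until the next reboot, so previously deployed hosts keep mrtunnat processing tunnels alongside the L2-L3 tunnel support this commit switches on in sapp.toml.j2. If the intent is to retire mrtunnat, add `state: stopped` next to `enabled: no`; either way the task name now says the opposite of what it does, e.g. `- name: "disable mrtunnat on master"`. The module booleans are also written as `yes`/`no`; `true`/`false` avoids the YAML 1.1 truthy ambiguity.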
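Review bot: The new `Template the vlan_flipping_map.conf` task renders the file only when `tsg_access_type == 2`, but the same commit points sapp at it unconditionally via `vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"` in sapp.toml.j2, so every other access type starts sapp with a config entry naming a file that was never deployed; whether sapp tolerates the missing file is not visible here, so either render it for all types or gate the toml key on the same condition. The task is also the only one in this hunk whose `name:` is unquoted; `- name: "Template the vlan_flipping_map.conf"` would match its siblings.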
@@ -2,9 +2,6 @@
 {% if tsg_access_type == 1 %}
 ./plug/platform/g_device_plug/g_device_plug.inf
 #./plug/platform/http_healthcheck/http_healthcheck.inf
-{% elif tsg_access_type == 2 %}
-#./plug/platform/g_device_plug/g_device_plug.inf
-./plug/platform/http_healthcheck/http_healthcheck.inf
 {% else %}
 #./plug/platform/g_device_plug/g_device_plug.inf
 #./plug/platform/http_healthcheck/http_healthcheck.inf
@@ -38,3 +35,6 @@
 ./plug/business/app_sketch_local/app_sketch_local.inf
 ./plug/business/app_control_plug/app_control_plug.inf
 {% endif %}
+{% if tsg_access_type == 2 %}
+./plug/platform/http_healthcheck/http_healthcheck.inf
+{% endif %}
diff --git a/roles/sapp/templates/sapp.service.j2 b/roles/sapp/templates/sapp.service.j2
index e69b5fd..5bcf18d 100644
--- a/roles/sapp/templates/sapp.service.j2
+++ b/roles/sapp/templates/sapp.service.j2
@@ -5,9 +5,18 @@ Requires=mrzcpd.service
 After=mrzcpd.service
 {% endif %}
 [Service]
+Type=notify
 WorkingDirectory=/home/mesasoft/sapp_run
 ExecStart=/home/mesasoft/sapp_run/sapp
+TimeoutSec=300s
+RestartSec=10s
 Restart=always
-RestartSec=5s
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/sapp/templates/sapp.toml.j2 b/roles/sapp/templates/sapp.toml.j2
index 191c300..82ae092 100644
--- a/roles/sapp/templates/sapp.toml.j2
+++ b/roles/sapp/templates/sapp.toml.j2
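Review bot: For `tsg_access_type == 2` the `http_healthcheck.inf` entry moves from the platform block at the top of the list to a new block appended after the business plugins at the end of the file; if sapp loads plugins in list order, the health-check plugin for that access type is now initialised after the business plugins, whereas for access type 1 it stays in the first block. If order is insignificant, a one-line comment on the new block saying so would save the next reader the question; otherwise keep the entry in the first block with its own `{% elif %}` branch. Both hunks of this file are fully visible here.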
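Review bot: `KillMode=process` combined with `Restart=always` means systemd kills only the main sapp process on each restart and leaves any children in the unit's cgroup, so a restart loop — which `Type=notify` with `TimeoutSec=300s` would produce if the binary does not send the ready notification — can accumulate orphaned worker processes, and `TasksMax=infinity` plus `LimitNPROC=infinity` remove the limits that would otherwise contain that. Unless sapp must survive its own restarts, the default `KillMode=control-group` is the safer choice, and `Delegate=yes` deserves a comment since it hands cgroup control to the daemon. `LimitCORE=infinity` on a packet-inspection daemon also means core files may contain captured traffic; where they land and who can read them should be reviewed together with the `[breakpad]` settings added to sapp.toml.j2 in this commit.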
@@ -22,16 +22,54 @@ bind_mask=[]
 bind_mask=[{{ sapp.bind_mask }}]
 {% endif %}
+[MEM]
+dictator_enable=0
+
 [PACKET_IO]
-{% if tsg_access_type == 4 %}
-### note, used to represent inbound or outbound direction value,
-##### because it comes from other device, so it needs to be specified manually,
-##### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
-##### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
-inbound_route_dir={{ sapp.inbound_route_dir }}
-{% endif %}
+
+ [overlay_tunnel_definition]
+### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat,
+### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
+ l2_l3_tunnel_support=1
+
+### note, optional value is [none, vxlan]
+ overlay_mode=none
+ stream_compare_layer_cfg_file="etc/stream_compare_layer.conf"
+ vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"
+ asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf"
+ asymmetric_addr_layer_cfg_file="etc/asymmetric_addr_layer.conf"
+ prune_inject_layer_cfg_file="etc/prune_inject_layer.conf"
+
+ {% if tsg_access_type == 4 %}
+ ### note, used to represent inbound or outbound direction value,
+ ### because it comes from Third party device, so it needs to be specified manually,
+ ### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+ ### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+ inbound_route_dir={{ sapp.inbound_route_dir }}
+ {% endif %}
+
 ### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
-BSD_packet_filter=""
+ BSD_packet_filter=""
+
+### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
+ pcap_capture_direction="in"
+
+
+### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
+### sys_route: send ip(ipv6) packet by system route table, this is default mode in 
mirror mode;
+### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
+### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain.
+### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain.
+ inject_pkt_mode=sys_route
+
+### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
+ inject_mode_inline_device_sport=54789
+
+### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
+ inject_mode_single_gateway_device="eth1"
+### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
+ inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
+ inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
 ### note, depolyment.mode options: [mirror, inline, transparent]
 [packet_io.depolyment]
@@ -48,7 +86,7 @@ BSD_packet_filter=""
 name={{packet_io.internal_interface}}
 {% else %}
 type=marsio
- name=vxlan_user
+ name={{nic_data_incoming.name}}
 {% endif %}
 [packet_io.external.interface]
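Review bot: The `[overlay_tunnel_definition]` header is inserted right after `[PACKET_IO]`, and `BSD_packet_filter`, `pcap_capture_direction`, the `inbound_route_dir` block and all the `inject_*` keys now follow it; a standard TOML reader treats every header as an absolute table name and ignores indentation, so those keys would move from the `PACKET_IO` table into `overlay_tunnel_definition`, silently changing where `BSD_packet_filter` is read from. Unquoted values such as `overlay_mode=none` suggest sapp's parser is not strict TOML, so this may be harmless, but then the indentation-means-nesting convention should be stated in a `### note`, or the header written as `[packet_io.overlay_tunnel_definition]` to match the existing `[packet_io.depolyment]` form with the moved keys placed before it. The hard-coded `inject_mode_single_gateway_src_mac="00:11:22:77:88:99"` and `inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"` read as placeholder MACs baked into a per-host template; if `raw_ethernet_single_gateway` is ever selected they should come from inventory variables the way `sapp.inbound_route_dir` does.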
@@ -64,25 +102,47 @@ BSD_packet_filter=""
 ### note, polling_priority = call sapp_recv_pkt every call polling_entry times,
 polling_priority=1
+[PROTOCOL_FEATURE]
+ ipv6_decapsulation_enabled=1
+ ipv6_send_packet_enabled=1
+ tcp_drop_pure_ack_pkt=0
+ tcp_syn_option_parse_enabled=1
+ skip_not_ip_layer_over_eth=0
+ treat_vlan_as_mac_in_mac=0
+ reverse_ethernet_addr=1
+
+
 [STREAM]
+### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S"
+ stream_id_base_time="2018-08-08 08:00:00"
 [stream.tcp]
 max=100000
 timeout=30
 syn_mandatory=0
 reorder_pkt_max=5
 analyse_option_enabled=1
+ tuple4_reuse_time_interval=30
+
+ meaningful_statistics_minimum_pkt=3
+ meaningful_statistics_minimum_byte=5
+
 [stream.tcp.inject]
 link_mss=1460
 [stream.tcp.inject.rst]
+ auto_remedy=0
 number=3
 signature_enabled=1
 signature_seed1=65535
 signature_seed2=13
+ remedy_kill_tcp_by_inline_device=0
 [stream.udp]
 max=100000
 timeout=60
+ meaningful_statistics_minimum_pkt=3
+ meaningful_statistics_minimum_byte=5
+
 [PROFILING]
 [profiling.pkt_latency]
@@ -95,7 +155,7 @@ BSD_packet_filter=""
 symbol_conflict_enabled=0
 [profiling.log]
- level=20
+ level=10
 interval=5
 [profiling.log.local]
@@ -148,3 +208,10 @@ BSD_packet_filter=""
 entrylist_path="./etc/entrylist.conf"
 send_raw_pkt_path="./etc/send_raw_pkt.conf"
 vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf"
+
+[breakpad]
+ disable_coredump=0
+ enable_breakpad=0
+ breakpad_minidump_dir="/tmp/crashreport"
+ enable_breakpad_upload=0
+ breakpad_upload_url="http://127.0.0.1/"
diff --git a/roles/sapp/templates/vlan_flipping_map.conf.j2 b/roles/sapp/templates/vlan_flipping_map.conf.j2
new file mode 100644
index 0000000..599e8f8
--- /dev/null
+++ b/roles/sapp/templates/vlan_flipping_map.conf.j2
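Review bot: The new `[PROTOCOL_FEATURE]` table adds seven flags, `ipv6_decapsulation_enabled` through `reverse_ethernet_addr`, with no `### note` lines, unlike almost every other key this commit adds, and `reverse_ethernet_addr=1` or `treat_vlan_as_mac_in_mac=0` are not self-explanatory for someone tuning a traffic-inspection host. A one-line `### note` per flag in the style of the `### note, BSD_packet_filter` comment would document what each toggles. The same applies to the undocumented `auto_remedy=0` / `remedy_kill_tcp_by_inline_device=0` pair added under `[stream.tcp.inject.rst]`, which sit next to the RST signature seeds and so look security-relevant.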
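Review bot: `[breakpad]` sets `disable_coredump=0` with `breakpad_minidump_dir="/tmp/crashreport"`, i.e. crash dumps of a process that likely holds captured packet payloads and the `[stream.tcp.inject.rst]` signature seeds would land in a world-writable directory, while the service unit in the same commit raises `LimitCORE=infinity`; a dedicated root-owned directory (or dumps disabled in production) is the safer default. `breakpad_upload_url="http://127.0.0.1/"` is a plaintext endpoint and should become `https://` before `enable_breakpad_upload` is ever set to 1. A `### note` stating that minidumps may contain traffic data would help the operator judge both settings.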
@@ -0,0 +1,11 @@
+#for inline a device vlan flipping
+#数据包来自C路由器端, 即C2I(I2E)方向,
+#数据包来自I路由器端, 即I2C(E2I)方向,
+#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
+#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
+#配置文件格式, pattern:
+#来自C路由器vlan_id 来自I路由器vlan_id 是否开启mac地址翻转
+#C_router_vlan_id I_router_vlan_id mac_flipping_enable
+1301 1302 1
+1201 1202 1
+4000 4001 0
diff --git a/roles/tfe/files/tfe-4.3.19.6e80fc6-1.el7.x86_64.rpm b/roles/tfe/files/tfe-4.3.19.6e80fc6-1.el7.x86_64.rpm
new file mode 100644
index 0000000..cc1e644
Binary files /dev/null and b/roles/tfe/files/tfe-4.3.19.6e80fc6-1.el7.x86_64.rpm differ
diff --git a/roles/tfe/tasks/main.yml b/roles/tfe/tasks/main.yml
index f8a34bd..c493b34 100644
--- a/roles/tfe/tasks/main.yml
+++ b/roles/tfe/tasks/main.yml
@@ -14,7 +14,7 @@
 yum:
 name:
 - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm
- - /tmp/ansible_deploy/tfe-4.3.17.897ff3f-1.el7.x86_64.rpm
+ - /tmp/ansible_deploy/tfe-4.3.19.6e80fc6-1.el7.x86_64.rpm
 state: present
 - name: "template tfe-env config"
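Review bot: The new `vlan_flipping_map.conf.j2` contains no Jinja expressions at all: the VLAN pairs `1301 1302 1`, `1201 1202 1` and `4000 4001 0` are site-specific values baked into a template that is rendered for every `tsg_access_type == 2` host, and the file's own header warns that a swapped pair silently inverts the I2E/E2I traffic statistics. The rows should come from inventory, for example a `{% for %}` over a list variable under the existing `sapp` namespace (variable name to be chosen; `sapp.bind_mask` shows the pattern), so the data lives with the host that owns it. The header comments are in Chinese while the rest of the role's templates comment in English; the existing `#C_router_vlan_id I_router_vlan_id mac_flipping_enable` line is enough to keep if the prose above it is translated or dropped.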