Aviatrix Controller and Gateway Software Release Notes
Aviatrix strongly recommends you perform the tasks in the operations checklist, including a dry run upgrade, before upgrading your deployment of the Aviatrix network platform. Taking the time to perform dry runs and backing up your Aviatrix Platform configuration reduces the potential for issues during the upgrade and allows you to easily restore your configuration if there are issues after the upgrade. Correct any issues you find during your preparation before proceeding with an Aviatrix upgrade. For more information, see Upgrading the Aviatrix Platform and Troubleshooting your Controller and Gateway Upgrade. If you cannot resolve all issues after following the preparation and dry run procedures, please open a ticket with Aviatrix Support.
This page provides release specific information including known and corrected issues. For information about new and enhanced features and behaviors see What’s New.
Important Notices for Upgrading to Aviatrix Release 7.1
Disable Deprecated Controller-Logging Configurations
If you have logging configurations enabled in Controller for the following external log servers, note that the out-of-the-box logging services for these external log servers were deprecated in previous Controller releases and are removed in Controller 7.1 versions (that is, any Controller version that begins with 7.1):
- Elastic Filebeat
- Splunk Enterprise/Cloud
- Sumo Logic
You cannot upgrade from any Controller 7.0 version to any Controller 7.1 version until you have disabled these deprecated logging configurations.
To disable the deprecated logging configurations:
- Depending on your environment, you might want to enable your log forwarding under rsyslog and verify the functionality is working before disabling the deprecated logging configurations. For information about using rsyslog as the logging mechanism to forward Aviatrix platform logs to your external log server, see Aviatrix Controller Logging.
- Disable the deprecated logging configurations for Elastic Filebeat/Splunk Enterprise or Cloud/Sumo Logic, as applicable, in the Controller > Settings > Logging page. Locate the applicable external log server’s respective option and switch its toggle from Enabled to Disabled.
Upgrading Aviatrix Secure Edge Gateways
Due to an architecture change in the Controller 7.1 release, there are limitations with upgrading Edge Gateways from Controller 7.0 to 7.1. If you have two or more Edge Gateways deployed in the same Site and perform an upgrade to the Controller 7.1 release, the upgrade will not be allowed.
These limitations will be addressed in an upcoming patch release. The patch release will allow you to upgrade your Edge Gateways from the Controller 7.0 release to 7.1. If you have deployed more than two Edge Gateways in the same Site, or you have a requirement for two Edge Gateways in the same Site, Aviatrix strongly recommends upgrading from Controller 7.0 directly to the patch release when the patch release becomes available.
In the interim, if you require an upgrade of your Edge Gateways from the Controller 7.0 release to 7.1 or require high availability Edge Gateways in the upgraded network, please contact Aviatrix Support for further assistance.
7.1.4139 Release Notes
Release Date: 14 August 2024
Release Notes updated 16 September 2024
Corrected Issues in Aviatrix Release 7.1.4139
Issue | Description |
---|---|
AVX-55256 | Running packet capture results in an error, preventing generation of packet captures for troubleshooting. |
AVX-55290 | If custom DNS/NTP entries are configured in the Cloud Service Provider DHCP options, and these DNS/NTP destinations are not reachable on the local VPC/VNet, then traffic to those destinations might be blocked. |
AVX-55499 | Software rollback of a gateway upgrade from 7.1.4105 (newer operating system) to 7.1.3956 or 7.1.4101 (older operating system) causes the gateway PKI service to go down. This results in lost communication between the gateway and Aviatrix Controller. |
7.1.4105 Release Notes
Release Date: 18 July 2024
Release Notes updated on 09 August 2024
Corrected Issues in Aviatrix Release 7.1.4105
Issue | Description |
---|---|
AVX-37706 | (GCP) An issue that could cause gateway image upgrades to fail if Aviatrix Gateways were configured as Router Appliance spokes in the GCP Network Connectivity Center (NCC) is resolved. |
AVX-37982 | Clearing the bell notifications no longer results in the error “Command to execute is too long”. |
AVX-42518 | An issue where adding and deleting a large number of stateful firewalls increased memory usage to more than 80% has been resolved. |
AVX-48386 | (OCI Gov) An issue where gateway creation in OCI Gov failed has been resolved. |
AVX-48707 | (AWS) AWS has released configurable timeouts for security group connection tracking. Previously, the default timeouts were too long, and in some routing topologies that could lead to packet drops. With this release, the timeout value will be set to an appropriate value on the gateway’s interfaces. This feature is only supported for AWS Nitro-based instance types, and when resizing between two Nitro instance sizes. |
AVX-48764 | Product telemetry corrected for intra tunnels count. No workarounds or corrective actions are needed by the customer. |
AVX-48903 | An issue is resolved where an upgrade could fail when you upgraded an image for a non-HPE (High Performance Encryption) Transit Gateway that had a Site2Cloud GRE connection and Jumbo Frame enabled. |
AVX-48917 | Resolved an issue where traffic from the Spoke CIDR was incorrectly routed to FireNet, despite exclusion of the Spoke CIDR from the Inspection Policy. |
AVX-50194 | (GCP) Resolved an issue with FireNet BGP over LAN on GCP by correcting the routing for the firewall_rtb table, ensuring proper mapping of routes to interfaces. |
AVX-50752 | Product telemetry corrected in Private Mode implementations. No workarounds or corrective actions are needed by the customer. |
AVX-50897 | An issue is resolved where the Controller did not restore the peered tunnels that were deleted during the resizing process. This issue was the result of errors returned by the Cloud Service Provider (CSP) when resizing a High Performance Encryption (HPE) Gateway. |
AVX-50941 | (Azure) When a new Azure HPE gateway is provisioned, the Controller now creates a gateway route table with the name `<vnet_name>-avx-gw-public` associated with the gateway subnet. If there are subnets without any route tables associated, an optional public route table with the name `<vnet_name>-avx-public` is also created. These route tables will be deleted when the gateway is torn down. |
AVX-51027 | The VPC Tracker Overlap Detection tool in Aviatrix CoPilot now works correctly with Edge devices. |
AVX-51147 | An issue is resolved that could cause Site2Cloud connection disruptions. External Site2Cloud connections (such as those with CloudN or standalone gateways with legacy route-based Site2Cloud connections) could have tunnel interfaces with overlapping Site2Cloud IPs. New tunnel IPs are now validated prior to assignment to ensure they do not overlap with existing Site2Cloud connections. |
AVX-51314 | (Azure) Resolved an issue where Azure VNets that were created out-of-band (OOB) were not populating on the Controller when creating a Gateway. This was due to changes in the Azure API. |
AVX-51407 | An issue was resolved that caused disruptions in Site2Cloud tunnel configurations. Specifically, the local IP address was incorrectly changed to the standby gateway IP after upgrading the image on the standby gateway. This behavior occurred in environments using Site2Cloud configurations with single IP HA and public IP as the gateway identifier. |
AVX-51703 | Previously, an extra route table was created when a gateway without High Performance Encryption (HPE) was initially deployed. This route table had no function and was creating issues during the deletion of the gateway. This issue has been resolved and the extra route table is no longer created during the deployment of a non-HPE gateway. |
AVX-52360 | Disabling Controller Security Group Management after a Controller image upgrade no longer causes a dependency violation error. |
AVX-52640 | Resolved an issue where Security Group Orchestration incorrectly counted existing user security groups. This led to the creation of new groups, exceeding the Security Group mapping limit of 5. Exceeding the limit posed a potential risk of gateway outage due to insufficient security rules for gateway communication with the Controller. |
AVX-52808 | The eth1 interface no longer goes down after upgrade to Controller 7.0. |
AVX-53450 | Corrected an issue that, during migration, sometimes resulted in receiving an email about an exception in export_tf. This did not affect the actual migration, which completed successfully. |
AVX-54729 | Resolved an issue where deploying Layer 7 Distributed Cloud Firewall rules to a gateway would slowly leak memory. |
Known Issues in Aviatrix Release 7.1.4105
Issue | Description |
---|---|
AVX-54874 | (Azure) The message "Agent status: Not ready" might display in the Azure portal when viewing the Aviatrix Controller. This occurs because the Controller does not have the Azure VM agent running. This behavior is by design and does not affect the Controller’s functionality or performance. No action is required from users; this message can be safely ignored. |
AVX-55256 | Running packet capture results in an error, preventing generation of packet captures for troubleshooting. If you encounter this issue, please contact Aviatrix Support for assistance. |
AVX-55290 | If custom DNS/NTP entries are configured in the Cloud Service Provider DHCP options, and those DNS/NTP destinations are not reachable on the local VPC/VNet, then traffic to those destinations might be blocked. If you encounter this issue, please contact Aviatrix Support for assistance. |
AVX-55499 | Software rollback of a gateway upgrade from 7.1.4105 (newer operating system) to 7.1.3956 or 7.1.4101 (older operating system) causes the gateway PKI service to go down. This results in lost communication between the gateway and Aviatrix Controller. If you need to roll back a gateway upgrade from 7.1.4105 to 7.1.3956 or 7.1.4101, contact Aviatrix Support for assistance. This issue does not apply to 7.1.3958. |
7.1.4101 Release Notes
Release Date: 22 July 2024
Release Notes updated on 09 August 2024
Corrected Issues in Aviatrix Release 7.1.4101
Issue | Description |
---|---|
AVX-51314 | (Azure) Resolved an issue where Azure VNets that were created out-of-band (OOB) were not populating on the Controller when creating a Gateway. This was due to changes in the Azure API. |
AVX-54470 | (Azure) Resolved an issue where not all Security Group rules were removed when disabling Access Security from Aviatrix Controller. Security Group rules still showed up in the Network Security Group list for the Controller in the Azure Portal (Console). |
AVX-54729 | Resolved an issue where deploying Layer 7 Distributed Cloud Firewall rules to a gateway would slowly leak memory. |
Known Issues in Aviatrix Release 7.1.4101
Issue | Description |
---|---|
AVX-54480 | (Azure) Manually aborting an Azure migration might not remove the new Controller instance. If that happens, delete the new Controller instance manually. |
AVX-54886 | (Azure) After migrating to the new 7.1.3958 or 7.1.4105 Controller releases, the storage disk IOPS setting is not retained from the old 7.1.3956 or 7.1.4101 Controllers. |
AVX-55499 | Software rollback of a gateway upgrade from 7.1.4105 (newer operating system) to 7.1.3956 or 7.1.4101 (older operating system) causes the gateway PKI service to go down. This results in lost communication between the gateway and Aviatrix Controller. If you need to roll back a gateway upgrade from 7.1.4105 to 7.1.3956 or 7.1.4101, contact Aviatrix Support for assistance. This issue does not apply to 7.1.3958. |
7.1.3958 Release Notes
Release Date: 06 June 2024
Corrected Issues in Aviatrix Release 7.1.3958
Issue | Description |
---|---|
AVX-38433 | If you see error messages like “MemoryUsageLimitExceeded” or “RequestLimitExceeded” when you try to access the Controller, this could be caused by high memory usage. You can verify memory usage from Aviatrix CoPilot on the Monitor > Performance tab. To resolve this issue, please contact Aviatrix Support. |
AVX-45386 | On a gateway with multiple mapped Site2Cloud connections and with Forward Traffic to Transit Gateway enabled, after a successful gateway image upgrade, some of the Site2Cloud connections might not work. To resolve this issue, go to CoPilot > Networking > Connectivity > External Connections (S2C), select a connection and click Settings. Disable, and then re-enable, “Forward Traffic to Transit Gateway” for each impacted Site2Cloud connection. |
AVX-53623 | 7.1.3958 fixes an issue where, if you were on a version of the Aviatrix Controller older than 7.0 and attempted to launch a gateway on OCI, the gateway launch would fail due to a bug in OCI. |
Known Issues in Aviatrix Release 7.1.3958
Issue | Description |
---|---|
AVX-37706 | (GCP) If an Aviatrix Gateway is configured as a Router Appliance spoke in the GCP Network Connectivity Center (NCC), gateway image upgrades might fail. To resolve this issue, temporarily disassociate the gateway from the GCP NCC, run the image upgrade, and then re-associate the gateway. |
AVX-37913 | (AWS) Controllers with a large number of onboarded AWS access accounts can experience high memory usage. The system will detect this situation and restart affected services if memory usage is too high. Contact Aviatrix Support if you need more information. |
AVX-47065 | (Azure) An Azure gateway instance might display the message “agent status is not ready” after the gateway image is updated. This is cosmetic only and does not have any effect on the functionality of the Aviatrix gateway. |
AVX-48386 | (OCI) The new Aviatrix base image is not available on OCI Gov in the current Controller release. |
AVX-50897 | When resizing a High Performance Encryption (HPE) Gateway, if the resizing operation fails due to errors returned by the Cloud Service Provider (CSP), the Controller does not restore the peered tunnels that were deleted during the resizing process. Reach out to Aviatrix Support for assistance if you run into this issue. |
AVX-52048 | (AWS) Auto-migration does not inherit volume values for IOPS on the new gp3 volume. If the volume IOPS settings on the old Controller were modified, those changes might not be retained after the migration. The modified settings might need to be re-created for the new gp3 volume after migration. |
AVX-52360 | After a Controller image upgrade, disabling Controller Security Group Management might cause a dependency violation error. If this happens, delete the old Controller, and then retry disabling Security Group Management. |
AVX-52587 | Changes to the certificate domain fail on gateways. To resolve this issue, configure the same certificate domain name again or repeat the configuration steps; the second time, the gateways should update properly. |
AVX-53025 | On the Controller’s Settings > Maintenance page, the kernel version is missing for newly launched Edge Gateways on Aviatrix Edge Platform. |
AVX-53027 | On Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image, you cannot roll back to the previous image. |
AVX-53450 | During migration, you might receive an email about an exception in export_tf. This does not affect the actual migration, which will complete successfully. |
7.1.3956 Release Notes
Release Date: 28 May 2024
Known Issues in Aviatrix Release 7.1.3956
Issue | Description |
---|---|
AVX-52048 | (AWS) Auto-migration does not inherit volume values for IOPS on the new gp3 volume. If the volume IOPS settings on the old Controller were modified, those changes might not be retained after the migration. The modified settings might need to be re-created for the new gp3 volume after migration. |
AVX-52095 | If your Controller is running release 7.1.3956 or earlier, you will not be able to upgrade directly to 7.2 or later releases when they become available. You will need to upgrade to release 7.1.3958 or a later 7.1 release before proceeding to any 7.2 releases. |
AVX-52360 | After a Controller image upgrade, disabling Controller Security Group Management might cause a dependency violation error. If this happens, delete the old Controller, and then retry disabling Security Group Management. |
AVX-52587 | Changes to the certificate domain fail on gateways. To resolve this issue, configure the same certificate domain name again or repeat the configuration steps. The gateways should be properly updated the second time. |
AVX-53030 | When doing a dry run prior to doing a gateway software upgrade to 7.1.3956, the dry run might report errors. This could happen because of backend dependencies. Please wait 15 minutes and attempt the dry run again. |
AVX-53116 | If you detach an IAM role from the Controller instance in the AWS Console, but do not update the Onboarded Account on the Controller, the Controller is not aware of the change made in the AWS Console and still maintains the IAM role association with the Onboarded Account. This will result in a failed dry run. You must reattach an IAM role to the Controller in your cloud service provider (CSP) account. |
AVX-53583 | The Certificate Domain (required for China region) is not updated for Edge Gateways, so the Edge Gateway cannot connect to the Controller. To resolve this issue, restore the Certificate Domain to its previous value. You can reset this in Controller by going to Onboarding and scrolling to Enter Certificate Domain. |
7.1.3176 Release Notes
Release Date: 26 Feb 2024
Release Notes updated 09 Oct 2024
Corrected Issues in Aviatrix Release 7.1.3176
Issue | Description |
---|---|
AVX-50895 | Customers using an Aviatrix Controller to orchestrate AWS Transit Gateways (TGWs) can encounter a software defect wherein the Aviatrix software might raise a false positive warning about duplicated CIDRs, which could impact route propagation. This issue occurs when you have two or more AWS TGWs and have TGW peering between them. The false positive warning can be raised on unrelated VPCs. If there are duplicated CIDRs in any TGW attachments in peered TGWs, routing propagation could be impacted. |
Known Issues in Aviatrix Release 7.1.3176
Issue | Description |
---|---|
AVX-47437 | The traceroute for an Edge Gateway may display an incorrect value for the Edge Gateway Interface. |
AVX-48456 | When you use network segmentation on an Edge site with multiple gateways using VLAN, you must use the same VLAN value for all gateways. A bug is preventing the addition of new gateways to an existing network segmentation even when the VLAN value matches the VLANs of the other gateways. To add a new gateway to an existing network segmentation: (1) Remove the network segmentation association from all gateways. (2) Make sure the new gateway has a VLAN identical with the rest of the gateways. (3) Re-associate all the gateways in the network segmentation. |
AVX-49015 | If you change your Jumbo Frame configuration for Edge Gateways, that configuration change is not propagated to existing VLAN sub-interfaces. If you experience this issue and need to change your Jumbo Frame configuration, make the configuration change and then delete and recreate all existing VLAN sub-interfaces. |
AVX-49375 | When you try to create a GCP Palo Alto firewall instance using a certain version of a Palo Alto image, the instance creation fails. The affected versions are versions of the Palo Alto Networks Next-Generation Firewall BUNDLE that contain the letter “h,” such as “8.1.25-h1.” If you experience this issue, choose a Palo Alto Networks image version that does not contain the letter “h.” New Check Point and FortiGate Fortinet instance deployments are unaffected. |
AVX-50076 | The Aviatrix Controller now only displays the metrics for the last hour in Dashboard > Controller Metrics or Gateway Metrics. For detailed Gateway metrics, please use Aviatrix CoPilot. |
7.1.3006 Release Notes
Release Date: 10 Jan 2024
Release Notes updated 09 Oct 2024
Corrected Issues in Aviatrix Release 7.1.3006
Issue | Description |
---|---|
AVX-26567 | A FireNet Egress FQDN gateway was dropping traffic. |
AVX-36054 | A gateway created in a newer Controller software version might have been rolled back to an older software version if: |
AVX-36996 | (Azure) After an Azure FireNet FQDN Egress gateway image upgrade, the gateway goes into the “config_fail” state. To resolve this issue, try restarting the gateway. If the gateway state does not change, please contact Aviatrix Support. |
AVX-38843 | In a Site2Cloud connection with a single IP HA Gateway, the standby gateway continuously sent IPsec connection requests to a remote peer even though the connection would never get established. This issue created a stale state in the CSP underlay, which may have caused IPsec tunnel flaps between the active gateway and the remote peer. This issue has been resolved by blocking the HA gateway from sending IPsec connection requests to remote peers for these Site2Cloud connections. |
AVX-39477 | When you tried to do an image upgrade or a software rollback for a BGP-enabled gateway on which you had applied the “remove-unnecessary-packages-from-gateway” software patch, the operation may have failed. |
AVX-39662 | (GCP) Upgrading a GCP Transit Gateway with BGPoLAN and FireNet features enabled might have resulted in the loss of direct connectivity to the on-site firewall appliance. |
AVX-41223 | During the early stage of gateway initialization, if you had configured SSM agents to patch your Ubuntu servers automatically, the gateway initialization process may have failed. |
AVX-41361 | If a domain name used in an Egress FQDN tag had a long DNS record, attaching that FQDN tag to a gateway could fail. The error given was “command hostname_filter failed due to exception errors invalid IPNetwork.” An email notification was sent. |
AVX-41555 | When a Controller was in Private Mode and you opened the Firewall page and tried to select a subnet, nothing appeared in the dropdown menu. |
AVX-41680 | If a Gateway Transit-Spoke attachment was deployed before version 6.2.1742 and one of the Transit Gateway tunnels went down, then the connected Spoke Gateway CIDRs would be removed from the Transit Gateway’s routing tables, causing a traffic outage. |
AVX-41693 | Linux auditd logs filled the disk space of some instances. |
AVX-42269 | (GCP) In GCP, if a gateway deployment failed due to CSP (Cloud Service Provider) errors, the rollback also failed because the configuration was left in an inconsistent state. |
AVX-42706 | FortiGate Firewalls failed to launch due to using an incorrect template on the Controller. |
AVX-42789 | Increased the length of time before an attempt to Encrypt Existing Gateways times out. This improvement helps avoid the encryption failure you would receive if the encryption timed out too soon. The warning message for that encryption failure was: “Encryption failed. Waiter SnapshotCompleted failed: Max attempts exceeded.” |
AVX-43028 | On a newly registered CloudN, users could not create attachments to multiple transits from a single CloudN Gateway. |
AVX-43362 | Aviatrix’s Single AZ HA (Single Availability Zone High Availability) feature would restart a gateway if it found that the gateway had gone down. Due to a timing issue between the process handling the feature and detecting the gateway state, it was possible for the gateway to go into a repeated stop-and-start loop. Disabling the Single AZ HA feature would break the loop. |
AVX-43663 | There was a memory leak in a firewall monitoring task. The memory leak was proportional to the number of firewalls in the network. |
AVX-44022 | In Distributed Cloud Firewall, rules inserted by Terraform or by API call were incorrectly evaluated in order of entry instead of order of priority. This issue only affected accounts that used the preview features WebGroups or decrypted IDS. Note that with this fix, the rules may be rearranged as they are reordered by priority. This correction may change the behavior in your account. Action required: To determine whether your configuration is affected, please check the ordering of the rules in your Terraform definition or API call. If they are not ordered by priority, reorder them by priority and check affected traffic and expected behavior. |
AVX-44023 | When running Aviatrix Edge on a Dell R450 device, when you configured a Transit Gateway attachment with HPE (High Performance Encryption) mode, you could not set the tunnel count to more than two. |
AVX-44255 | When you tried to do a dry run for a Controller software version upgrade with more than one version in the pending list for upgrading and chose “latest” as the default version for the upgrade, the Controller incorrectly ran the dry run for the last version to upgrade to instead of the next upgrade version. For example, if you ran a dry run for 6.9 > 7.0 > 7.1, the Controller ran the dry run for 7.1 instead of 7.0. |
AVX-44526 | VPN NAT for gateway traffic did not work as expected due to a NAT-related misconfiguration in the iptables rules. Action required: If you experience a VPN NAT issue after upgrading to this software version, disable and re-enable your UserVPN NAT configuration. |
AVX-44673 | When you changed the tunnel count for an existing Spoke-Transit HPE (High-Performance Encryption) peering, some tunnels may not have come up. |
AVX-44812 | Deployments with a Utility license were unable to view some license details. |
AVX-44974 | (Azure) When Transit Gateways had Active-Standby enabled and the Active Transit Gateway was down, the attached Azure Native Spoke VNet route tables failed to switch over routes. |
AVX-45598 | (AWS) When you added a UserVPN Load Balancer to the UserVPN User Accelerator in the Aviatrix Controller before the Load Balancer state became active in the Cloud Service Provider, the Controller might have thrown an exception: “command vpn_user_xlr failed due to exception errors 'HealthState'”. An email notification with the exception reason and trace log was sent to exceptions@aviatrix.com for troubleshooting. |
AVX-45782 | In some of the previous releases, a Controller backup did not save configurations for logging, such as Remote Syslog, Datadog agent, Netflow Agent, and CloudWatch agent. Due to this issue, if you restored from a backup that was created in a prior release, these log configurations would not be restored. |
AVX-45853 | A Controller web page loading issue occurred when you tried to edit any FQDN tag other than the first one in the table. |
AVX-45873 | When you used a link local address as an IPsec peer address, a Controller upgrade to release 6.8.1148 would drop traffic. |
AVX-45897 | On the Site2Cloud Details page in the Controller, the message “Authentication Type: null” was displayed for Site2Cloud connections even though there was PSK authentication. Now, the page correctly displays “Authentication Type: psk” where PSK is the Authentication Type. |
AVX-46098 | When an Egress Filtering Gateway had a base Stateful Firewall policy of DENY, the gateway added the DROP rule from the base policy instead of letting the packets flow to the egress filter. The Egress Filtering Gateway should not have the DROP rule from the Stateful Firewall base policy. Instead, the packets should be allowed to flow to the egress filter. |
AVX-46462 | An HPE gateway resize could fail if the gateway had a peering with a gateway from release 6.7.1148 or earlier, as the new peering had additional fields in the structure. |
AVX-46788 | The Controller would not disable the Access Security feature during a Controller restore if the feature was not enabled in the backup configuration. |
AVX-47027 | (OCI Gov) OCI Gov gateways failed to launch. |
AVX-47234 | Previously, the S2C RX Balancing feature was supported only on AWS C5 and C5n gateway sizes. S2C RX Balancing now supports AWS C6in instances. Now, you can upgrade your gateway instance size to C6in and enable S2C RX Balancing. |
AVX-47361 | (AWS) A rare race condition caused the AWS TGW (AWS Transit Gateway) data migration in the Controller database to fail during a gateway upgrade. This issue caused a problem with route programming. |
AVX-47486 | (AWS) Starting with software release 7.0.1307, AWS Gateways enabled tags in the instance metadata service. As a result, the tag keys used on the instance had to match this pattern: `([0-9a-zA-Z\\-_+=,.@:]{1,255})`, and could not be a reserved name ('.', '..', '_index'). Image upgrades and new gateway creations would fail if tag keys in the instance metadata did not meet the requirements above. |
AVX-47764 | (AWS) When a VPC was attached to an AWS Transit Gateway (TGW), if you deleted one of the Spoke VPC Advertised CIDRs, the routes in associated Transit Gateways were not correctly updated. |
AVX-47795 | An issue with reading the Controller time zone caused the Controller to send false alerts about an expired PKI agent certificate on gateways. |
AVX-48007 | (Azure) When a VNet was created with intra-VPC resources enabled, any Aviatrix resources created (NSG or ASG) had a tag with the key “Aviatrix-Created-Resource Value.” Now, Aviatrix-created NSGs or ASGs have tags with the key “Aviatrix-Created-Resource.” Action required: For NSGs/ASGs created before this software release, you must fix the tag manually in your Azure account. |
AVX-48193 | When a Transit Gateway had a Stateful Firewall policy configured that used tags, creating or deleting BGP connections on the Transit Gateway could fail. The BGP connection change may have appeared to complete successfully, but the updated configuration was not applied on the gateway. |
AVX-48337 | (AWS) The Controller was sending too many API requests to AWS to query route tables. AWS could respond with duplicate route table information. |
AVX-48457 | (AWS) AWS Gateways with tags that did not match the new AWS requirements caused the metadata service to fail to turn on. |
AVX-48931 | When you detached and reattached a CloudN attachment to an Aviatrix Transit Gateway that had any Stateful Firewall rules that used Stateful Firewall Tags, the BGP configuration incorrectly remained on the gateways. |
AVX-49236 | (OCI) After an OCI gateway image upgrade, several routing tables within several VCNs were missing the default route, 0.0.0.0/0. |
Known Issues in Aviatrix Release 7.1.3006
Issue | Description |
---|---|
AVX-45386 |
On a gateway with multiple mapped Site2Cloud connections with Forward Traffic to Transit Gateway enabled, after a successful gateway image upgrade, some of these connections may not work. To resolve this issue, go to Controller > Site2Cloud > Setup and disable and re-enable "Forward Traffic to Transit Gateway" for each impacted Site2Cloud connection. |
AVX-47437 |
The traceroute for an Edge Gateway may display an incorrect value for the Edge Gateway Interface. |
AVX-48456 |
When you use network segmentation on an Edge site with multiple gateways using VLAN, you must use the same VLAN value for all gateways. A bug is preventing the addition of new gateways to an existing network segmentation even when the VLAN value matches the VLANs of the other gateways. To add a new gateway to an existing network segmentation: . Remove the network segmentation association from all gateways. . Make sure the new gateway has a VLAN identical with the rest of the gateways. . Re-associate all the gateways in the network segmentation. |
AVX-49015 |
If you change your Jumbo Frame configuration for Edge Gateways, that configuration change is not propagated to existing VLAN sub-interfaces. If you experience this issue and need to change your Jumbo Frame configuration, make the configuration change and then delete and recreate all existing VLAN sub-interfaces. |
AVX-49375 |
When you try to create a GCP Palo Alto firewall instance using certain versions of a Palo Alto image, the instance creation fails. The affected versions are versions of the Palo Alto Networks Next-Generation Firewall BUNDLE that contain the letter “h,” such as “8.1.25-h1.” If you experience this issue, choose a Palo Alto Networks image version that does not contain the letter “h.” New Check Point and Fortinet FortiGate instance deployments are unaffected. |
AVX-50076 |
The Aviatrix Controller now displays only the last hour of metrics in Dashboard > Controller Metrics and Gateway Metrics. For detailed Gateway metrics, use Aviatrix CoPilot. |
7.1.2131 Release Notes
Release Date: 29 August 2023
Important Notices in Aviatrix Release 7.1.2131
AVX-43682 - Disable Deprecated Controller-Logging Configurations
If you have logging configurations enabled in the Controller for any of the following external log servers, note that their out-of-the-box logging services were deprecated in previous Controller releases and are removed in Controller 7.1.1307:
-
Elastic Filebeat
-
Splunk Enterprise/Cloud
-
Sumo Logic
You cannot upgrade to Controller 7.1.1307 until you have disabled these deprecated logging configurations.
To disable the deprecated logging configurations:
-
Depending on your environment, you may want to enable your log forwarding under rsyslog and verify the functionality is working before disabling the deprecated logging configurations. For information about using rsyslog as the logging mechanism to forward Aviatrix platform logs to your external log server, see Aviatrix Controller Logging.
-
Disable the deprecated logging configurations for Elastic Filebeat/Splunk Enterprise or Cloud/Sumo Logic, as applicable, in the Controller > Settings > Logging page. Locate the applicable external log server’s respective option and switch its toggle from Enabled to Disabled.
Issues Corrected in Aviatrix Release 7.1.2131
Issue | Description |
---|---|
AVX-39662 |
(GCP) Upgrading a GCP Transit Gateway with BGPoLAN and Firenet features enabled might have resulted in the loss of direct connectivity to firewall appliance management. |
AVX-43013 |
The previous method for adding new metrics to interface RRD files caused unnecessary delay and degraded performance. New metrics are now available without that cost in time and performance. You must upgrade to software version 7.0.2004, 7.1.2131, or later to access the new metrics. |
AVX-43547 |
On a newly registered CloudN, users could not create attachments to multiple transits from a single CloudN Gateway. |
AVX-43545 |
When you updated the credentials of your cloud access accounts, the Aviatrix Controller could no longer get the latest status of the resources (for example, instances or VPCs) in your Cloud Service Providers: AWS, Azure, or GCP. |
AVX-43549 |
Removing the Egress FQDN tag from a gateway could result in the uninstalling of the hostname filtering service (avx-hostname-filter). Adding the tag back didn’t reinstall the service and the feature did not work. |
AVX-43550 |
A Stateful Firewall rule allowing reverse-path traffic flows was temporarily removed during a software upgrade. |
AVX-43863 |
(GCP) A tag issue prevented the Global VPC feature for Spoke Gateways from being enabled or disabled properly. |
AVX-44022 |
In Distributed Cloud Firewalling, rules inserted by Terraform or by API call were incorrectly evaluated in order of entry instead of order of priority. This issue only affected accounts that used the preview features WebGroups or decrypted IDS. With this fix, rules are reordered by priority, which may change behavior in your account. Action required: To determine whether your configuration is affected, check the ordering of the rules in your Terraform definition or API call. If they are not ordered by priority, reorder them by priority and check affected traffic against the expected behavior. |
AVX-44298 |
Bootstrap configuration for a firewall took longer than expected, causing traffic loss from the Transit Gateway. Use the following two attributes in Terraform to provide sufficient time for the firewalls to be configured via Bootstrap so that the configuration is applied to the firewalls. Note that the specific values for these attributes |
AVX-45566 |
VPN NAT for gateway traffic did not work as expected because one of the NAT-related chains was missing from iptables. Action required: Upgrade your gateway image. |
AVX-45569 |
Linux auditd logs filled the disk space of some instances. |
AVX-45571 |
(Azure) After an Azure FireNet-enabled gateway image upgrade, the gateway went into the “config_fail” state. |
AVX-45630 |
(GCP and AWS) There was a connectivity issue between workloads behind Aviatrix Gateways in GCP VPCs and workloads behind AWS gateways, caused by an MTU mismatch: GCP has a default MTU of 1460, while AWS has a default MTU of 1500. |
AVX-48199 |
(GCP) Controllers that manage GCP resources may run into errors when a new Controller instance is started (via Controller High Availability or Controller Migration) or when a new GCP account is onboarded. |
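The ordering check that AVX-44022 asks for, as an added example (not Aviatrix code and not part of these release notes): it reads the JSON produced by `terraform show -json` (plan or state), collects every Distributed Cloud Firewalling policy list, and reports rules whose declared order differs from the order in which they evaluate by priority, plus duplicate priorities, which make the relative order of those rules ambiguous. The resource type name `aviatrix_distributed_firewalling_policy_list`, the `policies` attribute with `name` and `priority` fields, and the rule that a lower priority value evaluates first are assumptions about the Aviatrix Terraform provider; the sample JSON is constructed for the example.

```python
"""Report Distributed Cloud Firewalling rules whose declared order differs from priority order."""
import json

RESOURCE_TYPE = "aviatrix_distributed_firewalling_policy_list"  # assumed provider type name

# Constructed sample in the shape of `terraform show -json` output (not from a real deployment).
# "deny-all" is declared second but has the lowest priority value; "allow-dns" duplicates a priority.
SAMPLE_SHOW_JSON = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {
        "resources": [{
            "address": "aviatrix_distributed_firewalling_policy_list.dcf",
            "type": RESOURCE_TYPE,
            "name": "dcf",
            "values": {"policies": [  # assumed attribute names
                {"name": "allow-web", "priority": 10, "action": "PERMIT"},
                {"name": "deny-all", "priority": 0, "action": "DENY"},
                {"name": "allow-dns", "priority": 10, "action": "PERMIT"},
            ]},
        }],
        "child_modules": [],
    }},
})


def _walk_modules(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from _walk_modules(child)


def extract_policies(show_json):
    """Return {resource_address: [policy, ...]} for every DCF policy list in the JSON."""
    doc = json.loads(show_json)
    root = doc.get("values", {}).get("root_module", {})
    result = {}
    for res in _walk_modules(root):
        if res.get("type") == RESOURCE_TYPE:
            result[res["address"]] = res.get("values", {}).get("policies") or []
    return result


def find_order_problems(policies):
    """Return findings: neighbours declared out of priority order, and duplicate priorities.

    Assumes a lower priority value is evaluated first. Duplicate priorities are flagged
    because declaration order cannot be relied on to settle the order between them.
    """
    problems = []
    for prev, cur in zip(policies, policies[1:]):
        if cur["priority"] < prev["priority"]:
            problems.append(
                f"{cur['name']} (priority {cur['priority']}) is declared after "
                f"{prev['name']} (priority {prev['priority']}) but evaluates first"
            )
    by_priority = {}
    for pol in policies:
        by_priority.setdefault(pol["priority"], []).append(pol["name"])
    for prio, names in sorted(by_priority.items()):
        if len(names) > 1:
            problems.append(f"duplicate priority {prio}: {', '.join(names)}")
    return problems


def evaluation_order(policies):
    """Rule names in the order the fixed Controller evaluates them (ascending priority, stable)."""
    return [p["name"] for p in sorted(policies, key=lambda p: p["priority"])]


def audit(show_json):
    """Map each policy-list resource to its findings; an empty list means declaration matches priority."""
    return {addr: find_order_problems(pols) for addr, pols in extract_policies(show_json).items()}


if __name__ == "__main__":
    for addr, findings in audit(SAMPLE_SHOW_JSON).items():
        print(addr, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against real output with `terraform show -json tfplan > plan.json` and pass the file contents to `audit()`; any finding means the post-fix Controller will evaluate the rules in a different order than the one you declared, so reorder the definition by priority and re-test the affected traffic.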
Known Issues in Aviatrix Release 7.1.2131
Issue | Description |
---|---|
AVX-44987 |
After multiple Controller migrations and upgrades, the Spire Nodes page (Controller > Troubleshoot > Diagnostics > mTLS > Spire Nodes) may have duplicate gateway entries. To re-attest a gateway with duplicate entries, select the gateway and click Re-Attest. |
AVX-45156 |
On an AEP Dell device, when you configure a Transit Gateway attachment with HPE (High Performance Encryption) mode, you cannot set the tunnel count to more than 2. If you have a higher bandwidth or performance requirement that needs more tunnels, contact Aviatrix Support for help. |
AVX-45682 |
A rare issue with a gateway software upgrade may cause the BGP neighbor status to go down. To resolve this issue, restart the gateway. |
AVX-45684 |
This issue occurs when you try to do a dry run for a Controller software version upgrade with more than one version in the pending list for upgrading. When you choose “latest” as the default version for the upgrade, the Controller incorrectly runs the dry run for the last version to upgrade to instead of the next upgrade version. For example, if you are running a dry run for 6.8 > 6.9 > 7.0 > 7.1, the Controller ran the dry run for 7.1 instead of 6.9. To resolve this issue, when you do a dry run, make sure to manually enter the next upgrade version instead of leaving the default, “latest.” For example, when you upgrade from 6.8 > 6.9 > 7.0 > 7.1, enter “6.9” as the version for the dry run. |
AVX-45685 |
If an Egress FQDN gateway has an HA (High Availability) pair added, the HA gateway will not have Egress Control enabled. To enable Egress Control on both gateways, temporarily remove the Egress FQDN Filter tag from the primary gateway and then re-add it. To avoid this issue, create the HA gateway before assigning an Egress FQDN Filter tag. |
7.1.1710 Release Notes
Release Date: 11 May 2023
Important Notices in Aviatrix Release 7.1.1710
Disable Deprecated Controller-Logging Configurations
If you have logging configurations enabled in the Controller for any of the following external log servers, note that their out-of-the-box logging services were deprecated in previous Controller releases and are removed in Controller 7.1 versions - that is, any Controller version that begins with 7.1:
-
Elastic Filebeat
-
Splunk Enterprise/Cloud
-
Sumo Logic
You cannot upgrade from any Controller 7.0 version to any Controller 7.1 version until you have disabled these deprecated logging configurations.
To disable the deprecated logging configurations:
-
Depending on your environment, you may want to enable your log forwarding under rsyslog and verify the functionality is working before disabling the deprecated logging configurations. For information about using rsyslog as the logging mechanism to forward Aviatrix platform logs to your external log server, see Aviatrix Controller Logging.
-
Disable the deprecated logging configurations for Elastic Filebeat/Splunk Enterprise or Cloud/Sumo Logic, as applicable, in the Controller > Settings > Logging page. Locate the applicable external log server’s respective option and switch its toggle from Enabled to Disabled.
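Both the 7.1.2131 and the 7.1.1710 notices tell you to confirm that rsyslog forwarding works before switching off the deprecated Filebeat, Splunk and Sumo Logic integrations. The following smoke test is an added example, not Aviatrix code: it stands up a throwaway UDP syslog listener, sends one RFC 3164 test message to it, and checks that the message arrives intact and parses with the expected facility, severity and tag. It assumes the collector accepts plain UDP RFC 3164 (the Controller's remote syslog can also be configured for TCP or TLS, which this does not exercise); the hostname `avx-controller`, the tag `avx-logtest` and the payload are constructed for the test.

```python
"""Smoke-test a UDP syslog path: send one RFC 3164 message and confirm it arrives and parses."""
import re
import socket
import time

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"                             # PRI = facility*8 + severity
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"       # TAG or TAG[pid]
    r"(?P<msg>.*)$"
)
FACILITY_LOCAL0 = 16
SEVERITY_NOTICE = 5


def build_message(facility, severity, host, tag, msg, when=None):
    """Format one RFC 3164 line; `when` is a struct_time, defaulting to now (UTC)."""
    t = when or time.gmtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{ts} {host} {tag}: {msg}"


def parse_message(line):
    """Parse an RFC 3164 line into a dict (with facility/severity split out), or None."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI: facility 23 * 8 + severity 7
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(pri, 8)
    return d


def verify_udp_forwarding(dest_host="127.0.0.1", dest_port=0, timeout=2.0, payload="forwarding test"):
    """Bind a listener, send a test message to it over UDP, confirm it arrives and parses.

    With dest_port=0 the OS picks a free port and the message loops back locally, which
    proves the sender and parser agree. To test a real path, run the listener on the
    collector host and point dest_host/dest_port at it (the collector's own syslog
    daemon must be stopped or moved so the test port is free).
    Returns the parsed message or raises RuntimeError with the reason.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.settimeout(timeout)
    listener.bind((dest_host, dest_port))
    _, port = listener.getsockname()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        wire = build_message(FACILITY_LOCAL0, SEVERITY_NOTICE, "avx-controller", "avx-logtest", payload)
        sender.sendto(wire.encode(), (dest_host, port))
        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            raise RuntimeError(f"no datagram received on udp/{port} within {timeout}s")
        parsed = parse_message(data.decode(errors="replace"))
        if parsed is None:
            raise RuntimeError(f"received datagram is not valid RFC 3164: {data!r}")
        if parsed["tag"] != "avx-logtest" or parsed["msg"] != payload:
            raise RuntimeError(f"received message does not match what was sent: {parsed}")
        return parsed
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    r = verify_udp_forwarding()
    print(f"OK: facility={r['facility']} severity={r['severity']} host={r['host']} msg={r['msg']!r}")
```

A message that arrives but fails to parse usually means the sender is emitting RFC 5424 (`<PRI>1 ...`) or a custom template rather than RFC 3164; a timeout with the real collector means the path itself (security group, NSG, or the collector's listener) is the problem, not the Controller's logging toggle.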
Issues Corrected in Aviatrix Release 7.1.1710
Issue | Description |
---|---|
AVX-1470 |
During Panorama vendor integration, a configuration using the same template or template stack on both primary and HA (High Availability) gateways was blocked, as there would have been a routing issue. |
AVX-21689 |
(GCP) When two VPN gateways without ELBs (External Load Balancers) were deployed in two different GCP regions, after adding a VPN user to the first VPN gateway you could not add a VPN user to the second gateway. |
AVX-25209 |
The Aviatrix rsyslog may have unexpectedly stopped forwarding logging packets to remote server(s). |
AVX-26234 |
With inter-region HPE (High-Performance Encryption) transit peering between gateways, application traffic across the regions was failing. Packets were not getting clamped to TCP MSS 1370 for inter-region vs intra-region traffic. |
AVX-27704 |
When a gateway had too many routes, the CoPilot Cloud Routes page did not display anything. |
AVX-30518 |
When you enabled CoPilot Security Group management, the REST API call enable_copilot_sg (POST) failed with the error “you could not enable copilot security group management,” and the Controller was then unable to initialize Aviatrix Gateways. |
AVX-32351 |
During Packet Capture, if you clicked Download multiple times, you received an error message: “Failed to open file.” Now, you can download successfully even if you click Download multiple times. |
AVX-32730 |
You could not modify a UserVPN LDAP configuration and upload CA certificate when more than one VPN Gateway was deployed behind a load-balancer. |
AVX-32904 |
If the Edge node could not access the Aviatrix release server, because of a firewall setting or because management was over a private network, enabling FIPS caused the Edge gateway to fail, and the gateway could not be recovered. |
AVX-32921 |
Some VPN user traffic to certain destinations was dropped on the VPN Gateway. This issue could occur when the VPN Gateway was rebooted and old VPN profile rules were not cleaned up from the system iptables. |
AVX-33510 |
(GCP) All GCP gateways reached 100% CPU Utilization at the same time. |
AVX-33814 |
When a Controller account had too many Site2Cloud connections, Multicloud Transit Segmentation pages failed to load. |
AVX-33917 |
If you had set a custom NetFlow certificate domain when in Private Mode, NetFlow and Syslog data could not be sent to Aviatrix CoPilot. |
AVX-34163 |
When your Controller was deployed in Private Mode, enabling NetFlow on a gateway failed. The iptables rules associated with NetFlow would not be installed, and the gateway configuration failed. |
AVX-34401 |
After the Controller was updated to the 6.7.1376 software version with the AVX-25632 bug fix, you could not attach a CloudN as a Gateway (CaaG) to an Azure Transit Gateway. |
AVX-34487 |
A gateway upgrade may have failed if the gateway could not reach the Internet and install the Linux sysstat package. |
AVX-34540 |
When you configured NAT and NetFlow on a gateway and rebooted it, the NAT rules were accidentally removed. |
AVX-34823 |
(AWS and Azure) If an AWS account in the Controller was onboarded using an access key and secret instead of IAM roles, an error occurred when you tried to bring up an Azure gateway. |
AVX-34845 |
Removed a file from managed CloudN or the CaaG device during an upgrade to improve security. |
AVX-34872 |
On a newly-deployed Controller or gateways, if multiple syslog profiles were configured, data was only forwarded on the most recently saved profile. |
AVX-35096 |
(Azure) An API error may have caused the Controller to become unresponsive. |
AVX-35549 |
(Azure, US East region) A default route advertised from on-prem was not written to the VNet route table. |
AVX-35646 |
Previously, the gateway name reported in logs generated by the HTTP/HTTPS FQDN enforcer was “NA.” Now, the gateway name is correctly reported for newly created gateways. |
AVX-35728 |
If an incorrect passphrase was entered when attempting to enable SSH access to your Controller, a bug caused all the keys for on-prem managed CloudN or CaaG devices to be removed. |
AVX-35844 |
(AWS) When you had a Transit Gateway attached to an AWS TGW and many Site2Cloud connections, the TGW list and plan page loaded slowly. |
AVX-35958 |
The primary and HA gateway shared the same remote IP configuration. |
AVX-36147 |
Configuring customized SNAT policies on a Spoke Gateway via Terraform failed. |
AVX-36249 |
In Private Mode, when the Controller’s proxy was set up, gateway diagnostics and an upgrade dry run would incorrectly show a status failure. |
AVX-36387 |
(AWS) You received a gateway error message, “Missing account or VPC,” when you tried to bring up a gateway. |
AVX-36546 |
FlightPath may have incorrectly shown Spoke and Transit Gateway routes as inactive if the Controller and Gateways were using the following software versions: 7.0.1373, 7.0.1383, 6.9.308, or 6.8.1483. |
AVX-36794 |
If a Spoke Gateway has multiple Custom Mapped or Mapped Site2Cloud connections, Forward Traffic to Transit configuration enabled, and the same virtual destination CIDRs are configured in other Site2Cloud connections, a failover in one connection will cause TCP sessions belonging to the other connections to drop. |
AVX-36893 |
A Controller restore may have failed if the Controller had dangling files. |
AVX-36913 |
(GCP) GCP gateways may have experienced CPU spikes every 10 minutes. |
AVX-36971 |
A gateway instance could shut down while you were using the Monitor Gateway Subnet feature. |
AVX-37020 |
(Azure) Upgrading certain older Azure gateways was unsuccessful because they did not have the “gw_subnet_cidr” attribute. |
AVX-37066 |
Under certain conditions, when you tried to download Egress FQDN logs or stats, the download failed and you received an error message: "… 'utf-8' codec can’t decode byte …" |
AVX-37120 |
Editing the Stateful Firewall policy for a gateway could fail when a large number of rules were added to the policy. |
AVX-37394 |
(Azure) An Azure FireNet route table would fill up and not allow any more gateways after you attached more than 400 non-HPE Spoke Gateways. |
AVX-37801 |
(Azure) Deleting an Azure Spoke Gateway incorrectly deleted user-created RFC1918 routes in the VNet route table. |
AVX-38158 |
(Alibaba Cloud) With CoPilot Security Group management enabled, when you brought up gateways in Alibaba Cloud, they would be missing Security Group rules on CoPilot. This issue meant there would be no visibility of NetFlow and syslog data from the gateways. |
AVX-38161 |
If a Spoke Gateway has multiple Custom Mapped or Mapped Site2Cloud connections, Forward Traffic to Transit configuration enabled, and the same virtual destination CIDRs are configured in other Site2Cloud connections, a failover in one connection will cause TCP sessions belonging to the other connections to drop. |
AVX-38409 |
A gateway credential could be doubly encrypted. |
AVX-38469 |
Unnecessary or irrelevant threat rules for gateways were not successfully deleted. |
AVX-38471 |
If the quagga bgp Debian packages were not installed properly, the Aviatrix Controller would try to reinstall the package instead of failing the gateway configuration. |
AVX-38682 |
(GCP) When you selected the CheckPoint BYOL image as the third-party firewall option, the CheckPoint PAYG image came up instead. |
AVX-38954 |
A Controller bug could lead to gateway crashes and traffic disruption. |
AVX-38965 |
When a gateway was deployed in Private Mode with NetFlow enabled, and you disabled NetFlow and rebooted it, NetFlow could not be reenabled. |
AVX-39037 |
If you added policy rules to Distributed Firewalling, additional and unnecessary code could always run, even if the rules were deleted. |
AVX-39040 |
Gateways reconnecting to the Controller could cause a resource leak on the gateway. |
AVX-39050 |
This fix applies to gateways deployed in Private Mode with NetFlow enabled and NAT rules configured. When you rebooted such a gateway, NAT rules were sometimes cleared from iptables, which could affect data traffic. |
AVX-39358 |
When you updated the CIDR range for a VPN gateway with NAT enabled, the gateway may have stopped forwarding traffic. |
Known Issues in Aviatrix Release 7.1.1710
Issue | Description |
---|---|
AVX-21547 |
Spokes using the Global VPC Routing for GCP feature cannot be connected to FireNet transit gateways. |
AVX-25000 |
(AWS) A Private Mode gateway may not have Internet access, in which case it cannot directly upload a gateway tracelog to the S3 bucket. Instead, when you need to upload a gateway tracelog to an S3 bucket, upload the gateway tracelog to the Controller. Then, your Controller uploads the gateway tracelog to the S3 bucket. |
AVX-30776 |
(Azure) Avoid upgrading your Azure gateway image on gateways with “unmanaged disks” when the Companion Gateway version is “aviatrix-companion-gateway-v8” or an earlier Companion Gateway version. Azure and Aviatrix have prepared some special images with unmanaged disk support so you can upgrade a gateway image with an unmanaged disk. These are the Companion Gateway versions you can safely upgrade with an unmanaged disk: |
AVX-34997 |
If you deploy your Aviatrix Controller with a proxy configuration in Private Mode, the SMTP port does not open. In this situation, because Aviatrix accounts do not have an SMTP relay, your Controller instead notifies Aviatrix Support about the error over port 443 via API. |
AVX-35077 |
(Azure) If the Azure Spoke Gateways were down and a Transit Gateway propagated to an Azure Spoke Gateway with the default route, the Spoke VNet could not program default routes in the route table. |
AVX-35613 |
When the Controller’s time zone was set to any time zone other than UTC (Coordinated Universal Time), a software upgrade became stuck at 99% progress. |
AVX-36138 |
Gateway initialization, including Cloud Gateway creation, Cloud Gateway Image Upgrade, or Cloud Gateway Software Rollback, fails if you complete both of the operations below (regardless of order): |
AVX-36492 |
When single-IP HA (High Availability) is enabled on Aviatrix Gateways and the HA gateway goes up, a bug may cause the security group to not be added to the gateway. To resolve this issue, manually add the security group to the HA gateway. |
AVX-37895 |
(Azure) Gateway deployment in Azure can fail if the Network Security Group (NSG) is not applied on the Controller’s Network Interface Card (NIC). If this happens, use one of two methods to resolve the issue: |
AVX-43180 |
If your Controller is using an outdated image, a software upgrade may fail. If your Controller software upgrade fails, please contact the Aviatrix Support team for assistance. |
Deprecated Features in Aviatrix Release 7.1.1710
AVX-31334 - The Transitive Peering feature is deprecated. This feature’s functionality will be replaced by Aviatrix Multicloud Transit. Aviatrix recommends deleting Transitive Peerings from your account, and then upgrading your Controller.
The Sumo Logic logging integration, Logstash logging integration, and Splunk logging integrations are deprecated and removed in this release. Instead, use rsyslog to integrate with external logging systems.
AVX-36220 - The Change Timezone button in the Controller will be removed because it caused discrepancies in log timestamping. The Controller always operates in UTC (Coordinated Universal Time). If this feature was enabled and a new time zone selected, trace logs were no longer associated with the UTC time zone, which added complexity to troubleshooting. Other timezone-related functions, such as scheduling, were also affected during the timezone change period.
A banner will be added in your Controller to notify you about this upcoming change. This change has no functional impact on the Controller or gateways. No action is required.
Note: Log exporting from the Controller will have timestamps with the UTC timezone. You can edit or convert time zone data through your log collector.