Aviatrix Controller and Gateway Software Release Notes

8.0.0 Release Notes

Release Date: 19 May, 2025

Corrected Issues in Aviatrix Release 8.0.0

Issue Description

AVX-51763

Improved the gateway keepalive handling to account for scenarios where the Controller instance hangs.

AVX-53207

Fixed an issue where an Azure Account could be deleted even though the Controller-deployed Azure VNET peerings were still active.

AVX-55661

Fixed an issue where gateway initialization could fail within 900 seconds due to misconfiguration and attempts to access external networks.

AVX-56050

Fixed an issue where Azure HA Gateway creation did not use the supplied HA_EIP in Terraform, resulting in the creation of a new EIP.

AVX-57450

Fixed an issue where WebGroups in firewall rules could not be used in conjunction with Custom SNAT configurations on a gateway.

AVX-58660

Corrected the Terraform import ID format for aviatrix_edge_platform_device_onboarding.

AVX-59226

Resolved an issue where applying a DNAT rule on a spoke gateway did not take effect, preventing access to workloads using the DNAT IP.

AVX-59416

Addressed an issue where resizing two Spoke VPCs with fast keepalive using CoPilot caused an extended traffic outage. This issue occurred during sequential resize operations on multiple spoke gateways.

AVX-60068

Changed the tunnel status email notification logic to be based on the combined status of tunnel endpoints. Previously, notifications were only sent when the updated statuses of the two endpoints differed, which could cause missed alerts. This change ensures more accurate notifications by reflecting the actual tunnel status.

AVX-60598

Addressed potential disk space issues caused by persistent log files from auditd.

AVX-60616

Corrected the tunnel source and destination in syslog messages and email notifications to avoid confusion and difficulty in matching Up and Down events.

AVX-60722

Resolved an issue where stale route entries in AWS TGW were not properly cleared after custom route advertisements were removed.

AVX-61070

When Aviatrix releases new gateway images for OCI Gov, there is typically a delay in publishing to the OCI Marketplace due to cloud service provider timelines. This means that the 8.0 image will not be available right away in OCI Gov. Previously, after the image was published to the marketplace, a manual update was required to enable gateway launches with the new image. With this release, that manual step is no longer necessary; gateways can now automatically launch with the updated image once it becomes available in the OCI Marketplace. This is applicable for 7.2 images. Please note that the OCI Gov image publishing timeline itself remains unchanged.

AVX-61310

In an Aviatrix multi-transit design with Transit Peering, where one of the Transit Gateways has BGP S2C enabled and learns a default route (0.0.0.0/0), an issue occurs following a controller upgrade where incorrect metrics are applied to PeerS2c routes.

AVX-61396

Resolved an issue where Edge as a Spoke (EaS) did not install all ECMP routes for prefixes learned from an attached transit with an external connection.

AVX-61401

Resolved an issue where VPN connectivity using Okta integration failed post-upgrade due to signature verification errors. Signature verification now functions correctly.

AVX-61404

Resolved an issue where Aviatrix incorrectly added RFC1918 rules to all Spoke VCN Security Lists, including application subnets. RFC1918 rules are now only applied to gateway subnets.

AVX-61702

Resolved an issue where Azure gateway image upgrades failed when customer-provided public IPs were used. The Controller was expecting a specific naming convention (av-ip-[gateway-name]) and could not locate custom-named IPs, resulting in upgrade errors. The upgrade logic has been fixed to support any naming convention for public IPs.

AVX-61793

Resolved an issue where Transit Edge could not add a secondary IP and did not support removing the underlay configuration.

AVX-61803

Fixed an issue where the Controller did not correctly tag resources created through CFT and Lambda. It now tags all associated resources, including Lambda functions, Lambda roles, Launch Templates, Auto Scaling Groups, and SNS topics.

AVX-61981

When using RFC6598 Shared Address Space (100.64.0.0/10) in VPC/VNet CIDRs, traffic from these addresses to the public internet may have been incorrectly matched by the Public Internet security group. This could result in 100.64.0.0/10 being mistakenly classified as internet traffic. The 100.64.0.0/10 range is commonly used for Kubernetes deployments. The Public Internet security group CIDR ranges have been updated to correctly exclude the shared address space. This enhancement improves the Kubernetes experience.
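
The classification gap described in AVX-61981, as an added example (not Aviatrix code): it assumes the Public Internet group is modelled as all of IPv4 minus a list of non-internet ranges, and shows that excluding only RFC 1918 leaves 100.64.0.0/10 inside the group. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges and the RFC 6598 shared address space.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
RFC6598 = "100.64.0.0/10"


def internet_cidrs(excluded):
    """Return the CIDR blocks covering all of IPv4 except `excluded`.

    Assumption: the group is modelled as 0.0.0.0/0 minus a list of
    non-internet ranges; the excluded ranges must not overlap.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for text in excluded:
        hole = ipaddress.ip_network(text)
        carved = []
        for net in remaining:
            if hole.subnet_of(net):
                # Split `net` into the blocks that surround the hole.
                carved.extend(net.address_exclude(hole))
            else:
                carved.append(net)
        remaining = carved
    return sorted(remaining)


def in_group(address, cidrs):
    """True if `address` falls inside any CIDR block of the group."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in cidrs)


def stdlib_flags(address):
    """(is_private, is_global) as reported by Python's ipaddress module."""
    ip = ipaddress.ip_address(address)
    return ip.is_private, ip.is_global


BEFORE = internet_cidrs(RFC1918)             # shared space not excluded
AFTER = internet_cidrs(RFC1918 + [RFC6598])  # shared space excluded

if __name__ == "__main__":
    # Constructed sample addresses: a pod in shared space, an RFC 1918
    # host, and a TEST-NET-3 address standing in for an internet host.
    for addr in ("100.64.12.7", "10.1.2.3", "203.0.113.10"):
        print(addr, in_group(addr, BEFORE), in_group(addr, AFTER))
    print("stdlib flags for 100.64.12.7:", stdlib_flags("100.64.12.7"))
```

Python's `ipaddress` module reports shared address space as neither private nor global, so a check built on `is_private` alone has the same gap.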

AVX-62067

The following issue has been fixed in this release.

Aviatrix Transit Gateways with a large number of tunnels that have been running for a long time could encounter an issue in which the IPsec process becomes unresponsive, leading to all IPsec tunnels going into a DOWN state. The cause of this is an internal counter reaching its maximum value and overflowing. To recover, the transit gateway needs to be rebooted.

While it is not possible to specify the exact number of tunnels and length of time it would take for the internal counter to overflow, the few customers who encountered this issue had greater than 800 IPsec tunnels on the transit gateway and took three to four months to encounter this issue. The number of IPsec tunnels on the gateway can be seen from the CoPilot UI under Diagnostics > Cloud Routes > Gateway Routes.

AVX-62795

Fixed an issue where rules using a SmartGroup were configured on both gateways when the SmartGroup included GCP cloud resources such as virtual machines with overlapping IP addresses. This caused unexpected policy enforcement on gateways where the rules should not apply.

Known Issues in Aviatrix Release 8.0.0

Issue Description

AVX-58696

TCP MSS clamping is not supported on Standalone Gateways in Release 7.1 and later.

AVX-59376

When using Controller High Availability (HA) with Controllers version 8.0 and later, the standby Controller will fail to launch correctly. This is because the HA mechanism relies on a fixed software version specified in the Auto Scaling Group (ASG) launch template, but Controllers version 8.0 and later now require the version to be passed dynamically through cloud-init during instance creation.

This issue occurs only in environments that use:

  • Controller HA with Controllers version 8.0 and later

  • AWS Auto Scaling Group (ASG) launch templates

  • The default CloudFormation HA deployment method

Workaround: Use the new CloudFormation template to enable AWS Controller High Availability. This template supports dynamic version injection and restores compatibility with Controllers version 8.0 and later in supported regions. For versions 7.x and earlier, use the existing CloudFormation script (without the v3 suffix).

Note: This solution is not available in AWS regions that do not support Lambda Function URLs.

AVX-62011

Auto migration will not work from 7.2 to 8.0 when proxy is enabled. You must use a manual backup and restore process to perform the upgrade. Follow the steps below to back up and restore during the upgrade:

  1. If your Controller software version is 7.2.5012 or older, upgrade both the Controller and Gateways to the latest 7.2 build.

  2. Delete the proxy configuration from Controller UI > Settings > Advanced > Proxy.

  3. Back up the Controller from Controller UI > Settings > Maintenance > Backup & Restore > Backup.

  4. Shut down the old Controller.

  5. Launch the new 8.0 Controller and transfer the EIP.

  6. Once the 8.0 Controller is up, restore the Controller using the backup config from Controller UI > Settings > Maintenance > Backup & Restore > Restore.

  7. Add back the proxy configuration from Controller UI > Settings > Advanced > Proxy.

  8. Software upgrade the Gateways from version 7.2 to 8.0.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-63224

In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time.

Affected Scenarios:

  • Upgrading from version 7.2.x to 8.0.x

  • Upgrading between 8.0.x versions

Impact:

Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade.

Recommendations:

  • Allocate approximately 20% more time for gateway upgrades.

  • For large environments (for example, 1,000+ gateways), plan for 90–120 minutes of upgrade time.

  • Schedule upgrades during maintenance windows to accommodate the longer duration.

AVX-63334

Aviatrix Edge Gateways deployed on Equinix Network Edge and certain VMware environments may experience issues with root disk resizing during initial setup. The root filesystem might not expand to utilize the full allocated disk space. This can prevent essential cloud-init modules from executing properly.

Affected Versions:

  • Aviatrix Controller 7.1.4191 with Edge Gateway image avx-gateway-avx-g3-202407091338

  • All Edge deployments on Equinix Network Edge and specific VMware configurations

Workaround:

Customers running Aviatrix Edge Gateways on Equinix Edge or VMware environments with version 7.1.4191 should contact Aviatrix Support for assistance.