Aviatrix Controller and Gateway Software Release Notes

Important Notices for Upgrading to Aviatrix Release 7.1

Aviatrix strongly recommends you perform the tasks in the operations checklist including a dry run upgrade before upgrading your deployment of the Aviatrix network platform. Taking the time to perform dry runs and backing up your Aviatrix Platform configuration reduces the potential for issues during the upgrade and allows you to easily restore your configuration if there are issues after the upgrade.

Correct any issues you find during your preparation before proceeding with an Aviatrix upgrade. For more information, see Upgrading the Aviatrix Platform and Troubleshooting your Controller and Gateway Upgrade.

If you cannot resolve all issues after following the preparation and dry run procedures, please open a ticket with Aviatrix Support.

This page provides release specific information including some upgrade limitations, known issues and corrected issues. For information about new and enhanced features, behavior changes, and deprecations, see What’s New.

Upgrade Options

This release version is available as an upgrade option only if you have already upgraded to the following:

7.1.3956 or 7.1.4101 (older Linux OS)
7.1.3958, 7.1.4105, 7.1.4139, or 7.1.4183 (newer Linux OS)

See the Aviatrix Upgrade documentation for more information.

See Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images (AWS and Azure Only) for more information.

Upgrade on Aviatrix Edge Platform

On the Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image with the newer Linux OS, you cannot roll back to a previous image based on the older Linux OS.

Disable Deprecated Controller-Logging Configurations

You cannot upgrade from any Controller 7.0 version to any Controller 7.1 or 7.2 version until you have disabled the deprecated logging configurations. See Disable Deprecated Controller-Logging Configurations for details.

Do Not Apply Existing Patches to Newly Upgraded Controllers

The Controller and Gateway images shipped with the 7.1.3958 release track (newer Linux OS) include all previously released software patches. Therefore, you do not need to reapply the old software patches to Controllers and Gateways updated to this release. If any new software patches are released in the future, and if they apply to the new Controller and Gateway images, the documentation associated with that release will clearly identify the patches and provide instructions.

Migrate Egress FQDN Filtering to Distributed Cloud Firewall

As of Controller 7.1.1710, Distributed Cloud Firewall (DCF) with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.

Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.

7.1.4208 Release Notes

Release Date: 19 May 2025

Release Notes Last Updated: 22 May 2025

Corrected Issues in Aviatrix Release 7.1.4208

Issue

Description

AVX-62067

The following issue has been fixed in this release.

This fix also requires an image upgrade of the Transit gateway.

Aviatrix Transit Gateways with large number of tunnels and running for a long time could encounter an issue where in the IPSec process becomes unresponsive leading to all IPsec tunnels going into a DOWN state. The cause of this is an internal counter reaching its maximum value and overflowing. To recover, the transit gateway needs to be rebooted.

While it is not possible to specify the exact number of tunnels and length of time it would take for the internal counter to overflow, the few customers who encountered this issue had greater than 800 ipsec tunnels on the transit gateway and took three to four months to encounter this issue. The number of ipsec tunnels on the gateway can be seen from Copilot UI under Diagnostics > Cloud Routes > Gateway Routes.

Known Issues in Aviatrix Release 7.1.4208

Issue Description

Issue	Description
AVX-61310	In an Aviatrix multi-transit design with Transit Peering, where one of the Transit Gateways has BGP S2C enabled and learns a default route (0.0.0.0/0), an issue occurs following a controller upgrade where incorrect metrics are applied to PeerS2c routes.
AVX-63334	Aviatrix Edge Gateways deployed on Equinix Network Edge and certain VMware environments may experience issues with root disk resizing during initial setup. The root filesystem might not expand to utilize the full allocated disk space. This can prevent essential cloud-init modules from executing properly. Affected Versions: Aviatrix Controller 7.1.4191 with Edge Gateway image `avx-gateway-avx-g3-202407091338` All Edge deployments on Equinix Network Edge and specific VMware configurations Workaround: Customers running Aviatrix Edge Gateways on Equinix Edge or VMware environments with version 7.1.4191 should contact Aviatrix Support for assistance.

AVX-61310

In an Aviatrix multi-transit design with Transit Peering, where one of the Transit Gateways has BGP S2C enabled and learns a default route (0.0.0.0/0), an issue occurs following a controller upgrade where incorrect metrics are applied to PeerS2c routes.

AVX-63334

Aviatrix Edge Gateways deployed on Equinix Network Edge and certain VMware environments may experience issues with root disk resizing during initial setup. The root filesystem might not expand to utilize the full allocated disk space. This can prevent essential cloud-init modules from executing properly.

Affected Versions:

Aviatrix Controller 7.1.4191 with Edge Gateway image avx-gateway-avx-g3-202407091338
All Edge deployments on Equinix Network Edge and specific VMware configurations

Workaround:

Customers running Aviatrix Edge Gateways on Equinix Edge or VMware environments with version 7.1.4191 should contact Aviatrix Support for assistance.

7.1.4191 Release Notes

Release Date: 19 December 2024

Corrected Issues in Aviatrix Release 7.1.4191

Issue	Description
AVX-57922	Security Notice: CVE-2024-50603 has been permanently patched.
AVX-58286	An issue was fixed where gateways using Legacy Egress FQDN filtering could experience traffic interruptions when processing very large data packets (approximately 4000 bytes or larger). This could result in halting all network traffic through the affected gateway. The system would attempt to automatically restart the problematic process, but the issue could recur if the system continued sending large packets.
AVX-58757	Fixed an error condition whereby upon upgrading from 7.0 to 7.1, the Controller was not able to update gateway configuration, resulting in the affected gateway being flagged as not up-to-date.
AVX-59149	This release addresses a regression in 7.1 with TCP maximum segment size (MSS) clamping support, which is now supported on standalone gateways.

Issue

Description

AVX-57922

Security Notice: CVE-2024-50603 has been permanently patched.

AVX-58286

An issue was fixed where gateways using Legacy Egress FQDN filtering could experience traffic interruptions when processing very large data packets (approximately 4000 bytes or larger). This could result in halting all network traffic through the affected gateway. The system would attempt to automatically restart the problematic process, but the issue could recur if the system continued sending large packets.

AVX-58757

Fixed an error condition whereby upon upgrading from 7.0 to 7.1, the Controller was not able to update gateway configuration, resulting in the affected gateway being flagged as not up-to-date.

AVX-59149

This release addresses a regression in 7.1 with TCP maximum segment size (MSS) clamping support, which is now supported on standalone gateways.

Known Issues in Aviatrix Release 7.1.4191

Issue	Description
AVX-61310	In an Aviatrix multi-transit design with Transit Peering, where one of the Transit Gateways has BGP S2C enabled and learns a default route (0.0.0.0/0), an issue occurs following a controller upgrade where incorrect metrics are applied to PeerS2c routes.

Issue

Description

AVX-61310

7.1.4183 Release Notes

Release Date: 15 October 2024

Release Notes updated 31 October 2024

Corrected Issues in Aviatrix Release 7.1.4183

Issue	Description
AVX-52626	There was an issue when modifying the remote subnet CIDR range of an existing Site2Cloud (S2C) connection using Terraform provider version 3.1.4 with Aviatrix Controller versions 7.1.3696 and 7.0.2239. Instead of updating the remote subnet CIDR range as specified in the Terraform configuration, the change was incorrectly applied to the local subnet CIDR range.
AVX-53986	Fixed an issue where the Aviatrix Controller was using excessive memory when managing large numbers of access accounts. Customers managing large numbers of access accounts should see improved Controller stability and performance after upgrading.
AVX-54732	Fixed an issue where Aviatrix Edge Platform (AEP) Gateway upgrade status displayed incorrectly. After a successful image upgrade, the Controller showed an empty upgrade status and the CoPilot interface displayed the status as “unknown”. This was only a display issue with no impact on Gateway functionality.
AVX-55012	After upgrading to version 7.1, certain Source Network Address Translation (SNAT) IP addresses were not properly advertised to connected networks when manual connection summaries were configured. This has been corrected. Outbound traffic using the affected SNAT IP addresses now connects properly. This issue only affected BGP over IPSec connections between Transit Gateways and on-premises devices.
AVX-55434	Resolved an issue where attaching a virtual network with both IPv4 and IPv6 address spaces could cause invalid routes to be added to the network, losing management connectivity. Data traffic was not affected. The workaround was to avoid attaching virtual networks with IPv6 enabled.
AVX-56022	Fixed the following issue that resulted in loss of expected network connectivity between VNets: If an Aviatrix Gateway is originating the default route (such as customized spoke-advertised VPC CIDRs, having an FQDN gateway in its VPC, or a default route from on-premise), this route is then installed in the private subnet route tables of other spoke VNETs. However, if the originating Aviatrix Gateway experiences a disruption (such as stopping and starting the gateway, or withdrawing and adding routes by downstream routers), it can cause the advertised default route to be removed from the route tables of other spoke VNETs, leaving the default route next-hop as NONE in the private route table of the VNET/VPC thereby impacting network connectivity.
AVX-56032	Fixed an issue where Security Group Orchestration was not functioning as expected in some Azure environments. If you were running multiple instances in the same Azure virtual network, Distributed Cloud Firewall (DCF) connectivity rules configured between instances might not have been applied correctly.
AVX-56466	Resolved an issue affecting Azure Transit Gateways (with FireNet, VNG, or BGP over LAN enabled) where upgrading to 7.1.4139 resulted in additional routes being added to the Gateways’ secondary network interfaces.
AVX-56779	Fixed an issue where restore from backup fails during controller image upgrades.
AVX-56921	Resolved an issue where, during Azure service outages, resource handling incorrectly deleted all Azure resources from its database. This could cause brief interruptions in expected network traffic.

Issue

Description

AVX-52626

There was an issue when modifying the remote subnet CIDR range of an existing Site2Cloud (S2C) connection using Terraform provider version 3.1.4 with Aviatrix Controller versions 7.1.3696 and 7.0.2239. Instead of updating the remote subnet CIDR range as specified in the Terraform configuration, the change was incorrectly applied to the local subnet CIDR range.

AVX-53986

Fixed an issue where the Aviatrix Controller was using excessive memory when managing large numbers of access accounts. Customers managing large numbers of access accounts should see improved Controller stability and performance after upgrading.

AVX-54732

Fixed an issue where Aviatrix Edge Platform (AEP) Gateway upgrade status displayed incorrectly.

After a successful image upgrade, the Controller showed an empty upgrade status and the CoPilot interface displayed the status as “unknown”. This was only a display issue with no impact on Gateway functionality.

AVX-55012

After upgrading to version 7.1, certain Source Network Address Translation (SNAT) IP addresses were not properly advertised to connected networks when manual connection summaries were configured. This has been corrected. Outbound traffic using the affected SNAT IP addresses now connects properly.

This issue only affected BGP over IPSec connections between Transit Gateways and on-premises devices.

AVX-55434

Resolved an issue where attaching a virtual network with both IPv4 and IPv6 address spaces could cause invalid routes to be added to the network, losing management connectivity. Data traffic was not affected. The workaround was to avoid attaching virtual networks with IPv6 enabled.

AVX-56022

Fixed the following issue that resulted in loss of expected network connectivity between VNets: If an Aviatrix Gateway is originating the default route (such as customized spoke-advertised VPC CIDRs, having an FQDN gateway in its VPC, or a default route from on-premise), this route is then installed in the private subnet route tables of other spoke VNETs.

However, if the originating Aviatrix Gateway experiences a disruption (such as stopping and starting the gateway, or withdrawing and adding routes by downstream routers), it can cause the advertised default route to be removed from the route tables of other spoke VNETs, leaving the default route next-hop as NONE in the private route table of the VNET/VPC thereby impacting network connectivity.

AVX-56032

Fixed an issue where Security Group Orchestration was not functioning as expected in some Azure environments. If you were running multiple instances in the same Azure virtual network, Distributed Cloud Firewall (DCF) connectivity rules configured between instances might not have been applied correctly.

AVX-56466

Resolved an issue affecting Azure Transit Gateways (with FireNet, VNG, or BGP over LAN enabled) where upgrading to 7.1.4139 resulted in additional routes being added to the Gateways’ secondary network interfaces.

AVX-56779

Fixed an issue where restore from backup fails during controller image upgrades.

AVX-56921

Resolved an issue where, during Azure service outages, resource handling incorrectly deleted all Azure resources from its database. This could cause brief interruptions in expected network traffic.

Known Issues in Aviatrix Release 7.1.4183

Issue	Description
AVX-45480	Distributed Cloud Firewall rules are not properly applied to non-encrypted (non-TLS), non-web (non-HTTP) traffic when processed by Gateways with High Performance Encryption (HPE) enabled.To address this issue, you can configure Distributed Cloud Firewall rules for non-TLS/non-HTTP traffic with higher priority to ensure proper handling. After updating, review and adjust security policies as needed to ensure desired traffic handling.
AVX-51456	Destination network address translation (DNAT) rules cannot be configured on Aviatrix Gateways using Terraform provider version 3.1.4. When setting up DNAT rules on standalone Gateways with policy-based tunnels configured, an error message indicates the interface for the connection cannot be found. To work around this issue, configure DNAT rules through the Aviatrix CoPilot interface at Cloud Fabric > Gateways. See Enabling Gateway DNAT Settings.
AVX-53179	When the "Ensure TLS" setting on a Distributed Cloud Firewall rule is enabled, non-encrypted HTTP traffic is incorrectly passed to the next rule instead of being dropped. This occurs even when all other rule criteria are matched. The issue specifically affects HTTP traffic on port 80.If you want to verify that the Ensure TLS feature is performing as you expect, you can do the following: Disable the Ensure TLS option on the DCF rule. Wait awhile and then check traffic logs to see if non-TLS traffic matches the rule. Re-enable Ensure TLS or configure a new DCF Rule, as needed.
AVX-55015	An issue can occur in handling Site2Cloud Mapped NAT connections when the local CIDR is set to 0.0.0.0/0. When a user edits or deletes a connection mapped to this CIDR, the corresponding IP table rule is not properly removed. This can cause incorrect routing behavior.
AVX-56811	After restoring a Controller configuration, restarting Gateways that were offline could fail re-attestation. To address this issue, ensure that all Gateways are up before restoring a Controller configuration.

Issue

Description

AVX-45480

Distributed Cloud Firewall rules are not properly applied to non-encrypted (non-TLS), non-web (non-HTTP) traffic when processed by Gateways with High Performance Encryption (HPE) enabled.To address this issue, you can configure Distributed Cloud Firewall rules for non-TLS/non-HTTP traffic with higher priority to ensure proper handling. After updating, review and adjust security policies as needed to ensure desired traffic handling.

AVX-51456

Destination network address translation (DNAT) rules cannot be configured on Aviatrix Gateways using Terraform provider version 3.1.4. When setting up DNAT rules on standalone Gateways with policy-based tunnels configured, an error message indicates the interface for the connection cannot be found.

To work around this issue, configure DNAT rules through the Aviatrix CoPilot interface at Cloud Fabric > Gateways. See Enabling Gateway DNAT Settings.

AVX-53179

When the "Ensure TLS" setting on a Distributed Cloud Firewall rule is enabled, non-encrypted HTTP traffic is incorrectly passed to the next rule instead of being dropped. This occurs even when all other rule criteria are matched. The issue specifically affects HTTP traffic on port 80.If you want to verify that the Ensure TLS feature is performing as you expect, you can do the following:

Disable the Ensure TLS option on the DCF rule.
Wait awhile and then check traffic logs to see if non-TLS traffic matches the rule.
Re-enable Ensure TLS or configure a new DCF Rule, as needed.

AVX-55015

An issue can occur in handling Site2Cloud Mapped NAT connections when the local CIDR is set to 0.0.0.0/0. When a user edits or deletes a connection mapped to this CIDR, the corresponding IP table rule is not properly removed. This can cause incorrect routing behavior.

AVX-56811

After restoring a Controller configuration, restarting Gateways that were offline could fail re-attestation.

To address this issue, ensure that all Gateways are up before restoring a Controller configuration.

7.1.4139 Release Notes

Release Date: 14 August 2024

Release Notes updated 16 September 2024

Corrected Issues in Aviatrix Release 7.1.4139

Issue	Description
AVX-55256	Running packet capture results in an error, preventing generation of packet captures for troubleshooting.
AVX-55290	If custom DNS/NTP entries are configured in the Cloud Service Provider DHCP options, and these DNS/NTP destinations are not reachable on the local VPC/VNet, then traffic to those destinations might be blocked.
AVX-55499	Software Rollback of a gateway upgrade from 7.1.4105 (newer operating system) to 7.1.3956 or 7.1.4101 (older operating system) causes gateway PKI service to go down. This results in lost communication between the gateway and Aviatrix Controller.

Issue

Description

AVX-55256

Running packet capture results in an error, preventing generation of packet captures for troubleshooting.

AVX-55290

If custom DNS/NTP entries are configured in the Cloud Service Provider DHCP options, and these DNS/NTP destinations are not reachable on the local VPC/VNet, then traffic to those destinations might be blocked.

AVX-55499

Software Rollback of a gateway upgrade from 7.1.4105 (newer operating system) to 7.1.3956 or 7.1.4101 (older operating system) causes gateway PKI service to go down. This results in lost communication between the gateway and Aviatrix Controller.

Known Issues in Aviatrix Release 7.1.4139

Issue

Description

AVX-62067

All Spoke, Transit peering, and external VPN tunnels on one Transit Gateway in a High Availability (HA) deployment in a High Availability (HA) deployment pair drop simultaneously. Gateway logs show netlink: received unknown seq 0, ignored.

This issue occurs when the 32-bit Netlink sequence counter overflows to 0 on Gateways running strongSwan versions earlier than 5.9.14. When this happens, all IPSec security associations on the node are invalidated.

The problem is addressed in strongSwan 5.9.14, which handles identifier overflows gracefully. See #2062: Handle unique identifier allocation overflows gracefully.

Solutions:

Reboot the affected Gateway to re-establish the tunnels.
Upgrade Gateways to the latest version.

Corrected Issues in Aviatrix Release 7.1.XXXx

Issue	Description
AVX-

Issue

Description

AVX-

Release Notes updated 09 Oct 2024 Tickets avx-45654, -47750, -48285 24oct2024 avx-50897