Aviatrix Controller and Gateway Software Release Notes
Important Notices for Upgrading to Aviatrix Release 7.1
Aviatrix strongly recommends you perform the tasks in the operations checklist including a dry run upgrade before upgrading your deployment of the Aviatrix network platform. Taking the time to perform dry runs and backing up your Aviatrix Platform configuration reduces the potential for issues during the upgrade and allows you to easily restore your configuration if there are issues after the upgrade. Correct any issues you find during your preparation before proceeding with an Aviatrix upgrade. For more information, see Upgrading the Aviatrix Platform and Troubleshooting your Controller and Gateway Upgrade. If you cannot resolve all issues after following the preparation and dry run procedures, please open a ticket with Aviatrix Support. |
This page provides release specific information including some upgrade limitations, known issues and corrected issues. For information about new and enhanced features, behavior changes, and deprecations, see What’s New.
Upgrade Options
This release version is available as an upgrade option only if you have already upgraded to the following:
-
7.1.3956 or 7.1.4101 (older Linux OS)
-
7.1.3958, 7.1.4105, 7.1.4139, or 7.1.4183 (newer Linux OS)
See the Aviatrix Upgrade documentation for more information.
See Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images (AWS and Azure Only) for more information.
Upgrade on Aviatrix Edge Platform
On the Aviatrix Edge Platform, after you have upgraded the image to the latest Aviatrix base image with the newer Linux OS, you cannot roll back to a previous image based on the older Linux OS.
Disable Deprecated Controller-Logging Configurations
You cannot upgrade from any Controller 7.0 version to any Controller 7.1 or 7.2 version until you have disabled the deprecated logging configurations. See Disable Deprecated Controller-Logging Configurations for details.
Do Not Apply Existing Patches to Newly Upgraded Controllers
The Controller and Gateway images shipped with the 7.1.3958 release track (newer Linux OS) include all previously released software patches. Therefore, you do not need to reapply the old software patches to Controllers and Gateways updated to this release. If any new software patches are released in the future, and if they apply to the new Controller and Gateway images, the documentation associated with that release will clearly identify the patches and provide instructions.
Migrate Egress FQDN Filtering to Distributed Cloud Firewall
As of Controller 7.1.1710, Distributed Cloud Firewall (DCF) with WebGroups, configured in CoPilot, is the recommended method for configuring and implementing Egress Security.
Aviatrix strongly recommends migrating from Egress FQDN Filtering (Legacy) to Distributed Cloud Firewall to enforce Egress network security policy.
7.1.4208 Release Notes
Release Date: 19 May 2025
Release Notes Last Updated: 22 May 2025
Corrected Issues in Aviatrix Release 7.1.4208
Issue |
Description |
||
AVX-62067 |
The following issue has been fixed in this release.
Aviatrix Transit Gateways with large number of tunnels and running for a long time could encounter an issue where in the IPSec process becomes unresponsive leading to all IPsec tunnels going into a DOWN state. The cause of this is an internal counter reaching its maximum value and overflowing. To recover, the transit gateway needs to be rebooted. While it is not possible to specify the exact number of tunnels and length of time it would take for the internal counter to overflow, the few customers who encountered this issue had greater than 800 ipsec tunnels on the transit gateway and took three to four months to encounter this issue. The number of ipsec tunnels on the gateway can be seen from Copilot UI under Diagnostics > Cloud Routes > Gateway Routes. |
Known Issues in Aviatrix Release 7.1.4208
Issue | Description |
---|---|
AVX-61310 |
In an Aviatrix multi-transit design with Transit Peering, where one of the Transit Gateways has BGP S2C enabled and learns a default route (0.0.0.0/0), an issue occurs following a controller upgrade where incorrect metrics are applied to PeerS2c routes. |
AVX-63334 |
Aviatrix Edge Gateways deployed on Equinix Network Edge and certain VMware environments may experience issues with root disk resizing during initial setup. The root filesystem might not expand to utilize the full allocated disk space. This can prevent essential cloud-init modules from executing properly. Affected Versions:
Workaround: Customers running Aviatrix Edge Gateways on Equinix Edge or VMware environments with version 7.1.4191 should contact Aviatrix Support for assistance. |
7.1.4191 Release Notes
Release Date: 19 December 2024
Corrected Issues in Aviatrix Release 7.1.4191
Issue | Description |
---|---|
AVX-57922 |
Security Notice: CVE-2024-50603 has been permanently patched. |
AVX-58286 |
An issue was fixed where gateways using Legacy Egress FQDN filtering could experience traffic interruptions when processing very large data packets (approximately 4000 bytes or larger). This could result in halting all network traffic through the affected gateway. The system would attempt to automatically restart the problematic process, but the issue could recur if the system continued sending large packets. |
AVX-58757 |
Fixed an error condition whereby upon upgrading from 7.0 to 7.1, the Controller was not able to update gateway configuration, resulting in the affected gateway being flagged as not up-to-date. |
AVX-59149 |
This release addresses a regression in 7.1 with TCP maximum segment size (MSS) clamping support, which is now supported on standalone gateways. |
Known Issues in Aviatrix Release 7.1.4191
Issue | Description |
---|---|
AVX-61310 |
In an Aviatrix multi-transit design with Transit Peering, where one of the Transit Gateways has BGP S2C enabled and learns a default route (0.0.0.0/0), an issue occurs following a controller upgrade where incorrect metrics are applied to PeerS2c routes. |
7.1.4183 Release Notes
Release Date: 15 October 2024
Release Notes updated 31 October 2024
Corrected Issues in Aviatrix Release 7.1.4183
Issue | Description |
---|---|
AVX-52626 |
There was an issue when modifying the remote subnet CIDR range of an existing Site2Cloud (S2C) connection using Terraform provider version 3.1.4 with Aviatrix Controller versions 7.1.3696 and 7.0.2239. Instead of updating the remote subnet CIDR range as specified in the Terraform configuration, the change was incorrectly applied to the local subnet CIDR range. |
AVX-53986 |
Fixed an issue where the Aviatrix Controller was using excessive memory when managing large numbers of access accounts. Customers managing large numbers of access accounts should see improved Controller stability and performance after upgrading. |
AVX-54732 |
Fixed an issue where Aviatrix Edge Platform (AEP) Gateway upgrade status displayed incorrectly. After a successful image upgrade, the Controller showed an empty upgrade status and the CoPilot interface displayed the status as “unknown”. This was only a display issue with no impact on Gateway functionality. |
AVX-55012 |
After upgrading to version 7.1, certain Source Network Address Translation (SNAT) IP addresses were not properly advertised to connected networks when manual connection summaries were configured. This has been corrected. Outbound traffic using the affected SNAT IP addresses now connects properly. This issue only affected BGP over IPSec connections between Transit Gateways and on-premises devices. |
AVX-55434 |
Resolved an issue where attaching a virtual network with both IPv4 and IPv6 address spaces could cause invalid routes to be added to the network, losing management connectivity. Data traffic was not affected. The workaround was to avoid attaching virtual networks with IPv6 enabled. |
AVX-56022 |
Fixed the following issue that resulted in loss of expected network connectivity between VNets: If an Aviatrix Gateway is originating the default route (such as customized spoke-advertised VPC CIDRs, having an FQDN gateway in its VPC, or a default route from on-premise), this route is then installed in the private subnet route tables of other spoke VNETs. However, if the originating Aviatrix Gateway experiences a disruption (such as stopping and starting the gateway, or withdrawing and adding routes by downstream routers), it can cause the advertised default route to be removed from the route tables of other spoke VNETs, leaving the default route next-hop as NONE in the private route table of the VNET/VPC thereby impacting network connectivity. |
AVX-56032 |
Fixed an issue where Security Group Orchestration was not functioning as expected in some Azure environments. If you were running multiple instances in the same Azure virtual network, Distributed Cloud Firewall (DCF) connectivity rules configured between instances might not have been applied correctly. |
AVX-56466 |
Resolved an issue affecting Azure Transit Gateways (with FireNet, VNG, or BGP over LAN enabled) where upgrading to 7.1.4139 resulted in additional routes being added to the Gateways’ secondary network interfaces. |
AVX-56779 |
Fixed an issue where restore from backup fails during controller image upgrades. |
AVX-56921 |
Resolved an issue where, during Azure service outages, resource handling incorrectly deleted all Azure resources from its database. This could cause brief interruptions in expected network traffic. |
Known Issues in Aviatrix Release 7.1.4183
Issue | Description |
---|---|
AVX-45480 |
Distributed Cloud Firewall rules are not properly applied to non-encrypted (non-TLS), non-web (non-HTTP) traffic when processed by Gateways with High Performance Encryption (HPE) enabled.To address this issue, you can configure Distributed Cloud Firewall rules for non-TLS/non-HTTP traffic with higher priority to ensure proper handling. After updating, review and adjust security policies as needed to ensure desired traffic handling. |
AVX-51456 |
Destination network address translation (DNAT) rules cannot be configured on Aviatrix Gateways using Terraform provider version 3.1.4. When setting up DNAT rules on standalone Gateways with policy-based tunnels configured, an error message indicates the interface for the connection cannot be found. To work around this issue, configure DNAT rules through the Aviatrix CoPilot interface at Cloud Fabric > Gateways. See Enabling Gateway DNAT Settings. |
AVX-53179 |
When the "Ensure TLS" setting on a Distributed Cloud Firewall rule is enabled, non-encrypted HTTP traffic is incorrectly passed to the next rule instead of being dropped. This occurs even when all other rule criteria are matched. The issue specifically affects HTTP traffic on port 80.If you want to verify that the Ensure TLS feature is performing as you expect, you can do the following:
|
AVX-55015 |
An issue can occur in handling Site2Cloud Mapped NAT connections when the local CIDR is set to 0.0.0.0/0. When a user edits or deletes a connection mapped to this CIDR, the corresponding IP table rule is not properly removed. This can cause incorrect routing behavior. |
AVX-56811 |
After restoring a Controller configuration, restarting Gateways that were offline could fail re-attestation. To address this issue, ensure that all Gateways are up before restoring a Controller configuration. |
7.1.4139 Release Notes
Release Date: 14 August 2024
Release Notes updated 16 September 2024
Corrected Issues in Aviatrix Release 7.1.4139
Issue | Description |
---|---|
AVX-55256 |
Running packet capture results in an error, preventing generation of packet captures for troubleshooting. |
AVX-55290 |
If custom DNS/NTP entries are configured in the Cloud Service Provider DHCP options, and these DNS/NTP destinations are not reachable on the local VPC/VNet, then traffic to those destinations might be blocked. |
AVX-55499 |
Software Rollback of a gateway upgrade from 7.1.4105 (newer operating system) to 7.1.3956 or 7.1.4101 (older operating system) causes gateway PKI service to go down. This results in lost communication between the gateway and Aviatrix Controller. |
Known Issues in Aviatrix Release 7.1.4139
Issue |
Description |
AVX-62067 |
All Spoke, Transit peering, and external VPN tunnels on one Transit Gateway in a High Availability (HA) deployment in a High Availability (HA) deployment pair drop simultaneously. Gateway logs show This issue occurs when the 32-bit Netlink sequence counter overflows to 0 on Gateways running strongSwan versions earlier than 5.9.14. When this happens, all IPSec security associations on the node are invalidated. The problem is addressed in strongSwan 5.9.14, which handles identifier overflows gracefully. See #2062: Handle unique identifier allocation overflows gracefully. Solutions:
|