8.0.30 Release Notes

Release Date: 16 September 2025

Release Notes Last Updated: 25 September 2025

Corrected Issues in Aviatrix Release 8.0.30

Issue

Description

AVX-58696

Fixed an issue where TCP MSS clamping was not supported on Standalone Gateways in Release 7.1 and later. Gateways now properly apply MSS clamping to prevent fragmentation issues in TCP traffic flows.

AVX-59298

Fixed an issue where Edge Spoke or Edge Transit Gateways deployed in Megaport Virtual Edge (MVE) with fewer than five VNICs failed to initialize. The deployment process now handles fewer VNICs correctly, ensuring successful gateway initialization.

AVX-59376

Fixed an issue where Controller High Availability (HA) standby instances failed to launch in Controllers version 8.0 and later. The HA deployment workflow now supports dynamic version injection during instance creation, restoring compatibility with AWS Auto Scaling Group launch templates.

AVX-61355

Fixed a performance issue where Azure Standard_B1ms SNAT-enabled Egress Spoke Gateways experienced throughput drops under high connection loads. The gateway logic was updated to optimize performance on smaller instance types.

AVX-62542

Fixed an issue where Distributed Cloud Firewall (DCF) rules did not correctly evaluate traffic when customized SNAT was configured with the same SmartGroups in both source and destination fields. Rule evaluation now accounts for translated source addresses.

AVX-62712

Fixed an issue where recreating a policy-based Site-to-Cloud (S2C) VPN connection after deleting one with the same remote CIDR incorrectly triggered a CIDR overlap error. The system now fully clears deleted CIDRs to allow re-creation of connections.

AVX-62719

Fixed an issue where Distributed Cloud Firewall (DCF) policy writer created unnecessary 40KB configuration snapshots per gateway regardless of changes, increasing Controller database load. Snapshot logic was optimized to reduce redundant write operations.

AVX-63175

Fixed an issue where Edge Gateway version numbers in the Controller UI were incorrectly updated after a gateway returned from a down state. The UI now preserves the actual version running on the gateway.

AVX-63334

Fixed an issue where Aviatrix Edge Gateways deployed on Equinix Network Edge and VMware environments failed to resize root disks during setup, preventing cloud-init modules from executing. Disk resizing logic was updated to ensure proper root filesystem allocation.

AVX-63816

Fixed an issue where the RFC6598 Shared Address Space (100.64.0.0/10) remained in the Public Internet SmartGroup after upgrade to version 8.0.0, allowing traffic to bypass Layer 7 inspection. The upgrade process now removes this range as expected.

AVX-63846

Fixed an issue where CoPilot UI SmartGroups and ExternalGroups with multiple filters were not displayed correctly after saving. The UI now preserves all configured filter sets.

AVX-63883

Fixed an issue where Distributed Cloud Firewall (DCF) rules created via CoPilot UI or Terraform failed to commit, blocking new policies. The API and UI now correctly display and commit new rule sets.

AVX-64015

Fixed an issue where Jumbo Frame support could not be enabled on BGPoLAN connections for AWS HPE gateways. Configuration updates now allow enabling Jumbo Frames as expected.

AVX-64136

Fixed an issue where newly added OCI VCN CIDRs were not recognized in the Controller, preventing gateway creation in new ranges. The Controller now correctly reflects new OCI CIDRs without manual configuration.

AVX-64196

Fixed an issue where IPSec diagnostics did not display logs for AEP and self-managed Edge Gateways. The Controller UI now correctly shows IPSec logs across all supported Edge platforms.

AVX-64213

Fixed an issue where certain Edge Gateway images (g3-202504251522, g3-202504251525) incorrectly sized root disks to 12GB instead of full capacity. The boot process now correctly allocates full disk size.

AVX-64483

Fixed an issue where creating Secondary or HA Transit/Spoke Edge Gateways on Dell appliances failed. The backend workflow has been updated to allow successful HA gateway creation.

AVX-64767

Fixed an issue where using Site-to-Cloud (S2C) mapped NAT at scale caused performance regressions and packet drops after gateway upgrades. Packet handling and NAT translation logic have been optimized to restore performance.

AVX-65252

Fixed an issue where WebGroups combining both Domains and URLs caused configuration pushes to fail. Validation has been added to prevent mixing unsupported entry types.

AVX-65386

Fixed an issue where upgrades to Controller version 8.0.0 failed if Distributed Cloud Firewall (DCF) policies contained duplicate names. The upgrade process now validates and handles duplicate policy names.

AVX-66630

Fixed an issue where SSL certificate uploads containing a Unicode Byte Order Mark (BOM) failed and could crash the Controller application server. Certificates are now validated and BOMs are correctly handled during upload.
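
For AVX-66630, a pre-upload check can detect and strip a byte order mark from a PEM file. The following is an added example, not Aviatrix code: the function names are hypothetical, the sample payload is constructed and is not a real certificate, and only PEM framing and base64 are checked, not X.509 content.

```python
import base64
import codecs
import re

# BOM signatures; UTF-32 LE comes before UTF-16 LE because it shares its first two bytes.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def wrap_pem(der: bytes) -> str:
    """Encode DER bytes as one PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def normalize_pem(raw: bytes):
    """Return (BOM-free ASCII PEM bytes, name of the BOM found or None).

    Raises ValueError when the input is not decodable or holds no valid block.
    """
    encoding, bom = "ascii", None
    for signature, name in BOMS:
        if raw.startswith(signature):
            raw, encoding, bom = raw[len(signature):], name, name
            break
    try:
        text = raw.decode(encoding)
    except UnicodeDecodeError as exc:
        raise ValueError(f"file is not valid {encoding} text") from exc
    bodies = PEM_BLOCK.findall(text)
    if not bodies:
        raise ValueError("no CERTIFICATE block found")
    # validate=True rejects any non-base64 character left inside a block.
    ders = [base64.b64decode("".join(b.split()), validate=True) for b in bodies]
    return "".join(wrap_pem(d) for d in ders).encode("ascii"), bom


# Constructed sample: 48 arbitrary bytes in PEM framing, not a real certificate.
SAMPLE_PEM = wrap_pem(bytes(range(48))).encode("ascii")
```

A non-None second return value means the original file carried a BOM and the cleaned bytes should be uploaded instead.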

Known Issues in Aviatrix Release 8.0.30

Issue Description

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause service outages.

Impact:

  • Existing gateways may be deleted during image upgrade

  • Replacement gateway creation fails due to missing subscription

  • Customers may experience connectivity loss and dangling gateway entries in the Controller

  • Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62230

When upgrading Aviatrix Gateways from version 7.2.x to 8.0.0 with TLS decryption enabled in Distributed Cloud Firewall (DCF), the Gateway automatically regenerates its TLS decryption certificate authority (CA). Because each Gateway maintains its own unique CA for security, the regenerated CA no longer matches the CA previously trusted by clients.

As a result, you may experience the following issues after the upgrade:

  • Failed TLS connections for decrypted traffic

  • Certificate trust errors in browsers or applications

  • Traffic disruption for services that rely on TLS inspection

Affected Scenario:

  • Gateways with TLS decryption enabled in DCF being upgraded from 7.2.x to 8.0.0

Workaround: If you have imported your own proxy CA and key, you can re-import the same certificate and key after the Gateway upgrade to maintain trust continuity.

If you rely on the Aviatrix-generated CA:

After the Gateway upgrade, export the newly generated CA certificate and add it to the trust bundles on client systems to restore trust and resume decrypted connections.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

  • Schedule gateway upgrades during maintenance windows or low-traffic periods.

  • Use HA deployments and upgrade gateways one at a time in HA pairs.

  • Monitor logs for “Failed to load policy” messages to confirm when policies are reloaded.

AVX-62636

DCF rules pushed to Edge gateways may not account for NAT translations, leading to incorrect rule behavior and potential traffic filtering issues.

Affected Deployments:

  • Edge gateways with DCF rules applied

  • Environments using NAT to manage overlapping IP address spaces

  • Traffic flows between cloud resources and Edge sites with DCF enforcement

Workaround:

  • Avoid applying DCF rules to Edge gateways in environments with NAT or overlapping IP ranges.

  • Explicitly exclude Edge from DCF deployment by using the following Provider Deployment API. Include all desired cloud providers except "EDGE" in the providers list:

POST /v2.5/api/microseg/deploy-policy
{
  "providers": ["AWS", "AZURE", "GCP"]
}

AVX-63224

In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time.

Affected Scenarios:

  • Upgrading from version 7.2.x to 8.0.x

  • Upgrading between 8.0.x versions

Impact:

Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade.

Recommendations:

  • Allocate approximately 20% more time for gateway upgrades.

  • For large environments (for example, 1,000+ gateways), plan for 90–120 minutes of upgrade time.

  • Schedule upgrades during maintenance windows to accommodate the longer duration.

AVX-64447

Site2Cloud High Availability (HA) tunnels may not behave correctly when toggling between Active/Active and Active/Standby modes.

Problem 1: When disabling Active/Active HA, the HA Gateway (HAGW) may retain metric 100 routes pointing to tunnel interfaces in the Gateway Route table, even though they should be removed.

Problem 2: When enabling Active/Active HA from Active/Standby, the HA Gateway tunnel may not be properly enabled. This can result in missing routes despite the UI showing Active/Active status.

Impact:

  • Inconsistent routes on the gateway while switching the S2C HA mode.

  • Potential routing gaps on the gateway can lead to incorrect traffic distribution.

Workaround:

If you encounter this issue, contact Aviatrix Support for assistance.

AVX-64794

When Distributed Cloud Firewall (DCF) is enabled, policy-based Site-to-Cloud (S2C) traffic may be misclassified due to how the traffic flows through the gateway. This can lead to unintended blocking or incorrect policy enforcement.

Workaround:

  • Consider using route-based S2C VPNs, where plaintext traffic traverses a dedicated tunnel interface and is classified correctly by DCF

  • Temporarily disable DCF on gateways handling policy-based S2C connections if misclassification impacts production traffic

Impact:

  • Policy-based S2C traffic may be incorrectly evaluated against VPC or internet DCF rules

  • Unexpected traffic drops or policy mismatches

  • Inconsistent DCF behavior between policy-based and route-based S2C configurations

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Workaround:

  • Use diagnostic logs to verify actual VRRP state

Impact:

  • Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing

  • No impact on actual VRRP traffic handling or failover behavior.

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

  • Firewall integration appears stuck in Unaccessible state

  • Recovery does not occur automatically after initial failure

  • May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66190

When using Threat Intelligence (ThreatIQ) external groups in Distributed Cloud Firewall (DCF), gateways may log “field threat_severity not found” errors if unsupported selectors (such as threat_severity) are used.

These configurations are currently accepted by the Controller without validation, but the unsupported selectors are ignored during policy enforcement, and repeated error messages are logged.

Workaround:

  • Remove unsupported selectors (e.g., threat_severity) from threat group configurations

  • Use only supported fields when defining ThreatIQ external groups

  • Monitor DCF gateway logs for error messages to identify invalid selectors

Impact:

  • DCF policies continue to function as expected, but administrators may be unaware that some threat selectors are not being applied.

  • The repeated log entries may also affect log analysis and monitoring.

Resolution:

Future enhancements will add validation during configuration and UI notifications when unsupported selectors are used.
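
The log monitoring suggested for AVX-62506 and AVX-66190 can be scripted. This added example is not Aviatrix code: the two message strings come from this page, while the line layout, gateway names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed line layout (not documented on this page): "<ISO-8601 UTC time> <gateway> <message>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(?P<gw>\S+)\s+(?P<msg>.+)$")
MISSING_FIELD = re.compile(r"field (\w+) not found")  # AVX-66190 message
POLICY_FAIL = "Failed to load policy"                  # AVX-62506 message

# Constructed sample lines; gateway names, timestamps and filler text are made up.
SAMPLE_LOG = """\
2025-09-20T02:00:01Z gw-spoke-a Failed to load policy
2025-09-20T02:00:04Z gw-spoke-a Failed to load policy
2025-09-20T02:00:05Z gw-spoke-a unrelated message
2025-09-20T02:10:00Z gw-spoke-b field threat_severity not found
2025-09-20T02:10:30Z gw-spoke-b field threat_severity not found
not a log line
"""


def scan(log_text):
    """Return {gateway: {"ignored_selectors": {name: count},
                         "policy_failures": (first, last, count) or None}}."""
    selectors = defaultdict(lambda: defaultdict(int))
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        gw, msg = m["gw"], m["msg"]
        for name in MISSING_FIELD.findall(msg):
            selectors[gw][name] += 1  # selector the gateway is ignoring
        if POLICY_FAIL in msg:
            failures[gw].append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    report = {}
    for gw in sorted(set(selectors) | set(failures)):
        times = sorted(failures.get(gw, []))
        report[gw] = {
            "ignored_selectors": dict(selectors.get(gw, {})),
            "policy_failures": (times[0], times[-1], len(times)) if times else None,
        }
    return report
```

Any gateway with a non-empty ignored_selectors entry has a threat group whose selectors are not being enforced and should be reviewed.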

AVX-66324

When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration.

Affected Scenario:

  • DCF Layer 7 rules configured between Smart Groups based on resource tags (for example, Kubernetes pods and VMs)

  • Both VPCs use RFC1918 IP addresses

  • Gateways are deployed in High Availability (HA) mode

Workaround:

  • Monitor traffic flow manually

  • Use Smart Groups with static IPs or CIDRs if alerting is critical

Impact: Only affects notifications. Traffic enforcement continues to function as expected.

AVX-68102

When upgrading from Controller version 8.0.10 to 8.0.30, the Controller UI becomes temporarily inaccessible while containers reload. During this time, users cannot view progress or upgrade status messages. The UI becomes available again once the upgrade completes successfully.

Impact:

  • Controller UI is unavailable during the upgrade

  • No upgrade status is displayed in the browser

  • Behavior differs from previous versions

Workaround:

  • Wait for the upgrade to finish in the background.

  • Refresh the browser after a few minutes to reconnect once the UI is available.