8.0.10 Release Notes

Release Date: 11 August 2025

Release Notes Last Updated: 22 December 2025

Corrected Issues in Aviatrix Release 8.0.10

Issue Description

AVX-60731

Fixed an issue where BGP gateways could crash when receiving route updates containing AS_SET information in the AS_PATH attribute. In the default configuration, the system now rejects AS_SET and AS_CONFED_SET, improving BGP stability and aligning with industry standards.
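The following added example (not Aviatrix code) illustrates the kind of check described above: it walks the segments of an AS_PATH attribute value and reports a reject decision when an AS_SET or AS_CONFED_SET segment is present or the attribute is malformed. The function names, the 4-octet ASN default, and the sample paths built from documentation ASNs are assumptions made for the illustration.

```python
import struct

# AS_PATH segment type codes (RFC 4271 section 4.3 and RFC 5065 section 3).
SEGMENT_NAMES = {1: "AS_SET", 2: "AS_SEQUENCE",
                 3: "AS_CONFED_SEQUENCE", 4: "AS_CONFED_SET"}
REJECTED_TYPES = {1, 4}  # the two set types the release note says are rejected


def build_segment(seg_type, asns, asn_size=4):
    """Encode one path segment: type (1 octet), ASN count (1 octet), ASNs."""
    fmt = "!I" if asn_size == 4 else "!H"
    return bytes([seg_type, len(asns)]) + b"".join(struct.pack(fmt, a) for a in asns)


def parse_as_path(value, asn_size=4):
    """Split an AS_PATH attribute value into (segment_type, [asn, ...]) tuples.

    Raises ValueError on the malformed cases listed in RFC 7606 section 7.2:
    unrecognized segment type, zero-length segment, overrun or underrun.
    """
    if asn_size not in (2, 4):
        raise ValueError("asn_size must be 2 or 4")
    fmt = "!I" if asn_size == 4 else "!H"
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        offset += 2
        if seg_type not in SEGMENT_NAMES:
            raise ValueError(f"unrecognized segment type {seg_type}")
        if count == 0:
            raise ValueError("zero-length segment")
        end = offset + count * asn_size
        if end > len(value):
            raise ValueError("segment overruns attribute")
        asns = [struct.unpack_from(fmt, value, pos)[0]
                for pos in range(offset, end, asn_size)]
        segments.append((seg_type, asns))
        offset = end
    return segments


def check_as_path(value, asn_size=4):
    """Return (accepted, reason); never raises on untrusted input."""
    try:
        segments = parse_as_path(value, asn_size)
    except ValueError as exc:
        return False, f"malformed AS_PATH: {exc}"
    for seg_type, asns in segments:
        if seg_type in REJECTED_TYPES:
            return False, f"{SEGMENT_NAMES[seg_type]} {asns} present"
    return True, "ok"


# Constructed samples using documentation ASNs (RFC 5398), not captured traffic.
PLAIN = build_segment(2, [64496, 64497, 64498])
AGGREGATED = build_segment(2, [64496]) + build_segment(1, [64500, 64501])
CONFED_SET = build_segment(4, [64510]) + build_segment(2, [64496])
TRUNCATED = AGGREGATED[:-3]  # last ASN cut short

if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("aggregated", AGGREGATED),
                         ("confed-set", CONFED_SET), ("truncated", TRUNCATED)]:
        print(name, check_as_path(sample))
```
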

AVX-63016

Fixed an issue where OpenVPN gateways in split tunnel mode did not propagate newly added Additional CIDRs to clients. The problem occurred because the OpenVPN service was not automatically restarted after CIDR updates, requiring manual restarts. The fix ensures that route and DNS configuration changes now properly trigger service restarts, so Additional CIDRs and DNS settings are pushed to clients without manual intervention.

AVX-63522

Fixed an issue where GCP gateways with FireNet or BGPoLAN enabled were incorrectly configured with subnet-based netmasks instead of the required /32 prefix. This caused routing failures and connectivity issues with firewall appliances.

AVX-63608

Fixed an issue where gateway resize operations could fail with a KeyError: 'src' during validation. This occurred when resizing gateways, including attempts to resize to the same instance size for recovery. The fix improves peer data handling to ensure resize operations complete successfully.

AVX-64741

Fixed an issue where transit peering status was shown as UNKNOWN in the Controller even though tunnels were established. The problem was caused by Edge gateways sending invalid peer values (“<nil>”), which blocked route exchange. The fix adds proper validation of peer IP values so that transit status is reported correctly and routes are exchanged as expected.

AVX-64447

Site2Cloud High Availability (HA) tunnels may not behave correctly when toggling between Active/Active and Active/Standby modes.

Problem 1: When disabling Active/Active HA, the HA Gateway (HAGW) may retain metric 100 routes pointing to tunnel interfaces in the Gateway Route table, even though they should be removed.

Problem 2: When enabling Active/Active HA from Active/Standby, the HA Gateway tunnel may not be properly enabled. This can result in missing routes despite the UI showing Active/Active status.

Impact:

  • Inconsistent routes on the gateway while switching the S2C HA mode.

  • Potential routing gaps on the gateway, leading to incorrect traffic distribution.

Workaround:

If you encounter this issue, contact Aviatrix Support for assistance.

AVX-64774

Fixed an issue where backup restoration failed on GCP controllers when restoring from earlier versions (such as 7.2.5090) to 8.0.0 and later. The issue was caused by a Google Cloud Storage API error during the upload phase. The fix includes a library update and improved error handling to ensure successful restoration.

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

  • Firewall integration appears stuck in Unaccessible state

  • Recovery does not occur automatically after initial failure

  • May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-65050

Fixed an issue where DCF policies failed to apply to Azure gateways due to Cloud Asset Inventory (CAI) not resolving Azure subnets correctly. This was caused by missing Azure VNET GUID metadata during upgrades, resulting in Smart Group resolution failures and incorrect policy rule enforcement. The fix improves Azure metadata handling and ensures consistent DCF policy application.

AVX-65213

Fixed an issue where system diagnostics could fail with an AttributeError during Controller operations. The error occurred when collecting CloudXD process data that unexpectedly returned None. The fix adds proper null checks to ensure the diagnostic collection completes successfully.

AVX-65565

Fixed an issue where Distributed Cloud Firewall (DCF) eBPF programs were not fully cleaned up from gateway interfaces when DCF features were disabled. The cleanup logic has been improved to ensure all interfaces are properly cleared, preventing residual eBPF programs from remaining after disabling Site-to-Cloud DCF or other DCF features.

AVX-65698

Fixed a memory leak in the DCF Traffic Server (TS_MAIN process) that could cause gateway reboots during high-volume threat IP traffic processing. The issue occurred when multiple DCF rules with ThreatIQ external groups were triggered by continuous probing to inactive threat IPs. Memory usage now stabilizes under sustained load.

AVX-66162

Fixed an issue where DNAT and SNAT configuration updates failed on gateways with policy-based Site2Cloud tunnels. The NAT validation logic has been corrected to properly resolve interfaces, ensuring DNAT and SNAT rules can now be created, modified, or deleted through the Controller UI without errors.

AVX-66961

Fixed a memory leak in the DCF Traffic Server (TS_MAIN process) that could cause gateway memory exhaustion and potential traffic impact. The issue occurred on gateways running Distributed Cloud Firewall (DCF) with WebGroups enabled.

AVX-67128

Fixed an issue where user-uploaded SSL certificates were not automatically restored during Controller migration to version 8.0.0. This caused FQDN-based secure access to the Controller UI to fail post-migration. The fix ensures that existing certificates are now retained and restored during the migration process.

AVX-68308

Fixed an issue in UserConnect 7.2 where gateway resize operations could fail with a KeyError: 'src' exception. This occurred in deployments upgraded from version 6.6 with non-HPE peering configurations and prevented users from resizing gateways once they entered a config_fail state.

Known Issues in Aviatrix Release 8.0.10

Issue Description

AVX-58696

TCP MSS clamping is not supported on Standalone Gateways in Release 7.1 and later.

AVX-59376

When using Controller High Availability (HA) with Controllers version 8.0 and later, the standby Controller will fail to launch correctly. This is because the HA mechanism relies on a fixed software version specified in the Auto Scaling Group (ASG) launch template, but Controllers version 8.0 and later require the version to be passed dynamically through cloud-init during instance creation.

This issue occurs only in environments that use:

  • Controller HA with Controllers version 8.0 and later

  • AWS Auto Scaling Group (ASG) launch templates

  • The default CloudFormation HA deployment method

Workaround:

Use the new CloudFormation template to enable AWS Controller High Availability. This template supports dynamic version injection and restores compatibility with Controllers version 8.0 and later in supported regions. For versions 7.x and earlier, use the existing CloudFormation script (without the v3 suffix).

Note: This solution is not available in AWS regions that do not support Lambda Function URLs.

AVX-61355

Azure Standard_B1ms SNAT-enabled Egress Spoke Gateways may experience significant throughput drops under high connection loads. This limitation is caused by the Azure Standard_B1ms instance type, which has limited compute and network resources.

Affected Scenario:

  • SNAT-enabled Egress Spoke Gateways using Azure Standard_B1ms under high connection loads.

Workaround:

Upsize the Spoke Gateway to a larger Azure instance type for workloads that require more than 10K concurrent connections or consistent network throughput.

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

  • Existing gateways may be deleted during image upgrade

  • Replacement gateway creation fails due to missing subscription

  • Customers may experience connectivity loss and dangling gateway entries in the Controller

  • Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62011

Auto migration will not work from 7.2 to 8.0 when proxy is enabled. You must use a manual backup and restore process to perform the upgrade. Follow the steps below to back up and restore during the upgrade:

  1. If your Controller software version is 7.2.5012 or older, upgrade both the Controller and Gateways to the latest 7.2 build.

  2. Delete the proxy configuration from Controller UI > Settings > Advanced > Proxy.

  3. Back up the Controller from Controller UI > Settings > Maintenance > Backup & Restore > Backup.

  4. Shut down the old Controller.

  5. Launch the new 8.0 Controller and transfer the EIP.

  6. Once the 8.0 Controller is up, restore the Controller using the backup config from Controller UI > Settings > Maintenance > Backup & Restore > Restore.

  7. Add back the proxy configuration from Controller UI > Settings > Advanced > Proxy.

  8. Software upgrade the Gateways from version 7.2 to 8.0.

AVX-62147

The Controller auto-migration and Gateway upgrade features do not function properly when the Aviatrix Controller has proxy settings enabled. In such environments, migration may fail, and you must follow a manual backup and restore process instead of using the standard auto-migration workflow. This limitation is due to current backend behavior that does not support migration through proxy-enabled setups.

Affected Scenario:

  • Controller and Gateway upgrades using auto-migration in environments where proxy settings are enabled on the Aviatrix Controller

Check Whether You Are Affected:

  • In Controller UI: Go to Settings > Advanced > Proxy

  • In CoPilot UI: Go to Settings > Configuration > Private Mode > Proxy Servers

If proxy configurations are present in either location, your deployment is affected.

Workaround:

Follow the manual backup and restore steps below to upgrade the Aviatrix Controller and Gateways:

  1. If the Controller is running version 7.2.5012 or earlier, upgrade to the latest 7.2 build first.

  2. Delete the proxy configuration in the Controller UI.

  3. Back up the Controller from Settings > Maintenance > Backup & Restore > Backup in the CoPilot UI.

  4. Shut down the old Controller.

  5. Launch a new Controller with version 8.0 and reassign the EIP.

  6. Restore the backup in the new Controller.

  7. Reconfigure the proxy settings.

  8. Upgrade the Gateways from version 7.2 to 8.0.

    A maintenance window is recommended for this manual upgrade, as it involves Controller downtime and multiple steps.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

  • Schedule gateway upgrades during maintenance windows or low-traffic periods.

  • Use HA deployments and upgrade gateways one at a time in HA pairs.

  • Monitor logs for “Failed to load policy” messages to confirm when policies are reloaded.

AVX-62542

In environments where Distributed Cloud Firewall (DCF) and customized SNAT are used together, DCF rules may fail to match traffic correctly when the same SmartGroups are specified in both the source and destination fields. This is because the system does not account for the translated source address during rule evaluation.

As a result, traffic may be unintentionally blocked by the DefaultDenyAll rule, and policies may not apply as expected—particularly in cross-cloud or cross-region scenarios.

Affected Configurations:

  • Customized SNAT (not Single IP SNAT) configured on gateways

  • DCF rules with overlapping SmartGroups in source and destination

  • Environments involving SNAT-translated traffic

Workaround:

In earlier versions, avoid using 0.0.0.0/0 as the destination in SNAT rules. Instead, specify only the required destination CIDRs.

AVX-62712

When recreating a policy-based Site-to-Cloud (S2C) VPN connection after deleting a previous one with the same remote CIDR, the system may incorrectly report a CIDR overlap error, even though the original connection has been removed. This occurs because the system does not fully clean up the remote CIDR information, causing it to believe the CIDR is still in use.

Affected Scenario:

  • Recreating a policy-based Site-to-Cloud VPN connection using the same remote CIDR after deletion, in either of the following cases:

    • The deleted connection was a route-based S2C connection on a gateway that still has other S2C connections.

    • The deleted connection was a policy-based S2C connection.

Workaround:

Contact Aviatrix Support to manually clear the cached CIDR information.

AVX-63175

In Aviatrix Controller version 8.0, Edge Gateway version numbers may be incorrectly updated in the Controller UI after the gateway comes back online from a down state. This occurs even when no new software installation has taken place.

Instead of preserving the actual version running on the Edge Gateway, the Controller may incorrectly overwrite it with its own version. This can lead to confusion during troubleshooting, upgrade planning, or compliance checks.

Affected Environments:

  • All Edge Gateway platforms, including Equinix Network Edge, AEP appliances, and other supported Edge deployments

  • The issue occurs whenever an Edge Gateway transitions from a "down" to "up" state for any reason other than initial installation (for example, reboot, network disruption, or manual restart)

Workaround:

  • Maintain a separate record of installed Gateway versions outside the Controller

  • Use the Edge Gateway’s local console or logs to verify the current version when planning upgrades or diagnosing issues

Note:

This issue only affects Edge Gateways. Cloud provider (CSP) Gateways in AWS, Azure, GCP, or OCI are not affected.

AVX-63846

In the CoPilot UI, Groups > SmartGroups and Groups > ExternalGroups with multiple filters may not appear as originally configured after being saved. This issue occurs when creating groups with multiple sets of any resource type. While policy enforcement is correct, the UI may display missing or merged filter sets, leading to ambiguity and confusion during review or editing.

Affected Scenario:

  • Creating or editing SmartGroups or ExternalGroups with multiple filters applied

Workaround:

There is no workaround at this time. If possible, avoid using multiple filter sets in a single group until the issue is resolved.

AVX-63883

In Aviatrix Controller version 8.0.0, you may encounter a problem when creating or modifying Distributed Cloud Firewall (DCF) rules using either the CoPilot UI or Terraform. In the CoPilot UI, the ruleset may not display correctly and the "Commit" button may be non-functional. When using Terraform, an error may occur indicating that the DCF policy API is unavailable.

This issue prevents you from applying new or updated DCF rules, impacting network security policy management.

Affected Scenario:

  • Creating or modifying DCF rules using the CoPilot UI or Terraform

  • DCF-enabled environments where no rules are currently visible or editable

Workaround:

Contact Aviatrix Support. They can run a script to restore the missing policy list without requiring a full upgrade.

AVX-64015

Jumbo Frame support cannot be enabled on BGPoLAN (BGP over LAN) connections for AWS HPE gateways. Attempts to enable this feature may result in an error indicating that Jumbo Frames are not supported.

This affects environments where high-throughput performance is critical, such as large-scale or latency-sensitive deployments.

Affected Scenario:

  • BGPoLAN connections on AWS HPE gateways

  • Use cases that rely on Jumbo Frame support for performance optimization

Limitation:

In version 8.0.0, Jumbo Frame support can only be enabled when creating a new BGPoLAN connection on AWS HPE gateways. Editing an existing connection to enable Jumbo Frames is not supported.

Workaround:

None.

To enable Jumbo Frame support, delete the existing connection and recreate it with the setting enabled.

AVX-64136

In OCI environments, new CIDRs added to a VCN via the OCI console may not be reflected in the Controller after the initial spoke-transit attachment. As a result, users cannot create gateways in the newly added CIDRs, and the CIDR will not appear in the subnet selection dropdown.

Impact:

  • Controller fails to recognize new OCI CIDRs

  • Gateway creation fails in new CIDR ranges

  • Manual intervention required to refresh CIDR information

Workaround:

  • Add both the original and newly added CIDRs to the Customized Spoke Advertised VPC CIDRs field in the Controller.

AVX-64339

AWS t3.small and t3.medium instances used for Egress Spoke Gateways have limited connection tracking capacity, which can affect performance in high-connection environments.

Impact:

  • t3.medium supports around 25,000 concurrent connections

  • IDS-enabled DCF rules can reduce this to about 2,000

  • When limits are exceeded, traffic may drop and SSH access to the gateway may fail

Workaround:

  • Use larger instance types such as c5.xlarge or c6in.large for applications requiring high concurrent connections

  • Avoid or remove IDS-enabled DCF rules if high connection capacity is needed

  • Monitor conntrack usage using platform tools or gateway diagnostics

Resolution:

This is a documented platform limitation. No product fix is required. Refer to Aviatrix Best Practices for gateway sizing guidance.

AVX-64502

Resolved an issue where, under certain conditions, the eth0 interface on an HPE-enabled Azure gateway could go down, causing the DHCP-assigned primary IP address to be released and a static IP to be promoted as the primary address, which causes traffic disruption.

With this fix, the primary IP address is retained even if the interface temporarily goes down, preventing traffic disruption and gateway connectivity issues.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

  • Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing

  • No impact on actual VRRP traffic handling or failover behavior.

Workaround:

  • Use diagnostic logs to verify actual VRRP state

AVX-66190

When using Threat Intelligence (ThreatIQ) external groups in Distributed Cloud Firewall (DCF), gateways may log "field threat_severity not found" errors if unsupported selectors (such as threat_severity) are used.

These configurations are currently accepted by the Controller without validation, but the unsupported selectors are ignored during policy enforcement, and repeated error messages are logged.

Impact:

  • DCF policies continue to function as expected, but administrators may be unaware that some threat selectors are not being applied.

  • The repeated log entries may also affect log analysis and monitoring.

Workaround:

  • Remove unsupported selectors (e.g., threat_severity) from threat group configurations

  • Use only supported fields when defining ThreatIQ external groups

  • Monitor DCF gateway logs for error messages to identify invalid selectors

Resolution:

Future enhancements will add validation during configuration and UI notifications when unsupported selectors are used.

AVX-66324

When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration.

Affected Scenario:

  • DCF Layer 7 rules configured between Smart Groups based on resource tags (for example, Kubernetes pods and VMs)

  • Both VPCs use RFC1918 IP addresses

  • Gateways are deployed in High Availability (HA) mode

Impact:

Only affects notifications. Traffic enforcement continues to function as expected.

Workaround:

  • Monitor traffic flow manually

  • Use Smart Groups with static IPs or CIDRs if alerting is critical

AVX-66630

Uploading SSL certificates from some providers (such as GoDaddy) could fail if the PEM file included a Unicode Byte Order Mark (BOM). The certificate might appear to upload successfully but would not take effect, and could cause the Controller’s application server to crash with a "missing private key" error.

Impact:

  • SSL certificate installation may silently fail

  • In some cases, the Controller application server could crash

  • Affects wildcard and other SSL certificates from providers like GoDaddy

Workaround:

  • Open the certificate file in a text editor that supports encoding and remove the BOM before uploading

  • Use certificates saved in standard UTF-8 format without BOM
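The workaround above can be scripted. The following added example (not Aviatrix code) detects a BOM in PEM data, removes it, and returns clean ASCII bytes suitable for upload; it goes slightly beyond the single case in the text by also handling UTF-16/UTF-32 files and BOMs left in the middle of a concatenated chain. The function name and the placeholder certificate body are constructed for the illustration.

```python
import codecs

# Longest BOMs first: the UTF-32 LE BOM begins with the UTF-16 LE BOM bytes.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]
PEM_BEGIN = "-----BEGIN "


def normalize_pem(raw):
    """Return (clean_ascii_bytes, notes) for PEM data that may carry a BOM.

    Raises ValueError if the data cannot be decoded, does not start with a
    PEM BEGIN line after cleaning, or still contains non-ASCII characters.
    """
    notes = []
    encoding = "utf-8"
    for bom, name in BOMS:
        if raw.startswith(bom):
            raw = raw[len(bom):]
            encoding = name
            notes.append(f"removed leading {name} BOM")
            break
    text = raw.decode(encoding)  # UnicodeDecodeError is a ValueError subclass

    # Files concatenated into a chain can each contribute their own BOM,
    # which then sits between two PEM blocks as U+FEFF.
    interior = text.count("\ufeff")
    if interior:
        text = text.replace("\ufeff", "")
        notes.append(f"removed {interior} interior BOM(s)")
    if encoding != "utf-8":
        notes.append("transcoded to UTF-8")

    if not text.lstrip().startswith(PEM_BEGIN):
        raise ValueError("no PEM BEGIN line at start of data")
    try:
        return text.encode("ascii"), notes
    except UnicodeEncodeError as exc:
        raise ValueError(f"non-ASCII character at offset {exc.start}") from exc


# Constructed sample: the body is a placeholder, not a real certificate.
SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
          b"Q09OU1RSVUNURUQ=\n"
          b"-----END CERTIFICATE-----\n")
WITH_UTF8_BOM = codecs.BOM_UTF8 + SAMPLE
AS_UTF16 = codecs.BOM_UTF16_LE + SAMPLE.decode("ascii").encode("utf-16-le")
CHAIN = WITH_UTF8_BOM + WITH_UTF8_BOM  # two BOM-prefixed files concatenated

if __name__ == "__main__":
    for name, data in [("clean", SAMPLE), ("utf-8 BOM", WITH_UTF8_BOM),
                       ("utf-16", AS_UTF16), ("chain", CHAIN)]:
        clean, notes = normalize_pem(data)
        print(f"{name}: {len(data)} -> {len(clean)} bytes, {notes or 'no change'}")
```

Read the certificate file in binary mode before passing it to `normalize_pem`, and write the returned bytes in binary mode so the editor or runtime does not reintroduce a BOM.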

AVX-70123

When upgrading from Controller 8.0.x to 8.1.x, the upgrade may fail to complete due to incorrect database schema type definitions.

As a result, the controller remains on version 8.0.x and the upgrade process does not finish successfully.

Impact: Controller upgrade from 8.0.x to 8.1.x fails.

Workaround: Contact Aviatrix Support for a manual fix to complete the upgrade.

AVX-70253

FireNet deployment with bootstrap enabled may fail in Google Cloud due to changes in how GCP credentials are handled.

The system no longer reads GCP credentials from local files during bootstrap. Instead, credentials are retrieved as encoded data from the database, which causes bootstrap operations to fail in certain FireNet deployment workflows.

Impact: FireNet deployment with bootstrap fails in the Google Cloud environment.

Affected Scenario: FireNet deployments with bootstrap enabled in Google Cloud.

Workaround: Do not use bootstrap when deploying FireNet in Google Cloud. Alternatively, perform the bootstrap process directly from the GCP cloud.

AVX-71087

When upgrading to Controller versions 8.0 or 8.1, ICMP traffic may be blocked by default due to updated access control rules that do not include allowances for ICMP-based debugging.

Affected Scenario: Environments where ICMP is used for network troubleshooting and diagnostic workflows.

Impact:

  • ICMP-based debugging tools may stop functioning

  • Network troubleshooting capabilities may be limited

  • Existing workflows that depend on ICMP may be disrupted

Workaround: Manually add access control rules to the Controller to explicitly allow ICMP traffic for debugging. Contact Aviatrix Support for assistance if needed.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

  • VPN gateway deployment fails

  • Error message does not clearly indicate the root cause

Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2.

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-73061

The Cloud Asset Inventory (CAI) service has a memory leak in its L1 cache. When cloud instances such as VMs are removed from the cloud provider, the associated network interfaces remain cached and are never cleaned up.

Impact:

  • In environments that regularly cycle VMs (such as those using spot instances), the CAI service memory consumption grows over time and is never reclaimed.

  • This can lead to high memory usage by the CAI service, potentially affecting Controller performance.

Workaround:

Contact Aviatrix Support for assistance with periodic CAI service restarts to reclaim memory.