8.0.60 Release Notes

Release Date: 12 May 2026

Release Notes Last Updated: 20 May 2026

Corrected Issues in Aviatrix Release 8.0.60

Issue Description

AVX-70253

Fixed an issue where FireNet deployment with bootstrap configuration failed in Google Cloud due to a change in how the credential JSON file is read.

AVX-71087

Fixed an issue where the default access control rules did not properly allow ICMP traffic used for debugging. The updated rules ensure ICMP-based troubleshooting continues to work after upgrades.

AVX-71217

Fixed an issue where the VRRP state file became empty on AEP edge gateways configured in active-active HA pairs after upgrading gateway software from version 7.2 to 8.0.30. The VRRP state file now correctly retains primary/backup state information after upgrades.

AVX-71630

Resolved an issue where incorrect eBPF filters could be applied to the eth1 interface on Azure gateways with Accelerated Networking enabled during upgrades from versions earlier than 7.2.2994. The upgrade process now properly handles interface filter configuration to prevent unintended traffic drops.

AVX-72847

Resolved an issue where the avx-gw-state-sync service leaked D-Bus connections on gateways. The implementation has been updated to use a shared D-Bus connection that is properly managed and cleaned up, preventing connection exhaustion during gateway operations.

AVX-73036

Fixed an issue where mapped standby tunnels had cleanup issues with mangle rules and route tables during tunnel failover operations.

AVX-73463

Fixed an issue where the gateway state sync service required a restart prior to upgrading gateways to version 7.2 or 8.0, which could cause upgrade failures if not performed.

AVX-74719

Fixed an issue where performing a Controller backup restore could cause a temporary traffic outage of approximately 40 seconds due to all routes being deleted and re-added during the etcd route reconvergence process. Routes are now preserved during backup restore to prevent traffic disruption.

AVX-74739

Fixed an issue where the database migration timeout during Controller upgrade was hard-coded at 15 minutes, causing upgrades to fail and roll back in large-scale deployments with thousands of gateways and tunnels. The migration timeout is now user-configurable.

AVX-74988

Fixed an issue where Edge-as-a-Transit (EaT) gateways with HPE peering using many-to-one IP addressing could fail to report tunnel status to the Controller due to duplicate tunnel ping IP pairs in the monitoring job.

AVX-75256

Fixed an issue where FQDN gateway data was not correctly displayed after upgrading from version 7.2.x to 8.0 or later, causing the Egress FQDN Gateway View to appear empty. Gateways with FQDN tags now display correctly in the UI and are returned properly by the list_fqdn_gateways API.

AVX-75301

Fixed an issue where certain license types were unable to enable Distributed Cloud Firewall (DCF) on Controller versions 8.0.10 through 8.0.50. A license validation check that was removed in 8.1+ had not been backported to the 8.0.x branch, causing a controller error when users with affected license types attempted to enable DCF.

AVX-75944

Fixed an issue where migrating an existing Controller to a new Controller VM could temporarily disrupt datapath on gateways with NAT configured due to configuration changes being applied too early during database migration.

Known Issues in Aviatrix Release 8.0.60

Issue Description

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

  • Existing gateways may be deleted during image upgrade

  • Replacement gateway creation fails due to missing subscription

  • Customers may experience connectivity loss and dangling gateway entries in the Controller

  • Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

  • Schedule gateway upgrades during maintenance windows or low-traffic periods.

  • Use HA deployments and upgrade gateways one at a time in HA pairs.

  • Monitor logs for "Failed to load policy" messages to confirm when policies are reloaded.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

  • Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing

  • No impact on actual VRRP traffic handling or failover behavior.

Workaround:

  • Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

  • Firewall integration appears stuck in Unaccessible state

  • Recovery does not occur automatically after initial failure

  • May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66631

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Impact:

  • Traffic loss may persist after image upgrade completes

  • Route service startup is blocked until all tunnels are sequentially reconfigured

  • Configuration push may time out with Context cancelled during Phase 1 Create error

Workaround:

  • Schedule maintenance windows to account for potential traffic loss beyond upgrade completion.

  • Consider staggering upgrades across transit gateways to reduce impacts.

  • Monitor tunnel and route service status post-upgrade through the CoPilot UI.

AVX-67126

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

AVX-67571

OpenVPN clients could not connect to VPN gateways configured with DUO multi-factor authentication (MFA) in Oracle Cloud Infrastructure (OCI) environments due to ECONNREFUSED errors during tunnel establishment.

Workaround:

Contact Aviatrix Support for assistance.

AVX-68013

In Controller version 8.0.10, Spoke-to-Transit attachments initiated through Terraform may fail with a decode check_task_status failed error during gateway creation.

This issue occurs when multiple API calls are executed in rapid succession, causing the Controller to occasionally return an empty response body for the check_task_status API.

Affected Scenario:

  • Spoke-to-Transit attachments created using the Aviatrix Terraform provider.

  • More likely during parallel or batch gateway deployments across any cloud (AWS, Azure, GCP, OCI).

Impact:

  • Terraform reports an error such as unexpected end of JSON input.

  • The Spoke-to-Transit attachment may still succeed, but Terraform marks the operation as failed.

Workaround:

  • Retry the Terraform operation.

  • Reduce parallelism for Terraform runs if possible.

AVX-68561

In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage.

Impact:

  • Gateway configurations may show as out of sync in the Controller UI

  • Controller CPU utilization (conduit process) increases significantly

  • Performance degradation may occur during DCF S2C operations

  • Issue may persist after disabling DCF S2C

Workaround:

  • Monitor Controller CPU usage before enabling DCF S2C in large-scale environments.

  • Consider enabling DCF S2C during scheduled maintenance windows.

  • For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.

AVX-68606

Traffic loss may occur through AEP Edge-as-Spoke gateways during a gateway software upgrade.

Impact:

  • Traffic flowing through AEP Edge-as-Spoke gateways may be disrupted during software upgrade

  • The disruption may persist beyond the expected upgrade window

Workaround:

Schedule gateway software upgrades during maintenance windows. Contact Aviatrix Support for assistance.

AVX-68726

On Azure Controllers with Controller Security Group Management enabled, an existing gateway might go into keepalive fail status while a new gateway is being created.

Due to this bug, while creating a new gateway the Controller may automatically disable Controller Security Group Management, which impacts the connectivity between gateway and controller.

Impact:

  • Controller Security Group Management may be disabled unexpectedly.

  • Security group rules of the SG attached to the Controller might get deleted.

Workaround:

Enable "Controller Security Group Management" manually, or contact Aviatrix Support for assistance.

AVX-68887

When attaching VPN users to profiles using the attach_vpn_user_to_profile API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully.

Impact:

VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected.

Workaround:

None.

AVX-69649

The migration dry-run EIP accounting does not include public IPs that are not part of the Elastic IP quota, potentially producing inaccurate dry-run results.

Impact:

  • Dry-run migration reports may show incorrect EIP usage

  • Actual migration may encounter unexpected EIP limitations

Workaround:

Manually verify EIP allocation and quotas before performing the migration. Contact Aviatrix Support for assistance.

AVX-71057

The CoPilot UI may not accurately reflect real-time Controller migration progress, potentially showing stale or incomplete status information.

Impact:

  • Migration progress may not be displayed accurately in CoPilot

  • Users may not have visibility into the current migration state

Workaround:

Monitor migration progress through Controller logs or API. Contact Aviatrix Support for assistance.

AVX-71122

The Controller failed to fetch and update new SAML signing certificates after Identity Provider (IdP) certificate rotation, causing SAML single sign-on (SSO) authentication failures.

Workaround:

Contact Aviatrix Support for assistance.

AVX-71135

The AM4.0 database migration may fail when the tunnel database timestamp field contains string values instead of the expected integer type. This can block Controller upgrades that include the AM4.0 migration step.

Impact:

  • Controller upgrade may fail during database migration

  • The Controller will remain on the previous version

Workaround:

Contact Aviatrix Support for assistance with correcting the database field values before retrying the upgrade.

AVX-71280

The traffic_ctl process may consume 100% CPU, potentially causing traffic processing disruptions on affected gateways.

Impact:

  • Gateway CPU utilization may spike due to traffic_ctl process

  • Traffic processing may be degraded or disrupted

Workaround:

Contact Aviatrix Support for assistance.

AVX-71672

Upgrading the Controller to version 8.1 could fail during database migration if the tunnel rtt_avg field contained None values. The migration logic now correctly handles these values, preventing conversion errors and allowing the upgrade to complete successfully.

Workaround:

Contact Aviatrix Support for assistance.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

  • VPN gateway deployment fails

  • Error message does not clearly indicate the root cause

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-72207

Upgrading OpenVPN gateways to Controller version 8.1 with profiles containing FQDN-based policies resulted in service disruption due to a DNS resolution limitation. Users can now access whitelisted FQDNs in OpenVPN Profiles after upgrading.

Workaround:

Contact Aviatrix Support for assistance.

AVX-72369

When multiple syslog profiles are configured on the Controller, performing a gateway image upgrade results in gateways being removed from syslog profiles that have only a subset of gateways specified in the include list.

Impact:

  • Remote syslog logs are no longer forwarded to the configured syslog servers for the affected gateways

Workaround:

Manually re-add the required gateways to the affected syslog profiles after the upgrade.

AVX-72553

The SAML Endpoint field is not displayed when creating a VPN user for GeoVPN configurations with a SAML-enabled gateway.

Impact:

  • VPN user creation for GeoVPN with SAML may not display the required SAML Endpoint field

  • Administrators may not be able to configure SAML endpoints during user creation

Workaround:

Contact Aviatrix Support for assistance.

AVX-72835

The database migration during Controller upgrade to 8.1 could fail if a High Availability Gateway (HAGW) entry appeared before its corresponding primary gateway in the vpc_info database collection. The migration logic now correctly handles HAGW records regardless of document ordering in the database.

Workaround:

Contact Aviatrix Support for assistance.

AVX-72871

Controller software upgrade to version 8.1 may fail with the error "Please reload the page in order to upgrade" due to an issue with the database migration when the database contains string values instead of integers for the cloud_type field.

Impact:

  • The upgrade to version 8.1 will not be completed

  • The Controller will remain on the previous version

Workaround:

Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.

AVX-73001

Upgrading Spoke Gateways to version 8.1.20 in environments using Transit FireNet with Egress through Firewall and customized SNAT policies could result in loss of the default route, causing traffic disruption.

Workaround:

Contact Aviatrix Support for assistance.

AVX-73061

The Cloud Asset Inventory (CAI) service has a memory leak in its L1 cache. When cloud instances such as VMs are removed from the cloud provider, the associated network interfaces remain cached and are never cleaned up.

Impact:

  • In environments that regularly cycle VMs (such as those using spot instances), the CAI service memory consumption grows over time and is never reclaimed.

  • This can lead to high memory usage by the CAI service, potentially affecting Controller performance.

Workaround:

Contact Aviatrix Support for assistance with periodic CAI service restarts to reclaim memory.

AVX-73433

After changing rx_queue_size on a gateway interface, creating a new interface does not apply the updated rx_queue_size value.

Impact:

  • New interfaces may use default queue sizes instead of the configured value

  • Network performance may not match expected configuration

Workaround:

Contact Aviatrix Support for assistance.

AVX-73436

When using the update_spoke_vpc_route_table API to onboard an Azure route table in environments where a Spoke Gateway learns the default route (0.0.0.0/0) from an attached egress transit, the default route is not programmed in the spoke VNET route table. This affects deployments using transit with egress functionality where spoke gateways need to propagate the learned default route to their associated Azure route tables.

Impact:

  • Default route (0.0.0.0/0) is not installed in the onboarded Azure spoke VNET route table.

  • Traffic that depends on the default route through the transit egress path may not be routed correctly

Workaround:

Manually add the default route to the Azure route table. Contact Aviatrix Support for assistance.

AVX-73629

The VPC name field could be overwritten with incorrect data during the AM4.0 migration, causing affected VPC records to become unfindable via index lookups. The migration logic now correctly preserves the VPC name field.

Workaround:

Contact Aviatrix Support for assistance.

AVX-73742

Two issues with single IP HA tunnel failover in Site-to-Cloud deployments. The Controller no longer sends stale IPsec session teardown messages to gateways that temporarily lost connectivity, and now stops failover of pending tunnels to the HA gateway if the active gateway reconnects quickly, reducing unnecessary tunnel downtime.

Workaround:

Contact Aviatrix Support for assistance.

AVX-73836

DUO-integrated OpenVPN users may experience intermittent connection failures to VPN gateways due to a deprecated DUO client version.

Impact:

  • VPN connections using DUO MFA may fail intermittently

  • Users may receive 403 errors during DUO authentication

Workaround:

Contact Aviatrix Support for assistance with updating the DUO client configuration.

AVX-74226

CoPilot deployments and migrations may fail with "Unsupported instance size" errors when selecting valid instance types. The instance type validation incorrectly blocks supported sizes during CoPilot deployment or migration operations.

Impact:

  • CoPilot deployment or migration may fail when selecting certain valid instance types

  • Error message "Unsupported instance size" is displayed even for supported sizes

Workaround:

Contact Aviatrix Support for assistance with CoPilot deployment using the affected instance types.

AVX-74465

Aviatrix HPE gateway (including HA gateway) creation failed in OCI VCNs with DNS disabled. Gateways can now be created regardless of VCN DNS configuration.

Workaround:

Contact Aviatrix Support for assistance.

AVX-74577

Users are unable to modify tags on third-party firewall instances when those tags contain values with multiple colons (for example, team:iac:module.version:v1.5.3). Attempts to update tags after deployment fail with a too many values to unpack error. Initial deployment is unaffected because tags are passed via a different code path during creation.

Impact:

  • Third-party firewall instance tag updates fail when tag values contain multiple colons

  • Initial deployment with multi-colon tags is not affected

Workaround:

Avoid using multiple colons in tag values when modifying tags after deployment. Use alternative delimiters such as hyphens or underscores.

AVX-75869

In OCI environments, security list rules may not be restored when a spoke gateway re-joins a transit gateway after a leave operation.

Impact:

  • Network security rules may be missing after spoke-transit re-attachment

  • Traffic may not be properly filtered by OCI security lists

Workaround:

Manually verify and restore security list rules after re-joining. Contact Aviatrix Support for assistance.

AVX-75872

During a Controller upgrade, a locking race condition between the initial setup process and post-upgrade actions can cause post-upgrade configuration steps to fail or require manual intervention.

Impact:

  • Post-upgrade configuration may not complete automatically.

  • Manual intervention may be required to bring the Controller to a fully configured state after the upgrade.

Workaround:

Contact Aviatrix Support to manually complete the post-upgrade configuration.

AVX-76132

Unable to configure more than one OpenVPN gateway behind a UDP Load Balancer. Only the first gateway is retained while additional gateways are incorrectly excluded. This issue affects versions 6.9, 7.x, 8.x, and 9.0.0.

Impact:

  • Multi-gateway VPN deployments relying on UDP load balancing for redundancy or scale are affected.

  • No impact on single-gateway deployments or data plane traffic.

  • Existing multi-gateway configurations set up in 6.x continue to function after upgrading to 7.x or 8.x. Only new deployments or modifications to existing configurations are affected.

Workaround:

Contact Aviatrix Support for assistance in applying the workaround.

AVX-76296

During routine gateway operations (such as resize or image upgrade) in GCP global VPC environments, traffic may be blackholed due to incorrect route handling.

Impact:

  • Traffic through the affected gateway may be dropped during operations

  • GCP global VPC routing may be temporarily disrupted

Workaround:

Schedule gateway operations during maintenance windows. Contact Aviatrix Support for assistance.

AVX-76413

When the avx-ctrl-state-sync service starts up and finds gateways stored as "Down" in etcd, the controller reprograms the network as if those gateways are down, without allowing time for the gateways to connect and prove they are up. This can occur when the controller has previously lost connectivity to gateways (for example, during a transient network issue) and the service then restarts while the gateways themselves remain healthy and continue forwarding traffic.

Impact:

A temporary dataplane disruption occurs while the controller has the gateways marked as down. The controller automatically detects the gateways are up and reprograms the network correctly immediately afterward. In a large-scale user deployment (~1,400 gateways), full recovery completed in approximately 6 minutes. The underlying behavior has existed for 4+ years and has been observed in a user environment only once.

Workaround:

Not applicable. The system recovers automatically; no user action is required. Recovery typically completes within minutes (~6 min observed in a ~1,400-gateway deployment; smaller deployments recover faster).

AVX-77487

On Site-to-Cloud (S2C) gateways running 8.0.x, customized NAT rules configured on S2C interfaces may not be applied by the gateway’s NAT translator.

Impact:

  • Customer-defined NAT rules on S2C interfaces are not honored, leading to incorrect or missing address translation on traffic traversing those tunnels

  • Workloads that depend on these custom NAT rules may experience connectivity disruptions

Workaround:

Contact Aviatrix Support for assistance.