8.0.60 Release Notes

Release Date: 12 May 2026

Corrected Issues in Aviatrix Release 8.0.60

Issue Description

Issue	Description
AVX-70253	Fixed an issue where FireNet deployment with bootstrap configuration failed in Google Cloud due to a change in how the credential JSON file is read.
AVX-71087	Fixed an issue where the default access control rules did not properly allow ICMP traffic used for debugging. The updated rules ensure ICMP-based troubleshooting continues to work after upgrades.
AVX-71217	Fixed an issue where the VRRP state file became empty on AEP edge gateways configured in active-active HA pairs after upgrading gateway software from version 7.2 to 8.0.30. The VRRP state file now correctly retains primary/backup state information after upgrades.
AVX-71630	Resolved an issue where incorrect eBPF filters could be applied to the `eth1` interface on Azure gateways with Accelerated Networking enabled during upgrades from versions earlier than 7.2.2994. The upgrade process now properly handles interface filter configuration to prevent unintended traffic drops.
AVX-72847	Resolved an issue where the `avx-gw-state-sync` service leaked D-Bus connections on gateways. The implementation has been updated to use a shared D-Bus connection that is properly managed and cleaned up, preventing connection exhaustion during gateway operations.
AVX-73036	Fixed an issue where mapped standby tunnels had cleanup issues with mangle rules and route tables during tunnel failover operations.
AVX-73463	Fixed an issue where the gateway state sync service required a restart prior to upgrading gateways to version 7.2 or 8.0, which could cause upgrade failures if not performed.
AVX-74719	Fixed an issue where performing a Controller backup restore could cause a temporary traffic outage of approximately 40 seconds due to all routes being deleted and re-added during the etcd route reconvergence process. Routes are now preserved during backup restore to prevent traffic disruption.
AVX-74739	Fixed an issue where the database migration timeout during Controller upgrade was hard-coded at 15 minutes, causing upgrades to fail and roll back in large-scale deployments with thousands of gateways and tunnels. The migration timeout is now user-configurable.
AVX-74988	Fixed an issue where Edge-as-a-Transit (EaT) gateways with HPE peering using many-to-one IP addressing could fail to report tunnel status to the Controller due to duplicate tunnel ping IP pairs in the monitoring job.
AVX-75256	Fixed an issue where FQDN gateway data was not correctly displayed after upgrading from version 7.2.x to 8.0 or later, causing the Egress FQDN Gateway View to appear empty. Gateways with FQDN tags now display correctly in the UI and are returned properly by the `list_fqdn_gateways` API.
AVX-75301	Fixed an issue where certain license types were unable to enable Distributed Cloud Firewall (DCF) on Controller versions 8.0.10 through 8.0.50. A license validation check that was removed in 8.1+ had not been backported to the 8.0.x branch, causing a controller error when users with affected license types attempted to enable DCF.

AVX-70253

Fixed an issue where FireNet deployment with bootstrap configuration failed in Google Cloud due to a change in how the credential JSON file is read.

AVX-71087

Fixed an issue where the default access control rules did not properly allow ICMP traffic used for debugging. The updated rules ensure ICMP-based troubleshooting continues to work after upgrades.

AVX-71217

Fixed an issue where the VRRP state file became empty on AEP edge gateways configured in active-active HA pairs after upgrading gateway software from version 7.2 to 8.0.30. The VRRP state file now correctly retains primary/backup state information after upgrades.

AVX-71630

Resolved an issue where incorrect eBPF filters could be applied to the eth1 interface on Azure gateways with Accelerated Networking enabled during upgrades from versions earlier than 7.2.2994. The upgrade process now properly handles interface filter configuration to prevent unintended traffic drops.

AVX-72847

Resolved an issue where the avx-gw-state-sync service leaked D-Bus connections on gateways. The implementation has been updated to use a shared D-Bus connection that is properly managed and cleaned up, preventing connection exhaustion during gateway operations.

AVX-73036

Fixed an issue where mapped standby tunnels had cleanup issues with mangle rules and route tables during tunnel failover operations.

AVX-73463

Fixed an issue where the gateway state sync service required a restart prior to upgrading gateways to version 7.2 or 8.0, which could cause upgrade failures if not performed.

AVX-74719

Fixed an issue where performing a Controller backup restore could cause a temporary traffic outage of approximately 40 seconds due to all routes being deleted and re-added during the etcd route reconvergence process. Routes are now preserved during backup restore to prevent traffic disruption.

AVX-74739

Fixed an issue where the database migration timeout during Controller upgrade was hard-coded at 15 minutes, causing upgrades to fail and roll back in large-scale deployments with thousands of gateways and tunnels. The migration timeout is now user-configurable.

AVX-74988

Fixed an issue where Edge-as-a-Transit (EaT) gateways with HPE peering using many-to-one IP addressing could fail to report tunnel status to the Controller due to duplicate tunnel ping IP pairs in the monitoring job.

AVX-75256

Fixed an issue where FQDN gateway data was not correctly displayed after upgrading from version 7.2.x to 8.0 or later, causing the Egress FQDN Gateway View to appear empty. Gateways with FQDN tags now display correctly in the UI and are returned properly by the list_fqdn_gateways API.

AVX-75301

Fixed an issue where certain license types were unable to enable Distributed Cloud Firewall (DCF) on Controller versions 8.0.10 through 8.0.50. A license validation check that was removed in 8.1+ had not been backported to the 8.0.x branch, causing a controller error when users with affected license types attempted to enable DCF.

Known Issues in Aviatrix Release 8.0.60

Issue Description

Issue	Description
AVX-62003	Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages. Impact: Existing gateways may be deleted during image upgrade Replacement gateway creation fails due to missing subscription Customers may experience connectivity loss and dangling gateway entries in the Controller Manual intervention required, leading to support escalations Workaround: None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.
AVX-62299	When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway. To avoid this issue, follow the correct upgrade sequence: Upgrade the PSF Gateway first. Wait for the PSF Gateway upgrade to complete successfully. Then upgrade the dependent Spoke Gateways.
AVX-62506	During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity. Workaround: None Recommendations: Schedule gateway upgrades during maintenance windows or low-traffic periods. Use HA deployments and upgrade gateways one at a time in HA pairs. Monitor logs for "Failed to load policy" messages to confirm when policies are reloaded.
AVX-64868	In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting. Impact: Controller UI may show incorrect VRRP status such as both peers reporting `Primary` or `Initializing` No impact on actual VRRP traffic handling or failover behavior. Workaround: Use diagnostic logs to verify actual VRRP state
AVX-65016	In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes. Impact: Firewall integration appears stuck in Unaccessible state Recovery does not occur automatically after initial failure May require manual intervention to restore proper firewall state reporting Workaround: Contact Aviatrix Support for manual correction.
AVX-66631	Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration. Impact: Traffic loss may persist after image upgrade completes Route service startup is blocked until all tunnels are sequentially reconfigured Configuration push may time out with `Context cancelled during Phase 1 Create` error Workaround: Schedule maintenance windows to account for potential traffic loss beyond upgrade completion. Consider staggering upgrades across transit gateways to reduce impacts. Monitor tunnel and route service status post-upgrade through the CoPilot UI.
AVX-67126	Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.
AVX-67571	OpenVPN clients could not connect to VPN gateways configured with DUO multi-factor authentication (MFA) in Oracle Cloud Infrastructure (OCI) environments due to `ECONNREFUSED` errors during tunnel establishment. Workaround: Contact Aviatrix Support for assistance.
AVX-68013	In Controller version 8.0.10, Spoke-to-Transit attachments initiated through Terraform may fail with a `decode check_task_status failed` error during gateway creation. This issue occurs when multiple API calls are executed in rapid succession, causing the Controller to occasionally return an empty response body for the `check_task_status` API. Affected Scenario: Spoke-to-Transit attachments created using the Aviatrix Terraform provider. More likely during parallel or batch gateway deployments across any cloud (AWS, Azure, GCP, OCI). Impact: Terraform reports an error such as `unexpected end of JSON input`. The Spoke-to-Transit attachment may still succeed, but Terraform marks the operation as failed. Workaround: Retry the Terraform operation. Reduce parallelism for Terraform runs if possible.
AVX-68561	In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage. Impact: Gateway configurations may show as out of sync in the Controller UI Controller CPU utilization (conduit process) increases significantly Performance degradation may occur during DCF S2C operations Issue may persist after disabling DCF S2C Workaround: Monitor Controller CPU usage before enabling DCF S2C in large-scale environments. Consider enabling DCF S2C during scheduled maintenance windows. For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.
AVX-68606	Traffic loss may occur through AEP Edge-as-Spoke gateways during a gateway software upgrade. Impact: Traffic flowing through AEP Edge-as-Spoke gateways may be disrupted during software upgrade The disruption may persist beyond the expected upgrade window Workaround: Schedule gateway software upgrades during maintenance windows. Contact Aviatrix Support for assistance.
AVX-68726	On Azure Controllers with Controller Security Group Management enabled, existing gateway might go to keepalive fail status while creating a new gateway. Due to this bug, while creating a new gateway the Controller may automatically disable Controller Security Group Management, which impacts the connectivity between gateway and controller. Impact: Controller Security Group Management may be disabled unexpectedly. Security group rules of the SG attached to controller might get deleted Workaround: Enable "Controller Security Group Management" manually, or contact Aviatrix Support for assistance.
AVX-68887	When attaching VPN users to profiles using the `attach_vpn_user_to_profile` API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully. Impact: VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected. Workaround: None.
AVX-69649	The migration dry-run EIP accounting does not include public IPs that are not part of the Elastic IP quota, potentially producing inaccurate dry-run results. Impact: Dry-run migration reports may show incorrect EIP usage Actual migration may encounter unexpected EIP limitations Workaround: Manually verify EIP allocation and quotas before performing the migration. Contact Aviatrix Support for assistance.
AVX-71057	The CoPilot UI may not accurately reflect real-time Controller migration progress, potentially showing stale or incomplete status information. Impact: Migration progress may not be displayed accurately in CoPilot Users may not have visibility into the current migration state Workaround: Monitor migration progress through Controller logs or API. Contact Aviatrix Support for assistance.
AVX-71122	The Controller failed to fetch and update new SAML signing certificates after Identity Provider (IdP) certificate rotation, causing SAML single sign-on (SSO) authentication failures. Workaround: Contact Aviatrix Support for assistance.
AVX-71135	The AM4.0 database migration may fail when the tunnel database `timestamp` field contains string values instead of the expected integer type. This can block Controller upgrades that include the AM4.0 migration step. Impact: Controller upgrade may fail during database migration The Controller will remain on the previous version Workaround: Contact Aviatrix Support for assistance with correcting the database field values before retrying the upgrade.
AVX-71280	The `traffic_ctl` process may consume 100% CPU, potentially causing traffic processing disruptions on affected gateways. Impact: Gateway CPU utilization may spike due to `traffic_ctl` process Traffic processing may be degraded or disrupted Workaround: Contact Aviatrix Support for assistance.
AVX-71453	Azure HPE Transit HA Gateway resize may fail when there is insufficient secondary IP address space available in the subnet. Impact: HA Gateway resize operation fails The gateway remains at its current size Workaround: Ensure sufficient IP address space is available in the gateway subnet before attempting a resize. Contact Aviatrix Support for assistance.
AVX-71489	The Controller’s inventory table grew excessively large due to duplicate entries being inserted for each inventory operation instead of updating existing records. The inventory process now correctly updates matching records, preventing unnecessary database bloat. Workaround: Contact Aviatrix Support for assistance.
AVX-71494	When CoPilot Asset Inventory (CAI) performs queries on the inventory table, the existing database indexes are not utilized effectively, causing performance degradation during inventory operations. Impact: Delayed inventory data retrieval and reporting Increased database load during CAI operations Slower CoPilot dashboard performance when displaying asset information Workaround: None.
AVX-71672	Upgrading the Controller to version 8.1 could fail during database migration if the tunnel `rtt_avg` field contained `None` values. The migration logic now correctly handles these values, preventing conversion errors and allowing the upgrade to complete successfully. Workaround: Contact Aviatrix Support for assistance.
AVX-71686	Azure Controllers using disks with IOPS less than 500 may experience performance issues. This limitation can lead to system instability and processing delays during high I/O operations. Affected Scenario: Azure Controllers deployed with disk types that provide less than 500 IOPS Impact: System instability during high I/O operations Processing delays and performance degradation Potential service disruptions in production environments Workaround: Upgrade the Azure controller disk tier to minimum 500 IOPS through Azure portal disk configuration settings.
AVX-71820	When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails. Impact: VPN gateway deployment fails Error message does not clearly indicate the root cause Workaround: Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.
AVX-72207	Upgrading OpenVPN gateways to Controller version 8.1 with profiles containing FQDN-based policies resulted in service disruption due to a DNS resolution limitation. Users can now access whitelisted FQDNs in OpenVPN Profiles after upgrading. Workaround: Contact Aviatrix Support for assistance.
AVX-72369	When multiple syslog profiles are configured on the Controller, performing a gateway image upgrade results in gateways being removed from syslog profiles that have only a subset of gateways specified in the include list. Impact: Remote syslog logs are no longer forwarded to the configured syslog servers for the affected gateways Workaround: Manually re-add the required gateways to the affected syslog profiles after the upgrade.
AVX-72553	The SAML Endpoint field is not displayed when creating a VPN user for GeoVPN configurations with a SAML-enabled gateway. Impact: VPN user creation for GeoVPN with SAML may not display the required SAML Endpoint field Administrators may not be able to configure SAML endpoints during user creation Workaround: Contact Aviatrix Support for assistance.
AVX-72835	The database migration during Controller upgrade to 8.1 could fail if a High Availability Gateway (HAGW) entry appeared before its corresponding primary gateway in the `vpc_info` database collection. The migration logic now correctly handles HAGW records regardless of document ordering in the database. Workaround: Contact Aviatrix Support for assistance.
AVX-72871	Controller software upgrade to version 8.1 may fail with the error "Please reload the page in order to upgrade" due to an issue with the database migration when the database contains string values instead of integers for the `cloud_type` field. Impact: The upgrade to version 8.1 will not be completed The Controller will remain on the previous version Workaround: Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.
AVX-73001	Upgrading Spoke Gateways to version 8.1.20 in environments using Transit FireNet with Egress through Firewall and customized SNAT policies could result in loss of the default route, causing traffic disruption. Workaround: Contact Aviatrix Support for assistance.
AVX-73433	After changing `rx_queue_size` on a gateway interface, creating a new interface does not apply the updated `rx_queue_size` value. Impact: New interfaces may use default queue sizes instead of the configured value Network performance may not match expected configuration Workaround: Contact Aviatrix Support for assistance.
AVX-73436	When using the `update_spoke_vpc_route_table` API to onboard an Azure route table in environments where a Spoke Gateway learns the default route (0.0.0.0/0) from an attached egress transit, the default route is not programmed in the spoke VNET route table. This affects deployments using transit with egress functionality where spoke gateways need to propagate the learned default route to their associated Azure route tables. Impact: Default route (0.0.0.0/0) is not installed in the onboarded Azure spoke VNET route table. Traffic that depends on the default route through the transit egress path may not be routed correctly Workaround: Manually add the default route to the Azure route table. Contact Aviatrix Support for assistance.
AVX-73629	The VPC name field could be overwritten with incorrect data during the AM4.0 migration, causing affected VPC records to become unfindable via index lookups. The migration logic now correctly preserves the VPC name field. Workaround: Contact Aviatrix Support for assistance.
AVX-73742	Two issues with single IP HA tunnel failover in Site-to-Cloud deployments. The Controller no longer sends stale IPsec session teardown messages to gateways that temporarily lost connectivity, and now stops failover of pending tunnels to the HA gateway if the active gateway reconnects quickly, reducing unnecessary tunnel downtime. Workaround: Contact Aviatrix Support for assistance.
AVX-73836	DUO-integrated OpenVPN users may experience intermittent connection failures to VPN gateways due to a deprecated DUO client version. Impact: VPN connections using DUO MFA may fail intermittently Users may receive 403 errors during DUO authentication Workaround: Contact Aviatrix Support for assistance with updating the DUO client configuration.
AVX-74226	CoPilot deployments and migrations may fail with "Unsupported instance size" errors when selecting valid instance types. The instance type validation incorrectly blocks supported sizes during CoPilot deployment or migration operations. Impact: CoPilot deployment or migration may fail when selecting certain valid instance types Error message "Unsupported instance size" is displayed even for supported sizes Workaround: Contact Aviatrix Support for assistance with CoPilot deployment using the affected instance types.
AVX-74465	Aviatrix HPE gateway (including HA gateway) creation failed in OCI VCNs with DNS disabled. Gateways can now be created regardless of VCN DNS configuration. Workaround: Contact Aviatrix Support for assistance.
AVX-74577	Users are unable to modify tags on third-party firewall instances when those tags contain values with multiple colons (for example, `team:iac:module.version:v1.5.3`). Attempts to update tags after deployment fail with a `too many values to unpack` error. Initial deployment is unaffected because tags are passed via a different code path during creation. Impact: Third-party firewall instance tag updates fail when tag values contain multiple colons Initial deployment with multi-colon tags is not affected Workaround: Avoid using multiple colons in tag values when modifying tags after deployment. Use alternative delimiters such as hyphens or underscores.
AVX-75869	In OCI environments, security list rules may not be restored when a spoke gateway re-joins a transit gateway after a leave operation. Impact: Network security rules may be missing after spoke-transit re-attachment Traffic may not be properly filtered by OCI security lists Workaround: Manually verify and restore security list rules after re-joining. Contact Aviatrix Support for assistance.
AVX-75872	A locking race condition between initial setup and post-upgrade actions may cause gateway configuration issues after upgrade. Impact: Gateway may not complete post-upgrade configuration correctly Manual intervention may be required Workaround: Contact Aviatrix Support for assistance.
AVX-76132	Deploying more than one OpenVPN gateway behind a UDP load balancer is not supported and may fail. Impact: Only one OpenVPN gateway can be placed behind a UDP load balancer Attempts to add additional gateways may fail Workaround: Use a single OpenVPN gateway behind each UDP load balancer. Contact Aviatrix Support for assistance.
AVX-76296	During routine gateway operations (such as resize or image upgrade) in GCP global VPC environments, traffic may be blackholed due to incorrect route handling. Impact: Traffic through the affected gateway may be dropped during operations GCP global VPC routing may be temporarily disrupted Workaround: Schedule gateway operations during maintenance windows. Contact Aviatrix Support for assistance.
AVX-76413	After a Controller restart or recovery, gateways that were temporarily unreachable may not be given sufficient time to reconnect before being marked as permanently down. Impact: Gateways that are temporarily unreachable during a Controller restart may be incorrectly treated as permanently down Unnecessary gateway replacement or failover actions may be triggered for gateways that would have reconnected given more time Workaround: None.

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

Existing gateways may be deleted during image upgrade
Replacement gateway creation fails due to missing subscription
Customers may experience connectivity loss and dangling gateway entries in the Controller
Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

Upgrade the PSF Gateway first.
Wait for the PSF Gateway upgrade to complete successfully.
Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

Schedule gateway upgrades during maintenance windows or low-traffic periods.
Use HA deployments and upgrade gateways one at a time in HA pairs.
Monitor logs for "Failed to load policy" messages to confirm when policies are reloaded.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing
No impact on actual VRRP traffic handling or failover behavior.

Workaround:

Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

Firewall integration appears stuck in Unaccessible state

Recovery does not occur automatically after initial failure

May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66631

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Impact:

Traffic loss may persist after image upgrade completes
Route service startup is blocked until all tunnels are sequentially reconfigured
Configuration push may time out with Context cancelled during Phase 1 Create error

Workaround:

Schedule maintenance windows to account for potential traffic loss beyond upgrade completion.
Consider staggering upgrades across transit gateways to reduce impacts.
Monitor tunnel and route service status post-upgrade through the CoPilot UI.

AVX-67126

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

AVX-67571

OpenVPN clients could not connect to VPN gateways configured with DUO multi-factor authentication (MFA) in Oracle Cloud Infrastructure (OCI) environments due to ECONNREFUSED errors during tunnel establishment.

Workaround:

Contact Aviatrix Support for assistance.

AVX-68013

In Controller version 8.0.10, Spoke-to-Transit attachments initiated through Terraform may fail with a decode check_task_status failed error during gateway creation.

This issue occurs when multiple API calls are executed in rapid succession, causing the Controller to occasionally return an empty response body for the check_task_status API.

Affected Scenario:

Spoke-to-Transit attachments created using the Aviatrix Terraform provider.
More likely during parallel or batch gateway deployments across any cloud (AWS, Azure, GCP, OCI).

Impact:

Terraform reports an error such as unexpected end of JSON input.
The Spoke-to-Transit attachment may still succeed, but Terraform marks the operation as failed.

Workaround:

Retry the Terraform operation.
Reduce parallelism for Terraform runs if possible.

AVX-68561

In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage.

Impact:

Gateway configurations may show as out of sync in the Controller UI

Controller CPU utilization (conduit process) increases significantly

Performance degradation may occur during DCF S2C operations

Issue may persist after disabling DCF S2C

Workaround:

Monitor Controller CPU usage before enabling DCF S2C in large-scale environments.

Consider enabling DCF S2C during scheduled maintenance windows.

For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.

AVX-68606

Traffic loss may occur through AEP Edge-as-Spoke gateways during a gateway software upgrade.

Impact:

Traffic flowing through AEP Edge-as-Spoke gateways may be disrupted during software upgrade
The disruption may persist beyond the expected upgrade window

Workaround:

Schedule gateway software upgrades during maintenance windows. Contact Aviatrix Support for assistance.

AVX-68726

On Azure Controllers with Controller Security Group Management enabled, existing gateway might go to keepalive fail status while creating a new gateway.

Due to this bug, while creating a new gateway the Controller may automatically disable Controller Security Group Management, which impacts the connectivity between gateway and controller.

Impact:

Controller Security Group Management may be disabled unexpectedly.
Security group rules of the SG attached to controller might get deleted

Workaround:

Enable "Controller Security Group Management" manually, or contact Aviatrix Support for assistance.

AVX-68887

When attaching VPN users to profiles using the attach_vpn_user_to_profile API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully.

Impact:

VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected.

Workaround:

None.

AVX-69649

The migration dry-run EIP accounting does not include public IPs that are not part of the Elastic IP quota, potentially producing inaccurate dry-run results.

Impact:

Dry-run migration reports may show incorrect EIP usage
Actual migration may encounter unexpected EIP limitations

Workaround:

Manually verify EIP allocation and quotas before performing the migration. Contact Aviatrix Support for assistance.

AVX-71057

The CoPilot UI may not accurately reflect real-time Controller migration progress, potentially showing stale or incomplete status information.

Impact:

Migration progress may not be displayed accurately in CoPilot
Users may not have visibility into the current migration state

Workaround:

Monitor migration progress through Controller logs or API. Contact Aviatrix Support for assistance.

AVX-71122

The Controller failed to fetch and update new SAML signing certificates after Identity Provider (IdP) certificate rotation, causing SAML single sign-on (SSO) authentication failures.

Workaround:

Contact Aviatrix Support for assistance.

AVX-71135

The AM4.0 database migration may fail when the tunnel database timestamp field contains string values instead of the expected integer type. This can block Controller upgrades that include the AM4.0 migration step.

Impact:

Controller upgrade may fail during database migration
The Controller will remain on the previous version

Workaround:

Contact Aviatrix Support for assistance with correcting the database field values before retrying the upgrade.

AVX-71280

The traffic_ctl process may consume 100% CPU, potentially causing traffic processing disruptions on affected gateways.

Impact:

Gateway CPU utilization may spike due to traffic_ctl process
Traffic processing may be degraded or disrupted

Workaround:

Contact Aviatrix Support for assistance.

AVX-71453

Azure HPE Transit HA Gateway resize may fail when there is insufficient secondary IP address space available in the subnet.

Impact:

HA Gateway resize operation fails
The gateway remains at its current size

Workaround:

Ensure sufficient IP address space is available in the gateway subnet before attempting a resize. Contact Aviatrix Support for assistance.

AVX-71489

The Controller’s inventory table grew excessively large due to duplicate entries being inserted for each inventory operation instead of updating existing records. The inventory process now correctly updates matching records, preventing unnecessary database bloat.

Workaround:

Contact Aviatrix Support for assistance.

AVX-71494

When CoPilot Asset Inventory (CAI) performs queries on the inventory table, the existing database indexes are not utilized effectively, causing performance degradation during inventory operations.

Impact:

Delayed inventory data retrieval and reporting
Increased database load during CAI operations
Slower CoPilot dashboard performance when displaying asset information

Workaround:

None.

AVX-71672

Upgrading the Controller to version 8.1 could fail during database migration if the tunnel rtt_avg field contained None values. The migration logic now correctly handles these values, preventing conversion errors and allowing the upgrade to complete successfully.

Workaround:

Contact Aviatrix Support for assistance.

AVX-71686

Azure Controllers using disks with IOPS less than 500 may experience performance issues. This limitation can lead to system instability and processing delays during high I/O operations.

Affected Scenario:

Azure Controllers deployed with disk types that provide less than 500 IOPS

Impact:

System instability during high I/O operations
Processing delays and performance degradation
Potential service disruptions in production environments

Workaround:

Upgrade the Azure controller disk tier to minimum 500 IOPS through Azure portal disk configuration settings.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

VPN gateway deployment fails
Error message does not clearly indicate the root cause

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-72207

Upgrading OpenVPN gateways to Controller version 8.1 with profiles containing FQDN-based policies resulted in service disruption due to a DNS resolution limitation. Users can now access whitelisted FQDNs in OpenVPN Profiles after upgrading.

Workaround:

Contact Aviatrix Support for assistance.

AVX-72369

When multiple syslog profiles are configured on the Controller, performing a gateway image upgrade results in gateways being removed from syslog profiles that have only a subset of gateways specified in the include list.

Impact:

Remote syslog logs are no longer forwarded to the configured syslog servers for the affected gateways

Workaround:

Manually re-add the required gateways to the affected syslog profiles after the upgrade.

AVX-72553

The SAML Endpoint field is not displayed when creating a VPN user for GeoVPN configurations with a SAML-enabled gateway.

Impact:

VPN user creation for GeoVPN with SAML may not display the required SAML Endpoint field
Administrators may not be able to configure SAML endpoints during user creation

Workaround:

Contact Aviatrix Support for assistance.

AVX-72835

The database migration during Controller upgrade to 8.1 could fail if a High Availability Gateway (HAGW) entry appeared before its corresponding primary gateway in the vpc_info database collection. The migration logic now correctly handles HAGW records regardless of document ordering in the database.

Workaround:

Contact Aviatrix Support for assistance.

AVX-72871

Controller software upgrade to version 8.1 may fail with the error "Please reload the page in order to upgrade" due to an issue with the database migration when the database contains string values instead of integers for the cloud_type field.

Impact:

The upgrade to version 8.1 will not be completed
The Controller will remain on the previous version

Workaround:

Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.

AVX-73001

Upgrading Spoke Gateways to version 8.1.20 in environments using Transit FireNet with Egress through Firewall and customized SNAT policies could result in loss of the default route, causing traffic disruption.

Workaround:

Contact Aviatrix Support for assistance.

AVX-73433

After changing rx_queue_size on a gateway interface, creating a new interface does not apply the updated rx_queue_size value.

Impact:

New interfaces may use default queue sizes instead of the configured value
Network performance may not match expected configuration

Workaround:

Contact Aviatrix Support for assistance.

AVX-73436

When using the update_spoke_vpc_route_table API to onboard an Azure route table in environments where a Spoke Gateway learns the default route (0.0.0.0/0) from an attached egress transit, the default route is not programmed in the spoke VNET route table. This affects deployments using transit with egress functionality where spoke gateways need to propagate the learned default route to their associated Azure route tables.

Impact:

Default route (0.0.0.0/0) is not installed in the onboarded Azure spoke VNET route table.
Traffic that depends on the default route through the transit egress path may not be routed correctly

Workaround:

Manually add the default route to the Azure route table. Contact Aviatrix Support for assistance.

AVX-73629

The VPC name field could be overwritten with incorrect data during the AM4.0 migration, causing affected VPC records to become unfindable via index lookups. The migration logic now correctly preserves the VPC name field.

Workaround:

Contact Aviatrix Support for assistance.

AVX-73742

Two issues with single IP HA tunnel failover in Site-to-Cloud deployments. The Controller no longer sends stale IPsec session teardown messages to gateways that temporarily lost connectivity, and now stops failover of pending tunnels to the HA gateway if the active gateway reconnects quickly, reducing unnecessary tunnel downtime.

Workaround:

Contact Aviatrix Support for assistance.

AVX-73836

DUO-integrated OpenVPN users may experience intermittent connection failures to VPN gateways due to a deprecated DUO client version.

Impact:

VPN connections using DUO MFA may fail intermittently
Users may receive 403 errors during DUO authentication

Workaround:

Contact Aviatrix Support for assistance with updating the DUO client configuration.

AVX-74226

CoPilot deployments and migrations may fail with "Unsupported instance size" errors when selecting valid instance types. The instance type validation incorrectly blocks supported sizes during CoPilot deployment or migration operations.

Impact:

CoPilot deployment or migration may fail when selecting certain valid instance types

Error message "Unsupported instance size" is displayed even for supported sizes

Workaround:

Contact Aviatrix Support for assistance with CoPilot deployment using the affected instance types.

AVX-74465

Aviatrix HPE gateway (including HA gateway) creation failed in OCI VCNs with DNS disabled. Gateways can now be created regardless of VCN DNS configuration.

Workaround:

Contact Aviatrix Support for assistance.

AVX-74577

Users are unable to modify tags on third-party firewall instances when those tags contain values with multiple colons (for example, team:iac:module.version:v1.5.3). Attempts to update tags after deployment fail with a too many values to unpack error. Initial deployment is unaffected because tags are passed via a different code path during creation.

Impact:

Third-party firewall instance tag updates fail when tag values contain multiple colons
Initial deployment with multi-colon tags is not affected

Workaround:

Avoid using multiple colons in tag values when modifying tags after deployment. Use alternative delimiters such as hyphens or underscores.

AVX-75869

In OCI environments, security list rules may not be restored when a spoke gateway re-joins a transit gateway after a leave operation.

Impact:

Network security rules may be missing after spoke-transit re-attachment
Traffic may not be properly filtered by OCI security lists

Workaround:

Manually verify and restore security list rules after re-joining. Contact Aviatrix Support for assistance.

AVX-75872

A locking race condition between initial setup and post-upgrade actions may cause gateway configuration issues after upgrade.

Impact:

Gateway may not complete post-upgrade configuration correctly
Manual intervention may be required

Workaround:

Contact Aviatrix Support for assistance.

AVX-76132

Deploying more than one OpenVPN gateway behind a UDP load balancer is not supported and may fail.

Impact:

Only one OpenVPN gateway can be placed behind a UDP load balancer
Attempts to add additional gateways may fail

Workaround:

Use a single OpenVPN gateway behind each UDP load balancer. Contact Aviatrix Support for assistance.

AVX-76296

During routine gateway operations (such as resize or image upgrade) in GCP global VPC environments, traffic may be blackholed due to incorrect route handling.

Impact:

Traffic through the affected gateway may be dropped during operations
GCP global VPC routing may be temporarily disrupted

Workaround:

Schedule gateway operations during maintenance windows. Contact Aviatrix Support for assistance.

AVX-76413

After a Controller restart or recovery, gateways that were temporarily unreachable may not be given sufficient time to reconnect before being marked as permanently down.

Impact:

Gateways that are temporarily unreachable during a Controller restart may be incorrectly treated as permanently down
Unnecessary gateway replacement or failover actions may be triggered for gateways that would have reconnected given more time

Workaround:

None.