8.1.11 Release Notes

Release Date: 08 October 2025

Release Notes Last Updated: 22 December 2025

Corrected Issues in Aviatrix Release 8.1.11

Fixed several internal issues to improve overall stability and performance.

Known Issues in Aviatrix Release 8.1.11

Issue Description

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

  • Existing gateways may be deleted during image upgrade

  • Replacement gateway creation fails due to missing subscription

  • Customers may experience connectivity loss and dangling gateway entries in the Controller

  • Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

  • Schedule gateway upgrades during maintenance windows or low-traffic periods.

  • Use HA deployments and upgrade gateways one at a time in HA pairs.

  • Monitor logs for “Failed to load policy” messages to confirm when policies are reloaded.

AVX-64447

Site2Cloud High Availability (HA) tunnels may not behave correctly when toggling between Active/Active and Active/Standby modes.

Problem 1: When disabling Active/Active HA, the HA Gateway (HAGW) may retain metric 100 routes pointing to tunnel interfaces in the Gateway Route table, even though they should be removed.

Problem 2: When enabling Active/Active HA from Active/Standby, the HA Gateway tunnel may not be properly enabled. This can result in missing routes despite the UI showing Active/Active status.

Impact:

  • Inconsistent routes on the gateway while switching the Site2Cloud HA mode.

  • Potential routing gaps on the gateway lead to incorrect traffic distribution.

Workaround:

If you encounter this issue, contact Aviatrix Support for assistance.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

  • Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing

  • No impact on actual VRRP traffic handling or failover behavior.

Workaround:

  • Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

  • Firewall integration appears stuck in Unaccessible state

  • Recovery does not occur automatically after initial failure

  • May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66324

When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration.

Affected Scenario:

  • DCF Layer 7 rules configured between Smart Groups based on resource tags (for example, Kubernetes pods and VMs)

  • Both VPCs use RFC1918 IP addresses

  • Gateways are deployed in High Availability (HA) mode

Impact: Only affects notifications. Traffic enforcement continues to function as expected.

Workaround:

  • Monitor traffic flow manually

  • Use Smart Groups with static IPs or CIDRs if alerting is critical

AVX-66631

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Impact:

  • Traffic loss may persist after image upgrade completes

  • Route service startup is blocked until all tunnels are sequentially reconfigured

  • Configuration push may time out with Context cancelled during Phase 1 Create error

Workaround:

  • Schedule maintenance windows to account for potential traffic loss beyond upgrade completion.

  • Consider staggering upgrades across transit gateways to reduce impact.

  • Monitor tunnel and route service status post-upgrade through the CoPilot UI.

AVX-67126

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

AVX-67530

When Distributed Cloud Firewall (DCF) rules are configured with external groups as sources or destinations, the traffic count displayed in the Security > Distributed Cloud Firewall > Policies page may be significantly lower than the actual traffic volume shown in the Security > Distributed Cloud Firewall > Monitor page.

Impact:

  • DCF UI traffic counters underreport hits for rules using external groups.

  • Discrepancy can occur for both deny and permit rules.

  • May affect deployments using selective spoke VPCs.

  • Analysis may be misleading if relying solely on DCF UI counters.

Workaround:

  • Use the Security > Distributed Cloud Firewall > Monitor page logs for accurate traffic counts

AVX-67571

In Oracle Cloud Infrastructure (OCI) environments, OpenVPN clients cannot connect to VPN gateways configured with DUO multi-factor authentication (MFA). Connection attempts fail with ECONNREFUSED errors during tunnel establishment, preventing authentication from completing.

Impact:

  • VPN tunnels cannot be established to DUO-enabled OCI gateways

  • Only affects OCI deployments with DUO MFA

  • Other authentication methods (OKTA, LDAP) work normally

Workaround: No current workaround. Users may temporarily switch to OKTA or LDAP authentication if feasible.

AVX-68108

When upgrading the Controller from version 8.0.30 to 8.1.10, the UI may display a misleading "Service temporarily unavailable" error message immediately after the upgrade begins. This message can persist for 5–10 minutes but does not indicate upgrade failure. The upgrade continues normally in the background and the Controller becomes accessible again once the upgrade finishes.

Impact:

  • Users may believe the upgrade has failed.

  • Error message persists for 5–10 minutes, especially in larger deployments (50+ gateways).

  • No effect on upgrade success or Controller functionality.

Workaround:

  • Ignore the message during upgrade.

  • Wait 10–15 minutes for the process to complete.

  • Refresh the browser and verify the new Controller version after reconnection.

AVX-68561

In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage.

Impact:

  • Gateway configurations may show as out of sync in the Controller UI

  • Controller CPU utilization (conduit process) increases significantly

  • Performance degradation may occur during DCF S2C operations

  • Issue may persist after disabling DCF S2C

Workaround:

  • Monitor Controller CPU usage before enabling DCF S2C in large-scale environments.

  • Consider enabling DCF S2C during scheduled maintenance windows.

  • For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.

AVX-68606

During software upgrades of Edge gateways from 8.1 to 8.1.10, services may restart as part of the upgrade process, which can cause temporary traffic disruption.

Impact:

  • Temporary traffic loss during Edge gateway upgrades

  • Service disruption due to container restarts

  • More noticeable in large-scale deployments

Workaround:

  • None. Users should plan for possible disruption during upgrades.

Recommendations:

  • Schedule upgrades during maintenance windows

  • Notify stakeholders of expected downtime

  • Monitor gateway status during upgrades

AVX-69733

When upgrading Public Subnet Filtering (PSF) gateway images on Controller version 7.1 or later, the ESTABLISHED iptables firewall rule may be removed during the upgrade process.

This issue occurs on PSF gateways using the legacy stateful firewall and can alter existing firewall behavior after the upgrade.

Impact:

  • PSF gateway traffic filtering becomes incomplete

  • Network security policies may not be enforced correctly

  • Existing connections may be disrupted

Affected Scenario: PSF gateways using the legacy stateful firewall on Controller version 7.1 or later that undergo image upgrades.

Workaround:

Contact Aviatrix Support for assistance.

AVX-70253

FireNet deployment with bootstrap enabled may fail in Google Cloud due to changes in how GCP credentials are handled.

The system no longer reads GCP credentials from local files during bootstrap. Instead, credentials are retrieved as encoded data from the database, which causes bootstrap operations to fail in certain FireNet deployment workflows.

Impact: FireNet deployment with bootstrap fails in the Google Cloud environment.

Affected Scenario: FireNet deployments with bootstrap enabled in Google Cloud.

Workaround: Do not use bootstrap when deploying FireNet in Google Cloud. Alternatively, perform the bootstrap process directly from the GCP cloud.

AVX-70506

When deploying multiple GCP gateways in parallel, such as through Terraform, the deployment may create a duplicate ID in the database. When the Controller later experiences a restart, the duplicate resource ID will prevent the Controller from starting properly and block access to the web UI.

Impact:

  • Controller fails to start after restart

  • Web UI becomes inaccessible

  • Database contains duplicate resource entries for GCP resources

Workaround:

Deploy GCP gateways sequentially instead of in parallel. If duplicate resource IDs already exist, contact Aviatrix Support for assistance in cleaning up the database and restoring normal operation.

AVX-71087

When upgrading to Controller versions 8.0 or 8.1, ICMP traffic may be blocked by default due to updated access control rules that do not include allowances for ICMP-based debugging.

Affected Scenario: Environments where ICMP is used for network troubleshooting and diagnostic workflows.

Impact:

  • ICMP-based debugging tools may stop functioning

  • Network troubleshooting capabilities may be limited

  • Existing workflows that depend on ICMP may be disrupted

Workaround: Manually add access control rules to the Controller to explicitly allow ICMP traffic for debugging. Contact Aviatrix Support for assistance if needed.

AVX-71135

When upgrading to Controller 8.1, the database migration may fail if VPC tunnel records contain string values in the timestamp field instead of numeric values.

During migration, the process attempts to convert these non-numeric timestamp strings to floating-point values, which results in a conversion error and causes the upgrade to fail.

Impact: The upgrade to Controller 8.1 cannot complete and the system remains on the previous version.

Workaround: Contact Aviatrix Support for assistance.

AVX-71672

When upgrading the Controller to version 8.1, the database migration may fail if the tunnel rtt_avg field contains None values. The migration logic expects either a numeric value or the string "N/A", and encountering a None value causes the upgrade to stop.

Impact:

  • Upgrade to 8.1 cannot complete

  • Controller remains on the previous version

Workaround: Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.

AVX-71784

On transit gateways with Network Segmentation enabled, eBPF packet marking for network domains may fail under certain conditions. This can affect the correct enforcement of Network Segmentation policies.

Impact:

  • Traffic segmentation using multi-cloud transit Network Segmentation may not function as expected.

Workaround: Follow the steps below to restart the conduit service on the affected gateway:

  1. In the Controller UI, go to Troubleshoot > Diagnostics > Gateway.

  2. From Service Actions, select the affected gateway, choose Conduit as the service name, and then choose Restart Service as the action.

  3. Click OK to restart the service.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

  • VPN gateway deployment fails

  • Error message does not clearly indicate the root cause

Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2.

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.
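
A pre-deployment overlap check for the AVX-71820 workaround, as an added example that is not Aviatrix code. The gateway names and CIDRs are constructed sample values, and the function name is hypothetical; the list of existing VPN CIDRs behind the load balancer is assumed to be collected by the operator.

```python
import ipaddress

# Constructed sample data: VPN CIDRs of gateways already behind the load balancer.
EXISTING_VPN_CIDRS = {
    "vpn-gw-a": "192.168.43.0/24",
    "vpn-gw-b": "192.168.44.0/23",
    "vpn-gw-c": "10.99.0.0/16",
}


def find_vpn_cidr_conflicts(proposed, existing):
    """Return [(gateway, cidr, reason)] for each existing VPN CIDR that
    collides with the proposed one. An empty list means no overlap.
    Raises ValueError if the proposed CIDR is malformed or has host bits set."""
    new_net = ipaddress.ip_network(proposed, strict=True)
    conflicts = []
    for name, cidr in existing.items():
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            # Do not silently pass an entry that cannot be evaluated.
            conflicts.append((name, cidr, "unparseable, verify manually"))
            continue
        if net.version != new_net.version:
            continue  # IPv4 and IPv6 ranges cannot overlap
        if net == new_net:
            reason = "identical range"
        elif new_net.subnet_of(net):
            reason = "proposed range is inside existing range"
        elif net.subnet_of(new_net):
            reason = "proposed range contains existing range"
        else:
            continue
        conflicts.append((name, str(net), reason))
    return conflicts


if __name__ == "__main__":
    for candidate in ("192.168.45.0/24", "172.16.0.0/24"):
        hits = find_vpn_cidr_conflicts(candidate, EXISTING_VPN_CIDRS)
        print(candidate, "->", hits or "no overlap, safe to deploy")
```
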

AVX-72835

When upgrading to Controller 8.1, the database migration may fail if a High Availability Gateway (HAGW) entry appears before its corresponding primary gateway in the database collection. During migration, the process relies on a strict ordering: primary gateway data must be initialized before the HAGW is processed to correctly populate gateway group data. The migration may fail or leave behind gateway entries in the wrong order in the database, which can lead to further issues.

Impact:

  • The upgrade to Controller 8.1 may fail to complete

  • Gateway entries may be stored in an incorrect order in the database

Workaround:

Contact Aviatrix Support for assistance.

AVX-73061

The Cloud Asset Inventory (CAI) service has a memory leak in its L1 cache. When cloud instances such as VMs are removed from the cloud provider, the associated network interfaces remain cached and are never cleaned up.

Impact:

  • In environments that regularly cycle VMs (such as those using spot instances), the CAI service memory consumption grows over time and is never reclaimed.

  • This can lead to high memory usage by the CAI service, potentially affecting Controller performance.

Workaround:

Contact Aviatrix Support for assistance with periodic CAI service restarts to reclaim memory.

AVX-75256

After upgrading the Aviatrix Controller from version 7.2.x to 8.0 or later, gateways with FQDN tags attached may no longer be visible in the Egress FQDN Gateway View tab. The list_fqdn_gateways API returns an empty list despite the gateways being present and properly associated with their FQDN tags.

Impact:

  • Egress FQDN-enabled gateways are not displayed in the Controller UI after upgrade

  • The list_fqdn_gateways API returns an empty list

  • Gateways remain operational and FQDN tag associations are intact

Workaround:

Contact Aviatrix Support for assistance.

AVX-77088

On Controllers and gateways running 8.1.x or 8.2.x, editing legacy FQDN domain name filters can cause all FQDN filtering processes on the gateway to stop simultaneously. Gateway monitoring restarts the processes automatically, but a brief filtering outage may occur during the restart.

Impact:

  • FQDN filtering on the gateway may experience a short interruption when domain name filters are edited.

  • Traffic that depends on FQDN filtering may be briefly affected until the filtering processes restart.

Workaround:

Schedule edits to legacy FQDN filters during a maintenance window. Contact Aviatrix Support for assistance.