8.1.20 Release Notes

Release Date: 22 December 2025

Corrected Issues in Aviatrix Release 8.1.20

Issue	Description
AVX-64447	Fixed an issue where toggling between Active/Active and Active/Standby modes in Site2Cloud connections was not working properly. Users can now successfully switch between these high availability modes as expected.
AVX-66324	Fixed an issue where bell notifications were missing for Distributed Cloud Firewall (DCF) L7 rules between Kubernetes pods and VMs when using HA gateways. Previously, traffic would work intermittently when DCF L7 rules were applied between Kubernetes services and VMs in different VPCs with HA gateways. The system now properly generates notifications when these rules are applied.
AVX-67530	Fixed an issue where the traffic count displayed in the Controller interface could be inaccurate when using Distributed Cloud Firewall (DCF) with external groups that include multiple IP ranges. The Controller now reports traffic statistics correctly for DCF rules involving external groups, providing accurate visibility for monitoring, analysis, and validation of firewall policy behavior.
AVX-68606	Resolved an issue where Edge gateway upgrades from version 8.1 to 8.1.10 could cause temporary traffic disruption due to service restarts during the upgrade process. The upgrade workflow now handles service restarts more effectively, reducing traffic impact during Edge gateway upgrades, including in large-scale deployments.
AVX-69733	Resolved an issue where the ESTABLISHED rule disappeared after a Public Subnet Filtering (PSF) gateway image upgrade. This issue affected PSF gateways using the legacy stateful firewall on Controller versions 7.1 and later, and could result in traffic disruption after the upgrade. The rule is now preserved during PSF gateway image upgrades.
AVX-70123	Fixed an issue with database schema type definitions that could trigger migration errors during the Controller upgrade process. The schema now uses the correct database type definition, ensuring compatibility with migration logic and preventing upgrade failures.
AVX-70253	Fixed an issue where FireNet deployments with bootstrap enabled could fail in Google Cloud due to changes in how GCP credentials were handled during the bootstrap process. The bootstrap workflow has been updated to correctly retrieve and use GCP credentials, ensuring FireNet deployments with bootstrap complete successfully in Google Cloud environments.
AVX-70506	Fixed an issue where deploying multiple GCP gateways through Terraform resulted in ResourceDuplicateId errors. The system now properly handles concurrent gateway deployments in different GCP zones, preventing resource ID conflicts during the creation process.
AVX-71087	Fixed an issue where the default access control rules did not properly allow ICMP traffic used for debugging. The updated rules ensure ICMP-based troubleshooting continues to work after upgrades.
AVX-71217	Resolved an issue where the VRRP state file could become empty when upgrading AEP and self-managed Edge-as-Spoke gateways in active-active HA configurations from version 7.2 to 8.0.30. With this fix, VRRP primary and backup state information is preserved during the upgrade, and newly created Edge-as-Spoke gateways with VRRP configuration no longer remain in the Initializing state.
AVX-71784	Resolved an issue where eBPF packet marking could fail on transit gateways with Network Segmentation enabled, causing traffic to be associated with incorrect network domains. The packet marking logic has been corrected to ensure Network Segmentation policies are enforced consistently without requiring service restarts.

Issue

Description

AVX-64447

Fixed an issue where toggling between Active/Active and Active/Standby modes in Site2Cloud connections was not working properly. Users can now successfully switch between these high availability modes as expected.

AVX-66324

Fixed an issue where bell notifications were missing for Distributed Cloud Firewall (DCF) L7 rules between Kubernetes pods and VMs when using HA gateways. Previously, traffic would work intermittently when DCF L7 rules were applied between Kubernetes services and VMs in different VPCs with HA gateways. The system now properly generates notifications when these rules are applied.

AVX-67530

Fixed an issue where the traffic count displayed in the Controller interface could be inaccurate when using Distributed Cloud Firewall (DCF) with external groups that include multiple IP ranges.

The Controller now reports traffic statistics correctly for DCF rules involving external groups, providing accurate visibility for monitoring, analysis, and validation of firewall policy behavior.

AVX-68606

Resolved an issue where Edge gateway upgrades from version 8.1 to 8.1.10 could cause temporary traffic disruption due to service restarts during the upgrade process.

The upgrade workflow now handles service restarts more effectively, reducing traffic impact during Edge gateway upgrades, including in large-scale deployments.

AVX-69733

Resolved an issue where the ESTABLISHED rule disappeared after a Public Subnet Filtering (PSF) gateway image upgrade.

This issue affected PSF gateways using the legacy stateful firewall on Controller versions 7.1 and later, and could result in traffic disruption after the upgrade. The rule is now preserved during PSF gateway image upgrades.

AVX-70123

Fixed an issue with database schema type definitions that could trigger migration errors during the Controller upgrade process.

The schema now uses the correct database type definition, ensuring compatibility with migration logic and preventing upgrade failures.

AVX-70253

Fixed an issue where FireNet deployments with bootstrap enabled could fail in Google Cloud due to changes in how GCP credentials were handled during the bootstrap process.

The bootstrap workflow has been updated to correctly retrieve and use GCP credentials, ensuring FireNet deployments with bootstrap complete successfully in Google Cloud environments.

AVX-70506

Fixed an issue where deploying multiple GCP gateways through Terraform resulted in ResourceDuplicateId errors. The system now properly handles concurrent gateway deployments in different GCP zones, preventing resource ID conflicts during the creation process.

AVX-71087

Fixed an issue where the default access control rules did not properly allow ICMP traffic used for debugging. The updated rules ensure ICMP-based troubleshooting continues to work after upgrades.

AVX-71217

Resolved an issue where the VRRP state file could become empty when upgrading AEP and self-managed Edge-as-Spoke gateways in active-active HA configurations from version 7.2 to 8.0.30.

With this fix, VRRP primary and backup state information is preserved during the upgrade, and newly created Edge-as-Spoke gateways with VRRP configuration no longer remain in the Initializing state.

AVX-71784

Resolved an issue where eBPF packet marking could fail on transit gateways with Network Segmentation enabled, causing traffic to be associated with incorrect network domains.

The packet marking logic has been corrected to ensure Network Segmentation policies are enforced consistently without requiring service restarts.

Known Issues in Aviatrix Release 8.1.20

Issue Description

Issue	Description
AVX-62003	Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages. Impact: Existing gateways may be deleted during image upgrade Replacement gateway creation fails due to missing subscription Customers may experience connectivity loss and dangling gateway entries in the Controller Manual intervention required, leading to support escalations Workaround: None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.
AVX-62299	When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway. To avoid this issue, follow the correct upgrade sequence: Upgrade the PSF Gateway first. Wait for the PSF Gateway upgrade to complete successfully. Then upgrade the dependent Spoke Gateways.
AVX-62506	During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity. Workaround: None Recommendations: Schedule gateway upgrades during maintenance windows or low-traffic periods. Use HA deployments and upgrade gateways one at a time in HA pairs. Monitor logs for "Failed to load policy" messages to confirm when policies are reloaded.
AVX-64868	In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting. Impact: Controller UI may show incorrect VRRP status such as both peers reporting `Primary` or `Initializing` No impact on actual VRRP traffic handling or failover behavior. Workaround: Use diagnostic logs to verify actual VRRP state
AVX-65016	In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes. Impact: Firewall integration appears stuck in Unaccessible state Recovery does not occur automatically after initial failure May require manual intervention to restore proper firewall state reporting Workaround: Contact Aviatrix Support for manual correction.
AVX-66631	Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration. Impact: Traffic loss may persist after image upgrade completes Route service startup is blocked until all tunnels are sequentially reconfigured Configuration push may time out with `Context cancelled during Phase 1 Create` error Workaround: Schedule maintenance windows to account for potential traffic loss beyond upgrade completion. Consider staggering upgrades across transit gateways to reduce impact. Monitor tunnel and route service status post-upgrade through the CoPilot UI.
AVX-67126	Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.
AVX-67571	In Oracle Cloud Infrastructure (OCI) environments, OpenVPN clients cannot connect to VPN gateways configured with DUO multi-factor authentication (MFA). Connection attempts fail with `ECONNREFUSED` errors during tunnel establishment, preventing authentication from completing. Impact: VPN tunnels cannot be established to DUO-enabled OCI gateways Only affects OCI deployments with DUO MFA Other authentication methods (OKTA, LDAP) work normally Workaround: No current workaround. Users may temporarily switch to OKTA or LDAP authentication if feasible.
AVX-68108	When upgrading the Controller from version 8.0.30 to 8.1.10, the UI may display a misleading "Service temporarily unavailable" error message immediately after the upgrade begins. This message can persist for 5–10 minutes but does not indicate upgrade failure. The upgrade continues normally in the background and the Controller becomes accessible again once the upgrade finishes. Impact: Users may believe the upgrade has failed. Error message persists for 5–10 minutes, especially in larger deployments (50+ gateways). No effect on upgrade success or Controller functionality. Workaround: Ignore the message during upgrade. Wait 10–15 minutes for the process to complete. Refresh the browser and verify the new Controller version after reconnection.
AVX-68561	In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage. Impact: Gateway configurations may show as out of sync in the Controller UI Controller CPU utilization (conduit process) increases significantly Performance degradation may occur during DCF S2C operations Issue may persist after disabling DCF S2C Workaround: Monitor Controller CPU usage before enabling DCF S2C in large-scale environments. Consider enabling DCF S2C during scheduled maintenance windows. For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.
AVX-68887	When attaching VPN users to profiles using the `attach_vpn_user_to_profile` API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully. In some cases, users later reappear as active but still show no profile association in the UI. This results in a display inconsistency between the UI and the backend state. Impact: VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected. Affected Scenario: OpenVPN profile management operations that use API-based user-to-profile attachment. Workaround: None.
AVX-69342	When a Controller experiences out-of-memory conditions followed by upsizing and restart, duplicate resource ID entries may be created in the database. This prevents the Controller from starting properly and blocks access to the web UI. Impact: Controller fails to start after restart Web UI becomes inaccessible Database contains duplicate resource entries for GCE networks and other resources Affected Scenario: Controllers that have experienced memory issues, been upsized, and restarted may encounter this database corruption. Workaround: Connect directly to the Controller database and manually remove the duplicate resource ID entries to restore normal operation.
AVX-70543	When DPI/IDS or Layer7 policies are configured with "Destination: Anywhere" on HA-enabled spoke gateways where the destination smart group contains private CIDRs, the policies become invalid and cause traffic drops. Affected Scenario: Spoke gateways with HA enabled using DPI/IDS or Layer7 policies that have destination smart groups containing private CIDR ranges and "Destination: Anywhere" configuration. Impact: All egress traffic matching the policy rules gets dropped Network connectivity loss for affected traffic flows Policy validation failures preventing proper traffic inspection Workaround: Modify the policy destination from "Anywhere" to specific target destinations that exclude conflicting private CIDR ranges, or disable HA on the affected spoke gateway if operationally acceptable.
AVX-70958	When clients use HTTP/2 protocol, Trafficserver incorrectly reuses origin connections, which can cause SSL/TLS verification issues and potential security concerns with SNI (Server Name Indication) handling. Affected Scenario: HTTP/2 client connections through Trafficserver proxy Impact: SSL/TLS certificate verification may fail SNI matching issues between client requests and origin servers Potential security vulnerabilities due to connection reuse Workaround: Configure records.yaml to match on both IP address and SNI to ensure proper connection handling.
AVX-70995	When a gateway is downsized in environments with IPS (Intrusion Prevention System) enabled, L7 traffic (HTTP/HTTPS) is dropped instead of being allowed through. The system blocks traffic when it detects that security policies cannot be properly enforced due to insufficient gateway resources, preventing the traffic-server from running. Affected Scenario: Gateways with IPS enabled that undergo downsizing operations. Impact: HTTP and HTTPS traffic is completely blocked Security policies cannot be enforced on downsized gateways Service disruption for applications relying on L7 traffic Workaround: Resize the gateway back to adequate specifications that support IPS functionality and traffic-server operations.
AVX-71122	In some environments, after the Identity Provider (IdP) rotates its SAML signing certificate, the Aviatrix Controller may fail to fetch and update the new certificate from the configured metadata URL. As a result, the Controller continues to use a stale certificate, which causes signature verification errors during SAML authentication. Impact: SAML single sign-on (SSO) authentication fails. Users may experience repeated login failures or timeouts and are unable to access the Controller dashboard using SAML. Workaround: Contact Aviatrix Support to manually update the SAML certificate on the Controller.
AVX-71719	When ICMP traffic passes through Suricata inspection on gateways, alert rules trigger only once until the Suricata process restarts. This limitation affects the eBPF → proxyPcap → Suricata traffic path and likely impacts UDP and other non-TCP protocols as well. Impact: Security alerts may not fire for subsequent ICMP traffic Potential gaps in threat detection for non-TCP protocols Reduced visibility into network security events Affected Scenario: Gateways with Suricata-based security inspection enabled for ICMP and potentially UDP traffic. Workaround: Contact Aviatrix Support to restore the alert functionality for ICMP traffic.
AVX-71720	When processing decrypted POST traffic through the ATS tee plugin, PSF gateways may experience crashes during request body processing. This occurs specifically with decrypted traffic that contains POST requests being processed by the tee plugin’s request body handling path. Impact: Gateway crashes affecting traffic processing Service disruption for decrypted POST requests Potential data loss during crash events Affected Scenario: PSF gateways processing decrypted POST traffic through ATS tee plugin Workaround: Avoid routing decrypted POST traffic through affected PSF gateways until the fix is implemented. Consider using alternative routing paths or temporarily disabling tee plugin functionality for POST request processing if operationally feasible.
AVX-71820	When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails. Impact: VPN gateway deployment fails Error message does not clearly indicate the root cause Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2. Workaround: Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.
AVX-72835	When upgrading to Controller 8.1, the database migration may fail if a High Availability Gateway (HAGW) entry appeared before its corresponding primary gateway in the database collection. During migration, the process relies on a strict ordering — primary gateway data must be initialized before the HAGW is processed to correctly populate gateway group data. The migration may fail or leave behind gateway entries in the wrong order in the database, which can lead to further issues. Impact: The upgrade to Controller 8.1 may fail to complete Gateway entries may be stored in an incorrect order in the database Workaround: Contact Aviatrix Support for assistance.
AVX-73061	The Cloud Asset Inventory (CAI) service has a memory leak in its L1 cache. When cloud instances such as VMs are removed from the cloud provider, the associated network interfaces remain cached and are never cleaned up. Impact: In environments that regularly cycle VMs (such as those using spot instances), the CAI service memory consumption grows over time and is never reclaimed. This can lead to high memory usage by the CAI service, potentially affecting Controller performance. Workaround: Contact Aviatrix Support for assistance with periodic CAI service restarts to reclaim memory.
AVX-74739	For Controllers with large-scale deployments (for example, several thousand gateways and tunnels), the database migration during upgrade can exceed the current hard-coded 15-minute timeout, causing the Controller upgrade to fail and roll back. The migration timeout is not configurable in affected versions, so customers with very large environments are more likely to encounter this issue during Controller upgrades. Impact: Controller upgrade fails and rolls back due to migration timeout Large-scale environments with thousands of gateways and tunnels are most affected Workaround: Contact Aviatrix Support for assistance with adjusting the migration timeout for large-scale deployments.
AVX-74990	Controller software upgrade from version 8.0.40/8.0.50 to 8.1.20 may cause Controller CPU utilization to spike due to a schema migration being skipped during the upgrade. This can result in sluggish Controller UI performance. Impact: CPU utilization spikes after upgrading from 8.0.40/8.0.50 to 8.1.20 Controller UI may show sluggish performance Workaround: Contact Aviatrix Support for assistance with applying the workaround to fix the skipped schema migration.
AVX-75256	After upgrading the Aviatrix Controller from version 7.2.x to 8.0 or later, gateways with FQDN tags attached may no longer be visible in the Egress FQDN Gateway View tab. The list_fqdn_gateways API returns an empty list despite the gateways being present and properly associated with their FQDN tags. Impact: Egress FQDN-enabled gateways are not displayed in the Controller UI after upgrade The list_fqdn_gateways API returns an empty list Gateways remain operational and FQDN tag associations are intact Workaround: Contact Aviatrix Support for assistance.
AVX-75944	When migrating an existing Controller to a new Controller VM, a database migration issue can cause configuration changes to be applied to gateways too early during the migration process. Impact: Gateways with NAT configured may experience a temporary datapath disruption during Controller migration. Workaround: There is no workaround. Upgrade to a version that includes the fix (8.0.60, 8.1.30, 8.2.10, or 9.0.0). Contact Aviatrix Support for assistance.
AVX-77088	On Controller and gateway running 8.1.x or 8.2.x, editing legacy FQDN domain name filters can cause all FQDN filtering processes on the gateway to stop simultaneously. Gateway monitoring restarts the processes automatically, but a brief filtering outage may occur during the restart. Impact: FQDN filtering on the gateway may experience a short interruption when domain name filters are edited. Traffic that depends on FQDN filtering may be briefly affected until the filtering processes restart. Workaround: Schedule edits to legacy FQDN filters during a maintenance window. Contact Aviatrix Support for assistance.

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

Existing gateways may be deleted during image upgrade
Replacement gateway creation fails due to missing subscription
Customers may experience connectivity loss and dangling gateway entries in the Controller
Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

Upgrade the PSF Gateway first.
Wait for the PSF Gateway upgrade to complete successfully.
Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

Schedule gateway upgrades during maintenance windows or low-traffic periods.
Use HA deployments and upgrade gateways one at a time in HA pairs.
Monitor logs for "Failed to load policy" messages to confirm when policies are reloaded.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing
No impact on actual VRRP traffic handling or failover behavior.

Workaround:

Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

Firewall integration appears stuck in Unaccessible state
Recovery does not occur automatically after initial failure
May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66631

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Impact:

Traffic loss may persist after image upgrade completes
Route service startup is blocked until all tunnels are sequentially reconfigured
Configuration push may time out with Context cancelled during Phase 1 Create error

Workaround:

Schedule maintenance windows to account for potential traffic loss beyond upgrade completion.
Consider staggering upgrades across transit gateways to reduce impact.
Monitor tunnel and route service status post-upgrade through the CoPilot UI.

AVX-67126

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

AVX-67571

In Oracle Cloud Infrastructure (OCI) environments, OpenVPN clients cannot connect to VPN gateways configured with DUO multi-factor authentication (MFA). Connection attempts fail with ECONNREFUSED errors during tunnel establishment, preventing authentication from completing.

Impact:

VPN tunnels cannot be established to DUO-enabled OCI gateways
Only affects OCI deployments with DUO MFA
Other authentication methods (OKTA, LDAP) work normally

Workaround:

No current workaround. Users may temporarily switch to OKTA or LDAP authentication if feasible.

AVX-68108

When upgrading the Controller from version 8.0.30 to 8.1.10, the UI may display a misleading "Service temporarily unavailable" error message immediately after the upgrade begins. This message can persist for 5–10 minutes but does not indicate upgrade failure. The upgrade continues normally in the background and the Controller becomes accessible again once the upgrade finishes.

Impact:

Users may believe the upgrade has failed.
Error message persists for 5–10 minutes, especially in larger deployments (50+ gateways).
No effect on upgrade success or Controller functionality.

Workaround:

Ignore the message during upgrade.
Wait 10–15 minutes for the process to complete.
Refresh the browser and verify the new Controller version after reconnection.

AVX-68561

In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage.

Impact:

Gateway configurations may show as out of sync in the Controller UI
Controller CPU utilization (conduit process) increases significantly
Performance degradation may occur during DCF S2C operations
Issue may persist after disabling DCF S2C

Workaround:

Monitor Controller CPU usage before enabling DCF S2C in large-scale environments.
Consider enabling DCF S2C during scheduled maintenance windows.
For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.

AVX-68887

When attaching VPN users to profiles using the attach_vpn_user_to_profile API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully.

In some cases, users later reappear as active but still show no profile association in the UI. This results in a display inconsistency between the UI and the backend state.

Impact: VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected.

Affected Scenario: OpenVPN profile management operations that use API-based user-to-profile attachment.

Workaround: None.

AVX-69342

When a Controller experiences out-of-memory conditions followed by upsizing and restart, duplicate resource ID entries may be created in the database. This prevents the Controller from starting properly and blocks access to the web UI.

Impact:

Controller fails to start after restart
Web UI becomes inaccessible
Database contains duplicate resource entries for GCE networks and other resources

Affected Scenario: Controllers that have experienced memory issues, been upsized, and restarted may encounter this database corruption.

Workaround: Connect directly to the Controller database and manually remove the duplicate resource ID entries to restore normal operation.

AVX-70543

When DPI/IDS or Layer7 policies are configured with "Destination: Anywhere" on HA-enabled spoke gateways where the destination smart group contains private CIDRs, the policies become invalid and cause traffic drops.

Affected Scenario: Spoke gateways with HA enabled using DPI/IDS or Layer7 policies that have destination smart groups containing private CIDR ranges and "Destination: Anywhere" configuration.

Impact:

All egress traffic matching the policy rules gets dropped
Network connectivity loss for affected traffic flows
Policy validation failures preventing proper traffic inspection

Workaround: Modify the policy destination from "Anywhere" to specific target destinations that exclude conflicting private CIDR ranges, or disable HA on the affected spoke gateway if operationally acceptable.

AVX-70958

When clients use HTTP/2 protocol, Trafficserver incorrectly reuses origin connections, which can cause SSL/TLS verification issues and potential security concerns with SNI (Server Name Indication) handling.

Affected Scenario: HTTP/2 client connections through Trafficserver proxy

Impact:

SSL/TLS certificate verification may fail
SNI matching issues between client requests and origin servers
Potential security vulnerabilities due to connection reuse

Workaround: Configure records.yaml to match on both IP address and SNI to ensure proper connection handling.

AVX-70995

When a gateway is downsized in environments with IPS (Intrusion Prevention System) enabled, L7 traffic (HTTP/HTTPS) is dropped instead of being allowed through. The system blocks traffic when it detects that security policies cannot be properly enforced due to insufficient gateway resources, preventing the traffic-server from running.

Affected Scenario: Gateways with IPS enabled that undergo downsizing operations.

Impact:

HTTP and HTTPS traffic is completely blocked
Security policies cannot be enforced on downsized gateways
Service disruption for applications relying on L7 traffic Workaround: Resize the gateway back to adequate specifications that support IPS functionality and traffic-server operations.

AVX-71122

In some environments, after the Identity Provider (IdP) rotates its SAML signing certificate, the Aviatrix Controller may fail to fetch and update the new certificate from the configured metadata URL.

As a result, the Controller continues to use a stale certificate, which causes signature verification errors during SAML authentication.

Impact: SAML single sign-on (SSO) authentication fails. Users may experience repeated login failures or timeouts and are unable to access the Controller dashboard using SAML.

Workaround: Contact Aviatrix Support to manually update the SAML certificate on the Controller.

AVX-71719

When ICMP traffic passes through Suricata inspection on gateways, alert rules trigger only once until the Suricata process restarts. This limitation affects the eBPF → proxyPcap → Suricata traffic path and likely impacts UDP and other non-TCP protocols as well.

Impact:

Security alerts may not fire for subsequent ICMP traffic
Potential gaps in threat detection for non-TCP protocols
Reduced visibility into network security events Affected Scenario: Gateways with Suricata-based security inspection enabled for ICMP and potentially UDP traffic.

Workaround: Contact Aviatrix Support to restore the alert functionality for ICMP traffic.

AVX-71720

When processing decrypted POST traffic through the ATS tee plugin, PSF gateways may experience crashes during request body processing. This occurs specifically with decrypted traffic that contains POST requests being processed by the tee plugin’s request body handling path.

Impact:

Gateway crashes affecting traffic processing
Service disruption for decrypted POST requests
Potential data loss during crash events

Affected Scenario: PSF gateways processing decrypted POST traffic through ATS tee plugin

Workaround: Avoid routing decrypted POST traffic through affected PSF gateways until the fix is implemented. Consider using alternative routing paths or temporarily disabling tee plugin functionality for POST request processing if operationally feasible.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

VPN gateway deployment fails
Error message does not clearly indicate the root cause

Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2.

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-72835

When upgrading to Controller 8.1, the database migration may fail if a High Availability Gateway (HAGW) entry appeared before its corresponding primary gateway in the database collection. During migration, the process relies on a strict ordering — primary gateway data must be initialized before the HAGW is processed to correctly populate gateway group data. The migration may fail or leave behind gateway entries in the wrong order in the database, which can lead to further issues.

Impact:

The upgrade to Controller 8.1 may fail to complete
Gateway entries may be stored in an incorrect order in the database

Workaround:

Contact Aviatrix Support for assistance.

AVX-73061

The Cloud Asset Inventory (CAI) service has a memory leak in its L1 cache. When cloud instances such as VMs are removed from the cloud provider, the associated network interfaces remain cached and are never cleaned up.

Impact:

In environments that regularly cycle VMs (such as those using spot instances), the CAI service memory consumption grows over time and is never reclaimed.
This can lead to high memory usage by the CAI service, potentially affecting Controller performance.

Workaround:

Contact Aviatrix Support for assistance with periodic CAI service restarts to reclaim memory.

AVX-74739

For Controllers with large-scale deployments (for example, several thousand gateways and tunnels), the database migration during upgrade can exceed the current hard-coded 15-minute timeout, causing the Controller upgrade to fail and roll back. The migration timeout is not configurable in affected versions, so customers with very large environments are more likely to encounter this issue during Controller upgrades.

Impact:

Controller upgrade fails and rolls back due to migration timeout
Large-scale environments with thousands of gateways and tunnels are most affected Workaround:

Contact Aviatrix Support for assistance with adjusting the migration timeout for large-scale deployments.

AVX-74990

Controller software upgrade from version 8.0.40/8.0.50 to 8.1.20 may cause Controller CPU utilization to spike due to a schema migration being skipped during the upgrade. This can result in sluggish Controller UI performance.

Impact:

CPU utilization spikes after upgrading from 8.0.40/8.0.50 to 8.1.20
Controller UI may show sluggish performance

Workaround:

Contact Aviatrix Support for assistance with applying the workaround to fix the skipped schema migration.

AVX-75256

After upgrading the Aviatrix Controller from version 7.2.x to 8.0 or later, gateways with FQDN tags attached may no longer be visible in the Egress FQDN Gateway View tab. The list_fqdn_gateways API returns an empty list despite the gateways being present and properly associated with their FQDN tags.

Impact:

Egress FQDN-enabled gateways are not displayed in the Controller UI after upgrade
The list_fqdn_gateways API returns an empty list
Gateways remain operational and FQDN tag associations are intact Workaround:

Contact Aviatrix Support for assistance.

AVX-75944

When migrating an existing Controller to a new Controller VM, a database migration issue can cause configuration changes to be applied to gateways too early during the migration process.

Impact:

Gateways with NAT configured may experience a temporary datapath disruption during Controller migration.

Workaround:

There is no workaround. Upgrade to a version that includes the fix (8.0.60, 8.1.30, 8.2.10, or 9.0.0). Contact Aviatrix Support for assistance.

AVX-77088

On Controller and gateway running 8.1.x or 8.2.x, editing legacy FQDN domain name filters can cause all FQDN filtering processes on the gateway to stop simultaneously. Gateway monitoring restarts the processes automatically, but a brief filtering outage may occur during the restart.

Impact:

FQDN filtering on the gateway may experience a short interruption when domain name filters are edited.
Traffic that depends on FQDN filtering may be briefly affected until the filtering processes restart. Workaround:

Schedule edits to legacy FQDN filters during a maintenance window. Contact Aviatrix Support for assistance.