8.2.10 Release Notes

Release Date: 12 May 2026

Corrected Issues in Aviatrix Release 8.2.10

Issue Description

AVX-62506

Fixed an issue where traffic matching DCF WebGroup rules may be briefly dropped during a gateway software upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

AVX-67571

Fixed an issue where OpenVPN clients could not connect to VPN gateways configured with DUO multi-factor authentication (MFA) in Oracle Cloud Infrastructure (OCI) environments due to ECONNREFUSED errors during tunnel establishment.

AVX-68013

Fixed an issue where spoke-to-transit gateway attachment could fail with a check_task_status decode error, preventing successful attachment completion.

AVX-68108

Fixed an issue where, when upgrading the Controller from version 8.0.30 to 8.1.10, the UI may display a misleading "Service temporarily unavailable" error message immediately after the upgrade begins. This message can persist for 5–10 minutes but does not indicate upgrade failure. The upgrade continues normally in the background and the Controller becomes accessible again once the upgrade finishes.

AVX-68561

Fixed an issue where enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) in large-scale deployments with 1300+ gateways caused gateway configurations to become out of sync with the Controller and elevated Controller CPU utilization.

AVX-68726

Fixed an issue where Azure Controller Security Group management operations could fail, preventing proper network security group rule updates.

AVX-69342

Fixed an issue where duplicate resource ID entries could be created in the database when a Controller experienced out-of-memory conditions followed by upsizing and restart, preventing the Controller from starting properly. The database now handles resource IDs correctly to avoid duplicates.

AVX-70253

Fixed an issue where FireNet deployment with bootstrap configuration failed in Google Cloud due to a change in how the credential JSON file is read.

AVX-71087

Fixed an issue with Controller access control ICMP handling that could cause incorrect ICMP traffic behavior on Controllers running version 8.0 and 8.1.

AVX-71122

Fixed an issue in some environments where the Aviatrix Controller failed to fetch and update a rotated SAML signing certificate from the configured Identity Provider (IdP) metadata URL, which caused SAML single sign-on (SSO) authentication failures. The Controller now correctly retrieves and applies updated SAML certificates after IdP rotation.

AVX-71135

Resolved an issue where upgrading to Controller 8.1 failed during database migration if VPC tunnel records contained non-numeric values in the timestamp field. The migration logic now correctly handles timestamp values, preventing conversion errors and allowing the upgrade to complete successfully.

AVX-71217

Fixed an issue where the VRRP state file became empty on AEP edge gateways configured in active-active HA pairs after upgrading gateway software from version 7.2 to 8.0.30. The VRRP state file now correctly retains primary/backup state information after upgrades.

AVX-71630

Resolved an issue where incorrect eBPF filters could be applied to the eth1 interface on Azure gateways with Accelerated Networking enabled during upgrades from versions earlier than 7.2.2994. The upgrade process now properly handles interface filter configuration to prevent unintended traffic drops.

AVX-71672

Fixed an issue where upgrading the Controller to version 8.1 could fail during database migration when the tunnel rtt_avg field contained None values. The migration logic now correctly handles None values, allowing the upgrade to complete successfully.

AVX-71719

Fixed an issue where ICMP traffic passing through Suricata inspection on gateways only triggered alert rules once until the Suricata process restarted. Alert rules now fire consistently for all matching traffic.

AVX-71720

Fixed an issue where decrypted POST traffic passing through the ATS tee plugin could cause PSF gateway crashes during request body processing. The tee plugin now correctly handles POST request bodies without crashing.

AVX-71807

Fixed an issue where the packet mark eBPF program was not loaded on some gateways, potentially causing incorrect traffic classification.

AVX-71826

Fixed an issue where, in Aviatrix software versions 8.1.x and 8.2.0, the VRRP state file /etc/localgateway/vrrp_state.json may be empty on AEP and self-managed Edge-as-Spoke gateways configured in active-active HA pairs. This prevents VRRP state updates from being sent from the edge gateways to the Aviatrix Controller, and Aviatrix CoPilot will not display the updated VRRP states. This is a cosmetic issue and there will be no disruption to traffic.

AVX-72207

Fixed an issue where upgrading OpenVPN gateways to Controller version 8.1 with profiles containing FQDN-based policies resulted in service disruption due to a DNS resolution limitation. Users can now access whitelisted FQDNs in OpenVPN Profiles after upgrading.

AVX-72369

Fixed an issue where gateways included in custom syslog profiles were removed from those profiles after a gateway image upgrade, causing syslog forwarding configurations to be lost.

AVX-72835

Fixed an issue where the database migration during Controller upgrade to 8.1 could fail if a High Availability Gateway (HAGW) entry appeared before its corresponding primary gateway in the vpc_info database collection. The migration logic now correctly handles HAGW records regardless of document ordering in the database.

AVX-72847

Fixed an issue where the avx-gw-state-sync service leaked D-Bus connections over time, which could lead to resource exhaustion and degraded gateway state synchronization.

AVX-72871

Fixed an issue where upgrading the Controller from version 8.0.x to 8.1.x could fail with the error "Please reload the page in order to upgrade" due to a database migration issue with incorrectly typed field values. The migration logic now includes proper type checking to handle these records.

AVX-72881

Fixed an issue where, during upgrades from older Aviatrix Controller versions to versions 8.1.20 and 8.2.0, the NetflowMode migration may fail due to incomplete NetflowMode records in the database. Older Controller versions allowed NetflowMode records with missing or empty fields, such as an empty port value. Newer releases enforce stricter validation and fail when encountering these incomplete records.

AVX-73377

Fixed an issue where avx-nfq processes on FQDN-enabled gateways were killed and restarted during gateway software upgrade, causing a traffic outage of approximately 10 minutes after the upgrade completed. The upgrade process now correctly handles the nfq service transition without extended traffic interruption.

AVX-73629

Fixed an issue where the VPC name field could be overwritten with incorrect data during the AM4.0 migration, causing affected VPC records to become unfindable via index lookups. The migration logic now correctly preserves the VPC name field.

AVX-73742

Fixed two issues with single IP HA tunnel failover in Site-to-Cloud deployments. The Controller no longer sends stale IPsec session teardown messages to gateways that temporarily lost connectivity, and now stops failover of pending tunnels to the HA gateway if the active gateway reconnects quickly, reducing unnecessary tunnel downtime.

AVX-74055

Fixed an issue where duplicate iptables mangle table MARK rules could remain on gateways during mapped Site-to-Cloud tunnel failover, gateway image upgrade, or rollback scenarios.

AVX-74226

Fixed an issue where CoPilot deployments and migrations could fail with "Unsupported instance size" errors for valid instance types. Instance type validation no longer incorrectly blocks supported sizes.

AVX-74418

Fixed an issue where the Controller did not properly handle BGP route updates during transit gateway failover, causing stale routes to persist in the routing table. The Controller now correctly clears and repropagates routes after failover completes.

AVX-74465

Fixed an issue where Aviatrix HPE gateway (including HA gateway) creation failed in OCI VCNs with DNS disabled. Gateways can now be created regardless of VCN DNS configuration.

AVX-74719

Fixed an issue where performing a Controller backup restore could cause a temporary traffic outage of approximately 40 seconds due to all routes being deleted and re-added during the etcd route reconvergence process. Routes are now preserved during backup restore to prevent traffic disruption.

AVX-74739

Fixed an issue where the database migration timeout during Controller upgrade was hard-coded at 15 minutes, causing upgrades to fail and roll back in large-scale deployments with thousands of gateways and tunnels. The migration timeout is now user-configurable.

AVX-74990

Fixed an issue where a Controller software upgrade from version 8.0.40/8.0.50 to 8.1.20 may cause Controller CPU utilization to spike due to a schema migration being skipped during the upgrade. This can result in sluggish Controller UI performance.

AVX-75117

Fixed a memory leak in the TrafficServer (ATS) process on gateways with DCF intrusion analysis and decryption enabled under high-concurrency traffic conditions that could cause the ATS process to crash and enter a restart loop.

AVX-75135

Fixed an issue where tunnel status report processing on the Controller took longer after upgrading from version 8.0 to 8.1 due to increased database query overhead, with average processing time increasing from approximately 150ms to 230ms per report.

AVX-75256

Fixed an issue where FQDN gateway data was not correctly displayed after upgrading from version 7.2.x to 8.0 or later, causing the Egress FQDN Gateway View to appear empty. Gateways with FQDN tags now display correctly in the UI and are returned properly by the list_fqdn_gateways API.

Known Issues in Aviatrix Release 8.2.10

Issue Description

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

  • Existing gateways may be deleted during image upgrade

  • Replacement gateway creation fails due to missing subscription

  • Customers may experience connectivity loss and dangling gateway entries in the Controller

  • Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

  • Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing

  • No impact on actual VRRP traffic handling or failover behavior.

Workaround:

  • Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

  • Firewall integration appears stuck in Unaccessible state

  • Recovery does not occur automatically after initial failure

  • May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-65590

When editing the HPE spoke-transit peering tunnel count via API on gateways with customized SNAT configured, a traffic outage of approximately 100-120 seconds per gateway may occur. During the tunnel count change, the primary spoke gateway deletes and recreates tunnels, causing the transit gateway to temporarily remove the metric 100 route for the primary SNAT IP. The HA spoke gateway loses the metric 200 route for the primary SNAT IP during this period, leading to a traffic blackhole until tunnels are fully recreated.

Affected Scenario:

  • HPE spoke-transit peering with customized SNAT configured

  • Editing tunnel count via API while traffic is flowing

  • Gateways with HA enabled

Impact:

  • Approximately 100-120 seconds of traffic outage per gateway during tunnel count changes

  • Total VPC workload outage may be 3-4 minutes as primary and HA gateways sequentially recreate tunnels

Workaround:

Schedule tunnel count changes during a maintenance window when traffic disruption is acceptable. Avoid editing tunnel counts during peak traffic periods.

AVX-66631

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Impact:

  • Traffic loss may persist after image upgrade completes

  • Route service startup is blocked until all tunnels are sequentially reconfigured

  • Configuration push may time out with Context cancelled during Phase 1 Create error

Workaround:

  • Schedule maintenance windows to account for potential traffic loss beyond upgrade completion.

  • Consider staggering upgrades across transit gateways to reduce impacts.

  • Monitor tunnel and route service status post-upgrade through the CoPilot UI.

AVX-67126

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

AVX-67180

Users may receive a RequestRefused error when attempting to log on to the Controller UI under certain conditions.

Impact:

  • Controller UI login may fail intermittently

  • Users may need to retry login attempts

Workaround:

Retry the login attempt. If the issue persists, contact Aviatrix Support for assistance.

AVX-68606

Traffic loss may occur through AEP Edge-as-Spoke gateways during a gateway software upgrade.

Impact:

  • Traffic flowing through AEP Edge-as-Spoke gateways may be disrupted during software upgrade

  • The disruption may persist beyond the expected upgrade window

Workaround:

Schedule gateway software upgrades during maintenance windows. Contact Aviatrix Support for assistance.

AVX-68887

When attaching VPN users to profiles using the attach_vpn_user_to_profile API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully.

Impact:

VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected.

Workaround:

None.

AVX-69649

The migration dry-run EIP accounting does not include public IPs that are not part of the Elastic IP quota, potentially producing inaccurate dry-run results.

Impact:

  • Dry-run migration reports may show incorrect EIP usage

  • Actual migration may encounter unexpected EIP limitations

Workaround:

Manually verify EIP allocation and quotas before performing the migration. Contact Aviatrix Support for assistance.

AVX-70543

When DPI/IDS or Layer7 policies are configured with "Destination: Anywhere" on HA-enabled spoke gateways where the destination smart group contains private CIDRs, the policies become invalid and cause traffic drops.

Impact:

  • All egress traffic matching the policy rules gets dropped

  • Network connectivity loss for affected traffic flows

Workaround:

Modify the policy destination from "Anywhere" to specific target destinations that exclude conflicting private CIDR ranges, or disable HA on the affected spoke gateway if operationally acceptable.

AVX-70864

DCF smart group push configuration may fail with a context deadline exceeded error, causing DFW configuration to not be applied correctly to gateways.

Impact:

  • DCF firewall rules may not be applied to affected gateways

  • Traffic may not be filtered according to the configured DCF policies

Workaround:

Contact Aviatrix Support for assistance.

AVX-70958

When clients use HTTP/2 connections, TrafficServer incorrectly reuses origin connections, potentially causing connection handling issues in MITM SNI verification scenarios.

Impact:

  • Origin connections may be shared inappropriately between different client requests

  • MITM SNI verification may not function as expected

Workaround:

Use both IP address and SNI instead of IP alone to ensure proper connection isolation.

AVX-70995

Layer 7 (L7) traffic may be dropped when a DCF policy cannot be enforced due to gateway sizing constraints. The system blocks traffic that matches policies it cannot enforce rather than allowing it to pass uninspected.

Impact:

  • L7 traffic may be unexpectedly dropped on undersized gateways

  • Policy enforcement may fail silently

Workaround:

Ensure gateways meet the minimum sizing requirements for L7 policy enforcement. Contact Aviatrix Support for assistance.

AVX-71057

The CoPilot UI may not accurately reflect real-time Controller migration progress, potentially showing stale or incomplete status information.

Impact:

  • Migration progress may not be displayed accurately in CoPilot

  • Users may not have visibility into the current migration state

Workaround:

Monitor migration progress through Controller logs or API. Contact Aviatrix Support for assistance.

AVX-71245

Additional Distributed Cloud Firewall (DCF) log support records end-session events for IDS and IPS signature matches. These logs include a reason field indicating the match type (IPS_POLICY_DENY or IDS_POLICY_ALERT) along with the Signature ID (SID) of the matched rule.

Due to a bug, the end-session log is omitted when Decryption is not enabled for Intrusion Analysis.

Impact:

  • Missing end-session log entries for IDS/IPS signature matches when Decryption is disabled

  • No impact to DCF policy actions

  • No impact to existing Intrusion Analysis logs

Workaround: Enable Decryption under Intrusion Analysis to ensure end-session logs are generated.

AVX-71280

The traffic_ctl process may consume 100% CPU, potentially causing traffic processing disruptions on affected gateways.

Impact:

  • Gateway CPU utilization may spike due to traffic_ctl process

  • Traffic processing may be degraded or disrupted

Workaround:

Contact Aviatrix Support for assistance.

AVX-71320

Source IP translation may not work correctly for policy-based Site-to-Cloud connections with SNAT configuration when traffic is sent from cloud to site.

Impact:

  • Cloud-to-site traffic through policy-based S2C tunnels may use incorrect source IP

  • Remote site firewalls or routing policies may drop or misroute the traffic

Workaround:

Contact Aviatrix Support for assistance.

AVX-71441

In rare cases, when upgrading gateways from version 8.1.20 to 8.2.0, a gateway could enter an infinite retry loop attempting to download a non-existent configuration file from the Controller, causing the upgrade process to fail completely.

Impact:

  • Gateway upgrade fails and cannot be completed.

  • Gateway becomes stuck in upgrade state.

  • Network connectivity through the affected gateway will be disrupted.

Workaround: Retry the gateway upgrade operation from the Controller UI or CoPilot UI. If the issue persists, perform an image upgrade of the impacted gateway.

AVX-71453

Azure HPE Transit HA Gateway resize may fail when there is insufficient secondary IP address space available in the subnet.

Impact:

  • HA Gateway resize operation fails

  • The gateway remains at its current size

Workaround:

Ensure sufficient IP address space is available in the gateway subnet before attempting a resize. Contact Aviatrix Support for assistance.

AVX-71494

When CoPilot Asset Inventory (CAI) performs queries on the inventory table, the existing database indexes are not utilized effectively, causing performance degradation during inventory operations.

Impact:

  • Delayed inventory data retrieval and reporting

  • Increased database load during CAI operations

  • Slower CoPilot dashboard performance when displaying asset information

Workaround: None.

AVX-71559

When performing a batch gateway image upgrade in Azure, some gateways may fail during the upgrade process.

Impact:

  • Gateway image upgrades in Azure environments may partially fail, with some gateways reporting errors during the replacement process.

  • Affected gateways may show an error indicating that gateway information cannot be retrieved in Azure ARM cloud.

Workaround:

Retry the gateway image upgrade for the failed gateways individually rather than as a batch operation. Contact Aviatrix Support for assistance.

AVX-71686

Azure Controllers using disks with IOPS less than 500 may experience performance issues. This limitation can lead to system instability and processing delays during high I/O operations.

Affected Scenario:

  • Azure Controllers deployed with disk types that provide less than 500 IOPS

Impact:

  • System instability during high I/O operations

  • Processing delays and performance degradation

  • Potential service disruptions in production environments

Workaround:

Upgrade the Azure Controller disk tier to a minimum of 500 IOPS through the Azure portal disk configuration settings.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

  • VPN gateway deployment fails

  • Error message does not clearly indicate the root cause

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-71922

Enabling oslogin in GCE instance metadata could break SSH access to GCP gateways by interfering with the gateway SSH service configuration.

Workaround:

Contact Aviatrix Support for assistance.

AVX-72553

The SAML Endpoint field is not displayed when creating a VPN user for GeoVPN configurations with a SAML-enabled gateway.

Impact:

  • VPN user creation for GeoVPN with SAML may not display the required SAML Endpoint field

  • Administrators may not be able to configure SAML endpoints during user creation

Workaround:

Contact Aviatrix Support for assistance.

AVX-72940

Creating a new gateway with the same name as an existing gateway may cause local files of the existing gateway to be deleted when the creation fails. Once this issue occurs, the existing gateway name disappears from the Controller CLI.

This can break SSH access (sshgw) for the existing gateway.

Impact:

  • SSH access to the existing gateway may stop working

  • Gateway recovery may require manual intervention

Affected Scenario:

  • Gateway creation using a name that already exists

Workaround:

AVX-73433

After changing rx_queue_size on a gateway interface, creating a new interface does not apply the updated rx_queue_size value.

Impact:

  • New interfaces may use default queue sizes instead of the configured value

  • Network performance may not match expected configuration

Workaround:

Contact Aviatrix Support for assistance.

AVX-73436

When using the update_spoke_vpc_route_table API to onboard an Azure route table, the default route (0.0.0.0/0) is not programmed in the spoke VNET route table if the Spoke Gateway has learned the default route from any of the following sources:

  • An attached Egress Transit Gateway (Transit with egress functionality enabled)

  • A Transit Gateway that learned the default route via an external Site-to-Cloud (S2C) connection (for example, from an on-premises network or third-party appliance advertising 0.0.0.0/0 over IPSec/BGP)

  • Another Spoke Gateway that is propagating the default route within the Aviatrix network

In all of the above cases, although the Spoke Gateway has successfully learned and installed the default route in its own routing table, the route is not re-programmed into the associated Azure VNET route table during the onboarding operation.

Impact:

  • Default route (0.0.0.0/0) is not installed in the onboarded Azure spoke VNET route table.

  • Traffic that depends on the default route — whether destined for the internet via an egress transit, for on-premises via an S2C-connected transit, or toward another spoke — may not be routed correctly from the Azure VNET.

Workaround:

Manually add the default route to the Azure route table. Contact Aviatrix Support for assistance.

AVX-73589

In some high-traffic environments using FQDN filtering, the NFQ process may stall due to a deadlock. If a signal interrupts a thread that is already executing a non-reentrant function, the signal handler may attempt to acquire the same lock, causing a deadlock.

Impact:

  • The avx-nfq process may stall and stop processing traffic until the service is restarted.

Workaround:

Restart the instance to continue processing traffic.

AVX-73836

DUO-integrated OpenVPN users may experience intermittent connection failures to VPN gateways due to a deprecated DUO client version.

Impact:

  • VPN connections using DUO MFA may fail intermittently

  • Users may receive 403 errors during DUO authentication

Workaround:

Contact Aviatrix Support for assistance with updating the DUO client configuration.

AVX-74577

Users are unable to modify tags on third-party firewall instances when those tags contain values with multiple colons (for example, team:iac:module.version:v1.5.3). Attempts to update tags after deployment fail with a too many values to unpack error. Initial deployment is unaffected because tags are passed via a different code path during creation.

Impact:

  • Third-party firewall instance tag updates fail when tag values contain multiple colons

  • Initial deployment with multi-colon tags is not affected

Workaround:

Avoid using multiple colons in tag values when modifying tags after deployment. Use alternative delimiters such as hyphens or underscores.

AVX-74986

Traffic loss may occur during gateway software upgrade from version 8.1.30 to 8.2.10.

Impact:

  • Traffic flowing through gateways may be disrupted during the upgrade process

  • The disruption may persist beyond the expected upgrade window

Workaround:

Schedule gateway upgrades during maintenance windows and monitor traffic after upgrade completion. Contact Aviatrix Support for assistance.

AVX-75000

Traffic loss may occur when gateways are upgraded from version 8.1.30 to 8.2.10.

Impact:

  • Traffic flowing through upgraded gateways may be disrupted

  • Multiple gateways may be affected simultaneously

Workaround:

Schedule gateway upgrades during maintenance windows. Upgrade gateways one at a time in HA pairs to minimize impact. Contact Aviatrix Support for assistance.

AVX-75299

Due to a temporary Oracle Cloud Infrastructure (OCI) Marketplace partner agreement issue, new OCI gateway images cannot be published for this release. OCI gateway pointers have been reverted to previous versions to ensure stability. As a result, OCI gateways will not receive patched images as part of this release.

Impact:

  • OCI gateways will not receive the latest patched images in this release

  • Customers using OCI gateways will remain on previous image versions until the OCI Marketplace issue is resolved

Workaround:

Contact Aviatrix Support for assistance with OCI gateway image updates.

AVX-75452

In Azure environments, when Distributed Cloud Firewall (DCF) Security Group Orchestration attaches a Network Security Group (NSG) to a subnet, the subnet name is changed to all lowercase. Although Azure resource names are generally case-insensitive, this modification causes issues with infrastructure-as-code tools such as Terraform, which treat resource names as case-sensitive. Terraform may flag affected subnets for replacement, potentially disrupting existing deployments.

Impact:

  • Subnet names in Azure are modified to lowercase when Security Group Orchestration attaches NSGs

  • Terraform plans may show unexpected resource replacements for affected subnets

  • Customer naming conventions in the cloud may be altered without consent

Workaround:

In Terraform, add a lifecycle block with ignore_changes for subnet_id (as well as id in the azurerm_subnet resource) to prevent forced resource replacement. Note that this workaround does not restore the original subnet name casing.

AVX-75582

In Azure environments, when a custom IAM policy blocks resource creation with a RequestDisallowedByPolicy error, the Aviatrix Controller unnecessarily retries the operation instead of failing immediately. Since this error requires manual policy changes to resolve, the repeated retries congest the Controller’s event handler, causing new gateway deployments to be delayed in reaching an operational state and spoke-to-transit attachments to fail.

Impact:

  • Gateway deployments may be significantly delayed due to unnecessary retry attempts

  • Spoke-to-transit attachments may fail while gateways remain in a waiting state

  • Controller event handler performance may be degraded

Workaround:

Update the Azure IAM policy to allow the required permissions for Aviatrix Controller resource operations before deploying new gateways.

AVX-75586

When using Terraform to create gateways and immediately attach them to transit gateways, a race condition can occur where the Terraform provider attempts to create the spoke-to-transit attachment before the gateway has fully transitioned to the "Up" state. The gateway creation API returns before the gateway is operationally ready, causing subsequent attachment operations to fail.

Impact:

  • Terraform-driven spoke-to-transit gateway attachments may fail intermittently

  • Gateway creation appears successful but the gateway is not yet operationally ready

  • Terraform apply operations may require re-running to complete successfully

Workaround:

Add a delay or polling mechanism in Terraform configurations between gateway creation and spoke-to-transit attachment resources. Use depends_on with a time_sleep resource to allow the gateway to reach the "Up" state before attempting attachment.
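The delay described in this workaround, as an added Terraform example (not taken from Aviatrix documentation). The resource labels, gateway names, account, VPC values and the 120-second duration are constructed placeholders; set the duration to how long gateways take to reach the "Up" state in your environment.

```hcl
terraform {
  required_providers {
    aviatrix = {
      source = "AviatrixSystems/aviatrix"
    }
    time = {
      source = "hashicorp/time"
    }
  }
}

# Constructed placeholder values throughout; replace with your own.
resource "aviatrix_spoke_gateway" "spoke" {
  cloud_type   = 1 # AWS
  account_name = "example-aws-account"
  gw_name      = "example-spoke-gw"
  vpc_id       = "vpc-00000000000000000"
  vpc_reg      = "us-east-1"
  gw_size      = "t3.small"
  subnet       = "10.10.0.0/24"
}

# Fixed delay that starts only after the gateway creation call has returned.
# The duration is an assumption, not a value from the release notes.
resource "time_sleep" "wait_for_spoke_up" {
  depends_on      = [aviatrix_spoke_gateway.spoke]
  create_duration = "120s"
}

# The attachment is ordered after the delay, not directly after the gateway.
# Referencing gw_name already orders it after the gateway; the explicit
# depends_on is what inserts the wait between the two.
resource "aviatrix_spoke_transit_attachment" "spoke_to_transit" {
  spoke_gw_name   = aviatrix_spoke_gateway.spoke.gw_name
  transit_gw_name = "example-transit-gw"

  depends_on = [time_sleep.wait_for_spoke_up]
}
```

A fixed sleep does not confirm the gateway state, so an apply that still fails on the attachment needs to be re-run or the duration increased.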

AVX-75607

Gateway launch may fail with a tls: bad certificate error when pulling container images. The Controller’s registry TTL eviction (garbage collection) may fire while images are being downloaded to the gateway, corrupting in-flight blob transfers. The gateway’s container initialization cannot complete, and the apache-spiffe-helper service exits with code 125.

Impact:

  • Gateway creation fails with tls: bad certificate or unexpected EOF errors during container image pull

  • The apache-spiffe-helper service crash-loops with exit code 125

  • Manual intervention is required to recover

Workaround:

Restart the avx-ctrl-appserver on the Controller to reset the registry state, then retry gateway creation. Contact Aviatrix Support for assistance.

AVX-75869

In OCI environments, security list rules may not be restored when a spoke gateway re-joins a transit gateway after a leave operation.

Impact:

  • Network security rules may be missing after spoke-transit re-attachment

  • Traffic may not be properly filtered by OCI security lists

Workaround:

Manually verify and restore security list rules after re-joining. Contact Aviatrix Support for assistance.

AVX-75872

A locking race condition between initial setup and post-upgrade actions may cause gateway configuration issues after upgrade.

Impact:

  • Gateway may not complete post-upgrade configuration correctly

  • Manual intervention may be required

Workaround:

Contact Aviatrix Support for assistance.

AVX-76132

Deploying more than one OpenVPN gateway behind a UDP load balancer is not supported and may fail.

Impact:

  • Only one OpenVPN gateway can be placed behind a UDP load balancer

  • Attempts to add additional gateways may fail

Workaround:

Use a single OpenVPN gateway behind each UDP load balancer. Contact Aviatrix Support for assistance.

AVX-76263

On Edge-as-a-Transit (EaT) gateways with IPsec peering, if the primary and secondary IP addresses on a network interface are swapped following network events such as VM reboot, cloud provider host maintenance, or gateway replacement/re-deployment, the gateway identifies itself with an incorrect source IP address to the Aviatrix Controller. As a result, the Controller generates a new pre-shared key (PSK) keyed to the incorrect IP identifier for the IPsec tunnel pair. Since the peer gateway retains the PSK associated with the original correct IP identifier, the IKE authentication exchange (IKE_AUTH) fails with an AUTHENTICATION_FAILED error, causing IPsec peering sessions to fail to establish.

Impact:

  • IPsec peering tunnels fail to come up after an interface IP swap

  • Affected EaT gateways cannot establish peering sessions with transit gateways

Workaround:

Contact Aviatrix Support for assistance.

AVX-76296

During routine gateway operations (such as resize or image upgrade) in GCP global VPC environments, traffic may be blackholed due to incorrect route handling.

Impact:

  • Traffic through the affected gateway may be dropped during operations

  • GCP global VPC routing may be temporarily disrupted

Workaround:

Schedule gateway operations during maintenance windows. Contact Aviatrix Support for assistance.

AVX-76413

After a Controller restart or recovery, gateways that were temporarily unreachable may not be given sufficient time to reconnect before being marked as permanently down.

Impact:

  • Gateways that are temporarily unreachable during a Controller restart may be incorrectly treated as permanently down

  • Unnecessary gateway replacement or failover actions may be triggered for gateways that would have reconnected given more time

Workaround:

None.