| AVX-58696 | TCP MSS clamping is not supported on Standalone Gateways in Release 7.1 and later. |
| AVX-59298 | In Aviatrix Controller 8.0 versions, when deploying Edge Spoke or Edge Transit Gateways in Megaport Virtual Edge (MVE), configuring fewer than 5 VNICs can result in the gateway failing to initialize. This issue occurs because cloud-init expects 5 interfaces. Workaround: To ensure the successful deployment of Edge Spoke or Edge Transit Gateways in MVE, configure the MVE with 5 VNICs. |
| AVX-59376 | When using Controller High Availability (HA) with Controllers version 8.0 and later, the standby Controller will fail to launch correctly. This is because the HA mechanism relies on a fixed software version specified in the Auto Scaling Group (ASG) launch template, but Controllers version 8.0 and later now require the version to be passed dynamically through cloud-init during instance creation. This issue occurs only in environments that use: Controller HA for Controllers version 8.0 and later, AWS Auto Scaling Group (ASG) launch templates, and the default CloudFormation HA deployment method. Workaround: Use the new CloudFormation template to enable AWS Controller High Availability. This template supports dynamic version injection and restores compatibility with Controllers version 8.0 and later in supported regions. For versions 7.x and earlier, use the existing CloudFormation script (without the v3 suffix). Note: This solution is not available in AWS regions that do not support Lambda Function URLs. |
| AVX-60731 | BGP Event Monitor on gateways may crash when receiving BGP route updates containing AS-SET or AS_CONFED_SET values in the AS-PATH attribute (such as {13908,17063,…}). This occurs because the system attempts to parse AS-SET entries as individual integers, resulting in a ValueError and causing the BGP monitoring process to exit. Impact: BGP monitoring service crash; affected routes are not processed or sent to the Controller; no BGP routes appear in /avx-northbound-v1/best_routes in etcd; systemd logs may show avx-bgpd-event-mon.service: Main process exited, code=exited, status=1/FAILURE. Workaround: Add a route-map on the upstream sender to strip or reject AS-SET entries. Alternatively, configure the Aviatrix gateway to reject AS-SET-containing routes manually if applicable. Resolution: Fixed in version 8.1.10 by enabling bgp reject-as-sets to automatically drop routes with AS-SET or AS_CONFED_SET values. |
| AVX-61355 | Azure Standard_B1ms SNAT-enabled Egress Spoke Gateways may experience significant throughput drops under high connection loads. This limitation is caused by the Azure Standard_B1ms instance type, which has limited compute and network resources. Workaround: Upsize the Spoke Gateway to a larger Azure instance type for workloads that require more than 10K concurrent connections or consistent network throughput. |
| AVX-62003 | Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages. Workaround: None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades. |
| AVX-62011 | Auto migration will not work from 7.2 to 8.0 when proxy is enabled. You must use a manual backup and restore process to perform the upgrade. Steps: 1. If your Controller software version is 7.2.5012 or older, upgrade both the Controller and Gateways to the latest 7.2 build. 2. Delete the proxy configuration from Controller UI > Settings > Advanced > Proxy. 3. Back up the Controller from Controller UI > Settings > Maintenance > Backup & Restore > Backup. 4. Shut down the old Controller. 5. Launch the new 8.0 Controller and transfer the EIP. 6. Once the 8.0 Controller is up, restore the Controller using the backup config from Controller UI > Settings > Maintenance > Backup & Restore > Restore. 7. Add back the proxy configuration from Controller UI > Settings > Advanced > Proxy. 8. Software upgrade the Gateways from version 7.2 to 8.0. |
| AVX-62147 | The Controller auto-migration and Gateway upgrade features do not function properly when the Aviatrix Controller has proxy settings enabled. In such environments, migration may fail, and you must follow a manual backup and restore process instead of using the standard auto-migration workflow. Check Whether You Are Affected: In Controller UI go to Settings > Advanced > Proxy. In CoPilot UI go to Settings > Configuration > Private Mode > Proxy Servers. If proxy configurations are present in either location, your deployment is affected. Workaround: 1. If the Controller is running version 7.2.5012 or earlier, upgrade to the latest 7.2 build first. 2. Delete the proxy configuration in the Controller UI. 3. Back up the Controller from Settings > Maintenance > Backup & Restore > Backup in the CoPilot UI. 4. Shut down the old Controller. 5. Launch a new Controller with version 8.0 and reassign the EIP. 6. Restore the backup in the new Controller. 7. Reconfigure the proxy settings. 8. Upgrade the Gateways from version 7.2 to 8.0. A maintenance window is recommended for this manual upgrade, as it involves Controller downtime and multiple steps. |
| AVX-62230 | When upgrading Aviatrix Gateways from version 7.2.x to 8.0.0 with TLS decryption enabled in Distributed Cloud Firewall (DCF), the Gateway automatically regenerates its TLS decryption certificate authority (CA). Because each Gateway maintains its own unique CA for security, the regenerated CA no longer matches the CA previously trusted by clients. Workaround: If you have imported your own proxy CA and key, you can re-import the same certificate and key after the Gateway upgrade to maintain trust continuity. If you rely on the Aviatrix-generated CA, after the Gateway upgrade, export the newly generated CA certificate and add it to the trust bundles on client systems to restore trust and resume decrypted connections. |
| AVX-62299 | When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. Workaround: Upgrade the PSF Gateway first. Wait for the PSF Gateway upgrade to complete successfully. Then upgrade the dependent Spoke Gateways. |
| AVX-62506 | During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity. Workaround: None. Recommendations: Schedule gateway upgrades during maintenance windows or low-traffic periods. Use HA deployments and upgrade gateways one at a time in HA pairs. Monitor logs for “Failed to load policy” messages to confirm when policies are reloaded. |
| AVX-62542 | In environments where Distributed Cloud Firewall (DCF) and customized SNAT are used together, DCF rules may fail to match traffic correctly when the same SmartGroups are specified in both the source and destination fields. This is because the system does not account for the translated source address during rule evaluation. Workaround: In earlier versions, avoid using 0.0.0.0/0 as the destination in SNAT rules. Instead, specify only the required destination CIDRs. |
| AVX-62636 | Distributed Cloud Firewall (DCF) is not officially supported on Edge gateways. Although DCF rules may appear to be deployed to Edge gateways, they are not fully validated and may not function correctly, especially in environments using NAT for overlapping IP address spaces. Workaround: Avoid applying DCF rules to Edge gateways in environments with NAT or overlapping IP ranges. Explicitly exclude Edge from DCF deployment by using the Provider Deployment API: POST /v2.5/api/microseg/deploy-policy with {"providers": ["AWS", "AZURE", "GCP"]} (include all desired cloud providers except “EDGE”). |
| AVX-62712 | When recreating a policy-based Site-to-Cloud (S2C) VPN connection after deleting a previous one with the same remote CIDR, the system may incorrectly report a CIDR overlap error, even though the original connection has been removed. This occurs because the system does not fully clean up the remote CIDR information. Workaround: Contact Aviatrix Support to manually clear the cached CIDR information. |
| AVX-62719 | The Distributed Cloud Firewall (DCF) policy writer writes approximately 40KB of data per gateway during each configuration snapshot, regardless of whether there are policy changes. In large deployments, this results in frequent and unnecessary write operations to the controller database. Workaround: There is no direct workaround at this time. Users operating at scale should monitor controller resource usage closely. Contact Aviatrix Support for evaluation and potential tuning options. |
| AVX-63016 | In Aviatrix Controller, newly added Additional CIDRs in OpenVPN split tunnel mode are not pushed to OpenVPN clients. This occurs because the OpenVPN service does not automatically restart after CIDR updates. Workaround 1: Stop and restart the gateway instance from the CSP console. Workaround 2: Request Support to restart the OVPN service on the gateway. Note: Both workarounds are traffic-impacting and must be performed during a scheduled maintenance window. Resolution: Fixed in versions 8.0.10 and 8.1.0. |
| AVX-63175 | In Aviatrix Controller version 8.0, Edge Gateway version numbers may be incorrectly updated in the Controller UI after the gateway comes back online from a down state. This occurs even when no new software installation has taken place. Workaround: Maintain a separate record of installed Gateway versions outside the Controller. Use the Edge Gateway’s local console or logs to verify the current version when planning upgrades or diagnosing issues. Note: This issue only affects Edge Gateways. Cloud provider (CSP) Gateways in AWS, Azure, GCP, or OCI are not affected. |
| AVX-63224 | In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time. Recommendations: Allocate approximately 20% more time for gateway upgrades. For large environments (for example, 1,000+ gateways), plan for 90–120 minutes of upgrade time. Schedule upgrades during maintenance windows to accommodate the longer duration. |
| AVX-63334 | Aviatrix Edge Gateways deployed on Equinix Network Edge and certain VMware environments may experience issues with root disk resizing during initial setup. The root filesystem might not expand to utilize the full allocated disk space. Workaround: Contact Aviatrix Support for assistance. |
| AVX-63522 | On GCP (Google Cloud Platform) gateways with FireNet or BGPoLAN enabled, additional interfaces may be incorrectly configured with subnet-based netmasks instead of the required /32 prefix. This misconfiguration can cause routing problems and break connectivity between gateways and remote end devices. Workaround: Upgrade gateways to version 7.2.7.2.5097 or later, 8.0.10 or later, or 8.1.0 or later. Contact support to have the routes corrected manually. Resolution: Fixed in version 8.0.10, 8.1.0 and 7.2.7.2.5097. |
| AVX-63608 | In earlier versions, gateway resize operations may fail with a KeyError: 'src' during the resize process. This occurred when peer tunnel data lacked the expected structure, blocking resize attempts including those used for recovery from config_fail states. Workaround: If urgent, delete and recreate the gateway. Contact Aviatrix Support for assistance with recovery options. Resolution: Fixed in release 8.0.10 and later. |
| AVX-63816 | In versions prior to 8.0.0, the Public Internet SmartGroup includes the RFC6598 Shared Address Space (100.64.0.0/10). Starting in version 8.0.0, this range is excluded from new installations to improve Layer 7 (L7) traffic inspection and policy enforcement. However, during upgrades to 8.0.0, the existing configuration is retained, and the 100.64.0.0/10 range is not automatically removed. Workaround: Clone the existing Public Internet SmartGroup, remove 100.64.0.0/10 from the cloned group, and update your policies to use the custom SmartGroup. Recommendation: After upgrading to version 8.0.0, review your SmartGroup configuration if your deployment uses the 100.64.0.0/10 range in DCF rules. |
| AVX-63846 | In the CoPilot UI, Groups > SmartGroups and Groups > ExternalGroups with multiple filters may not appear as originally configured after being saved. While policy enforcement is correct, the UI may display missing or merged filter sets, leading to ambiguity and confusion during review or editing. Workaround: There is no workaround at this time. If possible, avoid using multiple filter sets in a single group until the issue is resolved. |
| AVX-63883 | In Aviatrix Controller version 8.0.0, you may encounter a problem when creating or modifying Distributed Cloud Firewall (DCF) rules using either the CoPilot UI or Terraform. In the CoPilot UI, the ruleset may not display correctly and the “Commit” button may be non-functional. When using Terraform, an error may occur indicating that the DCF policy API is unavailable. Workaround: Contact Aviatrix Support. They can run a script to restore the missing policy list without requiring a full upgrade. |
| AVX-64015 | Jumbo Frame support cannot be enabled on BGPoLAN (BGP over LAN) connections for AWS HPE gateways. In version 8.0.0, Jumbo Frame support can only be enabled when creating a new BGPoLAN connection on AWS HPE gateways. Editing an existing connection to enable Jumbo Frames is not supported. Workaround: None. To enable Jumbo Frame support, delete the existing connection and recreate it with the setting enabled. |
| AVX-64136 | In OCI environments, new CIDRs added to a VCN via the OCI console may not be reflected in the Controller after the initial spoke-transit attachment. As a result, users cannot create gateways in the newly added CIDRs, and the CIDR will not appear in the subnet selection dropdown. Workaround: Add both the original and newly added CIDRs to the Customized Spoke Advertised VPC CIDRs field in the Controller. |
| AVX-64196 | IPSec diagnostics in the Controller UI do not display logs for non-Equinix Edge Gateways (such as AEP or self-managed Edge Gateways). When accessing the diagnostics page for these gateways, the IPSec log section may appear empty, even if IPSec tunnels are operating correctly. Workaround: Use tunnel status and statistics to verify IPSec operation. Note: This is a UI diagnostic issue only. IPSec tunnel functionality is not impacted. |
| AVX-64213 | When deploying Edge Gateways using images g3-202504251522 and g3-202504251525, the root disk may be incorrectly sized after the VM boots and the ZTP (Zero Touch Provisioning) process runs. Even if the VM is created with a 64GB disk, the root filesystem may be limited to only 12GB. Workaround: Manual resizing of the root partition and filesystem is required. Please contact Aviatrix Support for assistance, as this step cannot be performed independently. |
| AVX-64339 | AWS t3.small and t3.medium instances used for Egress Spoke Gateways have limited connection tracking capacity, which can affect performance in high-connection environments. Affected Versions: 7.2.4996, 8.0.0, 8.1.0. Impact: t3.medium supports around 25,000 concurrent connections; IDS-enabled DCF rules can reduce this to about 2,000; when limits are exceeded, traffic may drop and SSH access to the gateway may fail. Workaround: Use larger instance types such as c5.xlarge or c6in.large for applications requiring high concurrent connections. Avoid or remove IDS-enabled DCF rules if high connection capacity is needed. Monitor conntrack usage using platform tools or gateway diagnostics. |
| AVX-64447 | Site2Cloud High Availability (HA) tunnels may not behave correctly when toggling between Active/Active and Active/Standby modes. Problem 1: When disabling Active/Active HA, the HA Gateway may retain metric 100 routes pointing to tunnel interfaces in the Gateway Route table, even though they should be removed. Problem 2: When enabling Active/Active HA from Active/Standby, the HA Gateway tunnel may not be properly enabled, resulting in missing routes despite the UI showing Active/Active status. Workaround: Contact Aviatrix Support for assistance. |
| AVX-64483 | Creating a Secondary or HA Transit/Spoke Edge Gateway on a Dell appliance currently fails due to a backend issue. Workaround: Contact Aviatrix Support for assistance. |
| AVX-64502 | On Azure gateways with High Performance Encryption (HPE) enabled, an underlay network issue may cause the eth0 interface to drop, resulting in an interface flap. When this occurs, the DHCP-assigned primary IP address may be released while the static IP remains, resulting in one of the static IPs being promoted as the primary address. Impact: The gateway and its associated tunnels may go down, resulting in traffic disruption. Workaround: Stop and start the affected gateway from the cloud service provider console. |
| AVX-64741 | After an image upgrade on a Transit Gateway that is attached to an edge gateway, while the transit peering connections may establish successfully, the status may not reach the controller due to an IP address parsing exception. This may impact route propagation. Symptoms: Transit peering status displays as UNKNOWN in the controller; S2C tunnel status displays UNKNOWN in the controller; route exchange between impacted tunnels is blocked. Workaround: Contact Aviatrix Support if you need to perform an image upgrade of a Transit Gateway (attached to an edge gateway) to software version 7.2.5090. Resolution: Fixed in version 8.0.10 and 8.1. |
| AVX-64767 | Customers using the Site-to-Cloud (S2C) mapped NAT feature at scale may encounter a performance regression and higher than normal packet drops after upgrading their gateways to version 7.1.4208, 7.2.5090 or 8.0.0. Contact Aviatrix Support before proceeding with the upgrade. |
| AVX-64774 | On GCP Controllers, backup restoration may fail when restoring from earlier versions—for example, from version 7.2.5090 to 8.0.0 or later. The issue occurs during the backup upload process and is caused by a redirect error in the Google Cloud Storage API. Workaround: Retry the restoration after upgrading to 8.0.10 or later. Ensure GCP backup settings are correctly enabled in the Controller. Resolution: Fixed in the latest builds of 8.0.10 and 8.1.10. |
| AVX-64794 | When Distributed Cloud Firewall (DCF) is enabled, policy-based Site-to-Cloud (S2C) traffic may be misclassified due to how the traffic flows through the gateway. This can lead to unintended blocking or incorrect policy enforcement. Workaround: Consider using route-based S2C VPNs, where plaintext traffic traverses a dedicated tunnel interface and is classified correctly by DCF. Temporarily disable DCF on gateways handling policy-based S2C connections if misclassification impacts production traffic. |
| AVX-64868 | In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI. Impact: Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing. No impact on actual VRRP traffic handling or failover behavior. Workaround: Use diagnostic logs to verify actual VRRP state. |
| AVX-65016 | In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes. Workaround: Contact Aviatrix Support for manual correction. |
| AVX-65050 | In earlier versions, Distributed Cloud Firewall (DCF) policies may not be applied correctly to Azure gateways due to Cloud Asset Inventory (CAI) failing to resolve Azure subnets. This is caused by missing Azure VNET GUIDs in the CAI database during upgrades. Workaround: Use the recovery procedure to clear and re-cache Azure resource metadata: delete CAI cache entries, restart the asset service, and force asset polling using asset-cli fetcher forcepoll. For severe cases, delete Azure CAI entries and trigger a full refresh. Resolution: Fixed in version 8.0.10 and later. |
| AVX-65213 | In earlier versions, system diagnostics could fail with an AttributeError ('NoneType' object has no attribute 'role') during migration or health check operations. The issue occurred when CloudXD process data returned None during the system info collection. Workaround: Retry the diagnostic operation. Restart the Controller if needed. Resolution: Fixed in 8.0.10 and 8.1.0. |
| AVX-65252 | The current API allows creating a WebGroup that includes both Domains and URLs entries. This mixed configuration is not supported and causes the configuration push to fail in a way that may not be immediately obvious. Workaround: Do not create WebGroups that combine both Domain and URL filters. Separate them into distinct WebGroups. |
| AVX-65386 | A known issue prevents successful upgrades to Controller version 8.0.0 if the configuration contains Distributed Cloud Firewall (DCF) policies with duplicate names. Workaround: Before upgrading to version 8.0.0, check your DCF policies for duplicate names, ensure all policy names are unique, and rename any duplicates before starting the upgrade. Recommendations: Always perform a dry-run upgrade if possible. Back up your Controller configuration before upgrading. Review DCF policy names for uniqueness as part of your pre-upgrade checklist. |
| AVX-65565 | In earlier versions, disabling Distributed Cloud Firewall (DCF) features (such as Site-to-Cloud DCF) may not fully remove all eBPF programs from gateway interfaces. This could leave orphaned filtering logic on interfaces, leading to inconsistent gateway state. Workaround: Manually restart the gateway to remove residual eBPF programs. Re-enable and then cleanly disable DCF policies again to force cleanup logic. Resolution: Fixed in releases 8.0.10, 8.1.0, and later. |
| AVX-65698 | In earlier versions, gateways running Distributed Cloud Firewall (DCF) could reboot due to a memory leak in the Traffic Server (TS_MAIN process). This occurred in environments with ThreatIQ external groups and a high number of DCF rules, where traffic was continuously sent to threat IPs, particularly on ports 80/443. Workaround: Reduce the number of active DCF threat rules where possible. Monitor memory usage closely during high-load scenarios. |
| AVX-66162 | DNAT and SNAT (Destination/Source NAT) configuration updates may fail on gateways that have policy-based Site2Cloud tunnels. When attempting to add, modify, or delete DNAT and SNAT rules in the Controller UI, the operation can fail with an error. Workaround: No direct workaround is available. Customers can contact Aviatrix Support for assistance with manual configuration updates. |
| AVX-66961 | In earlier versions, gateways running Distributed Cloud Firewall (DCF) with WebGroups enabled may encounter a memory leak in the Traffic Server (TS_MAIN process), leading to gateway memory exhaustion and potential traffic disruption. Workaround: Monitor gateway memory usage. If usage exceeds the defined threshold, contact Aviatrix Support to restart the ATS process. |
| AVX-67128 | During migration to Controller version 8.0.0, user-uploaded SSL certificates are not automatically restored. This may impact secure access to the Controller UI via FQDN (Fully Qualified Domain Name) after migration. Workaround: Manually re-upload the existing SSL certificate to the new Controller after migration: Controller UI: Settings > Controller > Certificate > Import Certificate with Key. CoPilot UI: Settings > Configuration > Controller Certificate > Upload Certificate with Key. |
| AVX-68308 | Gateway resize operations could fail with a KeyError: 'src' exception in UserConnect 7.2 environments, particularly for customers with non-HPE peering configurations that were upgraded from earlier versions (for example, 6.6 → 7.2). This issue prevents users from being able to resize gateways as the gateway enters a config_fail state. Workaround: There is no direct workaround available. Contact Aviatrix Support for assistance. Resolution: Fixed the gateway resize logic to properly handle missing src fields in peering database records. |
| AVX-70123 | When upgrading from Controller 8.0.x to 8.1.x, the upgrade may fail to complete due to incorrect database schema type definitions. As a result, the controller remains on version 8. |
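
The parsing failure described for AVX-60731, shown beside a tolerant parser that applies the same drop policy as the fix, as an added example that is not Aviatrix code. It assumes the FRR-style textual rendering of AS_PATH segments noted in the comments; all function names, verdict strings and sample paths are hypothetical.

```python
import re
from dataclasses import dataclass

# Assumed textual rendering of AS_PATH segments (FRR-style):
#   65001 65002     AS_SEQUENCE
#   {13908,17063}   AS_SET
#   (65010 65011)   AS_CONFED_SEQUENCE
#   [65012,65013]   AS_CONFED_SET
_TOKEN = re.compile(r"\{[^{}]*\}|\[[^\[\]]*\]|\([^()]*\)|[^\s{}\[\]()]+")
_KIND = {"{": "AS_SET", "[": "AS_CONFED_SET", "(": "AS_CONFED_SEQUENCE"}
_SET_KINDS = {"AS_SET", "AS_CONFED_SET"}

class MalformedASPath(ValueError):
    """Raised for text that is not a well-formed AS_PATH rendering."""

@dataclass(frozen=True)
class Segment:
    kind: str
    asns: tuple

def _asn(token):
    # Accept asplain 32-bit AS numbers only.
    if not re.fullmatch(r"[0-9]{1,10}", token) or int(token) > 0xFFFFFFFF:
        raise MalformedASPath(f"bad AS number: {token!r}")
    return int(token)

def naive_parse(path):
    # Failure mode from the table: "{13908,17063}" is not an int -> ValueError.
    return [int(tok) for tok in path.split()]

def parse_as_path(path):
    segments, sequence, pos = [], [], 0
    def flush():
        # Close the run of plain AS numbers collected so far.
        if sequence:
            segments.append(Segment("AS_SEQUENCE", tuple(sequence)))
            sequence.clear()
    for match in _TOKEN.finditer(path):
        if path[pos:match.start()].strip():  # stray or unbalanced bracket
            raise MalformedASPath(f"unexpected text at offset {pos}")
        pos, token = match.end(), match.group()
        kind = _KIND.get(token[0])
        if kind is None:
            sequence.append(_asn(token))
            continue
        flush()
        parts = re.split(r"[,\s]+", token[1:-1].strip())
        members = tuple(_asn(p) for p in parts if p)
        if not members:
            raise MalformedASPath(f"empty {kind} segment")
        segments.append(Segment(kind, members))
    if path[pos:].strip():
        raise MalformedASPath(f"unexpected text at offset {pos}")
    flush()
    return segments

def classify_update(path):
    """Return (verdict, detail); never raises on a bad AS_PATH string."""
    try:
        segments = parse_as_path(path)
    except MalformedASPath as exc:
        return "drop-malformed", str(exc)
    if any(seg.kind in _SET_KINDS for seg in segments):
        return "reject-as-set", segments
    return "accept", segments

# Constructed sample AS_PATH strings, not captured from a real gateway.
SAMPLES = [
    "65001 65002 64512",
    "65001 {13908,17063} 64512",
    "(65010 65011) 65001 [65012,65013]",
    "65001 {13908,17063",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:40} -> {classify_update(sample)[0]}")
```

The point of `classify_update` is that one unparsable or policy-violating update yields a per-route verdict instead of terminating the monitoring process.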