Aviatrix Controller and Gateway Software Release Notes

AVX-50895

Customers using an Aviatrix Controller to orchestrate AWS Transit Gateways (TGWs), can encounter a software defect wherein the Aviatrix software might raise a false positive warning about duplicated CIDRs which could impact route propagation.

This issue occurs when you have two or more AWS TGWs and have TGW peering between them. The false positive warning can be raised on unrelated VPCs. If there are duplicated CIDRs in any TGW attachments in peered TGWs, routing propagation could be impacted.

AVX-45598

(AWS) When you add a UserVPN Load Balancer to the UserVPN User Accelerator in the Aviatrix Controller before the Load Balancer state becomes active in the Cloud Service Provider, the Controller may throw an exception: “command vpn_user_xlr failed due to exception errors 'HealthState'<p></p>. An email notification with exception reason and trace log has been sent to exceptions@aviatrix.com for troubleshooting. Please feel free to contact Aviatrix Support.

To resolve this issue: Delete the endpoint group associated with the Load Balancer from the Global Accelerator configuration through the Cloud Service Provider console. Then, re-associate the Load Balancer with the Global Accelerator through the Aviatrix Controller UI.

AVX-45782

AVX-47437

The traceroute for an Edge Gateway may display an incorrect value for the Edge Gateway Interface.

AVX-48456

AVX-49015

If you change your Jumbo Frame configuration for Edge Gateways, that configuration change is not propagated to existing VLAN sub-interfaces.

If you experience this issue and need to change your Jumbo Frame configuration, make the configuration change and then delete and recreate all existing VLAN sub-interfaces.

AVX-49375

When you try to create a GCP Palo Alto firewall instance using a certain version of a Palo Alto image, the instance creation fails. The affected versions are versions of the Palo Alto Networks Next-Generation Firewall BUNDLE that contain the letter “h,” such as “8.1.25-h1.”

If you experience this issue, choose a Palo Alto Networks image version that does not contain the letter “h.” New Check Point and FortiGate Fortinet instance deployments are unaffected.

AVX-50076

The Aviatrix Controller now only displays the metrics for the last hour, in Dashboard > Controller Metrics or Gateway Metrics. For detailed Gateway metrics, please use Aviatrix CoPilot.

AVX-26567

A FireNet Egress FQDN gateway was dropping traffic.

AVX-36054

AVX-36996

(Azure) After an Azure FireNet FQDN Egress gateway image upgrade, the gateway goes into the “config_fail” state. To resolve this issue, try restarting the gateway. If the gateway state does not change, please contact Aviatrix Support.

AVX-38843

AVX-39477

When you tried to do an image upgrade or a software rollback for a BGP-enabled gateway on which you applied the “remove-unnecessary-packages-from-gateway” software patch, the operation may have failed.

AVX-39662

(GCP) Upgrading a GCP Transit Gateway with BGPoLAN and Firenet features enabled might have resulted in the loss of direct connectivity to the on-site firewall appliance.

AVX-41223

At the early stage of the gateway initialization, if you configured SSM agents to patch your Ubuntu servers automatically, the gateway initialization process may have failed.

AVX-41361

If a domain name used in an Egress FQDN tag had a long DNS record, attaching that FQDN tag to a gateway could fail. The error given was “command hostname_filter failed due to exception errors invalid IPNetwork.” An email notification was sent.

AVX-41555

When a Controller was in Private Mode and you opened the Firewall page and tried to select a subnet, nothing appeared in the dropdown menu.

AVX-41680

If a Gateway Transit-Spoke attachment was deployed before version 6.2.1742 and one of the Transit Gateway tunnels went down, then the connected Spoke Gateway CIDRs would be removed from the Transit Gateway’s routing tables, causing a traffic outage.

AVX-41693

Linux auditd logs filled the disk space of some instances.

AVX-42269

(GCP) In GCP, if the gateway deployment fails due to CSP (Cloud Service Provider) errors, the rollback fails due to the configuration being in an inconsistent state.

AVX-42706

FortiGate Firewalls failed to launch due to using an incorrect template on the Controller.

AVX-42789

Increased the length of time before an attempt to Encrypt Existing Gateways times out. This improvement helps avoid an encryption failure you would receive if the encryption timed out too soon. The warning message for that encryption failure was: Encryption failed. Waiter SnapshotCompleted failed: Max attempts exceeded.

AVX-43028

On a newly registered CloudN, users could not create attachments to multiple transits from a single CloudN Gateway.

AVX-43362

Aviatrix’s Single AZ HA (Availability Zone High Availability HA) feature would restart a gateway if it found that the gateway had gone down. Due to a timing issue between the process handling the feature and detecting the gateway state, it was possible for the gateway to go into a repeated stop-and-start loop. Disabling the Single AZ HA feature would break the loop.

AVX-43663

There was a memory leak in a firewall monitoring task. The memory leak was proportional to the number of firewalls in the network.

AVX-44022

In Distributed Cloud Firewall, rules inserted by Terraform or by API call were incorrectly evaluated in order of entry instead of order of priority. This issue only affected accounts that used the preview features WebGroups or decrypted IDS.

Note that with this fix, the rules may be rearranged as they are reordered by priority. This correction may change the behavior in your account.

Action required: To determine whether your configuration is affected, please check the ordering of the rules in your Terraform definition or API call. If they are not ordered by priority, reorder them by priority and check affected traffic and expected behavior.

AVX-44023

When running Aviatrix Edge on a Dell R450 device, when you configured a Transit Gateway attachment with HPE (High Performance Encryption) mode, you could not set the tunnel count to more than two.

AVX-44255

When you tried to do a dry run for a Controller software version upgrade with more than one version in the pending list for upgrading and chose “latest” as the default version for the upgrade, the Controller incorrectly ran the dry run for the last version to upgrade to instead of the next upgrade version. For example, if you ran a dry run for 6.9 > 7.0 > 7.1, the Controller ran the dry run for 7.1 instead of 7.0.

AVX-44526

VPN NAT for gateway traffic did not work as expected due to a NAT-related misconfiguration in the iptable rules.

Action required: If you experience a VPN NAT issue after upgrading to this software version, disable and reenable your UserVPN NAT configuration.

AVX-44673

When you changed the tunnel count for an existing Spoke-Transit HPE (High-Performance Encryption) peering, some tunnels may not have come up.

AVX-44812

Deployments with a Utility license were unable to view some license details.

AVX-44974

(Azure) When Transit Gateways had Active-Standby enabled and the Active Transit Gateway was down, the attached Azure Native Spoke VNet route tables failed to switchover routes.

AVX-45853

A Controller web page loading issue occurred when you tried to edit any FQDN tag other than the first one in the row table.

AVX-45873

When you used a link local address as an IPSec peer address, a Controller upgrade to release 6.8.1148 would drop traffic.

AVX-45897

On the Site2Cloud Details page in the Controller, the message “Authentication Type: null” was displayed for Site2Cloud connections even though there was a PSK authentication. Now, the page correctly displays “Authentication Type: psk” where PSK is the Authentication Type.

AVX-46098

When an Egress Filtering Gateway had a base Stateful Firewall policy of DENY, the gateway added the DROP rule from the base policy instead of letting the packets flow to the egress filter. The Egress Filtering Gateway should not have the DROP rule from the Stateful Firewall base policy. Instead, the packets should be allowed to flow to the egress filter.

AVX-46462

An HPE gateway resize could fail if the gateway had a peering with a gateway from release 6.7.1148 or earlier, as the new peering had additional fields in the structure.

AVX-46788

The Controller would not disable the Access Security feature during a Controller restore if the feature was not enabled in the backup configuration.

AVX-47027

(OCI Gov) OCI Gov gateways failed to launch.

AVX-47234

Previously, the S2C RX Balancing feature was supported only on AWS C5 and C5n gateway sizes. S2C RX Balancing now supports AWS C6in instances. Now, you can upgrade your gateway instance size to C6in and enable S2C RX Balancing.

AVX-47486

(AWS) Starting with software release 7.0.1307, AWS Gateways enabled tags in the instance metadata service. As a result, the tag keys used on the instance had to match this pattern: ([0-9a-zA-Z\\-_+=,.@:]{1,255}), and could not be a reserved name ('.', ‘..', '_index').

Image upgrades and new gateway creations would fail if tag keys in the instance metadata did not manage the requirements above.

AVX-47764

(AWS) When a VPC was attached to an AWS Transit Gateway (TGW), if you deleted one of the Spoke VPC Advertised CIDRs, the routes in associated Transit Gateways were not correctly updated.

AVX-47795

An issue with reading the Controller time zone caused the Controller to send false alerts about an expired PKI agent certificate on gateways.

AVX-48007

(Azure) When a VNet is created with intra-VPC resources enabled, any Aviatrix resources created (NSG or ASG), had a tag with the key “Aviatrix-Created-Resource Value.” Now, Aviatrix-created NSGs or ASGs have tags with the key “Aviatrix-Created-Resource.”

Action required: For NSG/ASGs created before this software release, you must fix the tag manually in your Azure account.

AVX-48193

When a Transit Gateway had a Stateful Firewall policy configured that uses tags, creating or deleting BGP connections on the Transit Gateway could fail. The BGP connection change may have appeared to have completed successfully, but the updated configuration was not applied on the gateway.

AVX-48337

(AWS) The Controller was sending too many API requests to AWS to query route tables. AWS could respond with duplicate route table information.

AVX-48457

(AWS) AWS Gateways with tags that did not match new AWS requirements caused metadata service to fail to turn on.

AVX-48931

When you detached and reattached a CloudN attachment to an Aviatrix Transit Gateway that had any Stateful Firewall rules that used Stateful Firewall Tags, the BGP configuration incorrectly remained on the gateways.

AVX-49236

(OCI) After an OCI gateway image upgrade, several routing tables within several VCNs were missing the default route, 0.0.0.0/0.

AVX-45598

(AWS) When you add a UserVPN Load Balancer to the UserVPN User Accelerator in the Aviatrix Controller before the Load Balancer state becomes active in the Cloud Service Provider, the Controller may throw an exception: “command vpn_user_xlr failed due to exception errors 'HealthState'<p></p>. An email notification with exception reason and trace log has been sent to exceptions@aviatrix.com for troubleshooting. Please feel free to contact Aviatrix Support.

To resolve this issue: Delete the endpoint group associated with the Load Balancer from the Global Accelerator configuration through the Cloud Service Provider console. Then, re-associate the Load Balancer with the Global Accelerator through the Aviatrix Controller UI.

AVX-45782

AVX-47437

The traceroute for an Edge Gateway may display an incorrect value for the Edge Gateway Interface.

AVX-48456

AVX-49015

If you change your Jumbo Frame configuration for Edge Gateways, that configuration change is not propagated to existing VLAN sub-interfaces.

If you experience this issue and need to change your Jumbo Frame configuration, make the configuration change and then delete and recreate all existing VLAN sub-interfaces.

AVX-49375

When you try to create a GCP Palo Alto firewall instance using a certain version of a Palo Alto image, the instance creation fails. The affected versions are versions of the Palo Alto Networks Next-Generation Firewall BUNDLE that contain the letter “h,” such as “8.1.25-h1.”

If you experience this issue, choose a Palo Alto Networks image version that does not contain the letter “h.” New Check Point and FortiGate Fortinet instance deployments are unaffected.

AVX-50076

The Aviatrix Controller now only displays the metrics for the last hour, in Dashboard > Controller Metrics or Gateway Metrics. For detailed Gateway metrics, please use Aviatrix CoPilot.

AVX-39662

(GCP) Upgrading a GCP Transit Gateway with BGPoLAN and Firenet features enabled might have resulted in the loss of direct connectivity to firewall appliance management.

AVX-43547

On a newly registered CloudN, users could not create attachments to multiple transits from a single CloudN Gateway.

AVX-43545

When you updated the credentials of your cloud access accounts, the Aviatrix Controller could no longer get the latest status of the resources (for example, instances or VPCs) in your Cloud Service Providers: AWS, Azure, or GCP.

AVX-43549

Removing the Egress FQDN tag from a gateway could result in the uninstalling of the hostname filtering service (avx-hostname-filter). Adding the tag back didn’t reinstall the service and the feature did not work.

AVX-43550

A Stateful Firewall rule allowing reverse-path traffic flows was temporarily removed during a software upgrade.

AVX-43552

A previous method for adding new metrics to interface RRD files caused unnecessary delay and decreased performance. Resolved this issue so that the new metrics are available without the extra expense of time and performance. You must upgrade to software version 7.0.2004 or 7.1.2131 or later to access the new metrics.

AVX-43863

(GCP) A tag issue prevented the Global VPC feature for Spoke Gateways from being enabled or disabled properly.

AVX-44022

AVX-44818

AVX-45566

AVX-45569

Linux auditd logs filled the disk space of some instances.

AVX-45571

(Azure) After an Azure FireNet-enabled gateway image upgrade, the gateway went into the “config_fail” state.

AVX-45630

(GCP and AWS) There was a connectivity issue between workloads behind Aviatrix Gateways within GCP and workloads in GCP VPCs and AWS gateways. GCP has a default MTU of 1460, while AWS has a default MTU of 1500.

AVX-48199

(GCP) Controllers that manage GCP resources may run into errors when a new Controller instance is started (via Controller High Availability or Controller Migration) or when a new GCP account is onboarded.

AVX-44987

After multiple Controller migrations and upgrades, the Spire Nodes page (Controller > Troubleshoot > Diagnostics > mTLS > Spire Nodes) may have duplicate gateway entries. To re-attest a gateway with duplicate entries, select the gateway and click Re-Attest.

AVX-45156

AVX-45682

A rare issue with a gateway software upgrade may cause the BGP neighbor status to go down. To resolve this issue, restart the gateway.

AVX-45684

AVX-45685

AVX-43137

If your Aviatrix Controller image was from 2022 or newer, a dependency caused an upgrade failure to 7.0.1724 or 7.1.1187.

AVX-1470

During Panorama vendor integration, a configuration using the same template or template stack on both primary and HA (High Availability) gateways was blocked, as there would have been a routing issue.

AVX-21689

(GCP) When two VPN gateways without ELBs (External Load Balancers) were deployed in two different regions in GCP, after adding VPN user to the first VPN GW, you could not add a VPN user to the second gateway.

AVX-25209

The Aviatrix rsyslog may have unexpectedly stopped forwarding logging packets to remote server(s).

AVX-26234

With inter-region HPE (High-Performance Encryption) transit peering between gateways, application traffic across the regions was failing. Packets were not getting clamped to TCP MSS 1370 for inter-region vs intra-region traffic.

AVX-27704

When a gateway had too many routes, the CoPilot Cloud Routes page did not display anything.

AVX-30518

After enabling CoPilot Security Group management, an error occurred: you could not enable copilot security group management. Rest API enable_copilot_sg POST failed, and then Controller was unable to initialize Aviatrix Gateways.

AVX-32351

During Packet Capture, if you clicked Download multiple times, you received an error message: “Failed to open file.” Now, you can download successfully even if you click Download multiple times.

AVX-32730

You could not modify a UserVPN LDAP configuration and upload CA certificate when more than one VPN Gateway was deployed behind a load-balancer.

AVX-32904

If the Edge node could not access the Aviatrix release server because of a firewall setting or because the Management was over a private network, enabling the FIPS caused the Edge gateway to fail. The gateway could not be recovered.

AVX-32921

Some VPN user traffic to certain destinations was dropped on the VPN Gateway. This issue could occur when the VPN Gateway was rebooted and old VPN profile rules were not cleaned up from the system iptables.

AVX-33510

(GCP) All GCP gateways reached 100% CPU Utilization at the same time.

AVX-33814

When a Controller account had too many Site2Cloud connections, Multicloud Transit Segmentation pages failed to load.

AVX-33917

If you had set a custom NetFlow certificate domain when in Private Mode, NetFlow and Syslog data could not be sent to Aviatrix CoPilot.

AVX-34163

When your Controller was deployed in Private Mode, enabling NetFlow on a gateway failed. The iptables rules associated with NetFlow would not be installed, and the gateway configuration failed.

AVX-34401

After the Controller was updated to the 6.7.1376 software version with the AVX-25632 bug fix, you could not attach a CloudN as a Gateway (CaaG) to an Azure Transit Gateway.

AVX-34487

A gateway upgrade may have failed if the gateway could not reach the Internet and install the Linux sysstat package.

AVX-34540

When you configured NAT and NetFlow on a gateway and rebooted it, the NAT rules were accidentally removed.

AVX-34823

(AWS and Azure) In AWS accounts in the Controller that were onboarded using a key and secret instead of IAM Roles, an error occurred when you tried to bring up an Azure gateway.

AVX-34845

Removed a file from managed CloudN or the CaaG device during an upgrade to improve security.

AVX-34872

On a newly-deployed Controller or gateways, if multiple syslog profiles were configured, data was only forwarded on the most recently saved profile.

AVX-35096

(Azure) An API error may have caused the Controller to become unresponsive.

AVX-35549

(Azure, US East region) A default route advertised from on-prem was not written to the VNet route table.

AVX-35646

Previously, the gateway name reported in logs generated by the HTTP/HTTPS FQDN enforcer was “NA.” Now, the gateway name is correctly reported for newly created gateways.

AVX-35728

If an incorrect passphrase was entered when attempting to enable SSH access to your Controller, a bug was causing all the keys for on-prem managed CloudN or CaaG devices to be removed.

AVX-35844

(AWS) When you had a Transit Gateway attached to an AWS TGW and many Site2Cloud connections, the TGW list and plan page loaded slowly.

AVX-35958

The primary and HA gateway shared the same remote IP configuration.

AVX-36147

Configuring customized SNAT policies on a Spoke Gateway via Terraform failed.

AVX-36249

In Private Mode, when the Controller’s proxy was set up, gateway diagnostics and an upgrade dry run would incorrectly show a status failure.

AVX-36387

(AWS) You received a gateway error message, “Missing account or VPC,” when you tried to bring up a gateway.

AVX-36546

FlightPath may have incorrectly shown Spoke and Transit Gateway routes as inactive if the Controller and Gateways were using the following software versions: 7.0.1373, 7.0.1383, 6.9.308, or 6.8.1483.

AVX-36794

If a Spoke Gateway has multiple Custom Mapped or Mapped Site2Cloud connections, Forward Traffic to Transit configuration enabled, and the same virtual destination CIDRs are configured in other Site2Cloud connections, a failover in one connection will cause TCP sessions belonging to the other connections to drop.

AVX-36893

A Controller restore may have failed if the Controller had some dangled files.

AVX-36913

(GCP) GCP gateways may have experienced CPU spikes every 10 minutes.

AVX-36971

A gateway instance could shut down as you used the Monitor Gateway Subnet feature.

AVX-37020

(Azure) Upgrading certain older Azure gateways was unsuccessful because they did not have the “gw_subnet_cidr” attribute.

AVX-37066

Under certain conditions, when you tried to download Egress FQDN logs or stats, the download failed and you received an error message: "…​ 'utf-8' codec can’t decode byte …​"

VX-37120

Editing the Stateful Firewall policy for a gateway could fail when a large amount of rules were added to the policy.

AVX-37394

(Azure) An Azure FireNet route table would fill up and not allow any more gateways after you attached more than 400 non-HPE Spoke Gateways.

AVX-37801

(Azure) Deleting an Azure Spoke Gateway incorrectly deleted user-created RFC1918 routes in the VNet route table.

AVX-38158

(Alibaba Cloud) With CoPilot Security Group management enabled, when you brought up gateways in Alibaba Cloud, they would be missing Security Group rules on CoPilot. This issue meant there would be no visibility of NetFlow and syslog data from the gateways.

AVX-38161

If a Spoke Gateway has multiple Custom Mapped or Mapped Site2Cloud connections, Forward Traffic to Transit configuration enabled, and the same virtual destination CIDRs are configured in other Site2Cloud connections, a failover in one connection will cause TCP sessions belonging to the other connections to drop.

AVX-38409

A gateway credential could be doubly encrypted.

AVX-38469

Unnecessary or irrelevant threat rules for gateways were not successfully deleted.

AVX-38471

If the quagga bgp Debian packages were not installed properly, the Aviatrix Controller would try to reinstall the package instead of failing the gateway configuration.

AVX-38682

(GCP) When you selected the CheckPoint BYOL image as the third-party firewall option, the CheckPoint PAYG image came up instead.

AVX-38954

A Controller bug could lead to gateway crashes and traffic disruption.

AVX-38965

When a gateway was deployed in Private Mode with NetFlow enabled, and you disabled NetFlow and rebooted it, NetFlow could not be reenabled.

AVX-39037

If you added policy rules to Distributed Firewalling, additional and unnecessary code could always run, even if the rules were deleted.

AVX-39040

Gateways reconnecting to the Controller could cause a resource leak on the gateway.

AVX-39050

This fix applies to gateways deployed in Private Mode with NetFlow enabled and NAT rules configured. When you rebooted this type of gateway, NAT rules were sometimes cleared from the IP tables. This clearing could affect data traffic.

AVX-39358

When you updated the CIDR range for a VPN gateway with NAT enabled, the gateway may have stopped forwarding traffic.

Issue

Description

AVX-21547

Spokes using the Global VPC Routing for GCP feature cannot be connected to FireNet transit gateways.

AVX-25000

(AWS) A Private Mode gateway may not have Internet access, in which case it cannot directly upload a gateway tracelog to the S3 bucket. Instead, when you need to upload a gateway tracelog to an S3 bucket, upload the gateway tracelog to the Controller. Then, your Controller uploads the gateway tracelog to the S3 bucket.

AVX-30776

AVX-34997

If you deploy your Aviatrix Controller using proxy configuration and Private mode, the SMTP port does not open. In this situation, because Aviatrix accounts do not have an SMTP relay, your Controller will email Aviatrix Support about the error using port 443 via API.

AVX-35077

(Azure) If the Azure Spoke Gateways were down and a Transit Gateway propagated to an Azure Spoke Gateway with the default route, the Spoke VNet could not program default routes in the route table.

AVX-35613

When the Controller’s timezone was set to any other time zone than UTC (Coordinated Universal Time), a software upgrade became stuck at 99% progress.

AVX-36138

AVX-36492

When single-IP HA (High Availability) is enabled on Aviatrix Gateways and the HA gateway goes up, a bug may cause the security group to not be added to the gateway. To resolve this issue, manually add the security group to the HA gateway.

AVX-37895

AVX-43180

If your Controller is using an outdated image, a software upgrade may fail. If your Controller software upgrade fails, please contact the Aviatrix Support team for assistance.