7.2.4820 Release Notes

Release Date: 15 October 2024

Release Notes updated 25 October 2024

See the Controller What’s New for New and Enhanced Features, Preview Features, and Behavior Changes in this release.

Corrected Issues in Aviatrix Release 7.2.4820

Issue Description

AVX-34763

Fixed an issue where new AWS accounts showed "Pass" status immediately after being added, and even after Audit revealed IAM policy inconsistencies. Initial status now more accurately reflects account configuration and the Status updates properly after Audit to show any detected issues.Aviatrix recommends that you run the Audit tool in CoPilot (Administration > Audit) after adding new AWS accounts, to verify the configuration.

AVX-39609

When you upgraded the image of a VPN Gateway, a rare issue could cause the Gateway to fail. In this situation, VPN users might not have been able to connect. This is fixed.

AVX-41823

Fixed an issue where some routing tables were not properly updated when adding new network interfaces to Aviatrix Gateways. This could cause some network traffic to route inefficiently or experience connectivity issues when trying to reach the newly added interfaces. The system now automatically updates all related routing tables when new interfaces are added to a Gateway.

AVX-42076

Fixed an issue where FireNet management IP addresses displayed in the Aviatrix Controller did not match the actual IP addresses in Azure and firewall vendor interfaces. This was primarily a display issue and did not impact functionality. You will now see consistent IP information across the Aviatrix Controller, Azure portal, and firewall vendor interfaces.

AVX-43890

Corrected an issue seen while upgrading from a fresh AWS Controller that resulted in the error, "Exception ‘ValueError: None is not a valid UpgradePhase’’. This error appeared in logs when upgrading a new Aviatrix Controller launched from AWS Marketplace to version 7.1.1906.

AVX-45480

Distributed Cloud Firewall rules were not properly applied to non-encrypted, non-web traffic (Non-TLS and Non-HTTP traffic) when processed by the High Performance Encryption (HPE) enabled gateways.This issue was fixed to enable correct identification and Rule enforcement for all traffic types, regardless of Rule order.

AVX-46165

Fixed an issue where FlightPath did not correctly analyze all network traffic rules for certain AWS configurations. You no longer need to manually check network access control list (NACL) rules for accurate results. This fix provides more precise troubleshooting capabilities for AWS network configurations.

AVX-48675

Azure Intra-VPC Security Group Orchestration was not properly detecting all network resources on virtual networks. As a result, some network resources were omitted from the configuration. This fix ensures all resources are properly included in the configuration.

AVX-49421

Reduced the time needed to execute a Terraform plan by using caching.

AVX-49668

After a software upgrade, the Controller was unable to update the Aviatrix Gateway configuration, resulting in a Gateway that was marked as “not up-to-date”. This has been corrected.

AVX-51412

Fixed misleading log messages for GRE tunnel status. This was a logging-only issue and did not affect actual GRE tunnel functionality. Log messages now accurately reflect the tunnel status with the following:

  • Tunnel is marked as Down after 5 consecutive ping failures.

  • Tunnel is marked as Up after 2 consecutive ping successes.

AVX-52626

There was an issue when modifying the remote subnet CIDR range of an existing Site2Cloud (S2C) connection using Terraform provider version 3.1.4 with Aviatrix Controller versions 7.1.3696 and 7.0.2239. Instead of updating the remote subnet CIDR range as specified in the Terraform configuration, the change was incorrectly applied to the local subnet CIDR range.

AVX-53179

Previously, when the "Ensure TLS" setting on a Distributed Cloud Firewall rule was enabled, non-encrypted HTTP traffic was incorrectly passed to the next rule instead of being dropped. This occurred even when all other rule criteria were matched. The issue specifically affected HTTP traffic on port 80.

With this release, rules with Ensure TLS enabled correctly match TLS traffic and drop non-encrypted HTTP traffic.

If you want to verify that the Ensure TLS feature is performing as you expect, you can do the following:

  • Disable the Ensure TLS option on the DCF rule.

  • Wait awhile and then check traffic logs to see If non-TLS traffic matches the rule.

  • Re-enable Ensure TLS or configure a new DCF Rule, as needed.

AVX-53878

Fixed an issue where Transit Gateway peering tunnels in AWS and Azure could incorrectly show "Unknown" status. This could occur when recreating peering using the API or automation and only affected High Performance Encryption (HPE) enabled transit peering connections.

AVX-53986

Fixed an issue where the Aviatrix Controller was using excessive memory when managing large numbers of access accounts. Customers managing large numbers of access accounts should see improved Controller stability and performance after upgrading.

AVX-54035

Fixed an issue where license renewal failures could prevent creation of new gateways and tunnels. This occurred when the system attempted to renew licenses within 10 days of expiration. Renewal failed and backup acquisition consumed the remaining licenses.

AVX-54732

Fixed an issue where Aviatrix Edge Platform (AEP) Gateway upgrade status displayed incorrectly.After a successful image upgrade, the Controller showed an empty upgrade status and the CoPilot interface displayed the status as "unknown". This was only a display issue with no impact on Gateway functionality.

AVX-54897

Resolved a routing conflict that could disrupt the connection between Aviatrix Edge Gateways and the Controller using private IP. The system now properly handles routes learned from on-premises connections (BGP over LAN, IPSec, GRE) to prevent interference with controller communication.

AVX-55012

After upgrading to version 7.1, certain Source Network Address Translation (SNAT) IP addresses were not properly advertised to connected networks when manual connection summaries were configured. This has been corrected. Outbound traffic using the affected SNAT IP addresses now connects properly.This issue only affected BGP over IPSec connections between Transit Gateways and on-premises devices.

AVX-55092

Resolved a race condition that prevented the Layer7 engine process from initializing properly during system startup. This potentially disrupted normal network traffic handling on affected gateways.

AVX-55434

Resolved an issue where attaching a virtual network with both IPv4 and IPv6 address spaces could cause invalid routes to be added to the network, losing management connectivity. Data traffic was not affected. The workaround was to avoid attaching virtual networks with IPv6 enabled.

AVX-55474

Fixed an issue with Single IP High Availability (HA) for Site-to-Cloud connections where you could inadvertently select incompatible gateways when configuring Single IP HA. The system now checks that selected gateways belong to the same HA pair and blocks you from choosing incompatible gateways during setup.

If you previously created an invalid Single IP HA configuration, do the following:

  • Delete the existing connection.

  • Recreate the connection using two gateways that are part of the same HA pair.

AVX-56022

After a Spoke Gateway reboot, including from a resize or upgrade, the default route (0.0.0.0/0) advertised by the Spoke Gateway was removed from other connected VNet route tables. This resulted in loss of expected network connectivity between VNets.

AVX-56466

Resolved an issue affecting Azure Transit Gateways (with FireNet, VNG, or BGP over LAN enabled) where upgrading to 7.1.4139 resulted in additional routes being added to the Gateways’ secondary network interfaces.

AVX-56779

Fixed an issue where restore from backup fails during controller image upgrades.

AVX-56921

Resolved an issue where, during Azure service outages, resource handling incorrectly deleted all Azure resources from its database. This could cause brief interruptions in expected network traffic.

Known Issues in Aviatrix Release 7.2.4820

Issue Description

AVX-51456

Destination network address translation (DNAT) rules cannot be configured on Aviatrix Gateways using Terraform provider version 3.1.4. When setting up DNAT rules on standalone Gateways with policy-based tunnels configured, an error message indicates the interface for the connection cannot be found. To work around this issue, configure DNAT rules through the Aviatrix CoPilot interface at Cloud Fabric > Gateways. See Enabling Gateway DNAT Settings.

AVX-52095

If your Controller is running 7.1.4101, 7.1.3956, or earlier release (older Linux OS), you cannot upgrade directly to 7.2 or later releases. Upgrade to a release running the newer Linux OS (7.1.4183, 7.1.4139, 7.1.4105, 7.1.3958) before proceeding to any 7.2 releases.

AVX-55015

An issue can occur in handling Site2Cloud Mapped NAT connections when the local CIDR is set to 0.0.0.0/0. When a user edits or deletes a connection mapped to this CIDR, the corresponding IP table rule is not properly removed. This can cause incorrect routing behavior.

AVX-55379

When a remote BGP peered device initiates a graceful restart and stops its BGP session, BGP routes might not withdraw properly on Edge. Depending on the polling timing, the current BGP polling logic can send stale routes to the Controller once graceful restart occurs. This is particularly likely to happen when polling timers are shorter than graceful restart timers.

To work around this issue, disable graceful restart at the neighbor BGP device when it stops its BGP.

AVX-56499

The maximum number of CIDRs that can be enforced in a SmartGroup is 10,000. This limit includes both CIDR and tag-based resources in a SmartGroup. Anything beyond 10,000 CIDRs will be ignored and not enforced.

AVX-56595

SNAT/DNAT on Transit Edge peering is not supported in this release. Although the configuration is allowed, the routing with SNAT/DNAT is not currently working properly.

AVX-56778

When rolling back Aviatrix gateways from version 7.2 to 7.1, the rollback process does not block the operation if Site-to-Cloud (S2C) SmartGroup rules are enabled on the Aviatrix Gateways. The rollback completes successfully, but the S2C SmartGroup rules remain enforced on the rolled back 7.1 Gateways, potentially leading to connectivity issues.

To prevent issues, disable or remove any S2C SmartGroup rules before attempting to roll back Gateways from version 7.2 to 7.1.

This issue does not impact HPE or Public Subnet Filter gateways.

AVX-56827

Azure Security Group Azure Security Group Orchestration can take up to 30 minutes to update the Network Security Group (NSG) to be applied after the SgO is enabled. This can happen on a large scale set up, for example with 2 VPC/VNets with 100 subnets and 1000 VMs in each VNet.

AVX-57110

When creating a custom GeoGroup using Terraform and downloading the configuration from the Aviatrix Controller, the "match_expressions" block defining the country codes is missing.

AVX-57153

After a software upgrade to version 7.2, the Controller can lose the ability to communicate with and push configurations to the Spoke Gateway. The Spoke Gateway is still up and running on the cloud service provider, but appears down and unreachable from the Controller.

This issue occurs specifically when the following conditions are met:

  • The Spoke Gateway is deployed in a subnet monitored by a Public Subnet Filtering (PSF) Gateway.

  • The Spoke Gateway has rules configured with web filtering (HPE) enabled.

  • The DCF on PSF preview feature is enabled on the PSF Gateway, allowing web filtering on that gateway type.

You can restore connectivity between the Controller and Spoke Gateway by removing the Spoke Gateway’s subnet route table from being monitored by the PSF Gateway. You can do this from Cloud Fabric > Gateways > Specialty Gateways > Settings.

AVX-57245

With Single Availability Zone (AZ) HA feature enabled on an Aviatrix Gateway (it is enabled by default), when you reboot the Gateway, it might run into a reboot cycle. This is a timing related issue and could be hit if the Controller is busy with many tasks.

To avoid the recurring reboot or to bring the Gateway out of the reboot cycle, disable the Single AZ HA feature on the Gateway.

AVX-57342

The DCF Enforcement on External Connections feature can cause high CPU usage and delays in updating gateway configurations when enabled in a very large-scale test environment.

This is a Preview Feature and not Ideal for GA environments.

Disabling DCF Enforcement on External Connections feature resolves the high CPU usage and configuration delays. This feature is accessed at Security > Distributed Cloud Firewall > Settings.

AVX-57382

When creating SmartGroups for Azure resources using Terraform, the region formatting is incorrect. Incorrect region filters will cause SmartGroups to not work as intended for Azure resources grouped by region.

This issue affects creating Azure SmartGroups via Terraform only. It does not impact other clouds or creating groups through the CoPilot UI.

To address this issue, the region format must be updated in the Terraform provider code manually. You can get the exact region name using a command like az account list-locations --output table.

AVX-57551

Performing a like-version image replacement of an HA Gateway on GCP might result in network disruption of up to 4 minutes. This applies to a Gateway running version 7.2.4820. This does not apply to an image upgrade of a gateway running a 7.1 build.

You would run a like-version image replacement when a Gateway needs significant repair. For information about image upgrades, see Upgrade Gateways for the Latest Aviatrix Supported Images (AWS and Azure Only).