8.2.0 Release Notes

Release Date: 22 December 2025

Corrected Issues in Aviatrix Release 8.2.0

Fixed several internal issues to improve overall stability and performance.

Issue Description

AVX-64447

Fixed an issue where toggling between Active/Active HA and Active/Standby modes for Site2Cloud connections was not working properly. Users can now successfully switch between these high availability modes as expected.

AVX-66324

Fixed an issue where bell notifications were missing for Distributed Cloud Firewall (DCF) L7 rules between Kubernetes pods and VMs when using HA gateways. Previously, traffic would work intermittently when DCF L7 rules were applied between Kubernetes services and VMs in different VPCs with HA gateways. The system now properly generates notifications when these rules are applied.

AVX-67530

Fixed an issue where the traffic count displayed in the Controller interface could be inaccurate when using Distributed Cloud Firewall (DCF) with external groups that include multiple IP ranges.

The Controller now reports traffic statistics correctly for DCF rules involving external groups, providing accurate visibility for monitoring, analysis, and validation of firewall policy behavior.

AVX-68108

Fixed an issue where upgrading the Controller from version 8.0.30 to 8.1.10 would display a "Service temporarily unavailable" error message. The system now properly handles the service restart during the upgrade process.

AVX-68606

Resolved an issue where Edge gateway upgrades from version 8.1 to 8.1.10 could cause temporary traffic disruption due to service restarts during the upgrade process.

The upgrade workflow now handles service restarts more effectively, reducing traffic impact during Edge gateway upgrades, including in large-scale deployments.

AVX-69733

Resolved an issue where the ESTABLISHED rule disappeared after a Public Subnet Filtering (PSF) gateway image upgrade.

This issue affected PSF gateways using the legacy stateful firewall on Controller versions 7.1 and later, and could result in traffic disruption after the upgrade. The rule is now preserved during PSF gateway image upgrades.

AVX-70123

Fixed an issue with database schema type definitions that could trigger migration errors during the Controller upgrade process.

The schema now uses the correct database type definition, ensuring compatibility with migration logic and preventing upgrade failures.

AVX-70253

Fixed an issue where FireNet deployments with bootstrap enabled could fail in Google Cloud due to changes in how GCP credentials were handled during the bootstrap process.

The bootstrap workflow has been updated to correctly retrieve and use GCP credentials, ensuring FireNet deployments with bootstrap complete successfully in Google Cloud environments.

AVX-70506

Fixed an issue where deploying multiple GCP gateways through Terraform resulted in ResourceDuplicateId errors. Users can now successfully deploy multiple gateways in GCP regions without encountering resource ID conflicts.

AVX-71087

Fixed an issue where the default access control rules did not properly allow ICMP traffic used for debugging. The updated rules ensure ICMP-based troubleshooting continues to work after upgrades.

AVX-71135

Resolved an issue where upgrading to Controller 8.1 failed during database migration if VPC tunnel records contained non-numeric values in the timestamp field.

The migration logic now correctly handles timestamp values, preventing conversion errors and allowing the upgrade to complete successfully.

AVX-71784

Resolved an issue where eBPF packet marking could fail on transit gateways with Network Segmentation enabled, causing traffic to be associated with incorrect network domains.

The packet marking logic has been corrected to ensure Network Segmentation policies are enforced consistently without requiring service restarts.

Known Issues in Aviatrix Release 8.2.0

Issue Description

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

  • Existing gateways may be deleted during image upgrade

  • Replacement gateway creation fails due to missing subscription

  • Customers may experience connectivity loss and dangling gateway entries in the Controller

  • Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

  1. Upgrade the PSF Gateway first.

  2. Wait for the PSF Gateway upgrade to complete successfully.

  3. Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

  • Schedule gateway upgrades during maintenance windows or low-traffic periods.

  • Use HA deployments and upgrade gateways one at a time in HA pairs.

  • Monitor logs for "Failed to load policy" messages to confirm when policies are reloaded.

AVX-63224

In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time.

Affected Scenarios:

  • Upgrading from version 7.2.x to 8.0.x

  • Upgrading between 8.0.x versions

Impact:

Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade.

Recommendations:

  • Allocate approximately 20% more time for gateway upgrades.

  • For large environments (for example, 1,000+ gateways), plan for 90–120 minutes of upgrade time.

  • Schedule upgrades during maintenance windows to accommodate the longer duration.

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

  • Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing

  • No impact on actual VRRP traffic handling or failover behavior.

Workaround:

  • Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

  • Firewall integration appears stuck in Unaccessible state

  • Recovery does not occur automatically after initial failure

  • May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66631

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Impact:

  • Traffic loss may persist after image upgrade completes

  • Route service startup is blocked until all tunnels are sequentially reconfigured

  • Configuration push may time out with a "Context cancelled during Phase 1 Create" error

Workaround:

  • Schedule maintenance windows to account for potential traffic loss beyond upgrade completion.

  • Consider staggering upgrades across transit gateways to reduce impacts.

  • Monitor tunnel and route service status post-upgrade through the CoPilot UI.

AVX-66696

When DCF processes high volumes of logging messages, rsyslogd rate-limiting may cause message loss. The system drops messages exceeding 500 per 5-second interval, with rsyslogd logging "messages lost due to rate-limiting" notifications.

Affected Scenario: High-traffic environments generating intensive logging activity

Impact:

  • Log messages may be dropped during peak traffic periods

  • Potential gaps in audit trails and monitoring data

  • Reduced visibility into network events and troubleshooting information

Workaround: Monitor rsyslogd logs for rate-limiting messages and consider implementing log aggregation strategies to distribute message processing load across multiple collection points.
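
One way to do the monitoring described in the workaround above, as an added example that is not Aviatrix code: the script scans syslog lines for the rsyslogd notice quoted in this issue and merges the notices into per-host windows in which log records are missing. The sample lines are constructed; the ISO 8601 timestamps, the `imuxsock` prefix, the drop count placed before the phrase, and the rule that each notice covers the 5-second interval before it are assumptions.

```python
import re
from datetime import datetime, timedelta

# Limits stated in the release note for AVX-66696.
BURST = 500
INTERVAL = timedelta(seconds=5)

# Assumed line shape: ISO 8601 timestamp, host, then the rsyslogd notice with
# the dropped-message count directly before the phrase quoted in the note.
NOTICE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+.*?"
    r"(?P<n>\d+) messages lost due to rate-limiting"
)

# Constructed sample input, not captured from a real gateway.
SAMPLE = """\
2025-12-22T10:00:04+00:00 gw-a rsyslogd: imuxsock[pid 4321]: begin to drop messages due to rate-limiting
2025-12-22T10:00:05+00:00 gw-a rsyslogd: imuxsock[pid 4321]: 1500 messages lost due to rate-limiting
2025-12-22T10:00:10+00:00 gw-a rsyslogd: imuxsock[pid 4321]: 500 messages lost due to rate-limiting
2025-12-22T10:03:00+00:00 gw-a rsyslogd: imuxsock[pid 4321]: 40 messages lost due to rate-limiting
2025-12-22T10:00:07+00:00 gw-b rsyslogd: imuxsock[pid 977]: 250 messages lost due to rate-limiting
2025-12-22T10:00:08+00:00 gw-b kernel: unrelated line
""".splitlines()


def parse_drops(lines):
    """Return (timestamp, host, dropped) for every rate-limit loss notice."""
    drops = []
    for line in lines:
        m = NOTICE.search(line)
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue  # timestamp is not ISO 8601: skip rather than guess
        drops.append((ts, m["host"], int(m["n"])))
    return drops


def gap_windows(drops):
    """Merge notices per host into windows where log records are missing."""
    windows = {}
    for ts, host, n in sorted(drops):
        # Assumption: the loss happened in the interval that ends at the notice.
        start = ts - INTERVAL
        spans = windows.setdefault(host, [])
        if spans and start <= spans[-1]["end"]:
            spans[-1]["end"] = ts          # back-to-back notices: one long gap
            spans[-1]["dropped"] += n
        else:
            spans.append({"start": start, "end": ts, "dropped": n})
    return windows


def loss_ratio(span):
    """Fraction of messages lost, given 500 accepted per 5-second interval."""
    intervals = max(1, round((span["end"] - span["start"]) / INTERVAL))
    accepted = BURST * intervals
    return span["dropped"] / (span["dropped"] + accepted)


if __name__ == "__main__":
    for host, spans in gap_windows(parse_drops(SAMPLE)).items():
        for s in spans:
            print(f"{host}: {s['start'].isoformat()} to {s['end'].isoformat()} "
                  f"dropped={s['dropped']} loss={loss_ratio(s):.0%}")
```

Windows with a high loss ratio mark the periods where DCF records should be treated as incomplete during an investigation.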

AVX-67126

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

AVX-67571

In Oracle Cloud Infrastructure (OCI) environments, OpenVPN clients cannot connect to VPN gateways configured with DUO multi-factor authentication (MFA). Connection attempts fail with ECONNREFUSED errors during tunnel establishment, preventing authentication from completing.

Impact:

  • VPN tunnels cannot be established to DUO-enabled OCI gateways

  • Only affects OCI deployments with DUO MFA

  • Other authentication methods (OKTA, LDAP) work normally

Workaround:

No current workaround. Users may temporarily switch to OKTA or LDAP authentication if feasible.

AVX-68561

In large-scale deployments with 1300+ gateways, enabling Distributed Cloud Firewall Site-to-Cloud (DCF S2C) can cause gateway configurations to become out of sync with the Controller. Even after disabling DCF S2C, the issue may persist and lead to elevated Controller resource usage.

Impact:

  • Gateway configurations may show as out of sync in the Controller UI

  • Controller CPU utilization (conduit process) increases significantly

  • Performance degradation may occur during DCF S2C operations

  • Issue may persist after disabling DCF S2C

Workaround:

  • Monitor Controller CPU usage before enabling DCF S2C in large-scale environments.

  • Consider enabling DCF S2C during scheduled maintenance windows.

  • For deployments with 1300+ gateways, evaluate the necessity of DCF S2C functionality.

AVX-68887

When attaching VPN users to profiles using the attach_vpn_user_to_profile API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully.

In some cases, users later reappear as active but still show no profile association in the UI. This results in a display inconsistency between the UI and the backend state.

Impact: VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected.

Affected Scenario: OpenVPN profile management operations that use API-based user-to-profile attachment.

Workaround: None.

AVX-69342

When a Controller experiences out-of-memory conditions followed by upsizing and restart, duplicate resource ID entries may be created in the database. This prevents the Controller from starting properly and blocks access to the web UI.

Impact:

  • Controller fails to start after restart

  • Web UI becomes inaccessible

  • Database contains duplicate resource entries for GCE networks and other resources

Affected Scenario:

Controllers that have experienced memory issues, been upsized, and restarted may encounter this database corruption.

Workaround:

Connect directly to the Controller database and manually remove the duplicate resource ID entries to restore normal operation.

AVX-70864

In Controller version 8.2.0, gateways may remain in a Configuration Not Up-to-Date state when applying Distributed Cloud Firewall (DCF) policies under certain conditions.

This issue can occur when DCF policies with Web Groups and IDS or IPS enabled are pushed to gateways. The configuration update does not complete within the expected time, which may leave the gateway out of sync.

Impact:

  • Gateway shows Configuration Not Up-to-Date status

  • DCF policies may not be fully applied

  • Traffic may be dropped unexpectedly

Affected Scenario:

Gateways running Controller 8.2.0 with DCF policies that include IDS or IPS features, particularly on smaller gateway instance sizes.

Workaround: Restart the affected gateway to clear the condition and allow the configuration to be applied successfully. If the issue persists, contact Aviatrix Support for assistance.

AVX-70958

When clients use HTTP/2 connections, TrafficServer incorrectly reuses origin connections, potentially causing connection handling issues in MITM SNI verification scenarios.

Impact:

  • Origin connections may be shared inappropriately between different client requests

  • MITM SNI verification may not function as expected

  • Connection routing decisions may be based on incomplete matching criteria

Affected Scenario:

HTTP/2 client connections with MITM SNI verification enabled

Workaround:

Use both IP address and SNI instead of IP alone to ensure proper connection isolation.

AVX-70995

When a gateway is downsized in environments with IPS (Intrusion Prevention System) enabled, L7 traffic (HTTP/HTTPS) is dropped instead of being allowed through. The system blocks traffic when it detects that security policies cannot be properly enforced due to insufficient gateway resources, preventing the traffic-server from running.

Affected Scenario: Gateways with IPS enabled that undergo downsizing operations.

Impact:

  • HTTP and HTTPS traffic is completely blocked

  • Security policies cannot be enforced on downsized gateways

  • Service disruption for applications relying on L7 traffic

Workaround: Resize the gateway back to adequate specifications that support IPS functionality and traffic-server operations.

AVX-71122

In some environments, after the Identity Provider (IdP) rotates its SAML signing certificate, the Aviatrix Controller may fail to fetch and update the new certificate from the configured metadata URL.

As a result, the Controller continues to use a stale certificate, which causes signature verification errors during SAML authentication.

Impact: SAML single sign-on (SSO) authentication fails. Users may experience repeated login failures or timeouts and are unable to access the Controller dashboard using SAML.

Workaround: Contact Aviatrix Support to manually update the SAML certificate on the Controller.

AVX-71217

When upgrading gateway software from version 7.2 to 8.0.30, the VRRP state file becomes empty on AEP edge gateways configured in active-active HA pairs. The keepalived service continues running and the keepalived.conf file retains correct configuration, but /etc/localgateway/vrrp_state.json loses primary/backup information.

Affected Scenario: AEP edge gateways with VRRP configuration during software upgrade from 7.2.x to 8.0.30

Impact:

  • Loss of VRRP state information after gateway upgrade

  • Potential disruption to high availability failover behavior

  • Manual intervention required to restore proper VRRP state

Workaround: Reconfigure VRRP settings on affected gateways after the upgrade to repopulate the state file with correct primary/backup information.

AVX-71245

Additional Distributed Cloud Firewall (DCF) log support records end-session events for IDS and IPS signature matches. These logs include a reason field indicating the match type (IPS_POLICY_DENY or IDS_POLICY_ALERT) along with the Signature ID (SID) of the matched rule.

Due to a bug, the end-session log is omitted when Decryption is not enabled for Intrusion Analysis.

Impact:

  • Missing end-session log entries for IDS/IPS signature matches when Decryption is disabled

  • No impact to DCF policy actions

  • No impact to existing Intrusion Analysis logs

Affected Version: 8.2.0

Workaround: Enable Decryption under Intrusion Analysis to ensure end-session logs are generated.

AVX-71441

In rare cases, a gateway being upgraded from version 8.1.20 to 8.2.0 has been seen to enter an infinite retry loop while attempting to download a non-existent configuration file from the Controller, causing the upgrade process to fail completely.

Impact:

  • Gateway upgrade fails and cannot be completed.

  • Gateway becomes stuck in upgrade state.

  • Network connectivity through the affected gateway will be disrupted.

Workaround: Retry the gateway upgrade operation from the Controller UI or CoPilot UI. If the issue persists, perform an image upgrade of the impacted gateway.

AVX-71489

When the Controller processes inventory data across multiple accounts and inventory types, the public.inventory table in the database continuously grows by inserting new entries for each inventory operation instead of updating existing records. This results in excessive database storage consumption and potential performance degradation as the table can accumulate millions of unnecessary duplicate entries.

Impact:

  • Database storage consumption increases significantly over time

  • Query performance may degrade due to large table size

  • System maintenance operations take longer to complete

Workaround: Monitor database size regularly and consider periodic cleanup of old inventory entries through database maintenance windows until the fix is implemented.

AVX-71494

When CoPilot Asset Inventory (CAI) performs queries on the inventory table, the existing database indexes are not utilized effectively, causing performance degradation during inventory operations.

Affected Scenario: CAI inventory queries for retrieving resource counts and metadata across cloud service providers experience slower response times.

Impact:

  • Delayed inventory data retrieval and reporting

  • Increased database load during CAI operations

  • Slower CoPilot dashboard performance when displaying asset information

Workaround: None.

AVX-71672

When upgrading the Controller to version 8.1, the database migration may fail if the tunnel rtt_avg field contains None values. The migration logic expects either a numeric value or the string "N/A", and encountering a None value causes the upgrade to stop.

Impact:

  • Upgrade to 8.1 cannot complete

  • Controller remains on the previous version

Workaround: Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.

AVX-71686

Azure controllers using default P6 disk tier (240 IOPS) may experience performance issues, particularly with 8.x containerized controllers. This limitation can cause system instability and processing delays during high-load operations.

Affected Scenario: Controllers launched from Azure marketplace AMI with default disk configuration.

Impact:

  • System instability during high-load operations

  • Processing delays and performance degradation

  • Potential service disruptions

Workaround: Upgrade the Azure controller disk tier from default P6 to minimum P10 (500 IOPS) through Azure portal disk configuration settings.

AVX-71719

When ICMP traffic passes through Suricata inspection on gateways, alert rules trigger only once until the Suricata process restarts. This limitation affects the eBPF → proxyPcap → Suricata traffic path and likely impacts UDP and other non-TCP protocols as well.

Impact:

  • Security alerts may not fire for subsequent ICMP traffic

  • Potential gaps in threat detection for non-TCP protocols

  • Reduced visibility into network security events

Affected Scenario: Gateways with Suricata-based security inspection enabled for ICMP and potentially UDP traffic.

Workaround: Contact Aviatrix Support to restore the alert functionality for ICMP traffic.

AVX-71720

When processing decrypted POST traffic through the ATS tee plugin on PSF gateways, the gateway may crash during request body processing. This occurs specifically with decrypted traffic that contains POST requests being processed by the tee plugin functionality.

Impact:

  • Gateway crashes and becomes unavailable

  • Traffic disruption through affected PSF gateway

  • Service interruption until gateway recovery

Affected Scenario: PSF gateways processing decrypted POST traffic through ATS tee plugin

Workaround: Avoid routing decrypted POST traffic through PSF gateways with ATS tee plugin enabled until the fix is available.

AVX-71787

When managing Distributed Cloud Firewall (DCF) rules through Terraform with Multi-Writer Policy (MWP) enabled, Terraform operations may take significantly longer compared to using the legacy V1 policy list.

In environments with large rule sets, such as 3,000+ DCF rules, the Terraform apply and refresh operations can be up to 20× slower than when the rules are stored in the default V1 policy list.

This behavior has been observed in environments with hundreds of spokes and high rule volume.

Impact:

  • Terraform apply and refresh operations may take several minutes

  • Large-scale DCF environments see increased management latency

  • Automation pipelines may experience delays

Affected Scenario: Terraform workflows that create or manage large DCF rulesets under Multi-Writer Policy (MWP).

Workaround: Break large rule sets into multiple smaller rule sets under a rule block, which helps manageability. The recommended maximum size for a ruleset is 500-750 rules. Contact Aviatrix Support for further assistance with large-scale DCF Terraform deployments.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

  • VPN gateway deployment fails

  • Error message does not clearly indicate the root cause

Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2.

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-71826

In Aviatrix software versions 8.1.x and 8.2.0, the VRRP state file /etc/localgateway/vrrp_state.json may be empty on AEP and self-managed Edge-as-Spoke gateways configured in active-active HA pairs. This prevents VRRP state updates from being sent from the edge gateways to the Aviatrix Controller, and Aviatrix CoPilot will not display the updated VRRP states. This is a cosmetic issue and there will be no disruption to traffic.

Impact:

  • VRRP state information for edge gateways is not shown accurately in Aviatrix CoPilot

  • Aviatrix CoPilot may display both primary and HA edge gateways with the same VRRP state

  • The VRRP state information will not be updated in Aviatrix CoPilot when VRRP failovers occur on the data plane. This is a display-only issue and the data plane will not be disrupted

  • The VRRP state information may show Initializing in Aviatrix CoPilot for Edge-as-Spoke gateways which are created in version 8.1 and 8.2

Affected Scenario: AEP and self-managed Edge-as-Spoke gateways in active-active HA deployments with VRRP enabled that were upgraded from 8.0 to 8.1 or created in 8.1 and 8.2.

Workaround: Contact Aviatrix Support for assistance in fixing the incorrect display of VRRP states in Aviatrix CoPilot.