Aviatrix Controller and Gateway Software Release Notes

Fixed an issue where BGP gateways could crash when receiving route updates containing AS-SET information in the AS-PATH attribute. The system now rejects AS-SET and AS_CONFED_SET using default configuration, improving BGP stability and aligning with industry standards.

Fixed an issue where configuring more than 16 route-based Site-to-Cloud External Connections with DCF enabled could cause high Controller CPU utilization and configuration push delays. Policy handling has been optimized to scale beyond 16 External Connections without performance degradation.

Fixed an issue where recreating a policy-based Site-to-Cloud VPN connection after deleting a previous one could trigger a false CIDR overlap error. The Controller now properly clears CIDR state when connections are deleted, allowing reuse of the same CIDRs without manual cleanup.

Fixed an issue where the Distributed Cloud Firewall (DCF) policy writer generated ~40KB of redundant data per gateway during each configuration snapshot, creating unnecessary Controller database writes. The policy writer now only records changes when policies are updated, reducing load and improving stability in large environments.

Fixed an issue where DCF rules failed to match traffic correctly when customized SNAT was configured and the same SmartGroups were used in both source and destination fields. Rule evaluation now accounts for translated addresses, preventing unintended blocking.

Fixed an issue where Edge Gateway version numbers in the Controller UI were incorrectly updated after the gateway came back online. The version display now reflects the actual running image.

Fixed an issue where Edge Gateways on Equinix Network Edge or certain VMware environments failed to resize the root disk during initial setup. Disk resize logic has been corrected.

Fixed an issue where gateway resize operations could fail with a KeyError: 'src' during validation. This occurred when resizing gateways, including attempts to resize to the same instance size for recovery. The fix improves peer data handling to ensure resize operations complete successfully.

Fixed an issue where new CIDRs added to an OCI VCN through the OCI console were not reflected in the Controller. Previously, the Controller only read CIDRs during initial spoke-transit attachment, causing failures in gateway creation for new CIDRs. The fix enables the Controller to dynamically query and sync updated VCN CIDRs from OCI.

Resolved an issue where the Public Internet SmartGroup incorrectly retained the 100.64.0.0/10 range after upgrading to 8.0.0. The range is now removed per updated default definitions.

Resolved an issue where creating or modifying DCF rules failed in the CoPilot UI or Terraform due to a missing policy list. The system now generates and updates the list correctly.

Fixed an issue where Jumbo Frame support could not be enabled on existing BGPoLAN connections for AWS HPE gateways. MTU configuration updates are now applied without requiring recreation.

Resolved an issue where IPSec diagnostics in the Controller UI did not display logs for non-Equinix Edge Gateways. Log retrieval now works for all Edge Gateway types.

Fixed an issue where certain Edge Gateway images (g3-202504251522, g3-202504251525) incorrectly sized the root disk after ZTP, limiting available storage. Disk sizing has been corrected in these images.

Resolved an issue where creating a Secondary or HA Transit/Spoke Edge Gateway on a Dell appliance failed due to incorrect hardware detection. Appliance compatibility has been updated.

Fixed an issue where transit peering status was shown as UNKNOWN in the Controller even though tunnels were established. The problem was caused by Edge gateways sending invalid peer values (“<nil>”), which blocked route exchange. The fix adds proper validation of peer IP values so that transit status is reported correctly and routes are exchanged as expected.

Fixed a performance regression and packet drop issue with Site-to-Cloud mapped NAT at scale. Packet forwarding performance has been restored to expected levels.

Fixed an issue where backup restoration failed on GCP controllers when restoring from earlier versions (such as 7.2.5090) to 8.0.0 and later. The issue was caused by a Google Cloud Storage API error during the upload phase. The fix includes a library update and improved error handling to ensure successful restoration.

Fixed an issue where DCF policies failed to apply to Azure gateways due to Cloud Asset Inventory (CAI) not resolving Azure subnets correctly. This was caused by missing Azure VNET GUID metadata during upgrades, resulting in Smart Group resolution failures and incorrect policy rule enforcement. The fix improves Azure metadata handling and ensures consistent DCF policy application.

Fixed an issue where system diagnostics could fail with an AttributeError during Controller operations. The error occurred when collecting CloudXD process data that unexpectedly returned None. The fix adds proper null checks to ensure the diagnostic collection completes successfully.

Resolved an issue where creating a WebGroup containing both Domain and URL entries caused configuration pushes to fail. Validation now accepts mixed entry types.

Fixed an issue preventing upgrades to Controller version 8.0.0 when duplicate DCF policy names existed. The upgrade process now detects and resolves name conflicts automatically.

Fixed an issue where Distributed Cloud Firewall (DCF) eBPF programs were not fully cleaned up from gateway interfaces when DCF features were disabled. The cleanup logic has been improved to ensure all interfaces are properly cleared, preventing residual eBPF programs from remaining after disabling Site-to-Cloud DCF or other DCF features.

Fixed a memory leak in the DCF Traffic Server (TS_MAIN process) that could cause gateway reboots during high-volume threat IP traffic processing. The issue occurred when multiple DCF rules with ThreatIQ external groups were triggered by continuous probing to inactive threat IPs. Memory usage now stabilizes under sustained load.

Fixed an issue where modifying the custom certificate domain while gateways were already deployed could cause VPN containers to fail on restart. The Controller now blocks domain changes if gateways exist, ensuring consistency and preventing misconfiguration.

Fixed an issue where user-uploaded SSL certificates were not automatically restored during Controller migration to version 8.0.0. This caused FQDN-based secure access to the Controller UI to fail post-migration. The fix ensures that existing certificates are now retained and restored during the migration process.

Azure Standard_B1ms SNAT-enabled Egress Spoke Gateways may experience significant throughput drops under high connection loads. This limitation is caused by the Azure Standard_B1ms instance type, which has limited compute and network resources.

Affected Scenario:

Workaround:

Upsize the Spoke Gateway to a larger Azure instance type for workloads that require more than 10K concurrent connections or consistent network throughput.

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time.

Affected Scenarios:

Impact:

Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade.

Recommendations:

In the CoPilot UI, Groups > SmartGroups and Groups > ExternalGroups with multiple filters may not appear as originally configured after being saved. This issue occurs when creating groups with multiple sets of any resource type. While policy enforcement is correct, the UI may display missing or merged filter sets, leading to ambiguity and confusion during review or editing.

Affected Scenario:

Workaround:

There is no workaround at this time. If possible, avoid using multiple filter sets in a single group until the issue is resolved.

In OCI environments, new CIDRs added to a VCN via the OCI console may not be reflected in the Controller after the initial spoke-transit attachment. As a result, users cannot create gateways in the newly added CIDRs, and the CIDR will not appear in the subnet selection dropdown.

Workaround:

Impact:

When Distributed Cloud Firewall (DCF) is enabled, policy-based Site-to-Cloud (S2C) traffic may be misclassified due to how the traffic flows through the gateway. This can lead to unintended blocking or incorrect policy enforcement.

Workaround:

Impact:

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Workaround:

Impact:

When using Threat Intelligence (ThreatIQ) external groups in Distributed Cloud Firewall (DCF), gateways may log field threat_severity not found errors if unsupported selectors (such as threat_severity) are used.

These configurations are currently accepted by the Controller without validation, but the unsupported selectors are ignored during policy enforcement, and repeated error messages are logged.

Workaround:

Impact:

Resolution:

Future enhancements will add validation during configuration and UI notifications when unsupported selectors are used.

When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration.

Affected Scenario:

Workaround:

Impact: Only affects notifications. Traffic enforcement continues to function as expected.

Uploading SSL certificates from some providers (such as GoDaddy) could fail if the PEM file included a Unicode Byte Order Mark (BOM). The certificate might appear to upload successfully but would not take effect, and could cause the Controller’s application server to crash with a missing private key error.

Workaround:

Impact:

Transit gateways with large-scale tunnel deployments (1300+ tunnels) may experience extended traffic loss during image upgrades. Although the image upgrade completes successfully, traffic may remain down for several minutes afterward due to delayed tunnel reconfiguration.

Workaround:

Impact:

During large-scale gateway software upgrades (typically 50+ gateways), the Controller UI may display incorrect or unclear upgrade status messages. This includes repeated messages, incomplete reporting, and misleading "undefined" entries. Despite the UI errors, the actual upgrade process continues in the background.

Workaround:

Impact:

OpenVPN Okta authentication does not support the new Okta Integrator Free Plan URL format (https://integrator-xxxxxx.okta.com), which replaced the Developer Edition on July 18, 2025.

When using this new format, the Controller shows a "Not a valid Okta URL" error because it only accepts the older dev-xxxxxx.okta.com format.

Affected Scenarios:

Workaround:

Use an Okta paid plan with supported URL format.

Existing setups using the old Developer Edition will keep working until Okta deactivates them.

Resolution:

A fix to support the new format is planned for release 8.2.0 or later.

In Edge deployments with multiple WAN interfaces, the StrongSwan service was incorrectly bound only to the first WAN interface after upgrade to 8.1.0. This prevented IPSec tunnels from establishing over other WAN interfaces, affecting all Edge-as-a-Transit (EaT) peering types and Edge-as-Spoke with multiple WAN interfaces.

Workaround:

Impact:

When using the Refresh VPC/VNet Route Tables feature in CoPilot with HA gateways configured with custom SNAT and DNAT rules, new route tables may not receive SNAT and DNAT routes for the HA gateway. Only the primary gateway SNAT and DNAT IP routes are added. This may lead to asymmetric routing or traffic loss if the primary gateway fails.

Impact:

Affected Configuration:

Workaround:'

Dry-run validation may fail when upgrading the Controller from version 8.0.10 to 8.1.0 due to a gateway version mismatch error. This occurs when the upgrade path starts from 8.0.0, progresses to 8.0.10 successfully, but encounters a dry-run failure when proceeding to 8.1.0.

In CoPilot version 4.23 or earlier, using the Administration > Upgrade > Upgrade Plan feature to perform a Gateway image upgrade does not correctly apply the new image. The upgrade process may silently fail across various upgrade paths, leaving the Gateway on the original version.

Impact:

Workaround:

When BGP communities are configured on gateways, restarting the Controller (such as restarting the cloudxd service or upgrading Controller software) may cause brief traffic disruption and elevated CPU utilization. This is due to a delay in BGP route propagation during the restart process, which can affect Site-to-Cloud (S2C) connectivity.

Impact:

Workaround:

When deleting a cloud account from the Controller, email notifications are not sent to configured recipients. The notification bell shows sent to as blank, and no actual email is delivered. This is a regression from version 8.0.0 where email alerts for account deletion worked correctly.

Impact:

Workaround: No current workaround. Teams should manually monitor cloud account deletions and notify stakeholders as needed.