8.0.30 Release Notes

Release Date: 16 September 2025

Release Notes Last Updated: 22 December 2025

Corrected Issues in Aviatrix Release 8.0.30

Issue Description

Issue	Description
AVX-58696	Fixed an issue where TCP MSS clamping was not supported on Standalone Gateways in Release 7.1 and later. Gateways now properly apply MSS clamping to prevent fragmentation issues in TCP traffic flows.
AVX-59298	Fixed an issue where Edge Spoke or Edge Transit Gateways deployed in Megaport Virtual Edge (MVE) with fewer than five VNICs failed to initialize. The deployment process now handles fewer VNICs correctly, ensuring successful gateway initialization.
AVX-59376	Fixed an issue where Controller High Availability (HA) standby instances failed to launch in Controllers version 8.0 and later. The HA deployment workflow now supports dynamic version injection during instance creation, restoring compatibility with AWS Auto Scaling Group launch templates.
AVX-61355	Fixed a performance issue where Azure `Standard_B1ms` SNAT-enabled Egress Spoke Gateways experienced throughput drops under high connection loads. The gateway logic was updated to optimize performance on smaller instance types.
AVX-62542	Fixed an issue where Distributed Cloud Firewall (DCF) rules did not correctly evaluate traffic when customized SNAT was configured with the same SmartGroups in both source and destination fields. Rule evaluation now accounts for translated source addresses.
AVX-62712	Fixed an issue where recreating a policy-based Site-to-Cloud (S2C) VPN connection after deleting one with the same remote CIDR incorrectly triggered a CIDR overlap error. The system now fully clears deleted CIDRs to allow re-creation of connections.
AVX-62719	Fixed an issue where Distributed Cloud Firewall (DCF) policy writer created unnecessary 40KB configuration snapshots per gateway regardless of changes, increasing Controller database load. Snapshot logic was optimized to reduce redundant write operations.
AVX-63175	Fixed an issue where Edge Gateway version numbers in the Controller UI were incorrectly updated after a gateway returned from a down state. The UI now preserves the actual version running on the gateway.
AVX-63334	Fixed an issue where Aviatrix Edge Gateways deployed on Equinix Network Edge and VMware environments failed to resize root disks during setup, preventing cloud-init modules from executing. Disk resizing logic was updated to ensure proper root filesystem allocation.
AVX-63816	Fixed an issue where the RFC6598 Shared Address Space (`100.64.0.0/10`) remained in the Public Internet SmartGroup after upgrade to version 8.0.0, allowing traffic to bypass Layer 7 inspection. The upgrade process now removes this range as expected.
AVX-63846	Fixed an issue where CoPilot UI SmartGroups and ExternalGroups with multiple filters were not displayed correctly after saving. The UI now preserves all configured filter sets.
AVX-63883	Fixed an issue where Distributed Cloud Firewall (DCF) rules created via CoPilot UI or Terraform failed to commit, blocking new policies. The API and UI now correctly display and commit new rule sets.
AVX-64015	Fixed an issue where Jumbo Frame support could not be enabled on BGPoLAN connections for AWS HPE gateways. Configuration updates now allow enabling Jumbo Frames as expected.
AVX-64136	Fixed an issue where newly added OCI VCN CIDRs were not recognized in the Controller, preventing gateway creation in new ranges. The Controller now correctly reflects new OCI CIDRs without manual configuration.
AVX-64196	Fixed an issue where IPSec diagnostics did not display logs for AEP and self-managed Edge Gateways. The Controller UI now correctly shows IPSec logs across all supported Edge platforms.
AVX-64213	Fixed an issue where certain Edge Gateway images (`g3-202504251522`, `g3-202504251525`) incorrectly sized root disks to 12GB instead of full capacity. The boot process now correctly allocates full disk size.
AVX-64483	Fixed an issue where creating Secondary or HA Transit/Spoke Edge Gateways on Dell appliances failed. The backend workflow has been updated to allow successful HA gateway creation.
AVX-64767	Fixed an issue where using Site-to-Cloud (S2C) mapped NAT at scale caused performance regressions and packet drops after gateway upgrades. Packet handling and NAT translation logic have been optimized to restore performance.
AVX-65252	Fixed an issue where WebGroups combining both Domains and URLs caused configuration pushes to fail. Validation has been added to prevent mixing unsupported entry types.
AVX-65386	Fixed an issue where upgrades to Controller version 8.0.0 failed if Distributed Cloud Firewall (DCF) policies contained duplicate names. The upgrade process now validates and handles duplicate policy names.
AVX-66630	Fixed an issue where SSL certificate uploads containing a Unicode Byte Order Mark (BOM) failed and could crash the Controller application server. Certificates are now validated and BOMs are correctly handled during upload.

AVX-58696

Fixed an issue where TCP MSS clamping was not supported on Standalone Gateways in Release 7.1 and later. Gateways now properly apply MSS clamping to prevent fragmentation issues in TCP traffic flows.

AVX-59298

Fixed an issue where Edge Spoke or Edge Transit Gateways deployed in Megaport Virtual Edge (MVE) with fewer than five VNICs failed to initialize. The deployment process now handles fewer VNICs correctly, ensuring successful gateway initialization.

AVX-59376

Fixed an issue where Controller High Availability (HA) standby instances failed to launch in Controllers version 8.0 and later. The HA deployment workflow now supports dynamic version injection during instance creation, restoring compatibility with AWS Auto Scaling Group launch templates.

AVX-61355

Fixed a performance issue where Azure Standard_B1ms SNAT-enabled Egress Spoke Gateways experienced throughput drops under high connection loads. The gateway logic was updated to optimize performance on smaller instance types.

AVX-62542

Fixed an issue where Distributed Cloud Firewall (DCF) rules did not correctly evaluate traffic when customized SNAT was configured with the same SmartGroups in both source and destination fields. Rule evaluation now accounts for translated source addresses.

AVX-62712

Fixed an issue where recreating a policy-based Site-to-Cloud (S2C) VPN connection after deleting one with the same remote CIDR incorrectly triggered a CIDR overlap error. The system now fully clears deleted CIDRs to allow re-creation of connections.

AVX-62719

Fixed an issue where Distributed Cloud Firewall (DCF) policy writer created unnecessary 40KB configuration snapshots per gateway regardless of changes, increasing Controller database load. Snapshot logic was optimized to reduce redundant write operations.

AVX-63175

Fixed an issue where Edge Gateway version numbers in the Controller UI were incorrectly updated after a gateway returned from a down state. The UI now preserves the actual version running on the gateway.

AVX-63334

Fixed an issue where Aviatrix Edge Gateways deployed on Equinix Network Edge and VMware environments failed to resize root disks during setup, preventing cloud-init modules from executing. Disk resizing logic was updated to ensure proper root filesystem allocation.

AVX-63816

Fixed an issue where the RFC6598 Shared Address Space (100.64.0.0/10) remained in the Public Internet SmartGroup after upgrade to version 8.0.0, allowing traffic to bypass Layer 7 inspection. The upgrade process now removes this range as expected.

AVX-63846

Fixed an issue where CoPilot UI SmartGroups and ExternalGroups with multiple filters were not displayed correctly after saving. The UI now preserves all configured filter sets.

AVX-63883

Fixed an issue where Distributed Cloud Firewall (DCF) rules created via CoPilot UI or Terraform failed to commit, blocking new policies. The API and UI now correctly display and commit new rule sets.

AVX-64015

Fixed an issue where Jumbo Frame support could not be enabled on BGPoLAN connections for AWS HPE gateways. Configuration updates now allow enabling Jumbo Frames as expected.

AVX-64136

Fixed an issue where newly added OCI VCN CIDRs were not recognized in the Controller, preventing gateway creation in new ranges. The Controller now correctly reflects new OCI CIDRs without manual configuration.

AVX-64196

Fixed an issue where IPSec diagnostics did not display logs for AEP and self-managed Edge Gateways. The Controller UI now correctly shows IPSec logs across all supported Edge platforms.

AVX-64213

Fixed an issue where certain Edge Gateway images (g3-202504251522, g3-202504251525) incorrectly sized root disks to 12GB instead of full capacity. The boot process now correctly allocates full disk size.

AVX-64483

Fixed an issue where creating Secondary or HA Transit/Spoke Edge Gateways on Dell appliances failed. The backend workflow has been updated to allow successful HA gateway creation.

AVX-64767

Fixed an issue where using Site-to-Cloud (S2C) mapped NAT at scale caused performance regressions and packet drops after gateway upgrades. Packet handling and NAT translation logic have been optimized to restore performance.

AVX-65252

Fixed an issue where WebGroups combining both Domains and URLs caused configuration pushes to fail. Validation has been added to prevent mixing unsupported entry types.

AVX-65386

Fixed an issue where upgrades to Controller version 8.0.0 failed if Distributed Cloud Firewall (DCF) policies contained duplicate names. The upgrade process now validates and handles duplicate policy names.

AVX-66630

Fixed an issue where SSL certificate uploads containing a Unicode Byte Order Mark (BOM) failed and could crash the Controller application server. Certificates are now validated and BOMs are correctly handled during upload.

Known Issues in Aviatrix Release 8.0.30

Issue Description

Issue	Description
AVX-62003	Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages. Impact: Existing gateways may be deleted during image upgrade Replacement gateway creation fails due to missing subscription Customers may experience connectivity loss and dangling gateway entries in the Controller Manual intervention required, leading to support escalations Workaround: None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.
AVX-62299	When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway. To avoid this issue, follow the correct upgrade sequence: Upgrade the PSF Gateway first. Wait for the PSF Gateway upgrade to complete successfully. Then upgrade the dependent Spoke Gateways.
AVX-62506	During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity. Workaround: None Recommendations: Schedule gateway upgrades during maintenance windows or low-traffic periods. Use HA deployments and upgrade gateways one at a time in HA pairs. Monitor logs for “Failed to load policy” messages to confirm when policies are reloaded.
AVX-63224	In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time. Affected Scenarios: Upgrading from version 7.2.x to 8.0.x Upgrading between 8.0.x versions Impact: Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade. Recommendations: Allocate approximately 20% more time for gateway upgrades. For large environments (for example, 1,000+ gateways), plan for 90–120 minutes of upgrade time. Schedule upgrades during maintenance windows to accommodate the longer duration.
AVX-64447	Site2Cloud High Availability (HA) tunnels may not behave correctly when toggling between Active/Active and Active/Standby modes. Problem 1: When disabling Active/Active HA, the HA Gateway (HAGW) may retain metric 100 routes pointing to tunnel interfaces in the Gateway Route table, even though they should be removed. Problem 2: When enabling Active/Active HA from Active/Standby, the HA Gateway tunnel may not be properly enabled. This can result in missing routes despite the UI showing Active/Active status. Impact: Inconsistent routes on the gateway while switching the s2c HA Mode. Potential routing gaps on the gateway lead to incorrect traffic distribution. Workaround: If you encounter this issue, contact Aviatrix Support for assistance.
AVX-64502	On Azure gateways with High Performance Encryption (HPE) enabled, an underlay network issue may cause the eth0 interface to drop, bringing the interface flap. When this occurs, the DHCP-assigned primary IP address may be released while the static IP remains, resulting in one of the static IPs being promoted as the primary address. This can impact gateway operations. Impact: The gateway and its associated tunnels may go down, resulting in traffic disruption. Workaround: Stop and start the affected gateway from the cloud service provider console.
AVX-64794	When Distributed Cloud Firewall (DCF) is enabled, policy-based Site-to-Cloud (S2C) traffic may be misclassified due to how the traffic flows through the gateway. This can lead to unintended blocking or incorrect policy enforcement. Impact: Policy-based S2C traffic may be incorrectly evaluated against VPC or internet DCF rules Unexpected traffic drops or policy mismatches Inconsistent DCF behavior between policy-based and route-based S2C configurations Workaround: Consider using route-based S2C VPNs, where plaintext traffic traverses a dedicated tunnel interface and is classified correctly by DCF Temporarily disable DCF on gateways handling policy-based S2C connections if misclassification impacts production traffic
AVX-64868	In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting. Impact: Controller UI may show incorrect VRRP status such as both peers reporting `Primary` or `Initializing` No impact on actual VRRP traffic handling or failover behavior. Workaround: Use diagnostic logs to verify actual VRRP state
AVX-65016	In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes. Impact: Firewall integration appears stuck in Unaccessible state Recovery does not occur automatically after initial failure May require manual intervention to restore proper firewall state reporting Workaround: Contact Aviatrix Support for manual correction.
AVX-66190	When using Threat Intelligence (ThreatIQ) external groups in Distributed Cloud Firewall (DCF), gateways may log `field threat_severity not found` errors if unsupported selectors (such as `threat_severity`) are used. These configurations are currently accepted by the Controller without validation, but the unsupported selectors are ignored during policy enforcement, and repeated error messages are logged. Impact: DCF policies continue to function as expected, but administrators may be unaware that some threat selectors are not being applied. The repeated log entries may also affect log analysis and monitoring. Workaround: Remove unsupported selectors (e.g., `threat_severity`) from threat group configurations Use only supported fields when defining ThreatIQ external groups Monitor DCF gateway logs for error messages to identify invalid selectors Resolution: Future enhancements will add validation during configuration and UI notifications when unsupported selectors are used.
AVX-66324	When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration. Affected Scenario: DCF Layer 7 rules configured between Smart Groups based on resource tags (for example, Kubernetes pods and VMs) Both VPCs use RFC1918 IP addresses Gateways are deployed in High Availability (HA) mode Impact: Only affects notifications. Traffic enforcement continues to function as expected. Workaround: Monitor traffic flow manually Use Smart Groups with static IPs or CIDRs if alerting is critical
AVX-68102	When upgrading from Controller version 8.0.10 to 8.0.30, the Controller UI becomes temporarily inaccessible while containers reload. During this time, users cannot view progress or upgrade status messages. The UI becomes available again once the upgrade completes successfully. Impact: Controller UI is unavailable during the upgrade No upgrade status is displayed in the browser Behavior differs from previous versions Workaround: Wait for the upgrade to finish in the background. Refresh the browser after a few minutes to reconnect once the UI is available.
AVX-68887	When attaching VPN users to profiles using the `attach_vpn_user_to_profile` API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully. In some cases, users later reappear as active but still show no profile association in the UI. This results in a display inconsistency between the UI and the backend state. Impact: VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected. Affected Scenario: OpenVPN profile management operations that use API-based user-to-profile attachment. Workaround: None.
AVX-69733	When upgrading Public Subnet Filtering (PSF) gateway images on Controller version 7.1 or later, the ESTABLISHED iptables firewall rule may be removed during the upgrade process. This issue occurs on PSF gateways using the legacy stateful firewall and can alter existing firewall behavior after the upgrade. Impact PSF gateway traffic filtering becomes incomplete Network security policies may not be enforced correctly Existing connections may be disrupted Affected Scenario: PSF gateways using the legacy stateful firewall on Controller version 7.1 or later that undergo image upgrades. Workaround: Contact Aviatrix Support for assistance.
AVX-70123	When upgrading from Controller 8.0.x to 8.1.x, the upgrade may fail to complete due to incorrect database schema type definitions. As a result, the controller remains on version 8.0.x and the upgrade process does not finish successfully. Impact: Controller upgrade from 8.0.x to 8.1.x fails. Workaround: Contact Aviatrix Support for a manual fix to complete the upgrade.
AVX-70253	FireNet deployment with bootstrap enabled may fail in Google Cloud due to changes in how GCP credentials are handled. The system no longer reads GCP credentials from local files during bootstrap. Instead, credentials are retrieved as encoded data from the database, which causes bootstrap operations to fail in certain FireNet deployment workflows. Impact: FireNet deployment with bootstrap fails in the Google Cloud environment. Affected Scenario: FireNet deployments with bootstrap enabled in Google Cloud. Workaround: Do not use bootstrap when deploying FireNet in Google Cloud. Alternatively, perform the bootstrap process directly from the GCP cloud.
AVX-71087	When upgrading to Controller versions 8.0 or 8.1, ICMP traffic may be blocked by default due to updated access control rules that do not include allowances for ICMP-based debugging. Affected Scenario: Environments where ICMP is used for network troubleshooting and diagnostic workflows. Impact: ICMP-based debugging tools may stop functioning Network troubleshooting capabilities may be limited Existing workflows that depend on ICMP may be disrupted Workaround: Manually add access control rules to the Controller to explicitly allow ICMP traffic for debugging. Contact Aviatrix Support for assistance if needed.
AVX-71217	When upgrading gateway software from version 7.2 to 8.0.30, the VRRP state file /etc/localgateway/vrrp_state.json, may become empty on AEP and self-managed Edge-as-Spoke gateways configured in active-active HA pairs. This prevents VRRP state updates from being sent from the edge gateways to the Aviatrix Controller, and Aviatrix CoPilot will not display the updated VRRP states. This is a cosmetic issue and there will be no disruption to traffic. Impact: VRRP state information for edge gateways is not shown accurately in Aviatrix CoPilot Aviatrix CoPilot may display both primary and HA edge gateways with the same VRRP state The VRRP state information will not be updated in Aviatrix CoPilot when VRRP failovers occur on the data plane. This is a display-only issue and the data plane will not be disrupted The VRRP state information may show Initializing in Aviatrix CoPilot for Edge-as-Spoke gateways which are created in version 8.0.30 Affected Scenario: AEP and self-managed Edge-as-Spoke gateways in active-active HA deployments with VRRP enabled, upgraded from version 7.2 to 8.0.30 Workaround: Please contact Aviatrix Support for assistance.
AVX-71672	When upgrading the Controller to version 8.1, the database migration may fail if the tunnel `rtt_avg` field contains `None` values. The migration logic expects either a numeric value or the string `"N/A"`, and encountering a `None` value causes the upgrade to stop. Impact: Upgrade to 8.1 cannot complete Controller remains on the previous version Workaround: Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.
AVX-71820	When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails. Impact: VPN gateway deployment fails Error message does not clearly indicate the root cause Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2. Workaround: Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.

AVX-62003

Azure gateway image upgrades may fail when the Controller does not have the required Azure image subscription access. During the upgrade, the system deletes the existing gateway before validating subscription availability, which can result in gateway deletion without a replacement being created. This leaves dangling gateways in the Controller and can cause potential service outages.

Impact:

Existing gateways may be deleted during image upgrade
Replacement gateway creation fails due to missing subscription
Customers may experience connectivity loss and dangling gateway entries in the Controller
Manual intervention required, leading to support escalations

Workaround:

None. To avoid outages, ensure the Controller subscription includes access to the required Azure image before attempting upgrades.

AVX-62299

When upgrading from Controller version 7.1 to 7.2 or 8.0, Spoke Gateways with routing through a Public Subnet Filtering (PSF) Gateway may fail to upgrade and become unreachable if the PSF Gateway has not been upgraded first. This issue affects AWS environments where Spoke Gateway route tables are configured to point to a PSF Gateway.

To avoid this issue, follow the correct upgrade sequence:

Upgrade the PSF Gateway first.
Wait for the PSF Gateway upgrade to complete successfully.
Then upgrade the dependent Spoke Gateways.

AVX-62506

During a gateway software upgrade, traffic matching DCF WebGroup rules may be briefly dropped during the upgrade. This impacts both Layer 7 (HTTP/HTTPS) and Layer 4 traffic and occurs across all supported cloud providers (AWS, Azure, and GCP). The disruption typically lasts a few seconds but may vary depending on gateway load and policy complexity.

Workaround:

None

Recommendations:

Schedule gateway upgrades during maintenance windows or low-traffic periods.
Use HA deployments and upgrade gateways one at a time in HA pairs.
Monitor logs for “Failed to load policy” messages to confirm when policies are reloaded.

AVX-63224

In Controller release 8.0, gateway software upgrades take longer to complete compared to earlier versions. On average, the upgrade rate drops from approximately 14 gateways per minute in version 7.2 to approximately 11 gateways per minute in 8.0, which is an increase of about 20% in execution time.

Affected Scenarios:

Upgrading from version 7.2.x to 8.0.x
Upgrading between 8.0.x versions

Impact:

Only the upgrade duration is affected. Gateway functionality remains unaffected after a successful upgrade.

Recommendations:

Allocate approximately 20% more time for gateway upgrades.
For large environments (for example, 1,000+ gateways), plan for 90–120 minutes of upgrade time.
Schedule upgrades during maintenance windows to accommodate the longer duration.

AVX-64447

Site2Cloud High Availability (HA) tunnels may not behave correctly when toggling between Active/Active and Active/Standby modes.

Problem 1: When disabling Active/Active HA, the HA Gateway (HAGW) may retain metric 100 routes pointing to tunnel interfaces in the Gateway Route table, even though they should be removed.

Problem 2: When enabling Active/Active HA from Active/Standby, the HA Gateway tunnel may not be properly enabled. This can result in missing routes despite the UI showing Active/Active status.

Impact:

Inconsistent routes on the gateway while switching the s2c HA Mode.
Potential routing gaps on the gateway lead to incorrect traffic distribution.

Workaround:

If you encounter this issue, contact Aviatrix Support for assistance.

AVX-64502

On Azure gateways with High Performance Encryption (HPE) enabled, an underlay network issue may cause the eth0 interface to drop, bringing the interface flap.

When this occurs, the DHCP-assigned primary IP address may be released while the static IP remains, resulting in one of the static IPs being promoted as the primary address. This can impact gateway operations.

Impact:

The gateway and its associated tunnels may go down, resulting in traffic disruption.

Workaround:

Stop and start the affected gateway from the cloud service provider console.

AVX-64794

When Distributed Cloud Firewall (DCF) is enabled, policy-based Site-to-Cloud (S2C) traffic may be misclassified due to how the traffic flows through the gateway. This can lead to unintended blocking or incorrect policy enforcement.

Impact:

Policy-based S2C traffic may be incorrectly evaluated against VPC or internet DCF rules
Unexpected traffic drops or policy mismatches
Inconsistent DCF behavior between policy-based and route-based S2C configurations

Workaround:

Consider using route-based S2C VPNs, where plaintext traffic traverses a dedicated tunnel interface and is classified correctly by DCF
Temporarily disable DCF on gateways handling policy-based S2C connections if misclassification impacts production traffic

AVX-64868

In some scenarios involving rapid VRRP state transitions, the keepalived VRRP state may not be reported accurately to the Controller. This can result in temporary discrepancies between the actual VRRP status and what is displayed in the Controller UI, leading to confusion and difficulties during troubleshooting.

Impact:

Controller UI may show incorrect VRRP status such as both peers reporting Primary or Initializing
No impact on actual VRRP traffic handling or failover behavior.

Workaround:

Use diagnostic logs to verify actual VRRP state

AVX-65016

In some environments, the Firewall state may not recover from Unaccessible after the first vendor integration failure. This issue has been observed when integrating with third-party firewall vendors, leaving the gateway firewall state stuck even after the environment stabilizes.

Impact:

Firewall integration appears stuck in Unaccessible state
Recovery does not occur automatically after initial failure
May require manual intervention to restore proper firewall state reporting

Workaround:

Contact Aviatrix Support for manual correction.

AVX-66190

When using Threat Intelligence (ThreatIQ) external groups in Distributed Cloud Firewall (DCF), gateways may log field threat_severity not found errors if unsupported selectors (such as threat_severity) are used.

These configurations are currently accepted by the Controller without validation, but the unsupported selectors are ignored during policy enforcement, and repeated error messages are logged.

Impact:

DCF policies continue to function as expected, but administrators may be unaware that some threat selectors are not being applied.
The repeated log entries may also affect log analysis and monitoring.

Workaround:

Remove unsupported selectors (e.g., threat_severity) from threat group configurations
Use only supported fields when defining ThreatIQ external groups
Monitor DCF gateway logs for error messages to identify invalid selectors

Resolution:

Future enhancements will add validation during configuration and UI notifications when unsupported selectors are used.

AVX-66324

When using Distributed Cloud Firewall (DCF) Layer 7 rules with Smart Groups that contain tagged resources, no bell notifications appear when configuration issues potentially block traffic. This affects deployments where Smart Groups match resources by tags (such as AWS instance tags) rather than static IPs or CIDRs. Although traffic is enforced correctly, administrators may not be alerted to the problematic configuration.

Affected Scenario:

DCF Layer 7 rules configured between Smart Groups based on resource tags (for example, Kubernetes pods and VMs)
Both VPCs use RFC1918 IP addresses
Gateways are deployed in High Availability (HA) mode

Impact:

Only affects notifications. Traffic enforcement continues to function as expected.

Workaround:

Monitor traffic flow manually
Use Smart Groups with static IPs or CIDRs if alerting is critical

AVX-68102

When upgrading from Controller version 8.0.10 to 8.0.30, the Controller UI becomes temporarily inaccessible while containers reload. During this time, users cannot view progress or upgrade status messages. The UI becomes available again once the upgrade completes successfully.

Impact:

Controller UI is unavailable during the upgrade
No upgrade status is displayed in the browser
Behavior differs from previous versions

Workaround:

Wait for the upgrade to finish in the background.
Refresh the browser after a few minutes to reconnect once the UI is available.

AVX-68887

When attaching VPN users to profiles using the attach_vpn_user_to_profile API, the CoPilot or Controller UI may continue to display the user profile as N/A even though the attachment operation completes successfully.

In some cases, users later reappear as active but still show no profile association in the UI. This results in a display inconsistency between the UI and the backend state.

Impact: VPN user profile assignments may appear unsuccessful in the UI, which can cause confusion during profile management. There is no functional impact: the VPN profile is correctly assigned in the backend, and users can connect to the VPN as expected.

Affected Scenario: OpenVPN profile management operations that use API-based user-to-profile attachment.

Workaround: None.

AVX-69733

When upgrading Public Subnet Filtering (PSF) gateway images on Controller version 7.1 or later, the ESTABLISHED iptables firewall rule may be removed during the upgrade process.

This issue occurs on PSF gateways using the legacy stateful firewall and can alter existing firewall behavior after the upgrade.

Impact

PSF gateway traffic filtering becomes incomplete
Network security policies may not be enforced correctly
Existing connections may be disrupted

Affected Scenario: PSF gateways using the legacy stateful firewall on Controller version 7.1 or later that undergo image upgrades.

Workaround:

Contact Aviatrix Support for assistance.

AVX-70123

When upgrading from Controller 8.0.x to 8.1.x, the upgrade may fail to complete due to incorrect database schema type definitions.

As a result, the controller remains on version 8.0.x and the upgrade process does not finish successfully.

Impact: Controller upgrade from 8.0.x to 8.1.x fails.

Workaround: Contact Aviatrix Support for a manual fix to complete the upgrade.

AVX-70253

FireNet deployment with bootstrap enabled may fail in Google Cloud due to changes in how GCP credentials are handled.

The system no longer reads GCP credentials from local files during bootstrap. Instead, credentials are retrieved as encoded data from the database, which causes bootstrap operations to fail in certain FireNet deployment workflows.

Impact: FireNet deployment with bootstrap fails in the Google Cloud environment.

Affected Scenario: FireNet deployments with bootstrap enabled in Google Cloud.

Workaround: Do not use bootstrap when deploying FireNet in Google Cloud. Alternatively, perform the bootstrap process directly from the GCP cloud.

AVX-71087

When upgrading to Controller versions 8.0 or 8.1, ICMP traffic may be blocked by default due to updated access control rules that do not include allowances for ICMP-based debugging.

Affected Scenario: Environments where ICMP is used for network troubleshooting and diagnostic workflows.

Impact:

ICMP-based debugging tools may stop functioning
Network troubleshooting capabilities may be limited
Existing workflows that depend on ICMP may be disrupted

Workaround: Manually add access control rules to the Controller to explicitly allow ICMP traffic for debugging. Contact Aviatrix Support for assistance if needed.

AVX-71217

When upgrading gateway software from version 7.2 to 8.0.30, the VRRP state file /etc/localgateway/vrrp_state.json, may become empty on AEP and self-managed Edge-as-Spoke gateways configured in active-active HA pairs. This prevents VRRP state updates from being sent from the edge gateways to the Aviatrix Controller, and Aviatrix CoPilot will not display the updated VRRP states. This is a cosmetic issue and there will be no disruption to traffic.

Impact:

VRRP state information for edge gateways is not shown accurately in Aviatrix CoPilot
Aviatrix CoPilot may display both primary and HA edge gateways with the same VRRP state
The VRRP state information will not be updated in Aviatrix CoPilot when VRRP failovers occur on the data plane. This is a display-only issue and the data plane will not be disrupted
The VRRP state information may show Initializing in Aviatrix CoPilot for Edge-as-Spoke gateways which are created in version 8.0.30

Affected Scenario:

AEP and self-managed Edge-as-Spoke gateways in active-active HA deployments with VRRP enabled, upgraded from version 7.2 to 8.0.30

Workaround: Please contact Aviatrix Support for assistance.

AVX-71672

When upgrading the Controller to version 8.1, the database migration may fail if the tunnel rtt_avg field contains None values. The migration logic expects either a numeric value or the string "N/A", and encountering a None value causes the upgrade to stop.

Impact:

Upgrade to 8.1 cannot complete
Controller remains on the previous version

Workaround: Contact Aviatrix Support for assistance in correcting the database values before retrying the upgrade.

AVX-71820

When deploying a load balancer–enabled VPN gateway with an overlapping VPN CIDR on Controller versions 8.0, 8.1, or 8.2, the gateway creation fails.

Impact:

VPN gateway deployment fails
Error message does not clearly indicate the root cause

Affected Scenario: Load balancer–enabled VPN gateway deployments on Controller versions 8.0, 8.1, and 8.2.

Workaround:

Ensure that the VPN CIDR does not overlap with existing gateways behind the load balancer before deployment. Contact Aviatrix Support for assistance.