Avi Vantage 16.3, 16.4, and 16.5 Release Notes

This article describes new features and fixes in Avi Vantage release 16.5.2.

What’s New in 16.5.2

  • Ability to add peer-specific local AS in eBGP
  • Ability to create HSM groups on a per-tenant basis
  • Support for SafeNet HSM version 6.2.1
  • Ability to create a SafeNet HSM group for multiple partitions on the same HSM device

Issues Resolved in 16.5.2

  • AV-25091: Packet buffer leak due to fragmented UDP packets causing VIPs to go down
  • AV-25102: SE fails during server reselect configuration
  • AV-25518: SE upgrade fails on Cisco CSP 2100 with bond configuration

What’s New in 16.4.8

  • Performance and logging enhancements for HSM integration

Issues resolved in 16.4.8

  • AV-19415: Error “Bad Service” in API and Avi UI for cluster follower
  • AV-19437: Traffic capture in AWS throws an error
  • AV-22284: SE_VNIC_DUPLICATE_IP events for floating interface IPs are seen during upupgrade for legacy active/standby group
  • AV-22489: SE failure in OpenShift after upgrade and VS update
  • AV-22514: SE fails when executing show serviceengine <> tcp-flows command
  • AV-22607: LBaaSv2: TCP loadbalancer create/update/delete generates a “400 bad request” response when it wrongly checks for the existence of a pool
  • AV-22982: SE may fail if client logging is enabled and memory is exhausted
  • AV-23083: SE may fail if >40 MB of data is buffered in a TCP connection and there are many retransmissions
  • AV-23416: PFS performance is low when using SSL Async

Issues Resolved in 16.4.7

  • AV-21359: PATCH on systemconfiguration.snmp_configuration.community fails
  • AV-21959: SE failure while processing heartbeat message
  • AV-21985: SE_HM process crash fills up SE disk space, causing SE failure
  • AV-22110: UDP health monitor is always expecting a response
  • AV-22140: Upgrade fails if there is a user whose name contains a ‘-‘
  • AV-22237: If password in URI ends with an ‘@’ symbol, Avi Vantage generates a “400: bad request” response
  • AV-22338: Cookie persistence fails periodically

Issues Resolved in 16.4.6

  • AV-16891: In both the API and UI, the SE UUID is being displayed instead of the SE name
  • AV-19330: After an upgrade, the metrics DB is not removed from the follower, increasing disk usage in the follower node
  • AV-19505: An FTP with user credentials fails through a VS that is used to load-balance a pool of forward proxies
  • AV-20329: Login to Avi Controller fails for an OpenStack user who is a member of a large number of tenants
  • AV-20506: Rsync logs are not getting cleaned up
  • AV-20533: For SSL connections, the payload is being sent to a pool server member even before the proxy header
  • AV-20673: Avi VIP port status shows as “down” even though it is active
  • AV-20889: Aggressive failure detection can cause false “SE_UP” events
  • AV-20927: Log analytics is not working for IP type (client IP, server IP) fields
  • AV-20945: Missing service ports configuration in OpenShift stops route and service synchronization
  • AV-21692: Upgrade fails if there is a comma in the user name
  • AV-21832: Traffic disruption is observed when upgrading a legacy-HA SE when HSM is configured

Issues Resolved in 16.4.5

  • AV-17213: X-Forwarded-Proto is always HTTPS
  • AV-19328: UI does not allow scaleout beyond 4 SEs in GCP
  • AV-20024: Pool name change not reflected in logs
  • AV-20664: Unused security groups not deleted from OpenStack
  • AV-20890: X550 interface lost after SE restart
  • AV-20927: Log analytics missing IP information
  • AV-20928: SE failure in OpenShift cluster when a VS is deleted
  • AV-20945: Missing service ports configuration in OpenShift stops route and service synchronization
  • AV-21018: Avi SE disable has no effect due to a race condition
  • AV-21022: High number of alerts causes restore datastore to fail with out of memory
  • AV-21023: VS not reachable after Controller leader was shutdown
  • AV-21037: Requests without a cookie are wrongly marked with “persistence server changed” significance in the log
  • AV-21090: SE management connectivity may be disrupted if using a bond interface for management

Issues Resolved in 16.4.4

  • AV-17969: Not validating against all CA certs in PKI profile
  • AV-19799: Round robin with HTTP cookie persistence sticking to one server when new requests come from a single connection
  • AV-19815: Postfix service didn’t start on Avi Controller
  • AV-19955: Pool IP address not updated correctly after OpenShift node reboot
  • AV-20064: HTTP CONNECT without a port number may cause an SE failure
  • AV-20283: REST API errors skip object updates for unrelated objects
  • AV-20287: iptables rule order change breaks network security policies
  • AV-20376: Add support for X520 NIC

Issues Resolved in 16.4.3

  • AV-19384: Only virtual services are editable in the UI’s all-tenants view
  • AV-19486: SE may fail if connectivity to the Controller fails and there is a metrics message being sent to the Controller at the same time
  • AV-19490: SE fails if VS is disabled and at the same time application profile is changed
  • AV-19518: After upgrade, in an APIC environment, virtual services are not placed correctly
  • AV-19558: Email alerts are delayed in certain deployments where there is restricted external connectivity
  • AV-19567: In a bare-metal setup, logs show as missing due to Intel P-state changing frequencies on SE
  • AV-19620: In an AWS environment DNS VS doesn’t resolve to new IP after Controller migration
  • AV-19683: Packets > 1500 bytes are failing in AWS even though the DHCP server provides an MTU of 9000
  • AV-19684: Wrong date appears in alert email notification
  • AV-19700: Orphaned HTTPPolicySet, PoolGroup and Pool are not being deleted

What’s New in 16.4.2

  • Support for Egress pod automation in OpenShift/Kubernetes

Issues Resolved in 16.4.2

  • AV-19238: Multiple cluster VIPs configured on leader Controller’s eth0
  • AV-19254: ACI endpoint is pointing to secondary SE in OpenShift environment
  • AV-19289: SE crashes when the cluster leader is powered off in container ecosystems (e.g., OpenShift, Mesos)

Issues Resolved in 16.4.1

  • AV-18042: api/pool/pool-id/runtime/server doesn’t show correct pool information
  • AV-18306: export virtualservice does not export all the objects related to a virtual service
  • AV-18516: SELinux mode flips to permissive after an Avi SE start
  • AV-18568: SE failed because of a queue-full condition
  • AV-18818: Some HTTP responses are getting truncated
  • AV-18848: SE failed when network profile was changed for a virtual service that has disable port translation set
  • AV-18911: Upgrade is not graceful if virtual services imported via config migrator tool have duplicate names in multiple clouds

Issues Resolved in 16.3.8

  • AV-16751: SE failure in error handling of fragmented UDP packets
  • AV-17092: Upgrade from 16.2 to 16.3.4 fails
  • AV-17118: OpenStack: Floating IP mappings in are lost when a virtual service is removed from an SE
  • AV-17240: Avi UI: Cluster configuration should allow configuration of cluster node name
  • AV-17379: Avi UI: Warning message for virtual service deletion is wrong
  • AV-17427: Avi UI: HTTP response rule can’t be saved with “match” of type “HTTP Status”
  • AV-17841: SNMP MIB walk returns “down” for Controller state even though it is up
  • AV-17963: Node name from cluster configuration is not used as sysName in SNMP traps
  • AV-17979: OpenStack: In provider mode, networks shared with CloudAdmin tenant (via Neutron RBAC) are visible to all other tenants
  • AV-18042: Avi API “api/pool/pool-id/runtime/server” doesn’t show correct pool information
  • AV-18118: If Infoblox IPAM is managing Microsoft DNS/DHCP, auto-allocation of IP address for virtual service fails
  • AV-18320: Cannot save a DataScript if it is referencing two or more pools
  • AV-18350: In CSP, dedicated HSM does not work with port channel interfaces
  • AV-18374: Upgrade in AWS may become disruptive because of a spurious SE_FATAL_ERROR message

Known Issues in 16.3.x

  • AV-16655: Upgrade from pre-16.3 can fail if disk is >85% full
    • Workaround: Stop the disk monitoring script (stop monit) on all the controller nodes

What’s New in 16.3.6

  • Support for L4 health monitors by default in OpenShift/Kubernetes

Issues Resolved in 16.3.6

  • AV-16705: Upgrade fails with metrics_db failure if a separate metrics partition is used in Linux Server Cloud
  • AV-17161: Geolocation file /var/lib/avi/etc/ipgroups/country_codes.json is missing
  • AV-17217: Unable to edit “Usable Subnet” and “Usable Domain” in an IPAM profile from Avi UI
  • AV-17237: 404 response when selecting “View all headers” from Avi UI
  • AV-17284: SE crash due to a race condition in flow cleanup in Google cloud
  • AV-17437: Alert e-mail does not work
  • AV-17393: service_ip_subnet configuration in serviceengineproperties does not take effect for Google cloud

Issues Resolved in 16.3.5

  • AV-15746: After a Controller warm start, VLAN interfaces are lost when the Service Engine restarts
  • AV-16705: If a separate metrics partition is configured on Avi Controller in a Bare Metal environment, after an upgrade to 16.3.3, the follower nodes fail to initialize
  • AV-16813: Virtual service creation for a new OpenShift service fails if a Service Engine is restarting at the same time
  • AV-16864: Some DNS requests fail in a Cisco APIC environment with an Active/Active HA configuration
  • AV-16890: SNMP MIB walk does not show virtual service status
  • AV-16927: Upgrading to 16.3.4 fails if a parenthesis is present in the full name of a remote user
  • AV-16978: Alerts generate multiple redundant syslog messages
  • AV-16996: In a container environment, SE fails when configuring network security policy that contains microservice group
  • AV-17006: Microsoft IE6 clients are not allowed to do POSTs on HTTP keep-alive connections
  • AV-17026: VIP unreachable after upgrade to 16.3.4 in OpenStack with port security disabled
  • AV-17057: Upgrade to 16.3.4 fails if a plus sign character is in a tenant name
  • AV-17141: SafeNet HSM HA configuration fails when HA is configured without having any certificates present on the HSM devices
  • AV-17181: OpenStack Keystone v2: Avi Controller does not accept usernames with “@”

What’s New in 16.3.4

This section summarizes the enhancements in 16.3.4. For more information, click on the feature names. They are hyperlinks to additional information in the Avi Networks knowledge base.

Issues Resolved in 16.3.4

  • AV-15383: Cannot add more networks to an existing IPAM/DNS profile
  • AV-15384: Cannot allocate IP address and set FQDN using Infoblox IPAM/DNS profile
  • AV-15715: If Avi SE has two BGP peers and a VS with network security policy is updated, the SE may fail
  • AV-15755: Upgrade may stall if the controller cluster in Linux Server Cloud has a cluster VIP
  • AV-15801: Keystone authentication fails when port is not set in the URL
  • AV-15844: VRF update for SE not allowed in vCenter read access mode
  • AV-15845: Pool VRF not using the VS VRF in the create VS advanced wizard UI
  • AV-15847: SNMP walk does not work when Controller is installed on bare metal servers
  • AV-15896: When using FQDN to add servers to a new pool, only the first server is added
  • AV-15905: Editing pool configuration fails when pool was configured with non default VRF
  • AV-15967: After an SE crash, disk becomes 100% full and SE does not restart
  • AV-15968: WebSockets to OpenShift Console does not work
  • AV-16028: Metrics engine doesn’t update all entries for all virtual services in ‘all tenant view’
  • AV-16086: SE crashes when compression profile is updated in SNI configuration
  • AV-16124: Reflect virtual service status in OpenShift Route object’s status field
  • AV-16194: AWS: only place virtual services with same front-end subnets on a single SE
  • AV-16298: Export/import of just cloud config causes SE image name conflict in the new cluster
  • AV-16483: Skip VS creation for headless Kubernetes services

Issues Resolved in 16.3.3

  • AV-15566: Virtual service placement fails with an incorrect message when the gateway monitor marks an SE down
  • AV-15703: In Keystone v3 when a group is assigned a role in a project, a user belonging to that group does not inherit that role
  • AV-15754: VS scale out in OpenStack & AWS does not work because traffic from a secondary SE is not being tunneled through the primary SE

What’s New in 16.3.2

This section summarizes the enhancements in 16.3.2. For more information, click on the feature names. They are hyperlinks to additional information in the Avi Networks knowledge base.

Issues Resolved in 16.3.2

  • AV-15100: API should reject if more than 2 certificates are attached to the virtual service
  • AV-15234: SE failure when DoS events are reported for an SNI chld virtual service
  • AV-15259: GSLB inventory calls fail, and hence UI fails
  • AV-15345: Conditional PUT requests generate 412 errors
  • AV-15386: Same service name across OpenShift projects/Kubernetes namespaces causes IP allocation failure
  • AV-15392: Controller health status does not work correctly when health monitor for a non-Avi virtual service is specified
  • AV-15411: Storage verification not working in avi_baremetal.sh script with Docker ver 1.9
  • AV-15418: Support “Disable port translation” feature in pools for L7 and l4 SSL virtrual service
  • AV-15428: Controller version incorrectly displayed on GSLB UI
  • AV-15431: Alert for server down within a specific pool also triggers server down in other pools
  • AV-15516: Non-admin user login into CLI shell is broken
  • AV-15547: Cloud connector did not recover after IAM permissions were restored to Avi Controller
  • AV-15620: UI: edit of FQDN not allowed
  • AV-15624: Unable to bind cluster VIP to NIC - Numerical result out of range
  • AV-15671: Handle different SSH user-ids for multiple clouds

Issues Resolved in 16.3.1

  • AV-11682: Unable to specify ‘and’ when searching logs for inequality
  • AV-12481: Length of time a user is logged in is inaccurate
  • AV-13450: UI does not allow changing NTP config if no DNS is configured
  • AV-15060: VS IP change does not trigger RHI updates
  • AV-15145: Unable to connect to vCenter cloud after upgrade to 16.3
  • AV-15163: Multiple, unnecessary scale out ready events reported
  • AV-15191: Remote users not able to login after upgrade to 16.3
  • AV-15194: Packet drops seen when a BGP virtual service is migrated
  • AV-15198: If Avi Controller and SE are on the same host, sometimes the SE upgrade hangs, causing a disruptive reboot
  • AV-15223: Add correct port mapping for SNMP (161/UDP) for Controller on bare-metal host

What’s New in 16.3

This section summarizes the enhancements in 16.3. For more information, click on the feature names. They are hyperlinks to additional information in the Avi Networks knowledge base.

Core ADC Features


  • DNS implemented as a virtual service, capable of hosting GSLB, virtual service DNS records, and manually configured DNS records; DNS visibility and analytics
  • Comprehensive support for IPAM/DNS services, including integrated Avi Vantage IPAM/DNS, Infoblox, and cloud-native solutions across all cloud infrastructures


Cloud Connectors




CLI, API, and Automation


Key Changes in 16.3

  • In a VMware vCenter cloud, Avi Controller checks the connectivity to vCenter via ICMP Ping request before trying to login via SSH. Ensure firewall rules are updated to allow ICMP Ping requests from Avi Controller to vCenter.

Issues Resolved in 16.3

  • AV-9672:   Incorrect virtual service metrics for post requests
  • AV-10717: LDAP: User record needs to be updated with LDAP attributes for (user full name, email)
  • AV-10805: vCenter password update should be allowed in default cloud
  • AV-11160: SSL profile configuration shoud restart HTTP service for the Web UI
  • AV-11846: LDAP not mapping groups correctly
  • AV-11896: Can’t migrate virtual services to different SE when multiple virtual services have the same IP but different ports
  • AV-12384: Unable to update pool because of unreferenced HTTP policies
  • AV-12596: Bare-metal script should check /var/lib/docker for space
  • AV-13458: HTTP Response rule variables not displayed
  • AV-13463: Changing one node of the cluster fails
  • AV-13625: Prevent multiple simultaneous upgrades
  • AV-14818: Change default pool placement network to VIP network in AWS
  • AV-14936: OpenStack: “Concurrent Update Error” when using a script for LBaaS config
  • AV-14997: DataScript fails to handle server status_code 202
  • AV-15100: Virtual Service create/update API should fail the request if more than two SSL certificates are configured

Performing the Upgrade

Upgrade prerequisite: current version of Avi Controller must be 16.2 or later.

Upgrade Instructions

Protocol Ports Used by Avi Vantage for Management Communication

Supported Platforms

Refer to System Requirements: Ecosystem

Product Documentation

For more information, please see the following documents, also available within this knowledge base.

Installation Guides

Open Source Package Information

Avi Networks software, Copyright © 2013-2019 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php