Avi Vantage 17.1.14 Release Notes

This article describes new features and fixes in Avi Vantage release 17.1.14.

What’s New in 17.1.14

• Avi Vantage Controller and Service Engine software includes the kernel patches for Meltdown-Spectre, as released by the Linux community, to eliminate the vulnerability.

Issues Resolved in 17.1.14

• AV-30805: Invalid HTTP cookies can cause a Service Engine failure
• AV-31635: Due to a race condition, Service Engine may sometimes fail while constructing the client log17
• AV-31904: Service Engine fails when parsing a malformed CONNECT request
• AV-32244: Number of descriptors used for SRIOV vNICs in Cisco CSP-2100 is too small
• AV-32247: Number of descriptors in VMware is too small
• AV-32382: SE may fail when consistent hash is used as algorithm for GSLB pools, and GeoDB is configured
• AV-32442: SE may fail if an HTTP health monitor is configured and there is an update/delete operation while there is an outstanding connection
• AV-33620: suspend_on_failure option did not take effect to prevent traffic outage when first SE failed upgrade

What’s New in 17.1.13

• Support for Kubernetes/OpenShift NodeSelector for egress pod
• Support for Oracle Enterprise Linux 7.4

Issues Resolved in 17.1.13

• AV-29611: Traffic to secondary SE fails with ECMP scale out in Kubernetes/OpenShift
• AV-30228: OpenShift: All virtual services placed on one Service Engine are not reachable
• AV-30849: In an OpenShift environment, DNS entries may be incorrect if applications are deleted and added

What’s New in 17.1.12

• Support to add DNS records independent of virtual service state. This is controlled by state-based-dns-registration, a new configuration knob in the cloud object.

Issues Resolved in 17.1.12

• AV-29700: Cannot migrate a VIP sharing virtual services to a new SE group even after disabling the virtual services
• AV-29831: When using IE11 browser, the Operations menu does not respond and VS pop-up menu formatting is broken
• AV-30295: OpenShift: Service Engine startup hangs with a non-default Avi Bbridge subnet
• AV-30355: Service Engine may fail if log streaming is enabled
• AV-30378: Service Engine may fail under queue-full conditions with UDP/DNS health monitor configured
• AV-30402: Cookie persistence may not return a cookie in some cases, when used with pool groups

What’s New in 17.1.11

• Support in DataScript for server selection by server name and server selection via custom-string-based consistent hash
• A counter has been added to monitor outstanding changes in the OpenShift cloud connector

Issues Resolved in 17.1.11

• AV-16748: Memory leak in job manager
• AV-26558: In OpenStack environments, the Avi API times out during large heat stack deployment
• AV-28492: Duplicate IP address are getting assigned to an SE’s data vNIC
• AV-28968: Infoblox profile cannot create DNS records
• AV-29045: Streaming log throttling is not working when throttling is set to 0
• AV-29439: Avi UI does not display the progress of SE upgrade

What’s New in 17.1.10

• Support for DPDK driver on RedHat 7.4 3.10.0-693.1.1.el7.x86_64 in Linux Server Cloud deployment
• Ability to synchronize services with the egress pod info, even if back-end application synchronization is disabled; refer to Authorized Source IP for OpenShift Project Identification
• Support for string hash API in DataScripts

Issues Resolved in 17.1.10

• AV-26095: SSL certificate content update done in OpenShift is not picked up by Avi Vantage
• AV-27396: In auto-allocation of VIPs, IP addresses overlap with other VIPs in the system
• AV-27876: In an OpenShift cloud, cloud-inventory call fails in Avi UI
• AV-28058: Incomplete AWS Auto Scale Group list displayed while creating a pool
• AV-28500: L7 HTTP virtual service rejects requests with “/../” in the URL and arguments
• AV-28664: Unnecessary events generated for spurious malformed packets

Known Issues in 17.1.10

• AV-29155: With Docker CE version 17.09, Avi Controllers and Avi SEs cannot be co-located on the same host. If they are, restart of any of them will fail.

What’s New in 17.1.9

• Ability added to REST API to monitor the Q depth of API calls in OpenShift cloud connector
• To support health monitoring from AWS to external IP addresses, Avi Vantage supports using VIP as SNAT IP
• Support for Mesosphere DC/OS 1.10
• Support for shared-VIP routes/ingress objects in an OpenShift/Kubernetes cloud
• Namespace-driven inclusion-exclusion of OpenShift-Kubernetes applications

Issues Resolved in 17.1.9

• AV-25646: Weak cipher is used on certificate that’s used for Controller-SE communication on port 8443
• AV-25804: Attaching to an SE from the Controller CLI fails in a Linux server (bare-metal) cloud
• AV-26629: BGP state on the SE is not initialized after many VRF updates
• AV-26726: Sending multiple DNS requests over the same TCP connection causes SE to fail
• AV-26831: RTT values are incorrect, causing timestamps to be wrong in client logs
• AV-26984: Disabling of servers during request processing of connection-switched virtual services causes SE to fail
• AV-27273: In the VS logs tab of the Avi UI, the bar graph is blank even though log details appear in the logs pane
• AV-27378: In an upgrade from 16.x to 17.1.x, an SE fails if it gets disconnected from the Avi Controller

Issues Resolved in 17.1.8

• AV-25952: Service engine fails when multiple pool groups are attached to a DataScript
• AV-26490: CONNECT requests with a URI starting with a digit are rejected as bad requests
• AV-26601: Controller process fails when a virtual service read immediately follows a virtual service delete
• AV-26737: SE may fail in bare-metal installations due to large packets
• AV-26781: OpenShift changes are not reflected in Avi Vantage due to a connectivity failure between the Avi Controller and OpenShift nodes
• AV-26850: Upgrade from 16.4.x to 17.x fails when a plus (+) sign appears in the tenant name

What’s New in 17.1.7

• Avi SEs as a pod can use daemonsets as an alternative to SE deployment as Docker containers

Issues Resolved in 17.1.7

• AV-24660: SE fails when root certificate is attached to an HTTPS health monitor
• AV-24788: SE fails due to a disk-full condition
• AV-25676: Slowness in HTTPS when many small packets are received from the server
• AV-25842: In OpenShift, traffic to a north-south virtual service is disrupted after a node is disabled
• AV-25936: SE fails during configuration of a floating IP
• AV-26037: SE fails during upgrade to 17.1.6

Known Issues in 17.1.7

• AV-26737: SE may fail in bare-metal installations due to large packets

What’s New in 17.1.6

This section summarizes the enhancements in 17.1.6. For more information, click on the feature names, which link to additional information in the Avi Networks Knowledge Base.

• Ability to share a pool across multiple virtual services
• Ability to stop DNS queries from passing through to back-end DNS servers when FQDNs are subdomains of authoritative domains
• Ability to add peer-specific local AS in eBGP

Key Changes in 17.1.6

• If “disable port translation” is selected in the pool, any health monitor associated with that pool must explicitly specify the port to be monitored.

Issues Resolved in 17.1.6

• AV-21218: Geo database not being applied correctly to pre-existing GSLB services
• AV-23211: Cannot override host header in health monitor
• AV-24463: New Service Engines cannot connect to the Controller when there is a delay in creating the SE’s “network adapter 1” in a vCenter configured for write access mode
• AV-25002: CLI command show running_config does not work
• AV-25031: While configuring BGP via Avi UI, setting send_community to False impacts BGP nexthop setting in container environments
• AV-25040: show config and GET with include_name fails with “not-found” alerts in the system
• AV-25041: Internal interface not deleted on SE, causing issues during SE restart
• AV-25091: Packet buffer leak due to fragmented UDP packets causing VIPs to go down
• AV-25517: Controller sporadically hangs after reboot of Cisco CSP 2100
• AV-25518: SE upgrade from 17.1.3 to 17.1.5 fails on Cisco CSP 2100 with bond configuration
• AV-25612: SE fails due to se_log_agent process crash
• AV-25692: Cluster IP change does not result in VS update in Avi Vantage

What’s New in 17.1.5

• GSLB site selection support

Issues Resolved in 17.1.5

• AV-23417: DataScript should not translate headers with underscore “_” to dash “-“
• AV-23817: Can’t encode characters after running show pool group CLI command
• AV-23979: No space left on volume in bare metal deployment /dev/mapper
• AV-23990: /var/lib/avi/log/snmpd.log file growing too big
• AV-23991: Upgrade from 17.1.2 to 17.1.3 failing to copy Controller images to follower nodes
• AV-24463: New Service Engines cannot connect to the Controller when there is a delay in creating the SE’s “Network adapter 1” in vCenter write access mode
• AV-24548: SE bond member change may remove interface config on SE restart
• AV-24562: External health monitor not picking correct namespace when VRFs are configured
• AV-24577: In an OpenStack-Nuage environment, after upgrade, VIPs are not accessible for some time
• AV-24585: Nuage 3.2r10 is not supported
• AV-24587: Nuage VSD authentication failure when editing the cloud object
• AV-24658: SE fails because of duplicate IPs in ipam_dns
• AV-24690: Upgrade fails if there are users with special characters in full_name
• AV-24698: VLAN interface statistics graph is missing in SE page
• AV-24952: Cannot send test emails for alerts
• AV-25025: Applications affected for virtual services scaled on more than one SE
• AV-25026: Tenants not removed in Avi for services already deleted from OpenShift

What’s New in 17.1.4

• Support for Extension Mechanisms for DNS (EDNS) client subnet option (ECS) insertion (Phase 2)

Issues Resolved in 17.1.4

• AV-22245: Close connection action for rate limiting of L7 virtual service not working
• AV-23396: When in the Avi UI, selecting an OpenStack tenant having “&” in its name logs the user out
• AV-23731: SE may fail on receipt of some malformed URIs
• AV-23752: LBaaSv2: Avi delete API calls fail when Keystone deletes a tenant without properly deleting all LB objects
• AV-23922: SE crashes after upgrade to 17.1.3 from 16.4.4
• AV-24048: SE crash can cause disruption of GSLB GeoDB setup
• AV-24055: OpenShift (kube-proxy disabled): Cluster IP set to “None” clutters logging unnecessarily
• AV-24071: SE failure in Linux server cloud with port channel after upgrade to 17.1.3
• AV-24296: IPtables on Avi Controller are not restored after reboot

What’s New in 17.1.3

• Support for multihop BGP
• Ability to customize the error page for Avi-generated responses, to include an application-specific message
• Ability to add new description and searchable tags fields to the VS object
• Support for Service Engine groups in an OpenShift/Kubernetes cloud
• Support for AWS IPAM and DNS in Mesos/Kubernetes clouds
• Custom security groups for Service Engines in OpenStack and AWS
• Ability to tighten security for SEs in OpenStack or AWS clouds
• Ability to specify SQL queries to monitor Oracle health
• Ability to throttle all client logs on the SE, based on analytics profile and SE group properties
• Support for caching objects from servers in HTTPS pools
• Support for Extension Mechanisms for DNS (EDNS) client subnet option (ECS) insertion (Phase 1)

Key Changes in 17.1.3

• If disable port translation is used in a pool, the health monitor must specify a monitor port.
• Client logs for all virtual services are throttled to at most ten per second, by default.

Issues Resolved in 17.1.3

• AV-17389: Bad Service returned by APIs on follower nodes
• AV-18634: Only partial POST request data forwarded to the back end server when request is retried
• AV-20506: Rsync logs not cleaned up
• AV-21188: “Message of the day” option not working after logging in from Controller UI
• AV-21346: Config import is failing when trying to import multiple virtual services with the same IP
• AV-22291: OpenShift: VS mapped to east-west services remains OPER_UP, even though all the SEs are down
• AV-22341: Discrepancy in “df -h” and “du -sh” command in SE
• AV-22342: Infoblox DNS profile - DNS view configuration seems to be ignored (stuck to default)
• AV-22473: Server is marked down ever though primary SE reports it as up
• AV-22508: Unable to create a virtual service after upgrading since Infoblox IPAM/DNS profiles have been separated as independent objects
• AV-22523: SSL server pool does not allow HTTP health monitor
• AV-22612: An SE host that is already part of one Controller cluster can be added as an SE in another Controller cluster
• AV-22657: Export/import on 17.1.x does not work after upgrade from 16.x
• AV-22658: If cluster is configured with DNS names, after reboot, cluster node doesn’t come up
• AV-22691: LBaaSv2: Updates failing due to concurrent error when deleting HEAT stack with LBaaSv2 health monitor and pool objects
• AV-22711: ASG objects without launch_config or with target-group cause cloud connector process failure
• AV-22751: SE failure when deleting a virtual service having many connections
• AV-22933: OpenShift: Memory leak in se_agent process on the SE
• AV-22977: Controller cluster may unnecessarily restart after system configuration change
• AV-22985: DNS records for disabled VSes not getting removed from the DNS table
• AV-22990: DNS request times out if response is larger than 2000 bytes
• AV-23074: Add SSL stats to pool to indicate selected cipher, TLS version, MAC, etc.
• AV-23119: OpenShift: VS became OPER_UNAVAIL after rebooting leader node multiple times
• AV-23149: VS dropping DNS NOTIFY and zone transfer messages when using DNS application profile
• AV-23188: OpenShift: SE failure during scaleout after the SE container has been restarted
• AV-23197: Virtual services are not placed (or moved) if vCenter connectivity is lost, even though SEs are available
• AV-23262: SE crash at ipstk_vsport_config_add
• AV-23550: SE analytics does not display the graphs for throughput and rx, tx packets
• AV-23552: Persistence Issue: “Select New Server When Persistent Server Down” configured to immediate but it is not selecting a new server

What’s New in 17.1.2

This section summarizes the enhancements in 17.1.2. For more information, click on the feature names, which link to additional information in the Avi Networks Knowledge Base.

Core ADC Features

• Support for NAT-aware (public/private) IPs in GSLB
• Support for a dedicated SE for GSLB health monitoring
• Support for Infoblox DNS when provisioning virtual services
• Support for custom NS records
• Support for rate limiting clients based on headers and cookies
• Support for BGP Community

  Cloud Connectors

• Support for non-disruptive upgrade for Multi-AZ virtual service in AWS
• Integration with AWS Auto Scaling groups
• Support for non-disruptive upgrade for scaled out virtual services in GCP

CLI, API, and Automation

• Support for Python 3 in Avi SDK

DataScript

• Base64 encoding and decoding support in DataScript
• DataScript’s UI editor extended to permit search for pools

Operations

• Interval for license-expiry notification now configurable

Key Changes in 17.1.2

• Prior to release 17.1.2, neither DNS-only nor IPAM-only were supported with Infoblox. Starting with release 17.1.2, they can be independently configured. For more information, read IPAM and DNS Provider (Infoblox).
• The SE standard/aggressive failure-detection option and the SE auto-rebalance option have been dropped from the Avi UI. If this affects you, read this resolution article.

Issues Resolved in 17.1.2

• AV-16891: In both the API and UI, an SE’s UUID is being displayed instead of the SE’s name
• AV-18813: Server gets added to the pool even if the FQDN is not resolved
• AV-19119: During Controller cluster recovery, some SEs are moved to the default group
• AV-19235: OpenShift cloud connector attempts SSH to all nodes in OpenShift cluster, not just those labelled for SE deployment
• AV-19505: FTP with user credentials fails through a virtual service that is used to load balance pool of forward proxies
• AV-20024: After changing a pool’s name, newer traffic logs are still showing the pool’s old name
• AV-20287: OpenShift: iptables rule order change breaks network security policies
• AV-20506: Rsync logs are not being cleaned up
• AV-20533: Payload is being sent to server even before the proxy header for SSL connections
• AV-20664: Unused security groups not deleted from OpenStack
• AV-20669: AWS: Network lookup fails during IAM role token refresh on Avi Controller
• AV-20860: Docker registry configuration is allowed for a Linux server cloud, even though it is not supported
• AV-20889: Aggressive failure detection can cause false “SE_UP” events
• AV-20890: X550 interface is lost after SE restarts on bare-metal servers
• AV-20928: SE may fail due to a race condition in an OpenShift cluster when a virtual service is deleted
• AV-20945: Missing service ports configuration in OpenShift stops route and service synchronization
• AV-20959: OpenStack: Deletion of an LBaaS pool member fails if lb-vip Neutron port is not present or is deleted out-of-band
• AV-21018: Disabling an Avi SE has no effect due to a race condition
• AV-21022: A high number of alerts causes a datastore restore to fail due to lack of memory on the Controller
• AV-21044: HSM configuration is not synced to follower Controller nodes
• AV-21090: SE management connectivity may be disrupted if using a bond interface for management
• AV-21105: Virtual services momentarily interrupted or unreachable some time after one Controller failure
• AV-21649: vCenter cloud creation fails if system configuration is created without global_tenant_config
• AV-21692: Upgrade fails if there is a comma in the user name

Known Issues in 17.1.2

• AV-21972: If IPAM is used for VIP allocation and if the VS creation fails, the allocated VIP is not returned back to the free IP address pool. Multiple such failures can result in exhaustion of the IPAM pool. Workaround: Please contact Avi Support to implement a workaround.

=========================================================================

What’s New in 17.1.1

This section summarizes the enhancements in 17.1.1. For more information, click on the feature names, which link to additional information in the Avi Networks Knowledge Base.

Core ADC Features

• DataScript can access HTTP request body for policy decisions
• Ability to modify HTTP response body via a content rewrite profile.
• Support for DNS virtual service policies based on DNS queries.
• Traffic cloning: VS traffic can additionally be directed to a clone server, set of servers or subnet.
• DataScript support to “upgrade” L7 VS to L4-only processing based on custom header field.
• Support for HTTPS health monitors for non HTTPS pools.
• Support for DNS service to be aware of EDNS (Extension mechanism for DNS).
• Geo-location-based load balancing in GSLB.
• Support for TCP DNS queries.
• Support for GSLB third-party site.
• Support for localized data-plane health checking.

Networking

• Support for port channel on CSP

OpenStack

• Support for Keystone v3 in Avi Heat resources.
• Ability to explicitly configure a list of VIP and pool networks for use by tenants.
• Ability to distribute an SE group’s Service Engines across multiple availability zones.
• Support for OpenContrail driver

Cloud Connectors

• Multi-AZ support in AWS
• Support for large number of virtual services in Google Cloud Platform environments by using route aggregation.
• Integration with NSX Distributed Firewall Module to program security policies.
• Support for Cisco ACI Unmanaged Mode.
• Support for vCenter version 6.5.
• VMware vRealize Orchestrator integration enables vRO to automate Avi Vantage tasks, such as deploying a new virtual service or editing an existing one..

Security

• Ability to disable local authentication as long as remote authentication is available. If remote authentication goes down, the Avi Controller reverts to local authentication.
• CSR-based and manually imported certificates can now be updated in place.

Analytics

• Ability to stream client logs to external servers
• Analytics support in UI as well as API for logical interfaces like VLAN and bonded interfaces.
• Ability to collect application container metrics (CPU and Memory) for Avi health score calculations, triggering alerts, and application autoscaling in Container Clouds.

CLI, API, and Automation

• API versioning supports backward compatibility for automation scripts written for Avi Vantage object models older than the current one.
• Swagger specifications for Avi API are integrated into API documentation hosted on Controller.
• Avi Ansible modules for RESTful objects and resources.
• Ansible Galaxy Role for Avi Controller that automates deployment of Avi Controllers in Linux server, CSP and Docker environments.
• Ansible Galaxy Role for Avi Service Engine that automates deployment of Avi Service Engines in Linux server, CSP and Docker environments.
• Ansible Galaxy Role for Avi RESTFul objects that provides more than 80 Ansible >= 2.2 compatible modules with api_versioning, idempotency and check mode options and full Avi API compatibility.
• Ability to specify api_version in Avi API SDK.
• New Avi Migration Tools (avimigrationtools) Python package that contains utilities for migration of applications to Avi Vantage solution.
• Updated API Documentation to reflect new Avi API and RESTful resources.

UI

• New HTTP Policyset view that allows drag and drop of policies, advanced search based on keywords, and enhanced summary of policies and actions

DataScript

• Two new DataScript functions have been added to support rewriting requests: avi.http.set_reqvar, avi.http.get_reqvar
• DataScript can access HTTP request body for policy decisions

Key Changes in 17.1.1

• The default number of virtual CPUs for an SE created in a VMware environment has been changed from 2 to 1. The default memory size remains 2 GB.
• Significant logs are indexed on the Controller only on demand. Otherwise these logs remain on the Service Engines.
• Need to specify API version in the API request in order to use new features and fields introduced in 17.1.1 (or any release specific APIs). If no version is specified, 16.3 is assumed.

Issues Resolved in 17.1.1

• AV-9602: Unable to search for pool members by IP address
• AV-13022: Expose certain additional user account creation/modification-related events
• AV-15158: Show file name of upgrade file if it has been uploaded to the Controller already
• AV-15195: For container clouds, use auth-token instead of allow-unauth-api for SE downloads
• AV-15344: In an OpenStack environment, during migration, failure to move the cluster nodes VIP turned a node inactive
• AV-15354: Enhance “sudo” to require a password for admin user
• AV-15421: SE has an old, unused VIP IP bound to its vNIC
• AV-15468: Pool servers defined with the same address but different ports are seen as the same object
• AV-15615: GUI does not show FQDN field for VS in OpenShift cloud
• AV-15630: Certificate name with special characters works from CLI/API, but not from GUI
• AV-15705: When creating a new VS with an auto-allocated IP, the network for VIP address allocation list takes too long to populate
• AV-15810: Migration of multiple VS with a shared VIP may create more Service Engines than necessary
• AV-16509: In AWS, support multiple virtual services with different front-end subnets on a single SE
• AV-16751: SE failure in error handling of fragmented UDP packets
• AV-16878: Avi Controller should check GCP route consistency
• AV-16926: Upgrade from 16.3.3 to 16.3.4 fails if parenthesis present in full name of remote user
• AV-16953: During cluster configuration (Admnistration > Controller > Nodes < Edit), pressing ESC key should result in a confirmation prompt
• AV-16958: Need to be able to disable auto-gateway monitor
• AV-17024: GCP IPAM should automate se_handle_interface and global_mtu
• AV-17066: SSH access failure causes cloud status timeout
• AV-17176: Can’t specify default route for SE group management network override
• AV-17213: A parent VS forwarding HTTP requests using content switching incorrectly labels the ‘x-forwarded-proto’ header with ‘https’ instead of ‘http’
• AV-17285: Every alert is duplicated three times
• AV-17979: In provider mode, networks shared with CloudAdmin tenant (via Neutron RBAC) are visible to all other tenants
• AV-18118: After enabling Infoblox IPAM/DNS, can no longer create new virtual services
• AV-18306: Export virtualservice does not export all the objects related to VS
• AV-18516: SELinux mode flips to permissive after an Avi SE start
• AV-18565: Unable to attach to SE from Avi Controller shell from a tenant other than admin
• AV-18948: Spin up SE with vNIC DirectPathIO disabled in VMware clouds
• AV-19238: Multiple cluster VIPs configured in the Controller management interface
• AV-19330: Metrics database not cleaned up in follower cluster node after upgrade
• AV-19505: 400 Bad request received when trying to download file from FTP through VS when specifying credentials
• AV-19518: After upgrade, in APIC environment, virtual services are not placed correctly
• AV-19558: Email alerts are delayed while using postfix relayhost
• AV-19629: Avi LBaaS CLI is not working with Keystone v3 credentials
• AV-19815: Postfix service doesn’t start when configured to use localhost mail agent on the Avi Controller
• AV-20064: Monitoring using Prometheus tool causes SE failure
• AV-20086: Virtual Services with a shared VIP are not scaled out to all SEs
• AV-20319: Avi Controller portal login fails for an OpenStack user who is part of a large number of tenants
• AV-20376: Add support for X520 NIC
• AV-20539: Need to be able to use cluster UUID to identify the SEs

Performing the Upgrade

Upgrade prerequisite: The current version of Avi Controller must be 16.3 or later.

Upgrade Instructions

Protocol Ports Used by Vantage for Management Communication

Supported Platforms

Refer to System Requirements: Ecosystem

Product Documentation

For more information, please see the following documents, also available within this knowledge base.

Installation Guides

• Avi Vantage Installation Guides

Open Source Package Information

• Copyright Information [https://s3.amazonaws.com/aviopensource/17.1.14/copyrights.pdf]
• Packages used [https://s3.amazonaws.com/aviopensource/17.1.14/packages.pdf]

Avi Networks software, Copyright © 2013-2018 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php