Avi Vantage 18.1.X Release Notes
Issues Resolved in 18.1.5 Patch Release
Issues Resolved in 18.1.5-10p1
- AV-58098: Virtual service fails to come up for OpenStack Rocky release
Issues Resolved in 18.1.5-8p1
- AV-59927: After a reboot Service Engine may not connect back to the Controller
Issues Resolved in 18.1.5-7p2
- AV-58181: Handle IPv6 routes application with /48 mask
Issues Resolved in 18.1.5-7p1
- AV-54379: Service Engine failure after bond VLAN interface was deleted
- AV-55606: In DPDK mode, all the interrupt resources were not released to the kernel by the Service Engine at the time of stopping the services
- AV-58039: SE-DP crash while retrieving interface statistics from DP
- AV-58446: CSP: Physical link flap causes virtual function (VF) connectivity loss
Issues Resolved in 18.1.5-6p1
- AV-56179: Auth profiles created with same name stop working
Issues Resolved in 18.1.5-5p1
- AV-56113: OpenShift on Azure: One Service Engine is stuck in OPER_DISABLED mode even though Kubernetes node is in Ready state
Issues Resolved in 18.1.5-4p3
- AV-58660: Polling for Azure VM scalesets stops if a scaleset is deleted from Azure, without being removed from Avi pool
Issues Resolved in 18.1.5-4p2
- AV-56476: Polling interval switched back to 60 seconds by removing an unnecessary Azure API call for scalesets, to avoid rate limiting errors in scaleset polling
Issues Resolved in 18.1.5-4p1
- AV-54968: Reduce the number of API calls made for polling Azure virtual machine scale sets
- AV-55941: Azure scale set polling does not update the pools and can hit rate limiting errors on Azure
Issues Resolved in 18.1.5-3p2
- AV-56660: Service Engine restarts on applying Controller patch that requires a reboot
Issues Resolved in 18.1.5-3p1
- AV-53448: OpenStack: Neutron APIs timeout in a large deployment
- AV-54186: Service Engine failure when certificate expires
- AV-54964: SQL injection possible while using some APIs
Issues Resolved in 18.1.5-2p1
- AV-52095: PKI profile with CRL enabled breaks after 24 hours
- AV-53301: In Avi UI, under virtual service > security tab, small graphs on right side fail to load
- AV-53902: Configuring proxy protocol in UI does not work
- AV-54109: Unable to update system configuration in CLI scripting mode
- AV-54186: Virtual service goes to fault state when certificate expiry warning is generated
- AV-54302: Avi Infoblox integration creates pointer in forward instead of reverse lookup zone
Issues Resolved in 18.1.5-1p2
- AV-58384: Remove duplicate pool members with an IP address 0.0.0.0
Issues Resolved in 18.1.5-1p1
- AV-53025: Service Engine failure on inserting HTTP header in a request body event DataScript
- AV-53039: Enabling/Disabling WAF rules with non-ASCII characters fails
- AV-53365: Incorrect handling of Nagios health monitor requests
- AV-53914: Service Engine failure when Response event Datascript runs in the context of HTTP response generated by a request event DataScript
- AV-54186: Virtual service goes to fault state when certificate expiry warning is generated
- AV-55454: Service Engine failure for virtual service with application type System-SSL-Application when network profile type is set to TCP Fast
What’s New in 18.1.5
ADC
- Support for selecting a Service Engine based on a consistent hash of the client-ip[, port]
- Support for Request header with location of the originating client IP on a DataScript or HTTP Policy
- Support SNI with HTTP/2
Analytics
- Support for SIP health monitor over TCP
Containers
- Support for using alternate ingress provider
- Kubernetes: Opt-in or Opt-out support for load balancer deployment in conformance with Kubernetes standards
- OpenShift: Avi ServiceAccounts restricted to just projects requesting egress pod service
- OpenShift: Support for enforcing OpenShift information and annotations
Logging
- Support for capturing client cipher list in logs when SSL handshake fails due to cipher mismatch
- Support for capturing headers in significant logs
- Support for large trap payload in SNMP trap notifications
Networking
- Support for increased number of BGP Peers
- Support for HTTP request retry policy
- Support for HTTP server reselect when the connection fails
- UDP maximum session idle timeout increased to one hour for maintaining longer open UDP sessions
OpenStack
Private Cloud
- vCenter: Support for virtual hardware version 10. Deprecated support for ESXi 5.0, ESXi 5.1
Public Cloud
- AWS: Support for tighter control over AWS security group auto-creation
- Azure: Support for marketplace licensing
- Azure: Support for Managed Services Identity (MSI) based authentication for Microsoft Azure
Security
- WAF: Support for combined buffering and streaming mode for the request body
- Support for setting access permission to HSM groups independent of SSL key and certificates
System
- Support for adding client IP filter for Service Engine packet capture
- Support for restarting Service Engine one at a time when resources in SE group are changed
Key Changes in 18.1.5
- AV-51312: To interact with Avi Vantage version 18.1.5, the Avi SDK needs to be upgraded to the latest version.
Issues Resolved in 18.1.5
- AV-33959: URL invalid encoding for redirect action
- AV-36484: OpenStack: Service Engine anti-affinity not working after Service Engine creation failure
- AV-41838: Avi Controller portal not available after changing the Controller certificate and rebooting
- AV-41878: OpenShift: Insecure termination policy does not work with HTTP when shared virtual service is used
- AV-42367: GSLB service updates may not get delivered to the DNS virtual service after an upgrade
- AV-42445: OpenStack: Virtual service placement fails after creating due to Controller process failure
- AV-42719: IP address allocation failed in spite of free IPs
- AV-43048: Frequent updates to the IPAM object can cause disk space exhaustion
- AV-43455: Avi Vantage fails to import root CA certificate if it has generalized time format instead of UTC format
- AV-43926: Service Engine may fail if the name of a WAF profile is changed when it is already associated with a virtual service
- AV-43929: Cisco CSP 2100: IPv6 failure with SRIOV NICs
- AV-43973: VMware: Pool members added by FQDN change to 0.0.0.0 IP address if DNS resolution fails
- AV-43980: Secure channel flapping between the Controller and SE when GRO is enabled
- AV-44089: Service Engine with large memory may fail during a SE list update for a virtual service
- AV-44239: Service Engine fails if external log server cannot be resolved to an IP address
- AV-44473: Import configuration fails if string contains unicode character
- AV-44659: Error message on saving HTTP security policy with rate-limit and local response HTML file
- AV-45040: Unable to update the virtual service name to have () parentheses from UI, but can change from API and CLI
- AV-45221: Virtual service placement stuck in a state to acquire IP addresses for network/subnet for SNI parent
- AV-45496: Service Engine may fail if TLS persistence is used for a non-SSL pool
- AV-45747: XML content for a WAF enabled virtual service causes log file growth on the Service Engine
- AV-45852: OpenShift: Delay in creating Avi routes
- AV-45943: Health monitor fails if there is a \r\n\r\n before the HTTP/x.x in the send string
- AV-45967: Azure: The Avi Controller tries to delete non-Avi VM’s disk
- AV-45970: Non admin users are able to view users, tenants, and role mapping configuration
- AV-46045: Linux server cloud: Service Engine may fail when DPDK is enabled on Mellanox NICs in a port channel
- AV-46061: Third party GSLB sites are not shown in the list of DNS policy primary and fallback sites
- AV-46169: Syslog message with invalid PRI 324
- AV-46190: Two virtual services with same IP in two different tenants do not work if placed on the same Service Engine
- AV-46349: Packet buffer usage went up causing Service Engine to be unreachable
- AV-46650: Unable to use regex or list of strings for basic authentication
- AV-46742: Service Engine stuck in a disabled state while the cluster and SEs are having intermittent network partitioning issues
- AV-46832: Mellanox interfaces on the Service Engine are not restored correctly after an SE failure
- AV-46883: Service Engine fails if TCP FastPath network profile is used for DNS application with DNS-over-TCP enabled
- AV-46899: OpenShift: Stale Avi bridge ports are not being cleaned up
- AV-47080: Linux server cloud: Service Engine may fail on using multiple bond interfaces to advertise VIP via BGP
- AV-47140: SMTP error while running email test
- AV-47185: OpenShift: Egress pod not coming up on Azure
- AV-47249: AWS: Nodes added to the pool by FQDN do not update when the IPs are changed
- AV-47333: Upgrade hung on remote task when the time is not synced between Service Engine and the Controller
- AV-47387: vCenter discovery does not complete after a Controller warmstart
- AV-47437: Linux server cloud: Default route may not take effect on using Mellanox NICs in inband mode
- AV-47500: WAF: Service Engine may fail under memory pressure
- AV-47568: Service Engine failure due to a corrupted persistence cookie
- AV-47574: vCenter API version 6.7U1 is not supported by Avi Controller
- AV-47600: Service Engine may stop processing packets if it has been up for more than 392 days
- AV-47647: Service Engine failure due to out of memory condition with WAF enabled
- AV-47650: Service Engine advertising routes to BGP for virtual service that are not placed
- AV-47661: SMTP alerts not working with anonymous SMTP settings
- AV-47797: When RSS is enabled, connections to pool servers delayed due to dropped SYN+ACK packets causing retransmits
- AV-47800: When VIP to SNAT is enabled, changing non-critical fields (e.g., name) causes virtual service to detach and reattach to Service Engines
- AV-50783: Virtual service cannot be enabled due to IP address exhaustion
- AV-50784: Azure: HTTP Health monitor fails for VMs added to a pool from a scale set because of “_” in the hostname
- AV-51019: Linux server cloud: NIC bonding may fail on Ubuntu 16.04 servers when Service Engine is restarted
- AV-51330: Service Engine failure when Layer 4 SSL virtual service is configured without a pool
- AV-52374: DNS virtual service with preserve client IP does not work for UDP traffic
- AV-52822: Upgrade fails if roles exist without any privilege
Issues Resolved in 18.1.4
- AV-43756: Exporting configuration from CLI requires passphrase
- AV-44673: OpenShift: All Service Engines in OpenShift cloud fail to upgrade with SE_IMAGE_INSTALL error
What’s New in 18.1.4
- Support for configuring certificates for internal key exchange service on port 8443
Issues Resolved in 18.1.3 Patch Releases
Issues Resolved in 18.1.3-3p4
- AV-53815: Pool / virtual service state inconsistent in corner cases
- AV-55491: SNI parent pool is not coming up after deleting and adding the server back
Issues Resolved in 18.1.3-2p5
- AV-56197: Zone transfer through Avi DNS virtual service fails after limit of a certain number of records
Issues Resolved in 18.1.3-2p4
- AV-54379: Service Engine crash after bond VLAN interface was deleted on bonded VLAN interface
Issues Resolved in 18.1.3-9p1
- AV-47003: Few of the pool groups are missing after the test for leader node permanent failure is triggered, but they exist in the vCenter.
- AV-50783: In a VMware environment, rediscovery of Service Engines fails as virtual services cannot be enabled due to IP address exhaustion.
Issues Resolved in 18.1.3-3p3
- AV-52174: In Azure multi-NIC environment, need to add a route for management to reach the metadata server at initialization time
Issues Resolved in 18.1.3-5p2
- AV-51849: SE UI Configuration: Support for VLAN list and creation button for CLOUD_NONE
Issues Resolved in 18.1.3-6p1
- AV-46349: SE_PKT_BUFF_HIGH event and buffer usage went up causing SE to be unreachable
Issues Resolved in 18.1.3-4p3
- AV-43973: VMware: Pool members added by FQDN brings the virtual service down
- AV-47249: AWS: Nodes added to the pool by FQDN do not update when the IPs are changed
- AV-47661: SMTP alerts not working with anonymous SMTP settings
Issues Resolved in 18.1.3-2p3
- AV-41006: IPv6: Learn link local IP in internal network and fix multiple dhclient
- AV-47122: VMware write access: Handling IPv6 server down events
Issues Resolved in 18.1.3-3p2
- AV-46087: GCP: Move ILB advanced route create API from alpha to beta
Issues Resolved in 18.1.3-5p1
- AV-46190: Two virtual services with same IP in two different tenants do not work if placed on the same SE
- AV-46447: Enable routing on all VRFs
- AV-46449: Configure floating interface IPs on all VRFs
- AV-45490: Defer VLAN cleanup if secondary IPs are present on IFP
- AV-45867: Service Engine datapath hitting a panic in rt_tables_get_rnh_ptr
Issues Resolved in 18.1.3-2p1
- AV-43929: IPv6 failure on Cisco CSP 2100 with SRIOV NICs
- AV-44709: VIP advertisement does not work through IPv6 BGP peer.
Issues Resolved in 18.1.3-1p1
- AV-43910: OCI: Avi Controller fails to discover all SE VMs which may result in virtual service creation or placement failures
What’s New in 18.1.3
ADC
- Support for Mellanox MCX4121A-ACAT ConnectX-4 Lx EN NIC, 25GbE
- Support for custom rate limiter in DataScript
DNS
- DNS server and pool selection using DNS policy
- Infoblox DNS: Support to append “usable domain” as a suffix, if the host does not end with a usable domain
Networking
Private Cloud
- Linux server cloud: Support for RHEL 7.5
- OpenShift: Handle port mapping on the service port for virtual service
Public Cloud
- Azure: Automated multi Azure LB support for OpenShift
- Azure: Allow custom tags for resources
Security
Issues Resolved in 18.1.3
- AV-28815: Shared memory usage is not considered for SE health status
- AV-32521: Traceroute within the namespace does not show the hops
- AV-34396: UI: GSLB service cannot map to SNI child virtual service
- AV-35713: Change in cipher list in Controller access controls does not change the accepted cipher list in SSH
- AV-40376: Standby Service Engine is also advertising the VIP route to BGP in legacy active/standby mode with SNAT
- AV-40988: Bare metal: Status of all hosts shows “start in progress” when only one of the hosts is non-responsive
- AV-41232: BGP peering not established on Service Engine restart when there are a lot of VRFs
- AV-41289: Service Engine failure on updating dp_hb_frequency value in Service Engine properties
- AV-41710: Azure: Pools configured with Azure scale sets may go down when there is an Azure API error
- AV-41842: STARTTLS fails on sending an email if the server does not support TLS
- AV-41861: Memory leak during RSS scaleout
- AV-41877: OpenShift: Ingress creation fails with “Max VS per IP reached” message
- AV-41880: Avi Controller is not registered in APIC as a Logical Device
- AV-42079: OCI IPAM support for legacy HA
- AV-42759: Azure: Latency increases after some time
Issues Resolved in 18.1.2 Patch Releases
Issues Resolved in 18.1.2-1p1
- AV-41006: DHCP is not working for IPv6 addresses
- AV-41767: OpenStack: Cluster VIP is not programmed correctly when using Contrail
- AV-41880: Avi Controller is not registered in APIC as a Logical Device
What’s New in 18.1.2
ADC
- HTTP caching can now be controlled by specifying URIs, in addition to MIME types
- Support for sharing pool groups across virtual services
- IPv6 protocol support both at the client and server side for bare metal, VMware, OpenStack and Linux server cloud environments
- Support for HTTP/2 for client-side connections
- Minimum number of Service Engines for VS placement can be dynamically reduced
- Support for L4 SSL virtual service to handle both SSL and non-SSL ports on both client and server side
- Customized response pages can be created for errors generated in TCP, SSL/TLS, HTTP, WAF, and DataScript processing
- Support to set a server timeout on a per-request basis
- Strings in string groups can now be edited
- A DataScript can read an HTTP response body
DNS
- DNS Quad-A (AAAA) and DNS64 support
- DNS Policy enhancement: Support to return specific A, AAAA, CNAME or NS record(s) for a matching FQDN
Security
- Client logs: Support for removing or masking Personally Identifiable Information (PII) in request-headers and response-headers fields
- WAF: Enhanced metrics to estimate WAF SE resource sizing
- sslkeyandcertificate/generatecertificate, sslkeyandcertificate/[uuid]/importcertificate, sslkeyandcertificate/importkeyandcertificate endpoints deprecated
Analytics
- Client log streaming now supports TCP as well as optional syslog header
- For higher performance and scale, client logs can be streamed directly from SE memory without initially writing to disk
Operations
System
Public Cloud
- AWS: Alert user when an AWS Auto Scaling group referenced by an Avi pool is deleted
- AWS: Route 53 AWS account can be different from Controller AWS account
- AWS: Each tenant may create and manage its cloud in AWS
- Azure: Each tenant may create and manage its cloud in Azure
- GCP: Support user-owned IP ranges for VIPs
- GCP: Support for GCP autoscaling groups
Cisco ACI
- Multiple virtual services can share the same service graph in ACI
- Avi Service Graph implementation changed from 2 node to 1 node
Private Cloud
Networking
Automation
- Golang package for Avi SDK
- Native Terraform provider support for managing Avi configuration
Issues Resolved in 18.1.2
- AV-23166: OpenShift: Logs consume more disk than the configured limit causing disk to fill up, leading to SE failure
- AV-23359: After changing one of the nodes in cluster, virtual service analytics page does not render data due to inconsistent metrics mapping between SE and the Controller
- AV-31453: Changes to /etc/docker/daemon.json are not preserved across Avi Vantage upgrade
- AV-34379: DataScript in non-admin tenant cannot reference shared IP groups in admin tenant
- AV-34396: UI: global service cannot map to SNI child virtual service
- AV-35683: VLAN interface IP removed after changing the bond interface members
- AV-35689: API session ID does not expire
- AV-36958: Avi Service Engine responds to ARP for non-VIP addresses in OpenShift
- AV-38322: Portal stuck at initialization with leader in inactive state
- AV-38353: UDP traceroute to VIP does not work if df bit is set in the packet
- AV-38533: OpenShift: Service Engines may fail after deploying route with an invalid SSL certificate
- AV-39027: OpenStack with Contrail plugin: All traffic for VIP subnet is being routed to Service Engine
- AV-39760: Controller UI shows wrong metrics for End to End UDP Log Analytics
- AV-40377: Cisco CSP2100: Secondary Service Engine may not process flows if multiple bond interfaces are in use
- AV-40421: UI: While creating a Service Engine VLAN interface, UI drop-down menu shows only 8 VRFs
Known Issues in 18.1.2
- AV-40988: Linux Server Cloud: Status of all hosts shows “start in progress” when only one of the hosts is non-responsive
Performing the Upgrade
Upgrade prerequisite: The current version of Avi Controller must be 17.2 or later.
Protocol Ports Used by Avi Vantage for Management Communication
Supported Platforms
Refer to System Requirements: Ecosystem
Product Documentation
For more information, please see the following documents, also available within this knowledge base.
Installation Guides
Open Source Package Information
- Copyright Information [https://s3.amazonaws.com/aviopensource/18.1.3/copyrights.pdf]
- Packages used [https://s3.amazonaws.com/aviopensource/18.1.3/packages.pdf]
Avi Networks software, Copyright © 2013-2019 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php