Avi Vantage 18.1.X Release Notes

Issues Resolved in 18.1.5 Patch Release

Issues Resolved in 18.1.5-10p1

• AV-58098: Virtual service fails to come up for OpenStack Rocky release

Issues Resolved in 18.1.5-8p1

• AV-59927: After a reboot Service Engine may not connect back to the Controller

Issues Resolved in 18.1.5-7p2

• AV-58181: Handle IPv6 routes application with /48 mask

Issues Resolved in 18.1.5-7p1

• AV-54379: Service Engine failure after bond VLAN interface was deleted
• AV-55606: In DPDK mode, all the interrupt resources were not released to the kernel by the Service Engine at the time of stopping the services
• AV-58039: SE-DP crash while retrieving interface statistics from DP
• AV-58446: CSP: Physical link flap causes virtual function (VF) connectivity loss

Issues Resolved in 18.1.5-6p1

• AV-56179: Auth profiles created with same name stop working

Issues Resolved in 18.1.5-5p1

• AV-56113: OpenShift on Azure: One Service Engine is stuck in OPER_DISABLED mode even though Kubernetes node is in Ready state

Issues Resolved in 18.1.5-4p3

• AV-58660: Polling for Azure VM scalesets stops if a scaleset is deleted from Azure, without being removed from Avi pool

Issues Resolved in 18.1.5-4p2

• AV-56476: Back polling interval switched back to 60 seconds by removing unnecessary Azure API call for scalesets to avoid rate limiting errors in scaleset polling

Issues Resolved in 18.1.5-4p1

• AV-54968: Reduce the number of API calls made for polling Azure virtual machine scale sets
• AV-55941: Azure scale set polling does not update the pools and can hit rate limiting errors on Azure

Issues Resolved in 18.1.5-3p2

• AV-56660: Service Engine restarts on applying Controller patch that requires a reboot

Issues Resolved in 18.1.5-3p1

• AV-53448: OpenStack: Neutron APIs timeout in a large deployment
• AV-54186: Service Engine failure when certificate expires
• AV-54964: SQL injection possible while using some APIs

Issues Resolved in 18.1.5-2p1

• AV-52095: PKI profile with CRL enabled breaks after 24 hours
• AV-53301: In Avi UI, under virtual service > security tab, small graphs on right side fail to load
• AV-53902: Configuring proxy protocol in UI does not work
• AV-54109: Unable to update system configuration in CLI scripting mode
• AV-54186: Virtual service goes to fault state when certificate expiry warning is generated
• AV-54302: Avi infoblox integration create pointer in forward instead of reverse lookup zone

Issues Resolved in 18.1.5-1p2

• AV-58384: Remove duplicate pool members with an IP address 0.0.0.0

Issues Resolved in 18.1.5-1p1

• AV-53025: Service Engine failure on inserting HTTP header in a request body event DataScript
• AV-53039: Enabling/Disabling WAF rules with non-ASCII characters fails
• AV-53365: Incorrect handling of Nagios health monitor requests
• AV-53914: Service Engine failure when Response event Datascript runs in the context of HTTP response generated by a request event DataScript
• AV-54186: Virtual service goes to fault state when certificate expiry warning is generated
• AV-55454: Service Engine failure for virtual service with application type System-SSL-Application when network profile type is set to TCP Fast

What’s New in 18.1.5

ADC

• Support for selecting a Service Engine based on a consistent hash of the client-ip[, port]
• Support for Request header with location of the originating client IP on a DataScript or HTTP Policy
• Support SNI with HTTP/2

Analytics

• Support for SIP health monitor over TCP

Containers

• Support for using alternate ingress provider
• Kubernetes: Opt-in or Opt-out support for load balancer deployment in conformance with Kubernetes standards
• OpenShift: Avi ServiceAccounts restricted to just projects requesting egress pod service
• OpenShift: Support for enforcing OpenShift information and annotations

Logging

• Support for capturing client cipher list in logs when SSL handshake fails due to cipher mismatch
• Support for capturing headers in significant logs
• Support for large trap payload in SNMP trap notifications

Networking

• Support for increased number of BGP Peers
• Support for HTTP request retry policy
• Support for HTTP server reselect when the connection fails
• UDP maximum session idle timeout increased to one hour for maintaining longer open UDP sessions

OpenStack

• Support to choose SE group/VRF context from LBaaS v2 driver configuration

Private Cloud

• vCenter: Support for virtual hardware version 10. Deprecated support for ESXi 5.0, ESXi 5.1

Public Cloud

• AWS: Support for tighter control over AWS security group auto-creation
• Azure: Support for market place licensing
• Azure: Support for Managed Services Identity (MSI) based authentication for Microsoft Azure

Security

• WAF: Support for combined buffering and streaming mode for the request body
• Support for setting access permission to HSM groups independent of SSL key and certificates

System

• Support for adding client IP filter for Service Engine packet capture
• Support for restarting Service Engine one at a time when resources in SE group are changed

Key Changes in 18.1.5

• AV-51312: To interact with Avi Vantage version 18.1.5, the Avi SDK needs to be upgraded to the latest.

Issues Resolved in 18.1.5

• AV-33959: URL invalid encoding for redirect action
• AV-36484: OpenStack: Service Engine anti-affinity not working after Service Engine creation failure
• AV-41838: Avi Controller portal not available after changing the Controller certificate and rebooting
• AV-41878: OpenShift: Insecure termination policy does not work with HTTP when shared virtual service is used
• AV-42367: GSLB service updates may not get delivered to the DNS virtual service after an upgrade
• AV-42445: OpenStack: Virtual service placement fails after creating due to Controller process failure
• AV-42719: IP address allocation failed in spite of free IPs
• AV-43048: Frequent updates to the IPAM object can cause disk space exhaustion
• AV-43455: Avi Vantage fails to import root CA certificate if it has generalized time format instead of UTC format
• AV-43926: Service Engine may fail if the name of a WAF profile is changed when it is already associated with a virtual service
• AV-43929: Cisco CSP 2100: IPv6 failure with SRIOV NICs
• AV-43973: VMware: Pool members added by FQDN change to 0.0.0.0 IP address if DNS resolution fails
• AV-43980: Secure channel flapping between the Controller and SE when GRO is enabled
• AV-44089: Service Engine with large memory may fail during a SE list update for a virtual service
• AV-44239: Service Engine fails if external log server cannot be resolved to an IP address
• AV-44473: Import configuration fails if string contains unicode character
• AV-44659: Error message on saving HTTP security policy with rate-limit and local response HTML file
• AV-45040: Unable to update the virtual service name to have () parentheses from UI, but can change from API and CLI
• AV-45221: Virtual service placement stuck in a state to acquire IP addresses for network/subnet for SNI parent
• AV-45496: Service Engine may fail if TLS persistence is used for a non-SSL pool
• AV-45747: XML content for a WAF enabled virtual service causes log file growth on the Service Engine
• AV-45852: OpenShift: Delay in creating Avi routes
• AV-45943: Health monitor fails if there is a \r\n\r\n before the HTTP/x.x in the send string
• AV-45967: Azure: The Avi Controller tries to delete non-Avi VM’s disk
• AV-45970: Non admin users are able to view users, tenants, and role mapping configuration
• AV-46045: Linux server cloud: Service Engine may fail when DPDK is enabled on Mellanox NICs in a port channel
• AV-46061: Third party GSLB sites are not shown in the list of DNS policy primary and fallback sites
• AV-46169: Syslog message with invalid PRI 324
• AV-46190: Two virtual services with same IP in two different tenants do not work if placed on the same Service Engine
• AV-46349: Packet buffer usage went up causing Service Engine to be unreachable
• AV-46650: Unable to use regex or list of strings for basic authentication
• AV-46742: Service Engine stuck in a disabled state while the cluster and SEs are having intermittent network partitioning issues
• AV-46832: Mellanox interfaces on the Service Engine are not restored correctly after an SE failure
• AV-46883: Service Engine fails if TCP FastPath network profile is used for DNS application with DNS-over-TCP enabled
• AV-46899: OpenShift: Stale Avi bridge ports are not being cleaned up
• AV-47080: Linux server cloud: Service Engine may fail on using multiple bond interfaces to advertise VIP via BGP
• AV-47140: SMTP error while running email test
• AV-47185: OpenShift: Egress pod not coming up on Azure
• AV-47249: AWS: Nodes added to the pool by FQDN does not update when the IPs are changed
• AV-47333: Upgrade hung on remote task when the time is not synced between Service Engine and the Controller
• AV-47387: vCenter discovery does not complete after a Controller warmstart
• AV-47437: Linux server cloud: Default route may not take effect on using Mellanox NICs in inband mode
• AV-47500: WAF: Service Engine may fail under memory pressure
• AV-47568: Service Engine failure due to a corrupted persistence cookie
• AV-47574: vCenter API version 6.7U1 is not supported by Avi Controller
• AV-47600: Service Engine may stop processing packets if it has been up for more than 392 days
• AV-47647: Service Engine failure due to out of memory condition with WAF enabled
• AV-47650: Service Engine advertising routes to BGP for virtual service that are not placed
• AV-47661: SMTP alerts not working with anonymous SMTP settings
• AV-47797: When RSS is enabled, connections to pool servers delayed due to dropped SYN+ACK packets causing retransmits
• AV-47800: When VIP to SNAT is enabled, changing non critical fields (ex. name) causes virtual service to detach and reattach to Service Engines
• AV-50783: Virtual service cannot be enabled due to IP address exhaustion
• AV-50784: Azure: HTTP Health monitor fails for VMs added to a pool from a scale set because of “_” in the hostname
• AV-51019: Linux server cloud: NIC bonding may fail on Ubuntu 16.04 servers when Service Engine is restarted
• AV-51330: Service Engine failure when Layer 4 SSL virtual service is configured without a pool
• AV-52374: DNS virtual service with preserve client IP does not work for UDP traffic
• AV-52822: Upgrade fails if roles exist without any privilege

Issues Resolved in 18.1.4

• AV-43756: Exporting configuration from CLI requires passphrase
• AV-44673: OpenShift: All Service Engines in OpenShift cloud fails to upgrade with SE_IMAGE_INSTALL error

What’s New in 18.1.4

• Support for configuring certificates for internal key exchange service on port 8443

Issues Resolved in 18.1.3 Patch Releases

Issues Resolved in 18.1.3-3p4

• AV-53815: Pool / virtual service state inconsistent in corner cases
• AV-55491: SNI parent pool is not coming up after deleting and adding the server back

Issues Resolved in 18.1.3-2p5

• AV-56197: Zone transfer through Avi DNS virtual service fails after limit of a certain number of records

Issues Resolved in 18.1.3-2p4

• AV-54379: Service Engine crash after bond VLAN interface was deleted on bonded VLAN interface

Issues Resolved in 18.1.3-9p1

• AV-47003: Few of the pool groups are missing after the test for leader node permanent failure is triggered, but they exist in the vCenter.
• AV-50783: In a VMware environment, rediscovery of Service Engines fails as virtual services cannot be enabled due to IP address exhaustion.

Issues Resolved in 18.1.3-3p3

• AV-52174: In Azure multi-NIC environment, need to add a route for management to reach the metadata server at initialization time

Issues Resolved in 18.1.3-5p2

• AV-51849: SE UI Configuration: Support for VLAN list and creation button for CLOUD_NONE

Issues Resolved in 18.1.3-6p1

• AV-46349: SE_PKT_BUFF_HIGH event and buffer usage went up causing SE to be unreachable

Issues Resolved in 18.1.3-4p3

• AV-43973: VMware: Pool members added by FQDN brings the virtual service down
• AV-47249: AWS: Nodes added to the pool by FQDN does not update when the IPs are changed
• AV-47661: SMTP alerts not working with anonymous SMTP settings

Issues Resolved in 18.1.3-2p3

• AV-41006: IPv6: Learn link local IP in internal network and fix multiple dhclient
• AV-47122: VMware write access: Handling IPv6 server down events

Issues Resolved in 18.1.3-3p2

• AV-46087: GCP: Move ILB advanced route create API from alpha to beta

Issues Resolved in 18.1.3-5p1

• AV-46190: Two virtual services with same IP in two different tenants do not work if placed on the same SE
• AV-46447: Enable routing on all VRFs
• AV-46449: Configure floating interface IPs on all VRFs
• AV-45490: Defer VLAN cleanup if secondary IPs are present on IFP
• AV-45867: Service Engine datapath hitting a panic in rt_tables_get_rnh_ptr

Issues Resolved in 18.1.3-2p1

• AV-43929: IPv6 failure on Cisco CSP 2100 with SRIOV NICs
• AV-44709: VIP advertisement does not work through Ipv6 BGP peer.

Issues Resolved in 18.1.3-1p1

• AV-43910: OCI: Avi Controller fails to discover all SE VMs which may result in virtual service creation or placement failures

What’s New in 18.1.3

ADC

• Support for Mellanox MCX4121A-ACAT ConnectX-4 Lx EN NIC,25GbE
• Support for custom rate limiter in DataScript

DNS

• DNS server and pool selection using DNS policy
• Infoblox DNS: Support to append “usable domain” as a suffix, if the host does not end with a usable domain

Networking

• Streaming mode for HTTP/2 uploads
• Support for Session Initiation Protocol (SIP)

Private Cloud

• Linux server cloud: Support for RHEL 7.5
• OpenShift: Handle port mapping on the service port for virtual service

Public Cloud

• Azure: Automated multi Azure LB support for OpenShift
• Azure: Allow custom tags for resources

Security

• Support for hiding Personally Identifiable Information (PII) in logs

Issues Resolved in 18.1.3

• AV-28815: Shared memory usage is not considered for SE health status
• AV-32521: Traceroute within the namespace does not show the hops
• AV-34396: UI: GSLB service cannot map to SNI child virtual service
• AV-35713: Change in cipher list in Controller access controls does not change the accepted cipher list in SSH
• AV-40376: Standby Service Engine is also advertising the VIP route to BGP in legacy active/standby mode with SNAT
• AV-40988: Bare metal: Status of all hosts show “start in progress” when only one of the host is non-responsive
• AV-41232: BGP peering not established on Service Engine restart when there are a lot of VRFs
• AV-41289: Service Engine failure on updating dp_hb_frequency value in Service Engine properties
• AV-41710: Azure: Pools configured with Azure scale sets may go down when there is an Azure API error
• AV-41842: STARTTLS fails on sending an email if the server does not support TLS
• AV-41861: Memory leak during RSS scaleout
• AV-41877: OpenShift: Ingress creation fails with “Max VS per IP reached” message
• AV-41880: Avi Controller is not registered in APIC as a Logical Device
• AV-42079: OCI IPAM support for legacy HA
• AV-42759: Azure: Latency increases after some time

Issues Resolved in 18.1.2 Patch Releases

Issues Resolved in 18.1.2-1p1

• AV-41006: DHCP is not working for IPv6 addresses
• AV-41767: OpenStack: Cluster VIP is not programmed correctly when using Contrail
• AV-41880: Avi Controller is not registered in APIC as a Logical Device

What’s New in 18.1.2

ADC

• HTTP caching can now be controlled by specifying URIs, in addition to MIME types
• Support for sharing pool groups across virtual services
• IPv6 protocol support both at the client and server side for bare metal, VMware, OpenStack and Linux server cloud environments
• Support for HTTP/2 for client-side connections
• Minimum number of Service Engines for VS placement can be dynamically reduced
• Support for L4 SSL virtual service to handle both SSL and non-SSL ports on both client and server side
• Customized response pages can be created for errors generated in TCP, SSL/TLS, HTTP, WAF, and DataScript processing
• Support to set a server timeout on a per-request basis
• Strings in string groups can now be edited
• A DataScript can read an HTTP response body

DNS

• DNS Quad-A (AAAA) and DNS64 support
• DNS Policy enhancement: Support to return specific A, AAAA, CNAME or NS record(s) for a matching FQDN

Security

• Client logs: Support for removing or masking Personally Identifiable Information (PII) in request-headers and response-headers fields
• WAF: Enhanced metrics to estimate WAF SE resource sizing
• sslkeyandcertificate/generatecertificate, sslkeyandcertificate/[uuid]/importcertificate, sslkeyandcertificate/importkeyandcertificate endpoints deprecated

Analytics

• Client log streaming now supports TCP as well as optional syslog header
• For higher performance and scale, client logs can be streamed directly from SE memory without initially writing to disk

Operations

• Controller syslog events can be sent in JSON-formatted messages for consumption by a wider range of tools

System

• HA: Automatic SE failover, even when Controller is down or unreachable

Public Cloud

• AWS: Alert user when an AWS Auto Scaling group referenced by an Avi pool is deleted
• AWS: Route 53 AWS account can be different from Controller AWS account
• AWS: Each tenant may create and manage its cloud in AWS
• Azure: Each tenant may create and manage its cloud in Azure
• GCP: Support user-owned IP ranges for VIPs
• GCP: Support for GCP autoscaling groups

Cisco ACI

• Multiple virtual services can share the same service graph in ACI
• Avi Service Graph implementation changed from 2 node to 1 node

Private Cloud

• VMware: Support for VMware vSphere 6.7

Networking

• Cisco CSP2100: VLAN trunking support
• Multihop BGP peer support for iBGP

Automation

• Golang package for Avi SDK
• Native Terraform provider support for managing Avi configuration

Issues Resolved in 18.1.2

• AV-23166: OpenShift: Logs consume more disk than the configured limit causing disk to fill up, leading to SE failure
• AV-23359: After changing one of the nodes in cluster, virtual service analytics page does not render data due to inconsistent metrics mapping between SE and the Controller
• AV-31453: Changes to /etc/docker/daemon.json are not preserved across Avi Vantage upgrade
• AV-34379: DataScript in non-admin tenant cannot reference shared IP groups in admin tenant
• AV-34396: UI: global service cannot map to SNI child virtual service
• AV-35683: VLAN interface IP removed after changing the bond interface members
• AV-35689: API session ID does not expire
• AV-36958: Avi Service Engine responds to ARP for non-VIP addresses in OpenShift
• AV-38322: Portal stuck at initialization with leader in inactive state
• AV-38353: UDP traceroute to VIP does not work if df bit is set in the packet
• AV-38533: OpenShift: Service Engines may fail after deploying route with an invalid SSL certificate
• AV-39027: OpenStack with Contrail plugin: All traffic for VIP subnet is being routed to Service Engine
• AV-39760: Controller UI shows wrong metrics for End to End UDP Log Analytics
• AV-40377: Cisco CSP2100: Secondary Service Engine may not process flows if multiple bond interfaces are in use
• AV-40421: UI: While creating a Service Engine VLAN interface, UI drop-down menu shows only 8 VRFs

Known Issues in 18.1.2

• AV-40988 : Linux Server Cloud: Status of all hosts show “start in progress” when only one of the host is non-responsive

Performing the Upgrade

Upgrade prerequisite: The current version of Avi Controller must be 17.2 or later.

Upgrade Instructions

Protocol Ports Used by Avi Vantage for Management Communication

Supported Platforms

Refer to System Requirements: Ecosystem

Product Documentation

For more information, please see the following documents, also available within this knowledge base.

Installation Guides

• Avi Vantage Installation Guides

Open Source Package Information

• Copyright Information [https://s3.amazonaws.com/aviopensource/18.1.3/copyrights.pdf]
• Packages used [https://s3.amazonaws.com/aviopensource/18.1.3/packages.pdf]

Avi Networks software, Copyright © 2013-2019 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php