Avi Vantage 20.1.X Release Notes

What’s New in 20.1.1

ADC

Automation

Avi Pulse

DataScript

DNS and IPAM

Flexible Upgrades

GSLB

Logging

  • Support for VMware Log Insights for Avi Controller events

Networking

Public/ Private Cloud

Security

System

Key Changes in 20.1.1

Feature Behaviour Changes

Licensing

The highlights of licensing in Avi Vantage release 20.1.1 are as follows:

  • Socket Licenses (for Linux Server Cloud Service Engines) are not supported. On upgrade, existing Service Engines will be migrated to equivalent Service Core licenses.
  • The One GB bandwidth license is not supported. On upgrade, existing Service Engines will be migrated to unlimited bandwidth, and require four Service Core licenses.
  • Future-dated subscription licenses cannot be issued anymore. All subscription serial keys are valid from the time of issue.

For detailed information, refer to the Avi Vantage License Management article.

Ecosystem Changes

OpenStack

Starting with Avi Vantage release 20.1.1, the following features/ integrations are removed:

  • Port-Security as the plugin for standard ML2 and Contrail
  • Hypervisor Type option from OpenStack cloud (Default will be only KVM)
  • Support for Nuage as the SDN
  • Support for ACI as the SDN
  • Support for Horizon dashboard
  • LBaaSv2 as the deployment mode

Google Cloud

  • Support for GCP IPAM (Linux Server Cloud mode of deployment in Google Cloud) is deprecated. We recommend that customers use the GCP Full Access Deployment.

Container Clouds

Issues Resolved in 20.1.1

  • AV-72536: Unauthenticated requests create sessions on the database
  • AV-73155: OpenStack: Scale in does not happen for SE during migration
  • AV-74434: DNS resolution not working from one of the egress pods because of wrong route entry for source IP egress pod
  • AV-76098: UI: Non federated persistence profiles are shown for GSLB services
  • AV-78741: Content-Type cannot be removed or replaced through the HTTP response policy
  • AV-79264: Application profile with client cert validation fails to write headers in other tenants
  • AV-79346: Avi-Venafi integration: Certificate is not being renewed in the right tenant
  • AV-79847: The health score under the Health tab is marked as NA
  • AV-79912: When specifying a port range, the DataScript function avi.vs.port reports the first port in the range specified
  • AV-80050: avi.http.add_header(), avi.http.remove_header(), avi.http.replace_header() allow an extra integer argument not shown in existing documentation
  • AV-80115: Unable to clean up stale tenants using /api/openstack-cleanup when the use_admin_url config is set to False in OpenStack cloud configuration.
  • AV-80196: SE failure when passing avi.HTTP_RESPONSE as the second argument to the avi.http.get_cookie() when it is used in the Request header script.
  • AV-80594: Service Engine installed in Nutanix-AHV for versions prior to 20190916.96 fails during initialization
  • AV-81373: AWS: Extra VIPs on SE data NICs that belong to a disabled virtual service are not moving to a parking NIC during reconcile
  • AV-81374: GSLB Health Monitor fails due to incorrect namespace
  • AV-81456: Service Engine issues if a chunked transfer encoding cache entry is hit when enable_chunk_merge is configured as false with response buffer mode on
  • AV-81836: Users with PERMISSION_TRAFFIC_CAPTURE can do ‘packet capture’ of virtual service but cannot view the captured files
  • AV-81908: Some of the GSLB pool members’ FQDNs are not resolvable (as they are in a DR site). When DNS refresh interval is set to 5 minutes, this will create excessive CRUD on the system resulting in leader site not being able to send health status probes to the follower sites
  • AV-81953: BGP peering is not established when using a VLAN interface that is in a different VRF than the parent interface. External health monitors that use that VLAN interface also do not work
  • AV-82284: External AWS DNS profile with AWS cloud does not work if cloud is using cross account-based authentication
  • AV-82432: Virtual service is unreachable when placed on Service Engines running in PCAP mode and with BGP Layer 3 scale-out configured
  • AV-82459: metrics-mgr process fails repeatedly if an IP Group covering the range 128.0.0.0 to 255.255.255.255, or a subset, is configured on the Controller
  • AV-82753: LSC: Virtual service traffic failure when inband management is disabled and DPDK mode is disabled
  • AV-82965: WAF admin unable to edit WAF Policy from the UI
  • AV-83138: When upgrading with action_on_error set to ROLLBACK_UPGRADE_OPS_ON_ERROR, the SE fails to upgrade and goes to UPGRADE_FSM_ERROR state
  • AV-83223: Under severe memory pressure, cache processing can fail while parsing response from backend server
  • AV-83301: When an interface or its corresponding IP is removed the associated gateway monitor is not disabled. This will cause the gateway monitor to report a GW_DOWN to the Controller
  • AV-83367: Controller users logged in via LDAP authentication may be logged out intermittently
  • AV-83620: While serving objects from the cache, if the client abruptly closes the connection (or stream in case of HTTP2), the object being served from cache might hold onto the connection resulting in connection memory usage. Many such instances could lead to high connection memory usage
  • AV-83643: Service Engine fails when connection multiplexing is disabled, pool group is configured, and pool member goes down between requests on the same connection
  • AV-83804: Possible Controller configuration loss due to multiple Controller node failover events involving the same leader node
  • AV-83807: GCP: Default-cloud cannot be set as GCP full access cloud via UI
  • AV-83835: OpenStack: Cannot create/deploy virtual services, if Keystone v2 endpoint is used for integration and admin endpoints of nova, neutron, and glance services are not reachable or if Keystone v3 endpoint is used for integration and public endpoints of nova, neutron, and glance services are not reachable
  • AV-83912: Every time image check was invoked, it generated an image uploaded event
  • AV-83953: Connection reset in TCP fast path after idle timeout may send the reset with incorrect sequence number
  • AV-84035: Postgres database on the follower node does not fully sync with the leader node causing it to leave the cluster and restart the full sync again
  • AV-84092: Traffic to GSLB FQDN does not work when GSLB is enabled for OpenShift routes
  • AV-84103: While deleting GSLB pool members, the wrong member is getting deleted from the UI
  • AV-84247: SE fails when passing avi.HTTP_RESPONSE as the second argument to the DataScript function avi.http.cookie_exists() when that function is used in the request header script.
  • AV-84284: L4 DataScript stalls with TCP request event. The virtual service having a TCP request DataScript event rejects requests after 57,000 connections. This is specific to TCP request events only
  • AV-84287: OpenStack: SE failure when 25 vNICs are added
  • AV-84396: For a virtual service with traffic_enabled set to False and the option use VIP as SNAT enabled, the SE responds to ARP for the VIP which negates the effect of traffic_enabled being set to False
  • AV-84400: The Avi Controller fails to find the right VIP port to place VIP address on it
  • AV-84432: On configuring use_vip_as_snat as False and snat_ip the same as VIP manually, the SNAT/IP configuration will be ignored
  • AV-84678: Virtual services down due to SSL certificate PEM encoding read error when length of line in certificate is a multiple of 254
  • AV-84679: Service Engine can fail while deleting a virtual service after it has been in fault state
  • AV-85207: Clients proxying through Avi virtual service of Layer 4 SSL application type might experience intermittent TCP connection errors
  • AV-85218: Same vLAN / vNIC IPs allowed in other SEs, VIP, Floating Interface IPs and sNAT IP
  • AV-85647: Memory leak when creating HTTP policy configuration fails
  • AV-85680: Service Engine processes may hold on to freed memory, making memory unavailable for other system processes and leading to Service Engine failure
  • AV-85800: Service Engine can fail when requests with cookies with no spaces in between or large cookies use the avi.http.remove_cookie or avi.http.replace_cookie API
  • AV-86092: TCP DNS queries over IPv6 network incorrectly load balanced
  • AV-86518: Service Engine becomes unresponsive when time is set backwards on the SE by a large range of hours
  • AV-86782: SE initialization fails if the data path interfaces are not released back to Linux successfully when SE is restarted
  • AV-86871: Upgrade from Avi Vantage version 17.2.x to 18.2.x or higher can result in the metrics manager using a lot of memory after upgrade (more than 50,000 backend servers). This can happen at a lower scale if the pools are shared across many virtual services.
  • AV-86953: IPv6 GeoDB may contain duplicate entries depending on the order of the DB entry creation
  • AV-86955: DNS policy client IP match / Geo location match does not behave as expected, impacting the DNS policies Match client location (use_edns_client_subnet_ip enabled), Match client location (use_edns_client_subnet_ip not enabled), and Match client IP (use_edns_client_subnet_ip enabled)
  • AV-87502: Service Engine failure when an Auth Profile is disabled while HTTP traffic is still being processed on old connections
  • AV-87505: Service Engine failure due to a double close of LDAP connection
  • AV-88094: Service Engine on Azure could fail if the NIC’s link flaps
  • AV-88267: Requests sent to virtual services with incorrect DataScripts in the LB Done event receive a 200 OK response instead of a server error
  • AV-88692: Service Engine can fail due to incorrect rate limiter configuration in a network security policy
  • AV-88795: SE Group or SE upgrade initiated when the Controller is upgraded at the system level in case of software or patch update
  • AV-89227: Requests resulting in a SAML authentication loop
  • AV-89246: Python exception in pci_unbind.py during SE initialization
  • AV-89946: HTTP Policy port match always matches to the first port in port range instead of the service port the request arrived on

Known Issues in 20.1.1

  • AV-90949: NSX-T: After changing the NSX-T Manager password provided to the Avi Controller, the NSX-T account may get locked temporarily due to excessive login attempts by the Avi Controller with the old password.
  • AV-90364: NSX-T: When a Virtual Service is placed in a different Service Engine Group, duplicate static route entries with same network but with different next hop can cause traffic failure.

Checklist for Upgrade

Refer to this section before initiating upgrade to Avi Vantage release 20.1.1:

  1. Ensure that the current version of the Avi Controller is 17.2 or higher to upgrade to release 20.1.1.

  2. The default disk size for new SEs is now 15 GB. For OpenStack deployments, ensure that the disk size for the requisite flavors is increased to a minimum of 15 GB.

  3. Starting with Avi Vantage release 20.1.1, the Avi Controller and Service Engines use Python 3. Refer to the migration notes in the following sections:

  4. Licensing Management of the Avi Service Engines has been updated. Refer to the Avi Vantage License Management article for more information.

  5. Avi Vantage now enforces system limits based on Controller cluster size. Refer to the System Limits article for more information.

Supported Platforms

Refer to System Requirements: Ecosystem

Product Documentation

For more information, please see the following documents, also available within this Knowledge Base.

Installation Guides

Open Source Package Information

Avi Networks software, Copyright © 2013-2019 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php

Additional Reading

Protocol Ports Used by Avi Vantage for Management Communication