NSX Advanced Load Balancer 21.1.X Release Notes

Issues Resolved in 21.1.3 Patch Releases

Issues Resolved in 21.1.3-2p1

Release Date: 14 January 2022

  • AV-131681: If the follower site is being upgraded without putting the leader site in maintenance mode, config sync to the remote site can fail.
  • AV-133050: Re-uploading the image may fail if cloud generated SE files are present only in the leader node but not on the follower nodes.
  • AV-133339: Azure: After upgrade to 21.1.3, Virtual services are down due to ALB-SE health probe failures.
  • AV-133902: When attaching a .dat extension file to content switch policy, the virtual service goes to failure state with Out of memory error.

Known Issue in 21.1.3-2p1

  • AV-133349: SSL Profile UI: The Cipher list in NSX Advanced Load Balancer version 21.1.3 displays a limited set of ciphers, and erroneously hides additional, common ciphers. Workaround: Do not modify / update an existing SSL profile post upgrade, via the GUI. Use CLI to modify the Ciphers if required.

What’s New in 21.1.3

Release Date: 21 December 2021
Before upgrading, refer to the Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.3 section.

Application Security

Avi Cloud Services

  • Introducing VMware NSX Advanced Load Balancer with Cloud Services - available through a new License Tier called Enterprise with Cloud Services.
    Note: Avi Pulse has been rebranded as VMware NSX Advanced Load Balancer (Avi) Cloud Services

  • Central Licensing will enable zero-touch capacity management and cloud bursting for globally distributed NSX Advanced Load Balancer deployments

Cloud Connector

  • Support for preserve client IP in NSX-T overlay mode (under tech preview).

Core LB Features

DNS/ IPAM

GSLB

Horizon VDI

Networking

Observability and Monitoring

Application Metrics

System

WAF

Issues Resolved in 21.1.3

  • AV-98655: TSO offload does not work if one of the member interfaces is inactive at the time of bond creation.

  • AV-101483: GSLB configuration sync to other sites fails if a public IP is configured in the GSLB sites.

  • AV-118805: VMXNET3 interface receive stalls due to packet buffer depletion.

  • AV-121113: When GeoDB is added with a custom file object that has IP addresses mapped to different Geo attributes in non-ascending order, rules using a country-code-mapped IP group in different policies fail to add the IP addresses in the GeoDB custom file object into the IP group-generated country code files.

  • AV-122704: Controller cluster VIP may not be accessible after reboot on Contrail with OpenStack.

  • AV-124867: Unable to mask query parameters in application logs

  • AV-125094: Scanner Application Profile rate limiter with Report Only action was not captured in significant logs.

  • AV-125824: If a bond exists on the management interface NICs (>=10G), it can be broken while stopping / restarting / upgrading the Service Engines in LSC deployments.

  • AV-126508: BGP: Virtual service scale in can result in minor traffic disruption.

  • AV-126754: Cluster VIP configuration fails in GCP cloud when the Controllers have Public IPs assigned to them.

  • AV-127498: When the SE group is in a version lower than 20.1.5 and the Controller is in version 20.1.5 or higher, the SE may fail if a pool has multiple pool members that are resolved by DNS and these pool members fail to resolve.

  • AV-127802: Infoblox: When one of the virtual service VIPs is removed, the host record gets removed from the provider, even though there is still one virtual service VIP with that FQDN.

  • AV-128044: When streaming request logs over Syslog format, the virtual service name is not included in the streamed logs.

  • AV-128228: The SE_SYN_TABLE_HIGH alerts are seen for a large number of embryonic connections even though the underlying system is not under attack or memory stress.

  • AV-128339: If the GSLB site was configured with an FQDN instead of an IP address, the GSLB service page failed to render properly, and the URL to the member site was not generated correctly.

  • AV-128707: The SE Agent process may leak an opened file descriptor and consume too much disk space.

  • AV-128745: When a GSLB leader site is represented as an FQDN instead of the IP address, the GSLB configuration replication from leader to follower site does not work.

  • AV-128843: Application traffic in a GSLB environment can get disrupted in upgrade scenarios in the following conditions:

    • GSLB service is configured with NO DATAPATH health monitors and relies on Controller-status.

    • GSLB federation is in maintenance mode

    • Site is upgraded to a newer version

  • AV-128928: Server-initiated renegotiation fails for both Pools and HTTPS Health Monitor.

  • AV-129063: The GeoDB object and the file objects are not recreated after upgrading to NSX Advanced Load Balancer Enterprise edition.

  • AV-129080: NSX Advanced Load Balancer does not sign the SAML authentication requests despite SSL Key and certificate being attached to the SAML virtual service.

Key Changes in 21.1.3

  • Avi Cloud Services
    Starting with NSX Advanced Load Balancer 21.1.3, the default license tier on a new Avi Controller deployment will change from ENTERPRISE to ENTERPRISE_WITH_CLOUD_SERVICES.
    To change this, from the NSX Advanced Load Balancer UI, navigate to Administration > Settings > Licensing.

  • Installing VMware Serial Key Licenses
    • To use VMware Serial Key licenses purchased before December 23, 2021, on a new Avi Controller deployment running version 21.1.3 or later:
      1. Upgrade your VMware Serial Key licenses from the customer connect portal. For more information, refer to How to Upgrade License Keys.
      2. Apply the upgraded license keys on the newly deployed Avi Controller.

      Note: There is no action required on the Avi Controller deployments that are upgraded.

    • To use VMware Serial Key licenses purchased after December 23, 2021, on an existing Avi Controller deployment running version 21.1.2 or earlier:
      1. Downgrade your VMware Serial Key licenses from the customer connect portal. For more information, refer to How to Downgrade License Keys.
      2. Apply the downgraded license keys on the newly deployed Avi Controller.
  • FQDNs need to be configured for successful registration of NSX Advanced Load Balancer Controllers with Cloud Services.

  • DNS configuration in systemconfiguration takes effect even in container-based deployments (Podman/Docker).

  • The Avi server side now allows SSL renegotiation requests from the backend server.

  • The user-agent check in Bot management allows user-agent strings with an uneven number of single quotes. For instance, Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org).

  • If a user-defined bot mapping is specified in a bot detection policy, the system bot mapping reference can be left empty.

  • RBAC: Roles can be created only in the admin tenant.

  • On Controller container deployment, the default DNS config from the host is inherited. This can be overridden by user configuration using system configuration.

  • If the admin_auth_profile is set to LDAP, after upgrading to version 21.1.3 all remote users which are not in lowercase will be removed from the system along with their auth tokens. Going forward, all LDAP users will be created in lowercase instead of being case sensitive.

Ecosystem Changes

  • Linux Server Cloud: OEL 6.9 reached end of support in March 2021. Starting with NSX Advanced Load Balancer version 21.1.3, OEL 6.9 is no longer supported. If you are running OEL 6.9, upgrade to a supported Linux distribution before upgrading to NSX Advanced Load Balancer 21.1.3.

  • vCenter Read Access cloud is deprecated in NSX Advanced Load Balancer 21.1.3 and support for vCenter Read Access will be removed in a future release of NSX Advanced Load Balancer. If you are using vCenter Read Access environment, it is recommended to migrate to vCenter Write Access or vCenter No Access.

Known Issue in 21.1.3

  • SSL Profile UI: The Cipher List in NSX Advanced Load Balancer 21.1.3 displays a limited set of ciphers, and erroneously hides the additional, common ciphers.
    Workaround: Do not modify/update an existing SSL profile post upgrade, through the GUI. Use CLI to modify the Ciphers, if required.

Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.3

Refer to this section before initiating upgrade.

  • Upgrade to NSX Advanced Load Balancer is only supported from the following versions:

    • Version 18.2.6 through 18.2.13

    • Version 20.1.1 through 20.1.7

    • Version 21.1.1 and 21.1.2

  • NSX Advanced Load Balancer no longer supports VMware vCenter version 5.5. The End of General Support for vSphere 5.5 by VMware was on September 29th, 2018.
    Before upgrading to NSX Advanced Load Balancer version 21.1.1, it is recommended to upgrade to a current vCenter version. For more information, refer to the System Requirements article.

  • To transition the NSX Advanced Load Balancer Controller to the SaaS edition refer to Getting Started with NSX Advanced Load Balancer Cloud Services.

    • Upgrade the Avi Controller cluster to Avi version 21.1.3 (or later).
    • Disable Cloud Services (Pulse) if enabled.
    • Change License Tier from ENTERPRISE to ENTERPRISE_WITH_CLOUD_SERVICES.
    • Register with VMware NSX Advanced Load Balancer Cloud Services (Pulse).
  • Linux Server Cloud: OEL 6.9 reached end of support in March 2021. Starting with NSX Advanced Load Balancer version 21.1.3, support for OEL 6.9 will be removed. If you are running OEL 6.9, upgrade to a supported Linux distribution before upgrading to NSX Advanced Load Balancer 21.1.3.

  • vCenter Read Access cloud is deprecated in NSX Advanced Load Balancer 21.1.3 and support for vCenter Read Access will be removed in a future release of NSX Advanced Load Balancer. If you are using vCenter Read Access environment, it is recommended to migrate to vCenter Write Access or vCenter No Access.

  • In case of Service Engine upgrade in a Nutanix Acropolis Hypervisor (AHV) environment, refer to the pre-upgrade changes.

Issues Resolved in 21.1.2 Patch Releases

What’s New in 21.1.2-2p4

Release Date: 12 December 2021

  • RSS support for LSC cloud deployments on VMware virtual machines.

Issues Resolved in 21.1.2-2p4

  • AV-129063: The GeoDB object and file objects are not recreated after upgrade to the Enterprise tier.

  • AV-130838: Issue with TCP checksum offload.

  • AV-131554: Service Engine failure occurs when a misconfigured SSL profile is attached to a pool.

  • AV-130669: Cloud UUID is not populated correctly due to which DNS resolution on SE fails.

  • AV-132339: Incorrect accounting of opackets & obytes of interface statistics in non-DPDK mode.

  • AV-132431: Mitigation for CVE-2021-44228.

What’s New in 21.1.2-2p3

Release Date: 23 November 2021

  • AV-130700: LSC DPDK mode support to handle memory fragments for hosts with greater than 256 GB memory.

Issues Resolved in 21.1.2-2p3

  • AV-128928: Server-initiated renegotiation was disabled in 20.1.5. This results in Server-initiated renegotiation failures for both Pools and HTTPS health monitor.

  • AV-129080: NSX Advanced Load Balancer does not sign the SAML authentication requests despite SSL Key and certificate being attached to the SAML virtual service.

  • AV-129171: With Linux Server Cloud and Avi or Infoblox IPAM configured in a scaled setup, the virtual service placement can get stuck due to unnecessary attached IP RPCs being issued and these RPCs timing out.

  • AV-130327: GSLB configuration sync fails when site is represented by Cluster-VIP/FQDN/public-network address translated IPs.

  • AV-127498: When the SE group is in a version lower than 20.1.5 and the Controller is in version 20.1.5 or higher, the SE may fail if a pool has multiple pool members that are resolved by DNS and these pool members fail to resolve.

What’s New in 21.1.2-2p2

Release Date: 03 November 2021

  • AV-128013: Support for kernel version 3.10.0-1160.45.1.el7.x86_64

Issues Resolved in 21.1.2-2p2

  • AV-125824: If a bond exists on the management interface NICs (>=10G), it can be broken while stopping / restarting / upgrading the Service Engines in LSC deployments.

  • AV-126508: BGP: Virtual service scale in can result in minor traffic disruption.

  • AV-128044: When streaming request logs over Syslog format, the virtual service name is not included in the streamed logs.

  • AV-128339: If the GSLB site was configured with an FQDN instead of an IP address, the GSLB service page failed to render properly, and the URL to the member site was not generated correctly.

Key Changes in 21.1.2-2p2

  • AV-121820: By default, faults are not available in the inventory APIs. A query parameter to include faults is introduced in the inventory APIs.

Key Changes in 21.1.2-2p1

Release Date: 22 October 2021

  • AV-127130: Support round-robin selection of vCenter rather than random selection in NSX-T cloud with multiple vCenters.

What’s New in 21.1.2

Release Date: 14 October 2021
Before upgrading, refer to the Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.2 section.

Cloud Connector

Load Balancer Networking

Issues Resolved in 21.1.2

  • AV-116516: Graceful disable of server does not work for existing client connections to an L7 virtual service even when connection multiplex is disabled.

  • AV-118269: Network resolution of GSLB site persistence pool fails when using per tenant VRF in vCenter. This can cause the VS placement to fail if the site persistence is enabled before the VS is placed on all requested number of SEs.

  • AV-120022: In FIPS mode, TLS persistence on the pool used by the L7 virtual service may not work as expected.

  • AV-120446: HSM: Virtual service with RSA certificates is inaccessible when HSM integration with Thales Luna HSM is enabled, and the Thales Luna HSM has FIPS enabled.

  • AV-121761: LSC: On hosts with large memory (>= 256 GB), when the Controller is also running on the same host, the Service Engine may fail due to memory fragmentation.

  • AV-122119: NSX-T cloud configuration APIs are failing on the Controller version 21.1.1, with header X-Avi-Version 20.1.6.

  • AV-122772: SE fails when auto gateway is enabled and the value of TCP maximum segment size (MSS) is 0 for IPv6 connections.

  • AV-122836: When GSLB leader site is represented with cluster VIP, configuration replication between sites is not working.

  • AV-124588: HTTPS requests with chunked transfer encoding might timeout when DataScript or WAF is enabled on the virtual service.

  • AV-124931: Auto-download of CRS fails when proxy is configured.

  • AV-124936: GRO in DPDK mode may be impaired for the following NIC families:
    • Virtio
    • ENA
    • VMXNET3
  • AV-125098: Upgrade to NSX Advanced Load Balancer fails in the tiers BASIC and ESSENTIALS.

  • AV-125377: External health monitor is unable to invoke ping since it requires raw socket access privileges.

  • AV-125530: During SE restart, a race condition could potentially result in SE failure.

  • AV-125682: GCP cloud fails to connect to the GCP API servers with x509.CertificateInvalidError.

  • AV-126067: The rollback system fails (with AttributeError:prev_patch_img_path) when the previous version has more than two patch versions.

  • AV-126143: High Latency and reduced throughput may be observed on Service Engines running in the below ecosystems:
    • Linux Server Cloud using NICs apart from Mellanox ConnectX-4 and ConnectX-5 series
    • Cisco CSP
    • OpenStack
    • Google Cloud Platform
  • AV-126148: The Avi cloud connector fails to sync AWS Auto Scaling groups if there are more than 200 servers in the cloud.

  • AV-126153: When a patch is applied to the Controller or SE, file extraction can fail in some scenarios causing the patch operation to end prematurely.

  • AV-126389: When RSS is enabled, SE may fail due to a race condition during packet transmission on vNICs that have VLAN configured.

  • AV-127278: Existing static routes are overwritten due to pagination issues on the UI

Key Changes in 21.1.2

  • show serviceengine <se> cpu is extended to display CPU set information.

  • X_AVI_VERSION (AVI_API_VERSION) is removed from the response header.

  • As prevention against potential security threats, NSX Advanced Load Balancer version details will now be revealed only to authenticated users at all endpoints like CLI, API, and UI.
    The following endpoints are secured from displaying version related information:
    • initial-data

    • cluster/runtime

    • cluster/status

      To view the version details, ensure your account is authenticated.

      Note: The version details are permanently removed from the Controller SSH login banner.

  • Starting with NSX Advanced Load Balancer version 21.1.2, roles can only be created in the admin tenant.

Known Issue in 21.1.2

  • AV-127481: Auto-deployment of CRS might fail.
    Workaround: Manually download the CRS and upload it to the system.

  • AV-132122: Mellanox NICs [ConnectX-4/ConnectX-4 Lx/ConnectX-5]: RSS with VLAN tagged packets does not work.

Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.2

Refer to this section before initiating upgrade.

  • Upgrade to NSX Advanced Load Balancer is only supported from the following versions:

    • Version 18.2.6 through 18.2.13

    • Version 20.1.1 through 20.1.7

    • Version 21.1.1

  • NSX Advanced Load Balancer no longer supports VMware vCenter version 5.5. The End of General Support for vSphere 5.5 by VMware was on September 29th, 2018.
    Before upgrading to NSX Advanced Load Balancer version 21.1.1, it is recommended to upgrade to a current vCenter version. For more information, refer to the System Requirements article.

  • Starting with NSX Advanced Load Balancer 20.1.5, the NSX-V Cloud Connector is not supported. The NSX-V cloud was deprecated in version 20.1.3, and is now unsupported. It is recommended to migrate to an NSX-T cloud connector, or switch to no-orchestrator mode with NSX-V.

  • The default disk size for new SEs is 15 GB.
    For OpenStack deployments, ensure that the disk size for the requisite flavors is increased to a minimum of 15 GB
  • The Avi Controller and Service Engines use Python 3. Refer to the migration notes in the following sections:

  • Licensing Management of the Avi Service Engines has been updated. Refer to the License Management article for more information.

  • NSX Advanced Load Balancer now enforces system limits based on Controller cluster size. Refer to the System Limits article for more information.

  • In case of Service Engine upgrade in a Nutanix Acropolis Hypervisor (AHV) environment, refer to the pre-upgrade changes.

  • Support for Inter-SE Distributed Object Store: Service Engines can now perform the distribution and synchronization of information without the involvement of the Controller in AWS, Azure, GCP, and OpenStack clouds (the default port is 4001). Ensure that TCP traffic on the selected port between Service Engine management interfaces is allowed by an appropriate firewall rule.

Issues Resolved in 21.1.1 Patch Releases

What’s New in 21.1.1-2p5

Release Date: 14 December 2021

  • AV-132339: Incorrect accounting of opackets & obytes of interface statistics in non-DPDK mode.

  • AV-132431: Mitigation for CVE-2021-44228.

What’s New in 21.1.1-2p4

Release Date: 29 November 2021

  • AV-131221: RSS support for LSC cloud deployments on VMware virtual machines.

Issues Resolved in 21.1.1-2p4

  • AV-127498: When the SE group is in a version lower than 20.1.5 and the Controller is in version 20.1.5 or higher, the SE may fail if a pool has multiple pool members that are resolved by DNS and these pool members fail to resolve.

What’s New in 21.1.1-2p3

Release Date: 23 November 2021

  • AV-130700: LSC DPDK mode support to handle memory fragments for hosts with greater than 256 GB memory.

Issues Resolved in 21.1.1-2p3

  • AV-125824: If a bond exists on the management interface NICs (>=10G), it can be broken while stopping / restarting / upgrading the Service Engines in LSC deployments.
  • AV-128220: Patch install from NSX Advanced Load Balancer version 21.1.1-2p1 to version 21.1.1-2p2 gets stuck at 35%.
  • AV-128745: When a GSLB leader site is represented as an FQDN instead of an IP address, the GSLB configuration replication from leader to follower site does not work.
  • AV-129063: The GeoDB object and file objects are not recreated after upgrade to the Enterprise tier.
  • AV-129080: NSX Advanced Load Balancer does not sign the SAML authentication requests despite SSL Key and certificate being attached to the SAML virtual service.
  • AV-128928: Server-initiated renegotiation was disabled in 20.1.5. This results in Server-initiated renegotiation failures for both Pools and HTTPS Health Monitor.
  • AV-121761: LSC: On hosts with large memory (>= 256 GB), when the Controller is also running on the same host, Service Engine may fail due to memory fragmentation.

Issues Resolved in 21.1.1-2p2

  • AV-126389: When RSS is enabled, SE may fail due to a race condition during packet transmission on vNICs that have VLAN configured.
  • AV-126153: When a patch is applied to the Controller or SE, file extraction can fail in some scenarios causing the patch operation to end prematurely.
  • AV-126143: High Latency and reduced throughput may be observed on Service Engines running in the below ecosystems:
    • Linux Server Cloud using NICs apart from Mellanox ConnectX-4 and ConnectX-5 series
    • Cisco CSP
    • OpenStack
    • Google Cloud Platform
  • AV-126067: From version 21.1.1, the rollback system fails (with AttributeError:prev_patch_img_path) when the previous version has more than two patch versions.
  • AV-125530: During SE restart, a race condition could potentially result in SE failure.
  • AV-125098: Upgrade to version 21.1.1 fails in the license tiers ‘BASIC’ and ‘ESSENTIALS’.
  • AV-124931: Auto-download of CRS fails when proxy is configured.

Issues Resolved in 21.1.1-2p1

Release date: 24 September 2021

  • AV-124931: Auto-download of CRS fails when proxy is configured.
  • AV-124588: HTTPS requests with chunked transfer encoding might timeout when DataScript or WAF is enabled on the virtual service.
  • AV-121987: In an Avi Controller with an older Avi API version, local_file cannot be configured as fail_action on pool/pool group.
  • AV-121573: If the Controller does not have access to the internet, creating SE image for vCenter cloud will fail after upgrade.
  • AV-116516: Graceful disable of server does not work for existing client connections to an L7 virtual service even when connection multiplex is disabled.

What’s New in 21.1.1

Release date: 12 August 2021
Before upgrading, refer to the Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.1 section.

Application Security

Automation

Avi Pulse

Cloud Connector

Core LB Features

DataScripts

DNS & IPAM

Networking

Observability and Monitoring

Platform

User Interface

WAF

Issues Resolved in 21.1.1

  • AV-87320: In a Terraform plan with nested blocks, the Avi Terraform provider sets default values for the optional fields that were not defined in the plan.

  • AV-102522: When FIPS mode is enabled, the Service Engine may fail if a virtual service is configured with the http security policy with the rate limiting rules per_client_ip and per_uri_path.

  • AV-111140: Unable to search audit logs for usernames containing the special character “.”.

  • AV-113654: In the Avi UI, after adding a new GSLB site, when the Save and Set DNS Virtual Services button was clicked, the HTTP error 403: GSLB Operations are NOT Permitted was displayed.

  • AV-115671: In an OpenStack cloud, the Controller may initiate multiple Add VNIC operations on the SE for the same network and VRF before the vNIC IP limit is reached, causing potential traffic issues.

  • AV-115797: The SE_DOWN event is not displayed under Operations > Events > All Events and user login events are not displayed in the Config Audit Trail.

  • AV-116043: Cluster based events are not generated when the Controller cluster leader is restarted.

  • AV-116327: High disk usage on the Controller leader node due to excess files in /var/lib/avi/systeminfo.

  • AV-116398: AWS: Removing the application domain name from a shared virtual service results in the deletion of a random entry from the list.

  • AV-116411: Service Engine fails when a HTTP/1.0 request is sent without a host header to a virtual service with a pool with both HTTP/2 and SSL enabled.

  • AV-116440: Reindexing an HTTP policy via the UI using Virtual Service > Policies > HTTP Requests > Move To does not work.

  • AV-116620: In an OpenStack cloud, the Service Engine Group page is inaccessible via the UI.

  • AV-116791: For OpenStack clouds using BGP, configuring a BGP peer network displays the error Network object not found.

  • AV-116974: SE may fail due to invalid memory access in local port processing.

  • AV-117141: PKI profile does not support API versioning.

  • AV-117414: An L4 object’s name exceeding 128 characters may lead to SE failure.

  • AV-117715: In an L4-SSL virtual service, disabling a server while it is handling traffic results in SE failure.

  • AV-117720: App Cookie persistence fails when used in combination with the avi.http.remove_header (“Set-Cookie”) and avi.http.add_header (“Set-Cookie”) DataScript APIs, if the app cookie persistence and DataScript are on the same virtual service.

  • AV-117865: SE fail-over time is higher (more than three minutes) in AWS.

  • AV-117960: The Avi Controller upgrade with AWS cloud can fail if the cloud is in failed state.

  • AV-118134: When a virtual service is configured with use_vip_as_snat or effectively using VIP IP as SNAT, consecutive migrations to the same SE may render the virtual service with that VIP inoperative.

  • AV-118242: ‘;’ is not allowed as a URL query parameter delimiter.

  • AV-118264: SE fails if the NAT policy is configured with source/destination port match and when a routable ICMP packet to external world lands on the SE.

  • AV-118277: High disk usage on SE because of IP reputation files consuming space.

  • AV-118802: The system generates duplicate diffs for federated objects, which can potentially lead to streaming of incorrect config objects to follower sites in a GSLB federation.

  • AV-119921: In a persistence profile, the ip_mask behaves as an inverse CIDR mask and distributes the clients across servers instead of ensuring the clients in the same subnet are connected to the same servers.

  • AV-119971: When Ignore request body parsing errors due to partial scanning is enabled in a WAF Profile and Enable Request Body Buffering is also enabled in the Application profile, the parsing errors are not ignored in WAF and the request is denied.

  • AV-122119: NSX-T cloud configuration APIs fail on a Controller with header X-Avi-Version 20.1.6.

Key Changes in 21.1.1

  • The maximum number of characters in a vip_id is limited to 16 characters.

  • Launching Bash access in the CLI shell using cli@<controller-ip> is deactivated.

  • Prior to NSX Advanced Load Balancer version 21.1.1, it was not possible to configure a service match criterion for policies under a child virtual service due to the lack of existing services object to be verified against. Starting with NSX Advanced Load Balancer 21.1.1, in SNI virtual hosting and Enhanced Virtual Hosting, for policies under a child virtual service, the service match criterion is matched against its parent virtual service.

  • For pools and pool groups, the special character “$” is not allowed in the field Name.

  • After switching to the Basic/ Essentials license tier, the default Error Page Profile reference is removed from the virtual service object.

  • The DOS_ATTACK events will be shown on the UI as non-internal events. That is, without clicking on the Internal checkbox, the user can see these events directly on the Controller events UI.

  • The minimum value for X-Avi-Version that can be used when interacting with the Avi Controller is 18.2.6. It is recommended to update the automation assets, as required.

  • Support for Inter-SE Distributed Object Store: Service Engines can now perform the distribution and synchronization of information without the involvement of the Controller in AWS, Azure, GCP, and OpenStack clouds (the default port is 4001). Ensure that TCP traffic on the selected port between Service Engine management interfaces is allowed by an appropriate firewall rule.

  • LDAP: Support for including an exclamation mark ( ! ) in the username for Controller authentication.

Known Issues in 21.1.1

  • AV-126143: High latency and reduced throughput may be observed on Service Engines running in the below ecosystems:
    • Linux Server Cloud using NICs apart from Mellanox ConnectX-4 and ConnectX-5 series
    • Cisco CSP
    • OpenStack
    • Google Cloud Platform
    Workaround: Disable TSO configuration for each Service Engine Group. For more details on the CLI, refer to Enabling GRO and TSO on an Avi SE.
    Notes:
    • TSO is enabled by default in environments supporting DPDK. Refer to TSO, GRO, RSS, and Blocklist Feature on Avi Vantage for more details.
    • Environments using VMXNET3 (vCenter, NSX-T, VMC on AWS, AVS, GCVE) and ENA (AWS) are not impacted.
  • AV-121113: Using GeoDB files that are not sorted in ascending order in the System-GeoDB can result in IP Groups missing entries.
    Workaround: Upload the GeoDB custom file object with IP addresses mapped to different Geo attributes only in ascending order.

  • AV-121573: If the Controller does not have access to the internet, creating SE image for vCenter cloud fails after upgrade.

  • AV-115513: LSC:
    • Upgrade/Patch may not work if the Controller is running as a container on a host running RHEL 8.x.
    • Podman version higher than 1.6.4 is not supported.
  • AV-127481: Auto-deployment of CRS might fail.
    Workaround: Manually download the CRS and upload it to the system.

  • AV-132122: Mellanox NICs [ConnectX-4/ConnectX-4 Lx/ConnectX-5]: RSS with VLAN tagged packets does not work.

System Limits Enforced

Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.1

Refer to this section before initiating upgrade.

  • Upgrade to NSX Advanced Load Balancer is only supported from the following versions:

    • Version 18.2.6 through 18.2.12

    • Version 20.1.1 through 20.1.6

  • NSX Advanced Load Balancer no longer supports VMware vCenter version 5.5. The End of General Support for vSphere 5.5 by VMware was on September 29th, 2018.
    Before upgrading to NSX Advanced Load Balancer version 21.1.1, it is recommended to upgrade to a current vCenter version. For more information, refer to the System Requirements article.

  • Starting with NSX Advanced Load Balancer 20.1.5, the NSX-V Cloud Connector is not supported. The NSX-V cloud was deprecated in version 20.1.3, and is now unsupported. It is recommended to migrate to an NSX-T cloud connector, or switch to no-orchestrator mode with NSX-V.

  • The default disk size for new SEs is 15 GB.
    For OpenStack deployments, ensure that the disk size for the requisite flavors is increased to a minimum of 15 GB
  • The Avi Controller and Service Engines use Python 3. Refer to the migration notes in the following sections:

  • Licensing Management of the Avi Service Engines has been updated. Refer to the License Management article for more information.

  • NSX Advanced Load Balancer now enforces system limits based on Controller cluster size. Refer to the System Limits article for more information.

  • In case of Service Engine upgrade in a Nutanix Acropolis Hypervisor (AHV) environment, refer to the pre-upgrade changes.

  • Support for Inter-SE Distributed Object Store: Service Engines can now perform the distribution and synchronization of information without the involvement of the Controller in AWS, Azure, GCP, and OpenStack clouds (the default port is 4001). Ensure that TCP traffic on the selected port between Service Engine management interfaces is allowed by an appropriate firewall rule.

Supported Platforms

Refer to System Requirements: Ecosystem

Product Documentation

For more information, please see the following documents, also available within this Knowledge Base.

Installation Guides

Copyrights and Open Source Package Information

For copyright information and packages used, refer to open_source_licenses.pdf.

Avi Networks software, Copyright © 2015-2021 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php

Additional Reading

Protocol Ports Used by NSX Advanced Load Balancer for Management Communication