NSX Advanced Load Balancer 21.1.X Release Notes

Issues Resolved in 21.1.1 Patch Releases

Issues Resolved in 21.1.1-2p1

Release date: 24 September 2021

  • AV-124931: Auto-download of CRS fails when proxy is configured.
  • AV-124588: HTTPS requests with chunked transfer encoding might time out when DataScript or WAF is enabled on the virtual service.
  • AV-121987: In an Avi Controller version 21.1.1 with an older Avi API version, local_file cannot be configured as fail_action on a pool/pool group.
  • AV-121573: If the Controller does not have access to the internet, creating SE image for vCenter cloud will fail after upgrade.
  • AV-116516: Graceful disable of server does not work for existing client connections to an L7 virtual service even when connection multiplex is disabled.

What’s New in 21.1.1

Release date: 12 August 2021

Application Security

Automation

Avi Pulse

Cloud Connector

Core LB Features

DataScripts

DNS & IPAM

Networking

Observability and Monitoring

Platform

User Interface

WAF

Issues Resolved in 21.1.1

  • AV-87320: In a Terraform plan with nested blocks, the Avi Terraform provider sets default values for the optional fields which were not defined in the plan.

  • AV-102522: When FIPS mode is enabled, the Service Engine may fail if a virtual service is configured with the HTTP security policy with the rate limiting rules per_client_ip and per_uri_path.

  • AV-111140: Unable to search audit logs for usernames containing the special character “.”

  • AV-113654: In the Avi UI, after adding a new GSLB site, clicking the Save and Set DNS Virtual Services button displays the HTTP error “403: GSLB Operations are NOT Permitted”.

  • AV-115671: In an OpenStack cloud, the Controller may initiate multiple Add VNIC operations on the SE for the same network and VRF before the vNIC IP limit is reached, causing potential traffic issues.

  • AV-115797: The SE_DOWN event is not displayed under Operations > Events > All Events and user login events are not displayed in the Config Audit Trail.

  • AV-116043: Cluster based events are not generated when the Controller cluster leader is restarted.

  • AV-116327: High disk usage on the Controller leader node due to excess files in /var/lib/avi/systeminfo.

  • AV-116398: AWS: Removing the application domain name from a shared virtual service results in the deletion of a random entry from the list.

  • AV-116411: Service Engine fails when an HTTP/1.0 request is sent without a Host header to a virtual service with a pool with both HTTP/2 and SSL enabled.

  • AV-116440: Reindexing an HTTP policy via the UI using Virtual Service > Policies > HTTP Requests > Move To does not work.

  • AV-116620: In an OpenStack cloud, the Service Engine Group page is inaccessible via the UI.

  • AV-116791: For OpenStack clouds using BGP, configuring a BGP peer network displays the error Network object not found.

  • AV-116974: SE may fail due to invalid memory access in local port processing.

  • AV-117141: PKI profile does not support API versioning.

  • AV-117414: An L4 object’s name exceeding 128 characters may lead to SE failure.

  • AV-117715: In an L4-SSL virtual service, disabling a server while it’s handling the traffic results in SE failure.

  • AV-117720: App Cookie persistence fails when used in combination with the avi.http.remove_header(“Set-Cookie”) and avi.http.add_header(“Set-Cookie”) DataScript APIs, if the app cookie persistence and DataScript are on the same virtual service.

  • AV-117865: SE fail-over time is higher (more than three minutes) in AWS.

  • AV-117960: The Avi Controller upgrade with AWS cloud can fail if the cloud is in a failed state.

  • AV-118134: When a virtual service is configured with use_vip_as_snat or effectively using VIP IP as SNAT, consecutive migrations to the same SE may render the virtual service with that VIP inoperative.

  • AV-118242: ‘;’ is not allowed as a URL query parameter delimiter.

  • AV-118264: SE fails if the NAT policy is configured with source/destination port match and a routable ICMP packet to the external world lands on the SE.

  • AV-118277: High disk usage on SE because of IP reputation files consuming space.

  • AV-118802: System generates duplicate diffs for federated objects, which can potentially lead to streaming of incorrect config objects to follower sites in a GSLB federation.

  • AV-119921: In a persistence profile, the ip_mask behaves as an inverse CIDR mask and distributes the clients across servers instead of ensuring the clients in the same subnet are connected to the same servers.

  • AV-122119: NSX-T cloud configuration APIs fail on the Controller version 21.1.1 with header X-Avi-Version 20.1.6.

Key Changes in 21.1.1

  • The maximum number of characters in a vip_id is limited to 16 characters.

  • Launching Bash access in the CLI shell using cli@<controllerip> is deactivated.

  • Prior to NSX Advanced Load Balancer version 21.1.1, it was not possible to configure a service match criterion for policies under a child virtual service, because there was no existing services object to verify against. Starting with NSX Advanced Load Balancer 21.1.1, in SNI virtual hosting and Enhanced Virtual Hosting, for policies under a child virtual service, the service match criterion is matched against its parent virtual service.

  • For pools and pool groups, the special character “$” is not allowed in the field Name.

  • After switching to the Basic/Essentials license tier, the default Error Page Profile reference is removed from the virtual service object.

  • The DOS_ATTACK events will be shown on the UI as non-internal events. That is, without clicking on the Internal checkbox, the user can see these events directly on the Controller events UI.

  • The minimum value for X-Avi-Version that can be used when interacting with the Avi Controller is 18.2.6. It is recommended to update the automation assets, as required.

  • Support for Inter-SE Distributed Object Store: Service Engines can now perform the distribution and synchronization of information without the involvement of the Controller in AWS, Azure, GCP, OpenStack clouds (with default port being 4001). Ensure that TCP traffic on the selected port between Service Engine management interfaces is allowed by an appropriate firewall rule.

  • LDAP: Support for including an exclamation mark (!) in the username for Controller authentication.

Known Issues in 21.1.1

  • AV-121573: If the Controller does not have access to the internet, creating SE image for vCenter cloud fails after upgrade.

System Limits Enforced

Checklist for Upgrade to NSX Advanced Load Balancer Version 21.1.1

Refer to this section before initiating upgrade.

  • Upgrade to NSX Advanced Load Balancer is only supported from the following versions:

    • Version 18.2.6 through 18.2.12

    • Version 20.1.1 through 20.1.6

  • NSX Advanced Load Balancer no longer supports VMware vCenter version 5.5. The End of General Support for vSphere 5.5 by VMware was on September 29th, 2018.
    Before upgrading to NSX Advanced Load Balancer version 21.1.1, it is recommended to upgrade to a current vCenter version. For more information, refer to the System Requirements article.

  • Starting with NSX Advanced Load Balancer 20.1.5, the NSX-V Cloud Connector is not supported. The NSX-V cloud was deprecated in version 20.1.3, and is now unsupported. It is recommended to migrate to an NSX-T cloud connector, or switch to no-orchestrator mode with NSX-V.

  • The default disk size for new SEs is 15 GB.
    For OpenStack deployments, ensure that the disk size for the requisite flavors is increased to a minimum of 15 GB.
  • The Avi Controller and Service Engines use Python 3. Refer to the migration notes in the following sections:

  • Licensing Management of the Avi Service Engines has been updated. Refer to the License Management article for more information.

  • NSX Advanced Load Balancer now enforces system limits based on Controller cluster size. Refer to the System Limits article for more information.

  • In case of Service Engine upgrade in a Nutanix Acropolis Hypervisor (AHV) environment, refer to the pre-upgrade changes.

  • Support for Inter-SE Distributed Object Store: Service Engines can now perform the distribution and synchronization of information without the involvement of the Controller in AWS, Azure, GCP, OpenStack clouds (with default port being 4001). Ensure that TCP traffic on the selected port between Service Engine management interfaces is allowed by an appropriate firewall rule.

Known Issues in 21.1.1

  • AV-115513: LSC:
    • Upgrade/Patch may not work if the Controller is running as a container on a host running RHEL 8.x.
    • Podman version higher than 1.6.4 is not supported.
  • AV-121113: Using GeoDB files that are not sorted in ascending order in the System-GeoDB can result in IP Groups missing entries. Workaround: Upload the GeoDB custom file object with IP addresses mapped to different Geo attributes only in ascending order.

Supported Platforms

Refer to System Requirements: Ecosystem

Product Documentation

For more information, please see the following documents, also available within this Knowledge Base.

Installation Guides

Copyrights and Open Source Package Information

For copyright information and packages used, refer to open_source_licenses.pdf.

Avi Networks software, Copyright © 2013-2019 by Avi Networks, Inc. All rights reserved. The copyrights to certain works contained in this software are owned by other third parties and used and distributed under license. Certain components of this software are licensed under the GNU General Public License (GPL) version 2.0 or the GNU Lesser General Public License (LGPL) Version 2.1. A copy of each such license is available at http://www.opensource.org/licenses/gpl-2.0.php and http://www.opensource.org/licenses/lgpl-2.1.php

Additional Reading

Protocol Ports Used by NSX Advanced Load Balancer for Management Communication