Patch Release Notes for 30.2.1

30.2.1-2p1

Release Date: 07-June-2024

• AV-206581: Using a variable in avi.pool.select() may fail to identify the pool during a virtual service update.

• AV-207620: VSVIP creation will fail when Infoblox is used for IPAM and/or DNS.

• AV-208107: Upgrade is failing when Infoblox profile is configured with FQDN instead of IPv4 address.

What's New in 30.2.1

Release Date: 07 May 2024

To refer to the upgrade checklist, clickhere.

VMware NSX Advanced Load Balancer is now known as VMware Avi Load Balancer. The product name change is being introduced in the Avi Controller UI, CLI, API, and product documentation from 30.2.1. This change has no impact to the functionality of the product or changes to the API that impacts compatibility with previous releases.

Cloud Connector

AWS

• Support for C6i Instance Type for Service Engines.

VMware NSX

• The capability to control creation of DFW objects using the flag automate_dfw_objects.

• Proxy support for outgoing traffic through the system_configuration.proxy_configuration field for vCenter and NSX Manager.

• The maximum number of Tier-1s per NSX cloud for data segments is increased to 800.

• Preserve Client IPv6 support for NSX cloud.

• Support added to revoke VIP route in case of NSX cloud deployments, when a pool server goes down.

• To enhance datapath performance in NSX deployments, ctxPerDev and pnicfeatures are configured in the vNICs on the SE VM.

OpenStack

• SRIOV support for Mellanox VF in OpenStack No Orchestrator cloud.

• Support for default gateway for outbound NAT in OpenStack No-Orchestrator cloud.

VMware vCenter

• The ability to change the datacenter name in vCenter write-access cloud configuration.

• Support to change the URL/IP of vCenter in Avi vCenter write access cloud configuration.

Core LB Features

• Support for specifying any HTTP Response Code (200-599) in DataScripts functions and HTTP Policies.

• WebSocket support for communication between V1 client (HTTP/1.x) and V2 (HTTP/2) servers.

• TCP Proxy Protocol is supported (Enable PROXY Protocol is selected) when an L4 application profile is used as an override application profile.

• SSL handshake failure now includes logging of client-supplied ciphers in the client log.

Networking

• General Availability of the following functionalities of SCTP Support:

  • SCTP Proxy profile with Legacy HA in vCenter Cloud environment.

  • Support for Preserve-Client-IP, Auto gateway, L4 Connection Logs and Metrics.

  • Active-Active and N+M HA mode support for SCTP.

• Support for AND/OR/NOT filters for Virtual Service and Service Engine Packet Capture.

• A new action for NAT Policy rule NAT_POLICY_ACTION_TYPE_DYNAMIC_IP_PRESERVE_PORT is introduced to support the Outbound NAT feature by preserving the source port for UDP flows and help in graceful recovery of UDP flows.

• Floating IPs displayed in the In-Use Interface List pop up screen of the Service Engine UI.

• Linux Server Cloud: Support for the Mellanox ConnectX6 LX NIC in MLNX_OFED version OFED_LINUX-5.8-2.0.3.0.

IPv6 for Control Plane

• Support for IPv6 on primary interface for clustering and external communication i.e., Primary interface can be IPv6 or IPv4.

• Cloud connector support for vCenter and NSX-T cloud for IPv6 communication to these endpoints.

IPv6 Data Plane

• Preserve Client IP for vCenter and NSX Cloud environments, Floating IP, routing support, service insertion for NSX.

• Fast-Path Support (TCP and UDP Network Profile).

• SCTP IPv6 (SCTP Proxy profile).

• DSR (Direct Server Return), SNAT, Path MTU support.

• IPv6 support for BGP communities.

• GRO and RSS support for IPv6.

BGP

• Support to configure AS-Path Prepend and local preference settings at the virtual service level, alongside the existing configuration options available for VRF level settings.

Monitoring and Observability

• CONFIG_CREATE and CONFIG_DELETE audit events now provide the user-agent and IP address of the client that made the configuration change.

• Unparsed URIs are now logged in the App Log and can be viewed through the UI.

• Support for user-configurable thresholds for SE resource metrics events/alerts through the UI.

• Enhanced SE-Log-Agent Statistics using Per VS Log Statistics (vslogstats) and Per VS Per SE Log Statistics (vslogstatsdisaggr).

System

• Enhanced Disaster Recovery and Configuration Restore capability.

Security

• Enhanced functionality to manage certificate revocation lists (CRL).

• Support for configuratable CRL expiry event.

• DataScript avi.ssl.get_tls_fingerprint(type) to return the TLS fingerprint of the client for the SSL/TLS connection to the virtual service.

• Auto Renewal and issuing of certificates through LetsEncrypt using DNS-01 challenge through InfoBlox DNS can now be done using a ControlScript.

• The ability to select the type of errors excluded during certificate verification, to implement fail-close or fail-open scenarios within a PKI Profile.

• Support to automatically retrieve, monitor and update SAML IDP Metadata periodically using the Enable Periodic Download field when configuring IDP Metadata URL.

Web Application Firewall (WAF)

• Support for CSRF protection.

• HTTP session and client state management to enable CSRF protection and stateful Bot Management.

• Content Type Mapping in WAF Profile supports enabling the string operations (Equals and Regex) for matching the content type.

• Support for protecting JSON and XML API traffic via WAF Profile System-WAF-Profile-API.

• String Groups support for PSM Location match.

• When Avi Bot Management is used, the Trusted Client Type option is introduced in WAF Policy, to configure the application to learn only from clients that match the configured criteria.

• Support to clone an existing WAF Policy.

• The WAF CRS default version has been updated to 2024-01.

User Interface

• UI support to configure the minimum number of pools to be in the UP state for the virtual service to be marked as UP.

• A visual indicator in the Virtual Service Tree view denotes the primary Service Engine associated with each virtual service.

• In the logs page, a timeout occurs on the logs page indicating that the API has not returned all the available logs data within a specified duration.

• UI support to manage multiple static records for the same hostname, ensuring existing configurations made through CLI and API are retained.

• User Interface enhancements leveraging the VMware Clarity framework across the following features:

  • Service Engine

  • Pool Group

  • GSLB

  • Health Monitors

    • LDAP/LDAPS

    • FTP/FTPS

    • SMTP/SMTPS

    • IMAP/IMAPS

    • POP3/POP3S

  • Alerts

Issues Resolved in 30.2.1

• AV-122464: GSLB Site Persistence (SP) oper status is DOWN with the reason "Gslb Service Member has a VirtualService that has multiple services. These services have different values for enable_ssl and/or enable_http2".

• AV-163205: The Modsec rule does not support configuring `body_processor` to Multipart through `ctl:requestBodyProcessor`.

• AV-164052: WAF log should show the matching part of a match_element value, not only the beginning. WAF logs only the initial 256 bytes of the match_value for any match_element and truncates the rest of the match_value, resulting in the omission of the actual matching portion, if it extends beyond this limit.

• AV-168277: The `/api/analytics/logs` API endpoint does not check for authorization while processing the request, leading to sensitive information disclosure.

• AV-176948: The ALB SDK code in not conforming to the defined types specified in the proto, resulting in inconsistencies such as using unit32 instead of int32.

• AV-179772: Ansible serviceenginegroup collection import fails with more than 255 arguments error, this is fixed by splitting the serviceenginegroup into multiple collections.

• AV-181314: Alerts from `deleted alert_configs` remain in the database instead of being deleted permanently.

• AV-186052: Service engine failure if an LDAP response carries a referral to a server which is not reachable from the management interface.

• AV-185901: The log recommendation feature fails to handle the scenario where the HTTP method GET is added to the Allowed Methods field in a WAF profile after it has been manually removed.

• AV-195338: Editing SE through the UI erroneously permits configuring both DHCP IPv6 and Static IPv6 fields.

• AV-186974: In ENS Interrupt mode for datapath, enabling GRO along with the default LRO may cause TCP-fastpath virtual service traffic to stall.

• AV-191036: Missing event for Objsync peer connection failures.

• AV-192778: In Docker-based Controllers, during reboot/upgrade workflows, DNS configuration is not being persisted.

• AV-194438: When health monitor sharding is enabled for GSLB services, GSLB Pool Members may occasionally be incorrectly marked as DOWN.

• AV-195157:DNS resolution is affected due to incorrect GSLB status being synced across all the sites.

• AV-195338: Editing SE through the UI erroneously permits configuring both DHCP IPv6 and Static IPv6 fields.

• AV-195766:LDAP authentication on the Controller fails if the option Enable Full DN For Group Member Attribute is disabled in Auth profile configuration.

• AV-196007: Controller authentication via SAML fails with some IDPs like vIDM and OKTA caused by an extra "/" at the end of Assertion Consumer Service (ACS) URL in the IDP configuration.

• AV-196162: Upgrade to version 30.1.2 fails due to an issue in the export workflow when the configuration has Users with special characters in their Name.

• AV-197591: High CPU utilization whenLeast Load Algorithm is configured in the pool and connection multiplexing is disabled in the Application Profile of the virtual service.

• AV-202324: Upgrade fails if the current RT VS is more than the limit configured on the system limits based on the flavor.

• AV-197737:Go SDK does not allow values within the range of uint32, causing it to crash while unmarshalling JSON data containing uint32 values in the request/response.

• AV-198913: AV-198989: When both WAF and Thales HSM are enabled, se_dp processes can fail.

• AV-200414: When assign_tenants is not selected explicitly for an auth mapping profile, LDAP users will not be able to access any resources in 30.1.1 and 30.1.2.

• AV-200616: SE Disk Encryption key update in GCP Cloud fails with the error, "Delete all Virtual Services and Service Engines of Cloud Default-Cloud to modify encryption_keys.se_disk_kms_key_id option".

• AV-200930: Alert configurations with a rolling window fail to generate alerts when there are more than two events.

• AV-201304: Requests are potentially being sent to the EVH Virtual Service with a wildcard domain instead of being processed by the EVH virtual service with a matching exact domain. This issue occurs specifically when the path of the request is matched using a regular expression (regex_match).

• AV-201682: L4 Logs not being shown in case of single virtual service hosting ports on different protocols using override option.

• AV-202324: Upgrade fails if the current RT VS is more than the limit configured on the system limits based on the flavor.

Security Advisory

This release resolves CVE-2024-22264 and CVE-2024-22266. For more information on these vulnerabilities including impacted product suites and release lines, please see VMSA-2024-0009.

Key Changes in 30.2.1

• The minimum Controller size supported from 30.2.1 is 6 vCPU, 32 G RAM (Small).

• All Controller nodes in a cluster must be homogeneous in terms of memory, CPU, and disk configurations. See Cluster Compatibiliy and Upgrade Requirements to know more.

• System limits will be enforced for the following parameters:

  • Number of tenants

  • Number of virtual services with Real-Time Analytics

  • Number of VSs with Web Application Firewall

  • Number of Service Engines

• Max number of virtual services with WAF has been increased to 2500 for the Large Controller flavor.

For more information on the limit enforced for various entities, see VMware Configuration Maximums.

• Any Controller cluster having an Azure cloud will have the following warning message, displayed:

  Azure Basic LB will be discontinued on September 30, 2025. If you plan on continuing to use Azure, we recommend using Standard ALB

Feature Deprecations / Removal of Support

Known Issues in 30.2.1

• AV-204781: SCTP virtual service does not support auto gateway.

  • Workaround: Configure default route for the traffic to respond to client.

• AV-206740: In versions prior to 30.2.1, when the Override Management Network option is used to specify the SE management network, mgmt_ip_v6_enabled is set to False on the respective cloud, even if IPv6 Auto Configuration is enabled, thereby, blocking SE creation for deployments that require an IPv6 secondary interface on the Controller for secure channel connections.

  • Workaround: After upgrade, manually set the option mgmt_ip_v6_enabled to True, on the affected Cloud.

• AV-207186: Update of existing NSX-T clouds or creation of a new NSX-T cloud fails with the error Cannot configure more than 0 Tier1 logical routers. However, a new Controller deployed in version 30.2.1 does not encounter this issue.

  • Workaround: Contact Broadcom Support by raising a support case for recovery.

• AV-207620: VSVIP creation will fail when Infoblox is used for IPAM and/or DNS.

  • Workaround: Adding specific Infoblox IP and profile_url entries to the file /etc/hosts on the Avi Controller nodes will mitigate the issue. For more details, raise a support case.