This section contains the release notes for 30.2.1 and all the patches fixed for this branch.

Patch Release Notes for 30.2.1

30.2.1-2p3
Release Date: 28-August-2024
  • AV-213904: Service Engine failure occurs if the request URI contains invalid UTF-8 sequences.

30.2.1-2p2
Release Date: 29-July-2024
  • AV-209690: Service Engine failure when a server sends a Set-Cookie header with an empty cookie value for a cookie used by the AppCookie Persistence Profile.

  • AV-206635: VSVIP creation through the UI for auto-allocation fails in the VPC mode.

30.2.1-2p1
Release Date: 07-June-2024
  • AV-206581: Using a variable in avi.pool.select() may fail to identify the pool during a virtual service update.

  • AV-207620: VSVIP creation will fail when Infoblox is used for IPAM and/or DNS.

  • AV-208107: Upgrade is failing when Infoblox profile is configured with FQDN instead of IPv4 address.

What's New in 30.2.1

Release Date: 07 May 2024

To refer to the upgrade checklist, click here.

VMware NSX Advanced Load Balancer is now known as VMware Avi Load Balancer. The product name change is being introduced in the Avi Controller UI, CLI, API, and product documentation from 30.2.1. This change has no impact on the functionality of the product and introduces no API changes that affect compatibility with previous releases.

Cloud Connector

AWS

VMware NSX

OpenStack

VMware vCenter

Core LB Features
Networking

IPv6 for Control Plane

IPv6 Data Plane

BGP

Monitoring and Observability
System
Security
User Interface

Issues Resolved in 30.2.1

  • AV-122464: GSLB Site Persistence (SP) oper status is DOWN with the reason "Gslb Service Member has a VirtualService that has multiple services. These services have different values for enable_ssl and/or enable_http2".

  • AV-161092: In a VMware cloud, the Service Engine creation fails when the content library is shared between the NSX cloud and the vCenter cloud configured in the same Controller.

  • AV-163205: The Modsec rule does not support configuring `body_processor` to Multipart through `ctl:requestBodyProcessor`.

  • AV-164052: WAF log should show the matching part of a match_element value, not only the beginning. WAF logs only the initial 256 bytes of the match_value for any match_element and truncates the rest of the match_value, resulting in the omission of the actual matching portion, if it extends beyond this limit.

  • AV-168277: The `/api/analytics/logs` API endpoint does not check for authorization while processing the request, leading to sensitive information disclosure.

  • AV-176948: The ALB SDK code is not conforming to the types defined in the proto, resulting in inconsistencies such as using uint32 instead of int32.

  • AV-179772: Ansible serviceenginegroup collection import fails with a "more than 255 arguments" error. This is fixed by splitting the serviceenginegroup into multiple collections.

  • AV-181314: Alerts from `deleted alert_configs` remain in the database instead of being deleted permanently.

  • AV-186052: Service engine failure if an LDAP response carries a referral to a server which is not reachable from the management interface.

  • AV-185901: The log recommendation feature fails to handle the scenario where the HTTP method GET is added to the Allowed Methods field in a WAF profile after it has been manually removed.

  • AV-195338: Editing SE through the UI erroneously permits configuring both DHCP IPv6 and Static IPv6 fields.

  • AV-186974: In ENS Interrupt mode for datapath, enabling GRO along with the default LRO may cause TCP-fastpath virtual service traffic to stall.

  • AV-189995: SE persistence may be out of sync for scaled out virtual services in Elastic HA mode.

  • AV-191036: Missing event for Objsync peer connection failures.

  • AV-192778: In Docker-based Controllers, during reboot/upgrade workflows, DNS configuration is not being persisted.

  • AV-194438: When health monitor sharding is enabled for GSLB services, GSLB Pool Members may occasionally be incorrectly marked as DOWN.

  • AV-195157: DNS resolution is affected due to incorrect GSLB status being synced across all the sites.

  • AV-195766: LDAP authentication on the Controller fails if the option Enable Full DN For Group Member Attribute is disabled in the Auth profile configuration.

  • AV-196007: Controller authentication via SAML fails with some IDPs like vIDM and OKTA caused by an extra "/" at the end of Assertion Consumer Service (ACS) URL in the IDP configuration.

  • AV-196162: Upgrade to version 30.1.2 fails due to an issue in the export workflow when the configuration has Users with special characters in their Name.

  • AV-197591: High CPU utilization when the Least Load algorithm is configured in the pool and connection multiplexing is disabled in the Application Profile of the virtual service.

  • AV-202324: Upgrade fails if the current RT VS is more than the limit configured on the system limits based on the flavor.

  • AV-197737: Go SDK does not allow values within the range of uint32, causing it to crash while unmarshalling JSON data containing uint32 values in the request/response.

  • AV-198913: Using HTTP Response Policy or HTTP Response DataScript to replace the Content-Type header with "charset" directive present leads to an incomplete rewrite of the header.

  • AV-198989: When both WAF and Thales HSM are enabled, se_dp processes can fail.

  • AV-200414: When assign_tenants is not selected explicitly for an auth mapping profile, LDAP users will not be able to access any resources in 30.1.1 and 30.1.2.

  • AV-200616: SE Disk Encryption key update in GCP Cloud fails with the error, "Delete all Virtual Services and Service Engines of Cloud Default-Cloud to modify encryption_keys.se_disk_kms_key_id option".

  • AV-200930: Alert configurations with a rolling window fail to generate alerts when there are more than two events.

  • AV-201304: Requests are potentially being sent to the EVH Virtual Service with a wildcard domain instead of being processed by the EVH virtual service with a matching exact domain. This issue occurs specifically when the path of the request is matched using a regular expression (regex_match).

  • AV-201682: L4 logs are not shown when a single virtual service hosts ports on different protocols using the override option.

  • AV-202493:

  • AV-203418: If the Shared SSL certificates functionality option is enabled and a non-admin tenant certificate links with an admin tenant, the link update fails during renewal.

  • AV-203271: Importing a Let's Encrypt certificate implicitly associates it with the default Let's Encrypt certificate management profile, lacking the flexibility to manage the certificates externally.

  • AV-204295: Shared memory allocation failures for debug, trace, or event rings cause Service Engine failure.

Security Advisory

This release resolves CVE-2024-22264 and CVE-2024-22266. For more information on these vulnerabilities including impacted product suites and release lines, please see VMSA-2024-0009.

Key Changes in 30.2.1

  • The minimum Controller size supported from 30.2.1 is 6 vCPU, 32 GB RAM (Small).

  • All Controller nodes in a cluster must be homogeneous in terms of memory, CPU, and disk configurations. See Cluster Compatibility and Upgrade Requirements to know more.

  • System limits will be enforced for the following parameters:

    • Number of tenants

    • Number of virtual services with Real-Time Analytics

    • Number of VSs with Web Application Firewall

    • Number of Service Engines

  • Max number of virtual services with WAF has been increased to 2500 for the Large Controller flavor.

For more information on the limit enforced for various entities, see VMware Configuration Maximums.

  • Any Controller cluster having an Azure cloud will display the following warning message:
    Azure Basic LB will be discontinued on September 30, 2025. If you plan on continuing to use Azure, we recommend using Standard ALB

  • Any event files in the older format containing process IDs (PID) or files older than a year will be systematically removed from the Controller to enhance the efficiency of the log subsystem.

  • Large Receive Offload (LRO) in VMware environments:

    • LRO is enabled by default only for NSX Cloud.

    • LRO will work only when ENS mode is configured in the NSX cloud.

  • GRO is auto enabled on systems with eight vCPUs or higher by default, unless explicitly disabled using the disable_gro option in the SE Group.

  • Graceful closure of data connections: When the server is marked as unavailable by the health monitor, any existing data connections to the server will be terminated after a specific time interval (graceful_hm_down_disable_timeout).

  • When an API has not returned all the available logs data within a specified duration, a timeout can occur in the logs page with the error message, “We are unable to fetch all logs. Please reduce display timeframe or refresh logs.”

Feature Deprecations / Removal of Support

  • The Avi Essentials tier is not qualified in release 30.2.1, and hence is not supported. Upgrade of an existing Controller (any version lower than 30.2.1) in the Avi Essentials tier to Avi release 30.2.1 is not allowed.

    Customers using the Avi Essentials tier are advised to remain on the existing active (lower than 30.2.1) release, or upgrade to the latest recommended release in the 22.1.x release train.

    Support for Avi Essentials tier will be reintroduced in a future release.

  • Effective from version 30.2.1, the Avi Basic License Tier will no longer be supported, resulting in the following changes:

    • Upgrades to version 30.2.1 with an Avi Basic License Tier will not be permitted.

    • New deployments of the Avi Controller will be unable to switch to the Avi Basic License Tier.

    • NSX License keys providing Avi Basic entitlement and conversion will not be accepted in version 30.2.1.

    See KB article for more information.

  • OpenStack Write Access mode is deprecated with effect from Avi Load Balancer Controller version 30.2.1, with OpenStack Zed being the final supported OpenStack release. OpenStack No-Orchestration mode will continue to be supported.

    • Existing Deployments

      • Avi Load Balancer will continue to support OpenStack Write Access deployments until the End of General Support (EoGS) of the 30.2.x release.

      • It is recommended to migrate your workloads to the No-Orchestrator mode of the Avi Load Balancer before the EoGS date of the 30.2.x release.

    • New Deployments

      • New deployments in OpenStack should be configured using the No-Orchestrator mode of Avi Load Balancer.

Known Issues in 30.2.1

  • AV-204781: SCTP virtual service does not support auto gateway.

    • Workaround: Configure a default route so that the traffic can respond to the client.

  • AV-206740: In versions prior to 30.2.1, when the Override Management Network option is used to specify the SE management network, mgmt_ip_v6_enabled is set to False on the respective cloud even if IPv6 Auto Configuration is enabled, thereby blocking SE creation for deployments that require an IPv6 secondary interface on the Controller for secure channel connections.

  • AV-207186: Update of existing NSX-T clouds or creation of a new NSX-T cloud fails with the error "Cannot configure more than 0 Tier1 logical routers". However, a new Controller deployed in version 30.2.1 does not encounter this issue.

  • AV-207620: VSVIP creation will fail when Infoblox is used for IPAM and/or DNS.

    • Workaround: Adding specific Infoblox IP and profile_url entries to the file /etc/hosts on the Avi Controller nodes will mitigate the issue. For more details, raise a support case.