This section contains the release notes for 30.1.2 and the patches released under this branch.

Patch Release Notes for 30.1.2

30.1.2-2p1
17 February 2024
  • AV-175344: Log Manager's task queue stall causing unbounded growth on the Controller.

  • AV-189340: The se_log_agent fails with the error message, SE crashed with fatal error for external log streaming over TCP/TLS.

  • AV-195595: External log streaming to servers or load balancers which erroneously respond to the simplex log stream causes Service Engine memory growth, eventually leading to SE crash.

  • AV-196007: NSX Advanced Load Balancer Controller authentication via SAML fails with some IDPs, such as vIDM and OKTA, because of an extra "/" at the end of the Assertion Consumer Service (ACS) URL in the IDP configuration.

  • AV-196162: Upgrade to version 30.1.2 fails due to an issue in the export workflow when the configuration has Users with special characters in their Name.

  • AV-197350: Log streaming fails owing to streaming endpoint restarts or the receipt of any unexpected responses.

Release Notes for NSX Advanced Load Balancer Version 30.1.2

Release Date: 12 December 2023

Before initiating the upgrade, see Checklist for Upgrade to NSX Advanced Load Balancer Version 30.1.2 to understand the considerations and prerequisites for upgrade.

What's New in 30.1.2

GSLB

Ability to get the GSLB service member hostname through an environment variable in external health monitor script code.

WAF

NSX Advanced Load Balancer is not affected by CVE-2021-44832.

Issues Resolved in 30.1.2

  • AV-127214: SE failure due to incompatibility in hardware versions for LSC deployments on VMware ESXi VMs.

  • AV-179858: Unable to modify or save an existing DNS application profile due to a validation error in the Admin Email entered in the Domains section in the Domain Names/Subdomains screen.

  • AV-182114: When the SEs are created with insufficient licenses, the NSX Advanced Load Balancer UI shows that the SE is enabled, when the SE is in the disabled state. On clicking DISABLE, the SE is stuck and displays the error message, “Cannot change state since disable operation is in progress”.

  • AV-182892: AWS cloud-specific information is not displayed in the Clouds page (Infrastructure > Clouds) in the NSX Advanced Load Balancer UI.

  • AV-183400: HTTP request header size greater than 4K with ICAP deployment enabled can cause Service Engine failure.

  • AV-185604: When configuring a TCP request for a health monitor of type TCP with user-defined settings including get or post strings, the system automatically appends HTTP/1.0 and \r\n\r\n to the TCP request.

  • AV-185882: Unable to update secure channel root certificate when the cloud is not No-Orchestrator or SEs are running in the system.

  • AV-186355: DNS resolution for pool FQDN may result in failure when the response is greater than 512 bytes to trigger the resolution to happen through TCP transport.

  • AV-186671: Successive restarts of the Service Engine result in the creation of multiple events and event files, leading to potential Controller cluster instability.

  • AV-187841: SAML users are directed to the CSP in VMware cloud services to re-initiate the login process on user-logout and session-timeout, instead of navigating to the login page [https://controller/#!/login].

  • AV-187842: SAML authentication fails if the IDP configuration does not include the email-ID and UID attributes i.e. assertion coming from IDP to NSX Advanced Load Balancer does not include the email-ID and UID attributes by default. The IDP needs to be explicitly configured to send email-ID and UID attributes.

  • AV-187919: SE failure when the client sends an invalid HTTP/2 header.

  • AV-188047: When using the recommendation workflow in the log view, the system does not check if it exceeded the allowed number of excluded elements in the crs_overrides. In this case, further changes to the WAF Policy through the UI are not possible without removing some of the crs_overrides first.

  • AV-188363: The Service Engine may fail to initialise in an LSC host when NICs from multiple vendors are present, or may underperform due to variable descriptor sizes across NIC vendors.

  • AV-188464: Modifying the pool configuration through the GUI on an NSX-T cloud with Security Groups as server definitions can lead to the removal of pool members until the next discovery sync occurs. This issue occurs even when the existing pool configuration is not modified, but just saved via UI.

  • AV-188824: LDAPS authentication fails when the LDAP server has a self-signed certificate or a certificate signed by a private CA.

  • AV-188904: Trailing RST on a closed L7 SSL VS connection may cause SE failure.

  • AV-188919: If the vm_uuid file is edited or saved manually, it can result in the generation of an extra newline at the end, causing image upload failures due to host resolution issues.

  • AV-189995: SE persistence may be out of sync for scaled out virtual services in Elastic HA mode.

  • AV-189818: Unable to edit or update the federation checkpoint object after setting a checkpoint as active in adaptive replication mode. The replication stalls with the following error, Sync Stalled, reason: replicating federationcheckpoint:<checkpoint_name>.

  • AV-190003: High CPU utilization may be observed in NSX based cloud connector environments (check using the `show cpuusage` Controller command).

  • AV-190126: Using Broadcom NIC as management with Mellanox NIC for datapath causes issues in bringing up the NIC.

  • AV-190461: Frequent updates to StringGroups attached to a DataScript that also makes repeated calls to avi.stringgroup functions may result in failures in string group lookups.

  • AV-190475: `se_dp` crash occurs due to memory corruption in rare cases within the GRO (Generic Receive Offload) layer.

  • AV-190615: Deploying a Controller node with ovf property for IPv6 address, avi.mgmt-ip-v6.CONTROLLER set as null instead of leaving it as blank, leads to erroneous IP configuration.

  • AV-190853: Performance issues when handling large requests in WAF with a large Positive Security Model.

  • AV-191545: Free Range Routing (FRR) does not adhere to the RFC 5881 prescribed source port range.

  • AV-191615: When a WebSocket is utilized with front-end using HTTP/2 and backend using HTTP/1, then NSX Advanced Load Balancer does not terminate the v1 WebSocket on the backend if the "Upgrade" header sent by the server is not "websocket" (all in lowercase), the upgrade header's value being case sensitive.

  • AV-191642: A PKI profile with a large CRL (greater than 4 MB) fails in replication across federation because of gRPC message size limitation.

  • AV-191670: In VMware NSX environments, in some scenarios when VIPs are created and added, NSX Advanced Load Balancer retains stale routes causing VIPs to go down.

  • AV-191821: User creation fails when the option Passwordless is set to true through the CLI/API. Consequently, NSX Advanced Load Balancer deployment through NSX fails.

  • AV-191913: Using a GeoDB object configured with the option Is Federated through the UI causes NSX Advanced Load Balancer to fail. This option has been deactivated now.

  • AV-192083: Failure in Objsync connection over management interfaces between SEs might lead to memory exhaustion.

  • AV-192220: The attributes defined in NSX Advanced Load Balancer are case-sensitive. LDAP user authentication fails when the attributes defined in NSX Advanced Load Balancer do not exactly match the values returned by the server.

  • AV-193663: Metrics Manager database connections with Postgres are unclosed, causing a connection leak.

Known Issues in 30.1.2

  • AV-186974: In ENS Interrupt mode for datapath, enabling GRO along with the default LRO may cause TCP-fastpath virtual service traffic to stall.

    • Workaround: Follow the steps given below:

      • Disable GRO on the SE-group associated with the TCP-fastpath virtual service.

      • Disable the virtual service.

      • Reboot the service engine.

      • Enable the virtual service.

  • AV-187931: When System-SCTP-Proxy TCP/UDP Profile is selected as network profile for virtual services, a port range cannot be specified under Service Ports. If a port range is configured, only the first port within the specified range handles traffic.

  • If the Controller is connected to the proxy server and the proxy server goes down during an active connection to Cloud Services, the Controller displays the error GET <https://10.49.50.118/api/albservices/status> 500 (Internal Server Error).

Key Changes in 30.1.2

Ecosystem Update

In case of LSC deployments on VMware ESXi VMs, the hardware compatibility version is 11 or earlier.

WAF

Automatic application rules updates will be discontinued in July 2024. Further communication and guidance will be provided in the upcoming releases.

Checklist for Upgrade to NSX Advanced Load Balancer Version 30.1.2

  • Upgrade of NSX Advanced Load Balancer to 30.1.2 is only supported from the following versions:

    • Version 20.1.1 through 20.1.9

    • Version 21.1.1 through 21.1.6

    • Version 22.1.1 through 22.1.5

    • Version 30.1.1

  • Use the following table to configure Controller and Service Engine resource requirements before upgrading from an earlier version to 30.1.1 and later:

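    | Upgrade from Version | Minimum Requirement (In the lower versions) | Minimum Requirement (Starting from version 30.1.1 onwards) |
    |---|---|---|
    | 22.1.1 | Essentials: 12 GB; Small: 24 GB | Essentials: 4 vCPU / 24 GB; Small: 6 vCPU / 32 GB |
    | 22.1.2 | Essentials: 16 GB; Small: 24 GB | Essentials: 4 vCPU / 24 GB; Small: 6 vCPU / 32 GB |
    | 22.1.3 - 22.1.5 | Essentials: 24 GB; Small: 24 GB | Essentials: 4 vCPU / 24 GB; Small: 6 vCPU / 32 GB |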

    Upgrade Recommendation

    Upgrade the Controller resources to meet the new requirements before upgrade.

    Service Engines are mandated to have 2 GB memory starting with version 30.1.1. Upgrade the SE memory prior to upgrade if you are running service engines with less than 2 GB memory.

    Even when opting for a Controller-only upgrade, it's necessary to increase the SE memory to 2 GB. Otherwise, the upgrade will not succeed.