Illumio Core What's New and Release Notes 21.5

Potentially blocked syslog traffic was not present in log (E-84710, E-84789)

With the PCE set up to forward potentially blocked traffic to the syslog server, other logs appeared, but not potentially blocked traffic. The cause was an error in the syslog configuration code. This issue is resolved. Potentially blocked traffic is now logged.

(Supercluster) Migration failed and slony services did not start on upgrade (E-84281)

In some environments and after certain previous upgrades, Supercluster upgrade to 21.2.x or later PCE versions failed during migration on member PCEs with an error like "An error has occurred, this and all later migrations canceled". Or, if migration succeeded, slony services would not start, with an error like "[agent_slony_service] Configuration appears to have failed." Also, on member PCEs, one or more tables might have missing replication triggers, causing replication issues. This issue is resolved. These upgrade issues no longer occur. This issue was described in more detail in Supercluster Upgrade Failure When Upgrading to 21.2.x or Later (login required).

Name of removed service account could not be reused (E-83917)

After a service account was deleted, its name could not be used again within the same org. This issue is resolved. The name of a deleted service account can be used for a new service account.

Isolated node caused error (E-83819)

A 500 Internal Server error occurred some time after a PCE node became isolated, and in server log messages, a long time interval was reported between isolated_time and now. This occurred because the "node isolated" flag was not cleared when the node came back online. This issue is resolved. The "node isolated" flag is now cleared.

(Supercluster) Tab missing from PCE Health and information missing (E-83516)

The Supercluster tab was sometimes missing from the PCE Health page of the PCE web console, and the replication lag was not being calculated. This was caused by a cached connection to a data node that was no longer valid. This issue is resolved.

Service discovery log contains debug messages in production (E-83455)

In the service_discovery log, DEBUG level messages sometimes appeared. These messages could be identified by containing the text "level=debug." This issue is resolved. Only messages of type INFO are now logged, as expected.

(Supercluster) During rolling upgrade of PCE, service repeatedly restarted on another PCE (E-83332)

In a Supercluster, when one PCE is in the midst of a rolling upgrade, the replication monitoring service restarted multiple times on a PCE in another region. This occurred because a PCE in the process of upgrading can be unreachable. This issue is resolved. If a remote PCE becomes unreachable, the connection is retried without restarting the replication monitoring service.

PCE upgrade failed (E-83200)

Upgrading a PCE to release 21.5.0 failed. The failure was reported on data nodes with a NEN installed via the error "PGPASSWORD cannot be included in the command. Please use env_hash to pass is as env variable." This issue is now fixed. Upgrading to PCE release 21.5.0 now succeeds.

Access restriction could not be deleted after deleting service account (E-82752)

When attempting to delete an access restriction, the message "Access Restriction is associated with one or more users" was displayed. This occurred when using a service account with access restriction in place. If you deleted the service account, you could not later delete the access restriction which had been associated with it. The association between the access restriction and the service account persisted after the service account was deleted. This issue is resolved. When a service account is deleted, the association with the access restriction is explicitly removed.

Login denied message changed (E-82583)

When the Read Only User feature is turned off, and a local user has no permissions, any login attempts are blocked, which is the expected behavior. However, the message generated had changed from the expected "You are not authorized to access this Organization." to "Access denied." This issue is resolved. The message has been changed back to "You are not authorized to access this Organization."

Service accounts: JSON report error (E-82377)

When generating an export report, if you selected JSON format and selected Service Accounts in the Containing All dropdown list, the report was not exported. In the Export Reports page, the Status column showed "Error". This issue is resolved. The report is now exported without error.

Vacuum backlog warning at almost 50% (E-80929)

On systems with very light database activity, the vacuum backlog metric of the policy database sometimes showed a high percentage (>= 40%) and the metric could be in a warning state. This issue is resolved. The vacuum backlog metric no longer promotes a needless warning.

Asynchronous GET requests returned 403 errors when using Service Account (E-84292)

When using a service account-based API key with the Illumio REST API, performing an async GET request returned an HTTP 403 error. This issue is resolved. This release now supports performing async GET requests while using a service account.

Time Drift warning for PCE nodes was misleading (E-81610)

The Time Drift health warning is displayed in the PCE Health page when time drift is detected between two PCE nodes. Time drift is the difference between the time when PCE cluster health was generated and the time when node health was generated. If NTP was not set up correctly, the PCE might use stale information to generate the Time Drift warning, so the Time Drift warning message could be misleading. This issue is resolved. The Time Drift warning message is now accurate.

Details for removed node no longer visible in PCE Health (E-81353)

The command illumio-pce-ctl cluster-leave removes a node from the PCE, but it did not remove details about the removed node from the PCE internal registry. As a result, the PCE Health page showed nodes that were no longer participating in PCE operations. This issue is resolved. The removed nodes do not appear on the PCE Health page.