Resolved Issues in Illumio Core 22.5.30
Illumination Plus
Illumination Plus and reports pages display blank when time-saved filters are created (E-102528)
Illumination Plus and reports pages were displaying blank when users created a custom time-saved filter in different timezone formats.
This issue is resolved.
Illumination Plus - Filtered Objects lists are not displayed properly (E-102466)
When users add a filter after the PCE has generated two columns of objects, the first column (workloads) stays empty and the second one (container workloads) contains the filtered object. This issue is resolved.
Change the network name "External" to "External (Non-Corporate)" (E-102368)
The name External was changed to External (Non-Corporate) in Explorer, in Illumination Plus Traffic Tables, and on the Networks page.
Default view to go straight to the table view from the classic UI (E-102364)
Configure the default view on Illumination Plus to go straight to the table view from the classic UI. This issue is resolved.
Delete icon not visible when a filter has a long name (E-102359)
The Delete icon was not properly visible in Illumination Plus and Explorer if a filter with a lengthy name was saved. This issue is resolved.
Illumination Plus Deep Rule Analysis showed Allowed Traffic as Blocked (E-101506)
A rule created to allow traffic was shown as Blocked when viewed in Deep rule analysis. The same rule was correctly shown as Allowed in Quick Draft Rules and in Explorer. This issue is resolved.
Provider/source order mismatched between filters and column headers (E-101156)
Configuring the source/destination order in the Policy Settings did not control the filters and the column headers in the table view of Illumination Plus. Instead, the filters and column headers were displayed in the opposite order. This issue is resolved.
Illumination Plus - Reports page displaying with a blank page when upgrading from v22.4.x to v22.5.0 (E-99327)
When users who had two-label app group filters upgraded from 22.4.x to 22.5.0, a JavaScript error caused reports to display as a blank page. This issue is resolved.
Endpoint
VEN services restarted unnecessarily (E-106136)
On some Windows workloads, VEN services were restarted unnecessarily after waking up from sleep. This issue is resolved.
Double colons in FQDNs with quad A records caused a policy sync error (E-104996)
A policy sync error affecting multiple VENs occurred in the following circumstances:
The PCE policy included rules specifying FQDNs, and . . .
The customer environment had FQDNs that contained AAAA (IPv6) records ending in double colons (::). For example,
2603:1037:1:60::
This issue is resolved. This error no longer occurs in these circumstances.
Enterprise Server
VEN doesn't capture local DNS properly (E-106370)
On systems that use local DNS resolution (such as `systemd-resolved`), DNS capture packets did not properly match DNS responses for processing in userspace. This issue is resolved.
On-Prem 21.5.34 Workload Filter Inconsistency (E-106223)
Using multiple filters for the workload page that include IP addresses might have produced an inaccurate result set. This issue is resolved.
Workloads filter returned an incomplete list (E-105920)
Specifying a particular subnet when filtering for workloads returned an incomplete list if any of the workloads had more than one interface in that subnet. This issue is resolved.
After upgrade, the VEN could lose connectivity to the PCE (E-105022)
After upgrading the VEN to 22.5.10, it could lose connectivity with the PCE. This issue only occurred with PCEs that were part of a Supercluster deployment. This issue is resolved. After upgrading the VEN to 22.5.22, the VEN can connect with PCEs in a Supercluster.
Kubelink could restart when container cluster services were deleted (E-104786)
Kubelink could restart due to an unexpected PCE error when reporting to the PCE that container cluster services were deleted. This issue occurred when PCE port separation was enabled. This issue is resolved.
Traffic worker not coming up after stop/start (E-104519)
After operations involving changes in the runlevel and/or service restart, in rare circumstances, the app gateway service generated duplicate proxy ports. This resulted in the failure of services, such as traffic worker, to connect to redis related services, with a "wrong password" exception. This issue is resolved.
Data in exported CSV files didn't match policy decision data in Explorer (E-104439)
When exporting policy data from Explorer, the content in the CSV file didn't match the policy data in the Explorer page. This issue occurred because the PCE exported the aggregate traffic flows and not the individual connections, which the Explorer page displays. This issue is resolved. In this release, exporting policy data from Explorer correctly exports the individual connections. The CSV file now matches the data displayed in the PCE web console Explorer page.
Scopes not appearing on User Activity details and Local user details screen (E-104175)
In automated environments, labels can be created or can exist with invalid label types. Labels in grids will not appear if their label types are invalid, but they will appear in other places such as edit/detail pages. Currently, no workaround is available.
Warn when changing labels of enforced workloads (E-102907)
Net admins needed to be informed when they change labels used by workloads so that they are aware these changes will impact policies. This issue is resolved and admins receive appropriate warnings.
PCE Platform
PCE upgrade fails from PCE 22.2.x and earlier to 22.5.0 and later with endpoint VENs (E-105999)
The PCE upgrade failed in the `illumio-pce-db-management migrate` step when upgrading from PCE version 22.2.x and earlier to 22.5.20 and later when endpoint VENs were present before the PCE upgrade. This issue is resolved.
Policy Platform
Deadlocks in Container Workload Purging (E-106907)
There is a background job in the PCE to remove decommissioned container workloads from the database. This background job could fail in highly dynamic container environments due to PostgreSQL deadlocks. This job has been made resilient to this and other failures.
Potential PCE performance impact in highly dynamic container environments (E-106906)
When C-VENs acknowledged to the PCE that policy had been applied, the PCE in turn updated all records associated with the C-VENs, including records for previously-deleted container workloads still in the PCE database. While this caused no functional issues, it could possibly result in a large number of writes with the potential to degrade performance in highly dynamic container environments where containers were being created and deleted very quickly.
This issue is resolved.
Workloads page did not update on external IP changes (E-106847, E-106806)
When VENs are deployed on VMs in certain well-known public clouds (such as AWS), the PCE attempts to detect the public NAT address (e.g. elastic IP) of those workloads and use them in policy. The logic that updates the NAT address upon a VEN heartbeat was not working properly. When the NAT address of a public cloud VM changed, the PCE did not program the new address in the policy unless there was an interface change on that VM. This issue is now resolved.
Events page showing repeated `clone.detected` messages (E-106579)
After upgrading from the release 21.5 to 22.5, the Events page was flooded with `clone.detected` messages up to 5 times per second. This issue is resolved.
Supercluster PCE upgrade failure from PCE version 22.2.x with endpoint VENs (E-106479)
The supercluster PCE upgrade failed in the `illumio-pce-db-management migrate` step when upgrading from PCE version 22.2.x to 22.5.x when endpoint VENs were present before the PCE upgrade. This issue is resolved.
Keys were missing from `agent_missed_heartbeats_check` event detail page (E-97912)
When viewing a `system_task.agent_missed_heartbeats_check` event in the UI, the "resource changes" and "notifications" fields were missing from the UI. The data existed in the API JSON but these values didn't appear in the UI. This issue is resolved.
UI Components
Backport: Application labels absent in the workload's Blocked Traffic tab (E-105383)
UI did not display application labels for source/Provider in the workload's Blocked Traffic tab. This issue is resolved.
Unable to add CIDR range to unmanaged workload interfaces (E-104729)
In certain conditions, a CIDR could not be applied to an unmanaged workload interface. Note that the CIDR is used for informational purposes only to encode information about a subnet mask, and does not add the entire IP range to the unmanaged workload. This issue is resolved.
Virtual server rules weren't displayed in the Rules tab (E-103687)
When viewing a virtual server page, the Rules tab could be empty. This issue occurred when you navigated to the Rules tab from the Summary tab using the following path: PCE web console main menu > Policy Objects > Virtual Servers > Summary tab > Rules tab.
This issue is resolved. In this release, the virtual server rules appear in the Rules tab when navigating from the Summary tab.
A rule copy appears to modify the original rule (E-103604)
Deleting a virtual service on a rule copy makes it look as if the change will also apply to the original rule.
If the rule copy is saved with the change, the original rule remains unchanged. This issue is mostly cosmetic and is closed as such.
VEN
On Windows, VEN fails to add an AUS rule for a logged-in user (E-106773)
This resulted in the user not being able to connect to the source protected by the AUS rule. The issue is resolved.
VEN pairing fails with certain macOS updates (E-106229)
A recent security update from Apple caused the macOS VEN pairing to fail. An error appears, "Could not set environment: 150: Operation not permitted while System Integrity Protection is engaged." This has been resolved.
Incomplete static policy caused VENs to go offline (E-105833/E-105138)
In some circumstances, VENs went offline after the PCE sent an incomplete static policy to VENs. This issue is resolved.
Unexpected Port Scan Results (E-104213)
During a port scanning test, a Windows server protected by Illumio VENs in Enforcement mode was able to respond to ports that had no listeners. This issue stemmed from unexpected behavior from the Windows Firewall Stealth filter. This issue is resolved.
Allowed traffic reported as dropped (E-103701)
After an upgrade, VENs temporarily reported allowed flows as dropped. The issue is resolved.
ilo_ipsets load: ipset v6.36: Error in line 6975: The set with the given name does not exist (E-103250)
On Linux and AIX operating systems, VEN still inserted IPv6 elements into IPv6 FQDN ipsets, which were not created when IPv6 was disabled. This issue is resolved. In this release, if IPv6 is disabled, the VEN will not create the IPv6 FQDN ipset, nor will the VEN insert elements into the FQDN ipset.
Disabled boundary rules causing potentially blocked by boundary flows in Explorer (E-98104)
Explorer displays traffic that is potentially blocked by a boundary even if there are no active boundary rules.
Workaround: Not available.
VEN on Solaris 10 fills up space with the large `ippool`-extra debug file (E-92538)
An OS bug exists whereby the IP Filter `ippool` OS utility may generate repetitive/unlimited output under the `/opt/illumio_ven_data` directory. This fix mitigates the OS bug by terminating `ippool` as needed.