
Illumio Core What's New and Release Notes 23.2

Resolved Issues in 23.2.30-VEN

Important

Compatibility and performance issues can occur if the operating system version running on your workloads and endpoints is upgraded to a version that is not supported by the VENs on those machines. Before upgrading the operating system on workloads and endpoints, first make sure that the VENs installed on these machines support the new OS version. For workload VENs, see https://support.illumio.com/software/os-support-package-dependencies/ven.html. For Endpoint VENs, see https://support.illumio.com/software/os-support-package-dependencies/endpoint.html.

  • Policy application failed in some circumstances (E-117246)

    Some earlier VEN versions failed to apply policy if the workload on which the VEN was installed had multiple valid IPv6 DNS addresses. This issue is fixed.

  • Some endpoint VENs experienced high CPU usage and slow firewall programming (E-116252)

    On Endpoint VENs installed on MacBook endpoints running macOS 14.x, PlatformHandler exhibited high CPU usage and took progressively longer to program firewall rules. The issue stemmed from an Apple bug that leaked pfctl anchors over time; rebooting the endpoint cleared it only temporarily. Illumio resolved the issue by engineering a workaround.

  • Bug in nftables versions pre-0.9.2 prevented policy application (E-116635)

    Policy failed to load on VENs installed on RHEL 8/9 workloads with a version of nftables earlier than 0.9.2. This issue is resolved.

  • Issue affecting the persistent connection between PCE and VEN (E-116177)

    A regression introduced in the 22.5.33 and 23.2.23 Windows VENs could cause the Event Channel between the VEN and the PCE to stop functioning, resulting in a policy convergence delay. This issue is resolved.

  • Some endpoint VENs experienced high CPU usage and slow firewall programming (E-116006)

    On Endpoint VENs installed on MacBook endpoints running macOS 14.x, PlatformHandler exhibited high CPU usage and took increasingly longer to program firewall rules. The issue stemmed from an Apple bug that leaked pfctl anchors over time; rebooting the endpoint cleared it only temporarily. Illumio resolved the issue by engineering a workaround.

  • PCE didn't recognize external IP address of external Azure VM (E-115935)

    Unix VENs failed to correctly detect that they were running in an Azure environment, which prevented the PCE from recognizing the external IP addresses of the workloads. This issue is resolved. VENs now correctly detect when they're operating in an Azure environment.

  • Failure to apply policy update caused by excessive pfctl table generation (E-115342, E-113337)

    In some circumstances, Endpoint VENs failed to program firewall policy updates. The issue occurred because the number of pfctl tables generated by customer rules exceeded the default limit, which has since been adjusted. This issue is resolved.

  • RHEL5 VEN didn't apply generated IPv6 rule (E-113324)

    The RHEL5 VEN failed to ignore rules that reference IPv6 IPsets as designed, and as a result also failed to apply the generated IPv6 rules. This issue is resolved.

  • Windows VEN over-restricted cipher suites selection for Event Channel (E-113245)

    When the PCE was set to disable weak ciphers, a service on the VEN restricted the selection of some TLS cipher suites on the Event Channel. This prevented the PCE from updating policy on Windows VENs using Lightning Bolts (event service), meaning policy could be updated only during scheduled heartbeats (every 5 minutes). This issue is resolved: Lightning Bolt communication now works as designed.

  • Improper VM shutdowns caused VEN data file corruption (E-113231, E-109231)

    If a workload was shut down improperly, such as by a sudden loss of power or a kernel crash, some critical VEN data files could become corrupted, preventing the VEN from loading policy. This issue is resolved. Critical VEN data files are now more resilient if the workload is shut down improperly.

  • Outbound source process rule failed with FQDN in the destination IP List (E-112838)

    Rules that specified a Windows Outbound process or service failed to allow the configured connection(s) if the Destination IP List included an FQDN. This issue is resolved.

  • Generating an Individual Maintenance Token Failed (E-111662)

    When the Agent Tampering Detection feature was enabled and a user generated a token for a specific VEN (as opposed to tokens for all VENs), in some cases it wasn't possible to perform a protected illumio-ven-ctl action such as stop. For example:

    PS C:\Program Files> .\Illumio\illumio-ven-ctl.ps1 stop --maintenance-token <token for a specific VEN>
    Failed to verify maintenance token.

  • Make policy fetch non-blocking (E-104718, E-111622)

    This issue is resolved. Policy fetch requests now have a timeout of 15 minutes, which is longer than the standard VEN → PCE API timeout of 3 minutes. These requests also now send TCP keepalive probes to keep the connection active. Policy fetch requests are now performed on a separate thread, ensuring that the VEN can continue to operate and make other API calls without being blocked on policy fetch.

  • C-VENs failed to synchronize policy (E-108536, E-111490)

    C-VENs running 21.5.33 showed "Error" for the Policy Sync state with the message "Failed to load policy line." Concurrent threads (MsgHandler and downloadPolicyFromPCE) caused a race condition because of shared variables. This issue is resolved.

  • VEN failed to process FQDN rules, caused blocked traffic (E-111486, E-108639)

    After upgrading VENs from version 19.3.5 to version 22.5 or later, some VENs failed to process FQDN rules, causing traffic to be blocked. Due to a transient error, the VEN could fail to detect the DNS server(s) on the workload and so fail to program FQDN rules correctly. This issue is resolved. VENs now keep trying to detect a DNS server after the initial detection fails.

  • Policy sync error if no Allow rule for proxy server (E-110516)

    If your environment included a proxy server and your Illumio policy didn't include a rule allowing the proxy's IP:port, the VEN reported a policy sync error and tried continually to sync policy. This issue is resolved.

  • PCE clone detection led to continual retry loop (E-110732)

    After the PCE detected a cloned workload, multiple API failures occurred in venAgentMgr in a continual retry loop. This issue is fixed.

  • Message about stopping the venAgentMonitor appears in error (E-110150)

    On macOS 14.3 Endpoints running VEN 23.2.22, you may see the following failure message if you issue /opt/illumio_ven/illumio-ven-ctl restart to restart the VEN: "Stopping venAgentMonitor: ...fail!" In this circumstance, the failure message appears in error and you can safely ignore it.

  • VEN IPSec policy tampering detection not supported with RHEL5 (E-110015)

    In Illumio Core 23.2.20-GA, VEN IPSec policy tampering detection and recovery doesn't work with VENs running on RHEL5 workloads. On all other supported Linux distributions, tampering detection works as designed.

  • Support for pairing VENs on AWS Workloads with IMDS v2 (E-109528)

    This release provides support for pairing VENs on AWS workloads with Instance Metadata Service Version 2 (IMDS v2). This update was necessary to support IMDS v2 session-oriented authentication.
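    The session-oriented exchange that IMDSv2 requires is shown below as an added example; it is not Illumio's VEN code. The client first obtains a session token with an HTTP PUT carrying a TTL header, then presents that token on every metadata GET; a request without the token (the IMDSv1 pattern) is rejected. The header names and paths are the ones AWS documents for IMDSv2, but the metadata service here is a local mock bound to 127.0.0.1 instead of 169.254.169.254, and the instance ID it returns is a constructed sample value.

```python
"""IMDSv2 session-oriented metadata fetch, exercised against a local mock
of the metadata service so it runs offline.

Added example, not Illumio VEN code. Header names and paths follow the
AWS IMDSv2 documentation; the mock server, its port and the instance ID
are constructed for this example.
"""
import http.server
import secrets
import threading
import urllib.error
import urllib.request

TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
FAKE_INSTANCE_ID = "i-0123456789abcdef0"  # constructed sample value


class MockImds(http.server.BaseHTTPRequestHandler):
    """Minimal IMDSv2 behaviour: PUT /latest/api/token issues a session
    token; GET requires a valid token and answers 401 to anonymous
    (IMDSv1-style) requests."""
    tokens = set()

    def log_message(self, *args):  # keep the mock quiet
        pass

    def _reply(self, body):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_PUT(self):
        ttl = self.headers.get(TOKEN_TTL_HEADER)
        if self.path != "/latest/api/token" or ttl is None or not ttl.isdigit():
            self.send_error(400)
            return
        token = secrets.token_urlsafe(32)
        MockImds.tokens.add(token)
        self._reply(token)

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in MockImds.tokens:
            self.send_error(401)  # no/invalid session token: refused
            return
        if self.path == "/latest/meta-data/instance-id":
            self._reply(FAKE_INSTANCE_ID)
        else:
            self.send_error(404)


def start_mock_imds():
    """Start the mock on an ephemeral localhost port; returns its base URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), MockImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def get_imdsv2_token(base_url, ttl_seconds=21600):
    """Step 1: PUT to the token endpoint with a TTL header. Requiring a PUT
    plus a custom header is what defeats simple SSRF/open-proxy reads."""
    req = urllib.request.Request(
        f"{base_url}/latest/api/token", method="PUT",
        headers={TOKEN_TTL_HEADER: str(ttl_seconds)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base_url, path, token=None):
    """Step 2: GET a metadata path, presenting the session token.
    Returns (status, body); status is 401 when the token is missing/invalid."""
    headers = {TOKEN_HEADER: token} if token else {}
    req = urllib.request.Request(
        f"{base_url}/latest/meta-data/{path}", headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=2) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def fetch_instance_id(base_url):
    """The full exchange a pairing client performs: token first, then data."""
    token = get_imdsv2_token(base_url)
    status, body = get_metadata(base_url, "instance-id", token)
    return body if status == 200 else None


if __name__ == "__main__":
    url = start_mock_imds()
    print("anonymous GET (IMDSv1 style):", get_metadata(url, "instance-id"))
    print("with session token:", fetch_instance_id(url))
```

    Against a real instance, replace the mock URL with http://169.254.169.254 and leave the rest unchanged; if the instance enforces IMDSv2 (HttpTokens=required), the anonymous GET in the main block returns 401 exactly as the mock does.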

  • Improper VM shutdowns caused VEN data file corruption (E-109231)

    If a workload was shut down improperly, such as by a sudden loss of power or a kernel crash, some critical VEN data files could become corrupted, causing the VEN to lose connectivity with the PCE. This issue is resolved. Critical VEN data files are now more resilient if the workload is shut down improperly.