Illumio Core What's New and Release Notes for 23.5

Resolved Issues in Release 23.5.30-PCE

  • PCE setup does not work on RHEL 9.x in FIPS mode (E-119668)

    This release resolves an incompatibility between the PCE and RHEL 9.x in FIPS mode that caused the PCE to not start properly.

  • Errors in Flow Analytics (E-118558)

    Flows in Illumination or the traffic database summary were not appearing, and the traffic database size summary was being shown as zero on some PCE clusters.

  • Last updated policy timestamp for C-VENs reflects Kubernetes Workload policy changes (E-118372)

    The last updated policy timestamp on C-VENs now updates after a C-VEN successfully updates the policy for its pods.

  • Navigation error while navigating to Authentication Settings > SAML: Not Found (E-118183)

    In PCEs running 22.5.32, sometimes going to Authentication Settings > SAML resulted in the attempted navigation being cancelled, and a "Navigation error details" popup appearing.

  • PCE is sending partial IPP instructions (E-117863) 

    PCE was sending partial IPP instructions to Kubelink, which resulted in incorrect policy in the destination cluster.

  • Policy generator throwing an error when saving rules (E-117499)

    When users tried to save the rule with custom iptables rules, the Policy generator was throwing an "Unexpected input validation error".

  • Missing app-tiers label on pod using annotation (E-117004) 

    In non-CLAS (legacy) container clusters, when Illumio labels were applied through Kubernetes annotations, a label key containing a dash (-) was not properly assigned to Container Workloads. For example, a pod annotation of annotation.com.illumio.app-tiers with a label value of AT_A was not created with the label type App-Tiers or the label AT_A. This issue is now resolved for new Container Workloads created on this release. However, upgrading the PCE to this release does not fix existing Container Workloads that have labels containing a dash character. To fix such existing Container Workloads, you can edit the Container Workload Profile to add another possible value for the dash-containing label. After you save this edit, existing Container Workloads are re-labelled correctly with their assigned annotation values.

  • NEN 2.6.20 is stuck in "ACL generation pending" (E-116805)

    In a configuration with a 2.6.20 NEN paired with a supercluster member on PCE Version 22.5.32-12, running "Generate ACLs" never completed, and only showed the "ACL Generation Pending" message without ever producing an ACL. 

  • CLAS - Rules are not created for Kubernetes Workloads and VIPs (E-116721) 

    In CLAS-enabled deployments, rules between a Kubernetes Workload and a VIP (from a virtual server, for example an F5 Virtual Server) were not created even after provisioning, and these rules failed to appear in the PCE Web Console. This issue is resolved. The new runtime environment variable clas_workloads_ipset_only_changes_enabled must be set to false in the PCE runtime_env.yml file (under agent_service:) for the PCE to correctly send Virtual Server instructions to Kubernetes Workloads.

  • Header manipulation issue fixed (E-116114)

    Appropriate validation of the Host header was added to prevent Host header manipulation.

  • HTTP 500 error from Kubernetes Workloads filter (E-115416)

    After navigating to Workloads > Kubernetes Workloads, setting the Filter to Category NO LABEL, Type == NO APPLICATION LABELS, and pressing Enter, the action failed and a "Navigation has been cancelled due to an error" message appeared.

  • Container cluster reporting "Virtual service is still active on a workload" after upgrading to "clusterMode: migrateLegacyToClas" (E-114727)

    After a non-CLAS (legacy) deployment was upgraded to CLAS mode, existing container clusters running multiple ClusterIP virtual services each went into an Error Status, with each cluster detail page also displaying a "Virtual service is still active on a workload" message.

  • report_monitor and traffic_query services flapping on coordinator replica node after OS upgrade (E-113024) 

    On DX configurations, adding a new CC (Citus Coordinator) node or a new CW (Citus Worker) node to the cluster sometimes caused flapping of some services, such as report_monitor or traffic_query. This flapping occurred because IP restrictions on some current nodes of the cluster did not account for the new node IP addresses.

  • External users with multiple scopes reporting PCE slowness (E-109314)

    External users with many scopes in their RBAC permissions have been reporting PCE UI slowness, especially when browsing the VENs tab and querying traffic.