What's New and Release Notes 25.2

Resolved Issues in NEN 2.5.0

  • When processing multi-paged AVI API responses, policy programming failed (E-95740)

    While processing multiple-paged AVI networksecuritypolicy API responses during policy programming, the NEN incorrectly stored the policy ID to associate the policy to its rules. This caused the NEN to point to an invalid memory location, which in turn caused network_enforcement_policymgr to crash and policy programming to fail. This issue is resolved.

  • Problem when tamper checking AVI SLBs in multi-page AVI API responses (E-95546)

    An invalid check of the returned API response occurred when the NEN performed tamper checking of multiple-paged AVI networksecuritypolicy API responses. This issue could have caused the NEN to miss some Illumio networksecuritypolicies. The NEN could then have interpreted the missed policy as policy tampering, triggering a check on the SLB for those missing policies, resulting in no errors found. The issue was resolved by fixing the API response checks to make sure the NEN retrieved all networksecuritypolicies from the AVI SLB.

  • Generating switch policy failed in a HA configuration (E-94344)

    Generating policy by running the switch policy generate command on the primary node of a High Availability (HA)-configured NEN (from either the UI or from the CLI) could cause policy generation to fail and return the following error message: This command can only be run on the node running the primary Network Enforcement Service. This issue is resolved. The command can now be run on any NEN node – primary or secondary – that is running the network_enforcement service.

  • Policy update failed when new Illumio iRules weren't applied correctly (E-93921)

    An error occurred when trying to create a policy that applied a new Illumio iRule to block an existing non-Illumio iRule. The error prevented policy from being updated. This issue is resolved. New Illumio iRules are now applied before non-Illumio iRules.

  • PCE sent multiple unnecessary policy updates to the NEN (E-93851)

    Illumio updated the NEN 2.5.0 to address this issue in the PCE. In previous releases, the PCE sent policy updates to the NEN even when the SLB virtual services address list hadn't changed. This issue occurred because pods frequently go down and come back up, which triggered a policy job with "no address list changes" in the PCE. In this release, this issue is resolved for the NEN. The issue will be resolved in the PCE in a future release. In this release, the NEN optimizes the addresses in the address list and stores the SHA of the sorted address list for comparison between policies. The PCE ignores policy updates that don't contain changes in the overall address list by comparing the SHA of the new address list with the previous one.

  • F5 AFM policy deletion for a deleted VS failed (E-92008)

    When a NEN tried to delete a policy from an F5 BIG-IP Advanced Firewall Manager (F5 AFM) for a virtual server (VS) that had been deleted, the NEN defaulted to treating the VS like a non-AS3 managed VS. This resulted in the policy remaining on the F5 AFM. This issue is resolved and the NEN now makes sure (as originally intended) that no artifact of a policy remains on the SLB for the deleted VS.
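
The address-list comparison described under E-93851 above can be sketched as follows. This is an added example, not Illumio's code: the choice of SHA-256, the reading of "optimizes" as deduplicating and collapsing CIDRs, and every name in it (AddressListTracker, needs_update, mark_programmed) are assumptions for illustration.

```python
import hashlib
import ipaddress


def canonical_addresses(addresses):
    """Return a deduplicated, collapsed, sorted list of CIDR strings."""
    by_version = {4: [], 6: []}
    for raw in addresses:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        by_version[net.version].append(net)
    canon = []
    for version in (4, 6):
        # collapse_addresses() merges duplicates and adjacent or overlapping
        # networks and yields them sorted (one IP version per call).
        canon.extend(str(n) for n in ipaddress.collapse_addresses(by_version[version]))
    return canon


def address_list_digest(addresses):
    """SHA-256 (assumed variant) over the canonical list, one CIDR per line."""
    joined = "\n".join(canonical_addresses(addresses))
    return hashlib.sha256(joined.encode("ascii")).hexdigest()


class AddressListTracker:
    """Hypothetical helper: digest last programmed per virtual service."""

    def __init__(self):
        self._programmed = {}

    def needs_update(self, vs_name, addresses):
        return self._programmed.get(vs_name) != address_list_digest(addresses)

    def mark_programmed(self, vs_name, addresses):
        # Record only after the push succeeded, so a failed push is retried
        # instead of being mistaken for "no change".
        self._programmed[vs_name] = address_list_digest(addresses)


# Constructed sample data: the same pods reported differently after a restart.
BEFORE = ["10.0.0.6", "10.0.0.5", "10.0.1.0/25", "10.0.1.128/25"]
AFTER_RESTART = ["10.0.1.0/24", "10.0.0.5/32", "10.0.0.6", "10.0.0.6"]
AFTER_SCALE_UP = AFTER_RESTART + ["10.0.0.7"]
```

Hashing the list as received would report a change on every reordering; canonicalizing first means only a real change in covered addresses produces a new digest.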