
What's New and Release Notes 25.2

What's New and Changed in 25.2.20-VEN

Before upgrading to Illumio Core 25.2.20, familiarize yourself with the new and modified features in this release.

Drop pre-existing open connections not covered by Illumio policy

Warning

Installing VEN release 24.2.30 or later on AIX workloads can result in blocking traffic in your environment that you currently allow. Please read carefully.

Beginning with VEN release 24.2.30, AIX VENs handle pre-existing open connections that are not covered by Illumio policy the same way Windows and Linux VENs do. Consider the following example:

  1. An application in your tenant holds open a long-lived connection (to a database server, for example) that is not covered by an Allow rule in your Illumio policy.

  2. You transition the VEN to Full Enforcement (a strict Allow-list mode).

  3. Analysis:

    • Windows and Linux VENs have always dropped such pre-existing connections when transitioned to Full Enforcement, because no Allow rule permits them.

    • Prior to VEN release 24.2.30, AIX VENs left such pre-existing connections open (even though no rule allowed them) until the application itself closed the connection; only the application's next attempt to connect was blocked by the VEN.

    • Result: with VEN release 24.2.30 and later, AIX VENs drop the existing connection at the transition to Full Enforcement, exactly as Windows and Linux VENs do. This behavior requires IPFilter 5.3.0.5004 or later to be installed on the workload.
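Before moving an AIX workload to Full Enforcement on VEN 24.2.30 or later, it is worth inventorying the established connections that will now be dropped if no Allow rule covers them. The following is an added example, not Illumio's code or tooling: a shell function that parses `netstat -an` output from the workload and lists each established TCP peer with its connection count, so the list can be compared against the policy's Allow rules. The sample output and addresses are constructed, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example (not Illumio tooling). Lists ESTABLISHED TCP peers from
# `netstat -an` output so they can be checked against Illumio Allow rules
# before a workload moves to Full Enforcement. On the workload, run:
#   netstat -an | established_peers
# The sample below is constructed, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.100.51234       ESTABLISHED
tcp4       0      0  10.0.0.5.45678         10.0.0.9.5432          ESTABLISHED
tcp4       0      0  10.0.0.5.45679         10.0.0.9.5432          ESTABLISHED
tcp4       0      0  10.0.0.5.33000         10.0.0.20.8080         TIME_WAIT
udp4       0      0  *.123                  *.*'

# Reads netstat -an text on stdin; prints "<count> <peer-ip>:<peer-port>" for
# every distinct established TCP peer. AIX prints addresses as a.b.c.d.port,
# so the port is everything after the last dot. LISTEN, TIME_WAIT and UDP rows
# are skipped: only ESTABLISHED sockets carry traffic the VEN could drop.
established_peers() {
    awk '$1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            n    = split($5, f, ".")
            port = f[n]
            host = substr($5, 1, length($5) - length(port) - 1)
            count[host ":" port]++
        }
        END { for (k in count) print count[k], k }' | sort -k2
}

# Demo on the constructed sample: prints one line per established peer.
printf '%s\n' "$SAMPLE_NETSTAT" | established_peers
```

Every peer in the output needs an Allow rule covering that port (or a plan to let the application reconnect after the transition); anything not covered is exactly what VEN 24.2.30 and later will drop at the moment Full Enforcement takes effect.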

Illumio IPFilter Update

IPFilter version 5.3.0.5004 removes a mutex, present in 5.3.0.5003, that serialized access to the filter's counter variables. On workloads with many CPU cores, contention for that mutex made the CPU a bottleneck for packet filtering, because every core had to take the lock to update a counter. In IPFilter version 5.3.0.5004, counter variables are instead incremented and decremented with atomic operations such as fetch_and_add, so no lock is held on the packet path.
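To make the change concrete, the following is an added illustration, not IPFilter's or Illumio's code: a counter shared by several threads, updated once under a mutex and once with an atomic fetch-and-add. Both end with the exact same total, which is the point: the atomic version gives the same correctness without any thread ever waiting on a lock. The thread and iteration counts are hypothetical, and GCC's `__atomic_fetch_add` builtin stands in for the AIX `fetch_and_add()` primitive the release note names.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of mutex-protected vs. atomic counters. This is not
 * IPFilter's code; thread and iteration counts are hypothetical. */

#define NTHREADS 8
#define ITERS    100000

static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned long locked_counter = 0;
static unsigned long atomic_counter = 0;

/* Every increment takes and releases the mutex. With many cores updating the
 * same counter, the lock serialises them and becomes the bottleneck. */
static void *mutex_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERS; i++) {
        pthread_mutex_lock(&lock);
        locked_counter++;
        pthread_mutex_unlock(&lock);
    }
    return NULL;
}

/* Same work as a single atomic read-modify-write per increment: the role
 * fetch_and_add() plays on AIX. No thread ever blocks waiting for another.
 * A decrement would use __atomic_fetch_sub in the same way. */
static void *atomic_worker(void *arg)
{
    (void)arg;
    for (int i = 0; i < ITERS; i++)
        __atomic_fetch_add(&atomic_counter, 1UL, __ATOMIC_RELAXED);
    return NULL;
}

/* Resets the counter, runs NTHREADS copies of fn, returns the final value. */
static unsigned long run(void *(*fn)(void *), unsigned long *counter)
{
    pthread_t th[NTHREADS];
    *counter = 0;
    for (int i = 0; i < NTHREADS; i++) {
        if (pthread_create(&th[i], NULL, fn, NULL) != 0) {
            perror("pthread_create");
            exit(1);
        }
    }
    for (int i = 0; i < NTHREADS; i++)
        pthread_join(th[i], NULL);
    return *counter;
}

unsigned long count_with_mutex(void)  { return run(mutex_worker, &locked_counter); }
unsigned long count_with_atomic(void) { return run(atomic_worker, &atomic_counter); }

int main(void)
{
    unsigned long expected = (unsigned long)NTHREADS * ITERS;
    printf("mutex : %lu (expected %lu)\n", count_with_mutex(), expected);
    printf("atomic: %lu (expected %lu)\n", count_with_atomic(), expected);
    return 0;
}
```

Build with `cc -O2 -pthread counters.c`. Timing the two runs on a multi-core host shows the contention the release note describes: the mutex version slows down as cores are added while the atomic version does not, and both still report exactly NTHREADS * ITERS.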