What's New and Release Notes for 26.x

PCE upgrade failed (E-82713)

Upgrading a PCE to release 21.2.3 failed. The failure was reported on data nodes with a NEN installed via the error " PGPASSWORD cannot be included in the command. Please use env_hash to pass it as env variable." This issue is resolved and upgrading to PCE release 21.2.3 now succeeds.

Discovering a load balancer's virtual servers could take 30 minutes or longer (E-80718)

In the previous release, the NEN completed the following operations serially: load balancer policy programming, tamper checking, and virtual server discovery. Programming policy can take up to 30 minutes; therefore, the NEN could take 30 minutes or longer to discover the load balancer's virtual servers (especially, when the NEN performed tamper checking too). This issue is resolved. In this release, the NEN discovers virtual servers in parallel with programming policy and tamper checking. Discovering new virtual servers occurs much faster because the NEN no longer waits for policy programming and tamper checking to finish first.

PCE could mark discovered virtual servers as pending deletion (E-80662, SFDC Issue 15594)

The PCE could mark a discovered virtual server as pending deletion when it wasn't unpaired via the PCE web console or REST API, or removed from the F5. This issue could occur due to the F5 returning unexpected errors during virtual server discovery. When the NEN rediscovered the virtual server in the "Deletion Pending" state, the PCE did not revert that state automatically. This issue is resolved. The PCE no longer marks discovered virtual servers as pending deletion when the NEN encounters unexpected errors from the F5.

Badly formed JSON when reprogramming DVS (E-79438)

JSON was sometimes badly formed due to tampering when DVS was reprogramed.

This issue is resolved.

NEN needs to ignore VS when filtering is disabled (E-78454)

NEN needs to ignore VS when filtering is disabled and when protocol is neither TCP nor UDP.

This issue is resolved and the system is able to discover all VIP's configured on F5.

Increase timeouts on NEN requests (E-78109)

When handling large number of SLBs and VSs it was needed to increase timeouts for NEN requests to PCE for the SLB configuration and policy.

This issue is resolved.

Change in policy order or policy action state on AFM does not trigger tampering (E-77888)

The NEN was not always detecting minor modifications in VS rule values or the change in order of rules within a policy, when programming a policy.

This issue is resolved.

SLB reject rules now support logging (E-77278)

In the previous release, traffic flows for server load balancer (SLB) reject rules ("action":"reject") were not logged by the NEN. In this release, the log option is set ("log":"yes") for SLB reject rules.

NEN didn't propagate rule with updated IP list (E-77038)

When customers provisioned a rule with a new IP list, the virtual server(s) impacted by the rule received the update but it wasn't propagated through the F5 interface to the Advanced Firewall Manager (AFM) cluster. This issue is resolved. Provisioned rules with updates to their IP lists are propagated to the AFM cluster.

Script to back up or duplicate the NEN database can now run when the NEN is part of a Supercluster (E-76952)

In the previous release, you could not run the illumio-nen-db-management script on a NEN that was part of a Supercluster deployment because it required running at runlevel 1. In this release, you can run the illumio-nen-db-management script on a NEN that is part of a Supercluster deployment, because it no longer requires running at runlevel 1 in a Supercluster deployment.

When the NEN is deployed as a standalone NEN primary node, you still must run the illumio-nen-db-management script at runlevel 1.

The Policy Manager process stopped responding and closed (E-76934)

When programming an F5 Application Services 3 (AS3) virtual server that didn't exist, the NEN PolicyMgr process stopped responding and closed. This issue could happen when a virtual server was renamed or deleted on a server load balancer (SLB) before the NEN discovered it by polling the SLB. This issue is resolved. When attempting to program a virtual server that doesn't exist, the NEN no longer stops responding or closes and instead writes a message to the log that it cannot program the missing virtual server.

NEN failed to detect a policy rule change (E-75343)

The NEN did not detect when the F5 UI was used to remove and replace the policy for an AS3 managed VIP. It should have detected that the original policy had been modified. This issue is resolved.

NEN failed to detect enforcement that had been tampered with (E-75342)

The NEN did not detect when the F5 UI was used to tamper with the enforcement state of the policy for an F5 AS3 managed VIP, despite a change that should have been detected. This issue is resolved.

PCE did not display a list of discovered virtual servers (E-75088) An API version mismatch between the PCE and the NEN caused the NEN to discover the presence of virtual servers, but the PCE could not display the list of these virtual servers. This issue is resolved.

PCE was setting 0.0.0.0/32 even when policy existed (E-75028)

When the PCE encountered a rule set with both empty and non-empty IP sets, the PCE replaced the empty sets with the 0.0.0.0/32 entry to make sure nothing matched. The non-empty IP sets were still set to the correct IPs, so no traffic was incorrectly blocked; this was only a display issue. The empty IP sets could be caused when there were not currently any workloads with those labels. This issue is resolved. The PCE now only adds the 0.0.0.0/32 entry if the entire combined IP list for the rule is empty.

NEN updated AFM Policies even when no changes were triggered from PCE (E-74952)

This issue arose only for AS3 managed BIG-IP Advanced Firewall Manager (AFM)s. The NEN would repeatedly create and delete AFM policies, even when no changes were triggered from the PCE. This issue happened because the NEN code used the wrong address list name when comparing policy information during AS3 managed VIP tamper checking. This caused tamper checking to fail and the NEN to reprogram the VIP. This issue is resolved. The NEN now uses the correct format of the address list name for AS3 VIPs.

AFM policy provisioning failure on the NEN-managed VIPs (E-74876)

If VIPs were removed from the NEN DB but not from the PCE DB, when a policy for the unknown VIPs was sent to a NEN it stopped programming policy instead of ignoring the VIP.

This issue is resolved. The code was updated to ignore the VIPs it doesn't know about.

NEN 2.1.0+HF2 was unable to provision policy to both active/standby devices in an AFM pair (E-74515)

When the NEN sent a PATCH command to update the F5 AS3 declare, the F5 returned a 202 response code which was not expected by the NEN. This issue was resolved.

Incomplete removal of VIPs from SLB (E-66278)

When you used the server load balancer (SLB) UI to remove all virtual IP addresses (VIPs) from the SLB, the VIPs were still displayed in the PCE UI. This issue is resolved and the VIPs are not displayed in the PCE web console after being removed.

F5 16.x not supported (E-75470)

Due to a known F5 issue, NEN 2.1.0+H3 does not support F5 16. x.

NEN was unable to provision policy to AFM HA pair (E-73673)

NEN was unable to provision policy written on the PCE to the AFM HA pair even though it could communicate with that pair . This issue was caused due the way in which credential/connectivity information was stored for an HA pair. This issue is resolved and the NEN can successfully provision policies.

NEN was not overriding Illumio policies on AFM when tampered manually (E-72468)

After logging in to AFM, if you selected an AFM policy that was written by Illumio and edited that policy by adding a 'dummy IP', the Illumio ACL did not remove the 'dummy IP'. This issue is resolved and NEN overrides the manually tampered Illumio ACL back to its original state.

NEN was not able to program rules to the AVI controller when IPv6 was present (E-72952)

After setting up AVI integration with the PCE, when you wrote a policy rule that contained virtual servers and managed workloads, the NEN could not program that rule. This issue is resolved and the NEN programs the AVI controller with the correct ACLs.

SLB Tampering checks did not detect errors if the address-list generation number contained a zero (E-72923)

If anything in a rule was changed other than the data group information, then the tampering was not detected if the address list generation value contained a zero. This issue is resolved.

AVI load balancer integration would be in a pending state (E-72704, E-72540)

After integrating an AVI Vantage load balancer with the Illumio Core NEN, the load balancer would remain in the Pending connection state. This issue is resolved.

NEN stopped updating the IPset addresses (E-71650)

A bad heartbeat or config response from the PCE would cause the NEN to clear its config and it never requested the config, because as per the PCE the configured policy had not changed. This issue is resolved and the NEN gets the config as soon as it gets a valid heartbeat response.

AVI load balancer integration in pending state (E-72540)

After integrating an AVI Vantage load balancer with the Illumio Core NEN, the load balancer remains in the Pending connection state. From the PCE web console menu, choose Infrastructure > Load Balancers. The Server Load Balancer page appears. The hourglass icon in the Status column indicates that the load balancer is in the Pending connection state. AVI Vantage load balancers are not supported in this release.