This page applies to Apigee and Apigee hybrid.
View Apigee Edge documentation.
Select one or more of the following to filter this page:
This section lists known issues for Apigee components. For a list of bugs, new features, and other release information, see the release notes.
Issue ID | Affects | Status | Description | ||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
N/A |
Apigee hybrid | OPEN |
Invalid service account can send the UpdateControlPlaneAccess api into a retry loop.
If a user provides an invalid service account to the UpdateControlPlaneAccess api, the operation goes on a retry loop effectively locking the organization from invoking the API until the operation times out. |
||||||||||||||||||||||
N/A |
Apigee hybrid | OPEN |
The apigee-logger component does not support Workload Identity Federation.
|
||||||||||||||||||||||
N/A |
Apigee hybrid | OPEN | Distributed trace in Apigee hybrid is not supported for orgs using data residency. | ||||||||||||||||||||||
N/A |
Apigee | OPEN | Apigee does not support key re-encryption, which means even after rotation, the old key version will still be used and you cannot change the CMEK key after org creation. | ||||||||||||||||||||||
354716994 |
Apigee | OPEN | Apigee does not support Cloud External Key Manager. | ||||||||||||||||||||||
364872027 |
Apigee Apigee hybrid |
OPEN |
PEM parsing error in JWT/JWS policies due to non-standard format
For Apigee and Apigee hybrid versions 1.13 and higher, any deviations in the required PEM format of keys
used in Apigee JWS or JWT policies
may result in a parsing error. For example, placing
any character other an a newline ( To prevent this error, make sure that no characters other than a newline, such as trailing spaces or slashes, immediately precede the post-encapsulation boundary. For more information about the encoding used for public or private keys, see IETF RFC 7468. |
||||||||||||||||||||||
310191899 |
Apigee Apigee hybrid |
OPEN |
Timeouts when deploying API proxies and shared flows
The following endpoints may experience timeouts when used with a high volume of queries per second (QPS):
To reduce the likelihood of timeouts, we recommend a target of three QPS when using these endpoints. |
||||||||||||||||||||||
329304975 |
Apigee | FIXED |
Limit on number of basepaths per environment
Apigee is enforcing a temporary limit of 1000 basepaths per environment to avoid potential failures when deploying API proxy revisions. While this limit is in place, you can deploy up to 1000 API proxy revisions (each containing a single basepath) per environment. If your API proxies or revisions contain more than one basepath, the total number of basepaths per environment must not exceed 1000. |
||||||||||||||||||||||
333791378 |
hybrid 1.12.0 | OPEN |
Cassandra backup and restore features not supported by Helm migration tool
For the steps required to install a patch for the workaround, see Troubleshooting. |
||||||||||||||||||||||
310384001 |
hybrid 1.11.0 | OPEN |
Cert validation failures may return a 502 instead of a 503 error response when users
add the tag <Enforce>true</Enforce> in the target
<SSLInfo> block for default validation of TLS target endpoint
certificates.
|
||||||||||||||||||||||
289583112 |
Apigee | OPEN |
OASValidation policy does not work with global security requirements in OpenAPI specifications
If the OASValidation policy specifies an <OASResource> with security requirements set at a global level, the security requirements are not enforced. Workaround: To ensure enforcement, all security requirements must be set at the operation level
in the OpenAPI specification passed in the |
||||||||||||||||||||||
205666368 |
Apigee hybrid 1.10.2 hybrid 1.10.3 |
FIXED in Apigee 1-10-0-apigee-6 and Hybrid 1.10.3-hotfix.1 |
Apigee hybrid does not validate the target certificate by default.
See About setting TLS options in a target endpoint or target server. |
||||||||||||||||||||||
295929616 |
hybrid 1.10.0 and later | FIXED in hybrid 1.10.3 |
Installing Apigee hybrid 1.10 on OpenShift (OSE) can fail with out-of-memory errors.
Installing or upgrading to Apigee hybrid 1.10.0 through 1.10.2 could fail on OSE due to out-of-memory issues. Fixed in Apigee hybrid version 1.10.3. |
||||||||||||||||||||||
292268968 |
hybrid 1.10.1 | OPEN |
apigee-udca may not honor the http proxy settings.
If the firewall forces all traffic through a forward-proxy, |
||||||||||||||||||||||
269573358 |
Apigee hybrid 1.8.0 and later |
OPEN |
OASValidation policy fails with Unable to parse JSON error.
|
||||||||||||||||||||||
299953958 |
Apigee hybrid 1.8.0 and later |
OPEN |
Deployment Issues with OAS Validation while using circular reference.
Workaround: Use an OpenAPI specification yaml without circular references. |
||||||||||||||||||||||
289254725 |
Apigee Apigee 1-10-0-apigee-3 hybrid 1.8.8 hybrid 1.9.3 |
FIXED in Apigee 1-10-0-apigee-5 OPEN in hybrid |
Proxy deployments that include the OASValidation policy may fail.
Proxy deployments that include the OASValidation policy may fail if:
|
||||||||||||||||||||||
284500460 |
Apigee Apigee 1-10-0-apigee-1 |
FIXED |
Increase in latency for Message Logging policy when used with Cloud Logging.
To avoid increasing latency in responses to the client, the Message Logging policy should be attached to the PostClientFlow. For more information on using policies in PostClientFlows, see Controlling API proxies with flows. |
||||||||||||||||||||||
282997216 |
hybrid 1.8.0 and later hybrid 1.9.0 and later |
OPEN |
Special characters not allowed in Cassandra Jolokia password
Use only alphanumeric characters for the Cassandra Jolokia password. Using special characters (including but not limited to "!", "@", "#", "$", "%", "^", "&", & "*") can cause Cassandra startup to fail. |
271415351 |
Apigee | OPEN |
Avoid concurrent API proxy or SharedFlow deployments
Concurrent deployment requests for a SharedFlow or API proxy can result in an inconsistent state in the Management Server where multiple revisions are shown as deployed. This can happen, for example, when concurrent runs of a CI/CD deployment pipeline occur using different revisions. To avoid this problem, avoid deploying API proxies or SharedFlows before the current deployment is complete. |
||||||||||||||||||
271689008 |
hybrid 1.9.0 and later | OPEN |
cert-manager pods on OpenShift version 4.7 to 4.10 do not start
as expected
With cert-manager v1.10.1 on OpenShift versions 4.7 to 4.10, the cert-manager pods do not start as expected. To resolve the problem, modify the security config constraint as described in the cert-manager 1.10 release notes. |
||||||||||||||||||||||
270371160 |
hybrid 1.9.0 and later | FIXED | Apigee Ingress gateway supports TLS1.2+ protocol/ciphers only
Apigee Ingress gateway only supports TLS1.2+, and not earlier versions of TLS. |
||||||||||||||||||||||
269139342 |
hybrid 1.7.0 and later | OPEN | apigeectl getOrg does not follow
HTTP_PROXY settings in overrides.yaml
Apigee organization validation does not follow HTTP Forward proxy
rules set in |
||||||||||||||||||||||
266452840 |
Apigee hybrid 1.7.0 and later hybrid 1.8.0 and later hybrid 1.9.0 and later |
OPEN | Web sockets not working with Anthos Service Mesh 1.15.3 in
Apigee X and Apigee Hybrid
In certain circumstances, web sockets are not working for
Apigee X and Apigee Hybrid when using Anthos Service Mesh
|
||||||||||||||||||||||
242213234 |
Apigee | OPEN |
API product fails to load with a "no connections available"
error
This error might be returned when attempting to load API products: "Products were not loaded successfully. Error: no connections available from the Apigee connect agent(s)."
The problem occurs
after enabling VPC service control in the Google Cloud project and adding
Workaround: Manually create an egress rule, such as the following: -egressTo: operations: -serviceName: "iamcredentials.googleapis.com" methodSelectors: -method: resources: -projects/608305225983 egressFrom: identityType: ANY_IDENTITY |
||||||||||||||||||||||
247540503 |
hybrid 1.7.0 and later hybrid 1.8.0 and later |
OPEN |
A race condition with encryption key lookup can cause KVM
lookup failures.
In certain circumstances at very high throughput a race condition with encryption key lookup can cause KVM lookup failures. |
||||||||||||||||||||||
258699204 |
hybrid 1.8.0 and later | OPEN |
The default memory requests and limits for metrics pods have
inadvertently changed in 1.8.x.
If you see problems with the apigee-telemetry-app or
apigee-telemetry-proxy pods not running, change the
Apply the changes with apigeectl apply --telemetry -f overrides.yaml |
||||||||||||||||||||||
260324159 |
Apigee 1-9-0-apigee-16 | OPEN |
API proxy and shared flow deployments taking up to 30 minutes.
API proxies and shared flows could take around 20 to 30 minutes to deploy in the runtime plane in certain circumstances due to a 'socket closed' error in synchronizer. |
||||||||||||||||||||||
254505866 |
API hub | FIXED |
New regions cause provisioning failure
Provisioning API hub using the UI fails if you select a region other than the following:
|
||||||||||||||||||||||
251897633 |
Documentation | OPEN |
Apigee hybrid version selector
The Apigee hybrid version selector works only if you select or click directly on the text. |
||||||||||||||||||||||
250875730 |
All | OPEN |
The message "Precondition check failed" is displayed in the
audit log.
This is expected to occur every minute and does not affect your billing cost. |
||||||||||||||||||||||
260772383 |
hybrid 1.8.0 and later | OPEN |
Socket bind error on the AKS platform
If installing hybrid on AKS, you may see this error:
ingressGateways: See Configure the hybrid runtime. See also Use an internal load balancer with AKS. |
||||||||||||||||||||||
241786534 |
hybrid 1.8.0 and later | OPEN |
MART sometimes unable to connect to FluentD.
When using Org-scoped UDCA, MART is sometimes unable to connect
to FluentD. Org-scoped UDCA is the default in Apigee hybrid
version 1.8. See
|
||||||||||||||||||||||
N/A | hybrid 1.6.0 and later | OPEN |
apigee-logger not working on Anthos BareMetal with
CentOS or RHEL.
After migration of |
||||||||||||||||||||||
231758700 |
hybrid 1.5.0 and later | OPEN |
Apigee Hybrid Dockerhub customers unable to pull images with
Docker Content Trust enabled.
Users are encountering the following error when pulling
images for Apigee Hybrid from Docker Hub:
Workaround If you encounter this error, you can use one of the two following workarounds:
|
||||||||||||||||||||||
207762842 | hybrid 1.5.0 and later | OPEN |
Logs not shipped to Cloud Logging by apigee-logger.
Current |
||||||||||||||||||||||
203827738 | Archive deployments | OPEN |
Configurable API proxy without operations fails.
Proxies that do not contain operations, or contain operations
without HTTP matches, will return a |
||||||||||||||||||||||
201429104 | Apigee | OPEN |
Wildcard in proxy basepath results in incorrect request path.
Usage of a wildcard ( To prevent incorrect request path forwarding, avoid using
|
||||||||||||||||||||||
191291501, 191000617 | Apigee | OPEN | Changing the email address of a developer entity will fail in the UI. | ||||||||||||||||||||||
191002224 | hybrid 1.5.0 and later | OPEN |
Changing an email address fails while using the
PUT /organizations/{org_name}/developers/{developer_email}
API.
|
||||||||||||||||||||||
184555974 | hybrid 1.5.0 and later | OPEN | The apigee-logger Fluentd can't parse logs in the OpenShift cluster. | ||||||||||||||||||||||
N/A | Archive deployments | OPEN |
Managing and debugging Apigee archive deployments in the UI is
not supported
In the Apigee UI, you cannot view, confirm deployment status, or manage your archive deployments, as described Deploying an API proxy, or use the Debug UI as described in Using Debug. As a workaround, you can use gcloud or the API to List all archive deployments in an environment and use the Debug API. |
||||||||||||||||||||||
N/A | Archive deployments | OPEN |
Rolling back an archive deployment is not supported
Rolling back an archive deployment is not currently supported. To remove a version of an archive deployment you need to either redeploy a previous version of an archive or delete the environment. |
||||||||||||||||||||||
N/A | Apigee in VS Code | OPEN |
Google Authentication in policies is not supported in Apigee in
Visual Studio Code (VS Code)
Google authentication in ServiceCallout and ExternalCallout policies, as described in Using Google Authentication, is not supported in Apigee in VS Code. |
||||||||||||||||||||||
146222881 | hybrid 1.3.0 and later | OPEN |
Invalid HTTP Header error
Invalid HTTP Header error: The Istio ingress switches all incoming target responses to the HTTP2 protocol. Because the hybrid message processor only supports HTTP1, you may see the following error when an API proxy is called:
If you see this error, you can take either of the following actions to correct the problem:
|
||||||||||||||||||||||
N/A | Integrated portal | OPEN |
SmartDocs
|
||||||||||||||||||||||
N/A | Integrated portal | OPEN |
Portal admin
|
||||||||||||||||||||||
N/A | Integrated portal | OPEN |
Portal features
Search will be integrated into the integrated portal in a future release. |
||||||||||||||||||||||
N/A | Integrated portal | OPEN |
SAML identity provider
Single logout (SLO) with the SAML identity provider is not supported for custom domains. To enable a custom domain with a SAML identity provider, leave the Sign-out URL field blank when you configure SAML settings. |
||||||||||||||||||||||
191815997 | hybrid 1.6.0 and later | OPEN |
If a hybrid customer configures a forward proxy for the API
proxy, Google token will not work unless it has direct access
to *.googleapis.com .
|
||||||||||||||||||||||
N/A | Apigee | FIXED in Apigee 1-12-0-apigee-2 and hybrid 1.12.0 |
API Monitoring and Cloud Monitoring show abnormal spikes
Affected Metrics:
New metrics You can use the new metrics to avoid this issue.
For Apigee hybrid, see: Metrics collection overview and View metrics. |
||||||||||||||||||||||
203778087 | hybrid 1.5.3 and later | OPEN |
apigee-stackdriver-logging-agent currently runs
as root.
Workaround: Disable the logging agent on hybrid. |
||||||||||||||||||||||
205629443 | Apigee | OPEN |
If ServiceCallout is fire and forget (no
<Response> tag), a race condition can occur if
there is another policy that occurs after it.
Workaround: To maintain the fire and forget behavior:
|
||||||||||||||||||||||
207719377 | Apigee | FIXED in Apigee 1-11-0-apigee-1 |
If there is more than one SpikeArrest policy in a bundle,
502 errors will occur.
Workaround: Avoid using more than one SpikeArrest policy in the proxy to prevent the issue. |
||||||||||||||||||||||
209097822 | hybrid 1.5.0 and later Apigee |
OPEN |
Dynamic updates to rate in spike arrest may not reflect
immediately
For a particular key, if there is continuous traffic, the key may not be rate limited at the updated rate. If there is five minutes of no traffic for a particular key, the rate will be reflected. Workaround: Redeploy the proxy with a new reference variable if the rate has to take effect immediately. Or use two conditional spike arrests with different flow variables to adjust the rate. |
||||||||||||||||||||||
221305498 | Apigee | OPEN |
API Monitoring may display fault code of '(not set)'.
API Monitoring of Configurable API Proxies may display a fault code of '(not set)' for responses with a non-2xx status from the target. |
||||||||||||||||||||||
246774745 | Apigee | FIXED |
Value of io.timeout.millis is not honored when
used with multiple dynamic targets.
If a proxy sets two or more |
||||||||||||||||||||||
245664917 | hybrid 1.8.x | OPEN |
Apigee hybrid upgrade error can be ignored
During upgrade to Apigee hybrid 1.8.x, after running
|
||||||||||||||||||||||
300660653 | Apigee | OPEN |
An error should be, but is not, returned when deploying proxies with the same path to multiple environments
that are attached to the same instance and environment group
Deploying proxies with the same path to multiple environments that are attached to
the same instance and environment group is not allowed and should return a warning message
about a base path conflict. Instead, no error is shown and the deployments appear to
succeed. |
||||||||||||||||||||||
301458133 | Apigee | OPEN |
Some proxy deployment attempts return an error that the revision is immutable
When attempting to save a previously deployed proxy, the deployment might fail with
an error stating that the revision is immutable. |
||||||||||||||||||||||
301845257 | Apigee | FIXED | Attempting to deploy more than 800 proxies to an environment group fails with an error. The limit on which an error is returned is lower than 800 when the basepaths are longer than 15 characters. | ||||||||||||||||||||||
N/A | Apigee 1-9-0-apigee-23 | OPEN |
TLS version upgrade required for clients experiencing
Unsupported protocol errors
Updates to the default set of ciphers supported by Apigee
servers to enhance security may result in
|
||||||||||||||||||||||
315874988 | Apigee | OPEN |
With gRPC proxy requests,
gRPC trailers are removed from the response
When a call is made to a gRPC Target Server, the only trailer that's returned is the "grpc-status" trailer. All other trailers are removed from the response. |
||||||||||||||||||||||
341157011 | Apigee | OPEN |
Specs generated with Gemini Code Assist in Cloud Code that also include
non-ASCII UTF-8 characters are not parsed correctly when uploaded to API hub. As a result API hub won't extract operations, definitions, and other metadata correctly. |
||||||||||||||||||||||
338285095 | Apigee | FIXED |
Apps associated with an AppGroup do not appear in the Apps list in the
Apigee UI in Cloud console. As a result, users cannot access the app's App Detail
page in the console. Using search in the console with a partial app name or API key
search for the app is not supported until this issue is resolved. Apigee hybrid organizations are not impacted by this problem, as they use the Classic UI to view the app details. Partial workaround: A list of all apps is available using the APIs. See organizations.apps.list. |
||||||||||||||||||||||
355714868 | Monetization Apigee hybrid |
OPEN |
Recurring, setup, and top-up fee data not captured or billed for
hybrid organizations For hybrid organizations with monetization, the recurring (RECURRING_FEE), setup fee (SETUP_FEE) and top-up fee (TOPUP_FEE) data is not captured or billed for post-paid billing. For pre-paid billing, the wallet deduction occurs for these fees but is not reported. |