Windows VSA Client Upgrade Required When Running VOS 22.1.4-B (Build ≥ Nov 2025) or Later | EIP caching enhancement

Advisory: Windows VSA Client Upgrade Required When Running Gateway 22.1.4 (Build ≥ Nov 2025) or Later

Affected Versions:

  - VSA Client: Windows 7.9.x and earlier

  - SASE Gateway VOS: 22.1.4-B builds dated November 2025 or later

Issue Summary:

A gateway-side optimization introduced in VOS 22.1.4-B (PR 133364) correctly removes the EIP posture cache when a VPN session disconnects, resolving a memory exhaustion condition on SASE gateways under load. However, Windows VSA clients running version 7.9.x have a known defect (PR 139747) where EIP posture is not re-submitted during fast reconnection using saved tunnel credentials ("Connect on Discover" flow). When these two components are combined, users who reconnect to a gateway within the token-expiry window will have no current endpoint posture registered, which may affect policy enforcement.

Impact:

  - EIP-based access policies may not be enforced correctly for users on VSA Client 7.9.x reconnecting to updated gateways.

  - No impact to initial connections or full reauthentication flows.

  - No impact to VSA clients on macOS or Linux.

Resolution:

  Upgrade all Windows VSA clients to version 7.10.1 or later. This release corrects the EIP posture submission sequence for all connection paths, including fast reconnect with saved tunnel credentials.

  No gateway-side workaround is available. Downgrading the gateway VOS image is not recommended, as the memory fix (PR 133364) addresses a production-critical stability issue.

References: PR 139747, PR 133364