After upgrading to VMware Aria Automation 8.18.1, users encounter an HTTP 421 Misdirected Request error when attempting to log into multiple tenants consecutively.

Typically, the first tenant login is successful.
However, when the user navigates to a second tenant URL, the browser or API client fails to load the page.

This issue is also observed within the product UI where the VMware Aria Automation Orchestrator integration is unable to access locked resources, resulting in the following error:

HTTP 421 Misdirected Request - server2.example.com is not capable of providing a response.

Aria Automation 8.18.1 (and subsequent Patches) which is using multi-organization tenant configurations.

The issue is caused by the transition of the Ingress controller in version 8.18.1 from Traefik to Envoy/Contour.

In high-performance environments using NSX Advanced Load Balancer (Avi) with "Connection Multiplexing" enabled, the following conflict occurs:

- Connection Coalescing: Modern browsers attempt to reuse an existing HTTP/2 connection for multiple hostnames (tenants) if they resolve to the same IP and share a TLS certificate.

- Strict SNI Validation: Unlike previous versions, the Envoy proxy in 8.18.1 performs strict Server Name Indication (SNI) validation. It compares the SNI from the initial TLS handshake against the Host header of the incoming request.

- Mismatch: When a coalesced connection established for tenant1.example.com is used to send a request for tenant2.example.com, Envoy detects the mismatch and returns a 421 Misdirected Request status code per RFC 7540 (HTTP/2).

To resolve this issue, you must disable Connection Multiplexing on the Load Balancer to ensure each tenant request maintains a unique, validated connection.

1. Log in to the NSX Advanced Load Balancer (Avi) administration console.
2. Navigate to Applications > Virtual Services.
3. Locate and edit the Virtual Service configured for your VMware Aria Automation environment.
4. Go to the Profiles section and click the edit icon for the Application Profile (usually a System-HTTP or custom HTTP profile).
5. In the General tab, locate the Connection Multiplexing setting.
6. Uncheck/Disable the Connection Multiplexing checkbox.
7. Click Save on the Profile and then Save on the Virtual Service.

Once disabled, the Load Balancer will no longer attempt to pool and reuse connections in a way that conflicts with Envoy's SNI validation, allowing seamless access across all tenants.

For the reasons outlined above, Connection Multiplexing is not supported for use with multi-organization tenant configurations for Aria Automation 8.18.1.