diff --git a/internal/controller/reconcile-networking.go b/internal/controller/reconcile-networking.go
index e0a868ea..b4135076 100644
--- a/internal/controller/reconcile-networking.go
+++ b/internal/controller/reconcile-networking.go
@@ -264,49 +264,46 @@ func (c *Controller) getUpdatedTenantVirtualServiceObject(cat *v1alpha1.CAPTenan
 }
 
 func (c *Controller) getVirtualServiceHttpRoutes(cat *v1alpha1.CAPTenant, currentCavName string, headers *networkingv1.Headers) ([]*networkingv1.HTTPRoute, error) {
-	var (
-		httpRoutes []*networkingv1.HTTPRoute
-		prevCav    *v1alpha1.CAPApplicationVersion
-		prevDest   *networkingv1.Destination
-		err        error
-	)
-
-	// Lookup previous CAV (if any)
-	if len(cat.Status.PreviousCAPApplicationVersions) > 0 {
-		prevCavName := cat.Status.PreviousCAPApplicationVersions[len(cat.Status.PreviousCAPApplicationVersions)-1]
-		prevCav, err = c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Lister().CAPApplicationVersions(cat.Namespace).Get(prevCavName)
+	type prevCavInfo struct {
+		cav  *v1alpha1.CAPApplicationVersion
+		dest *networkingv1.Destination
+	}
 
-		if err == nil { // only if found
-			if prevDest, err = c.getVirtualServiceHttpRouteDestination(prevCavName, cat.Namespace); err != nil {
-				return nil, err
-			}
-		} else if !errors.IsNotFound(err) {
-			return nil, err
+	// Get all previous CAVs (skip any that are missing or have no router port info)
+	var prevCavs []prevCavInfo
+	for _, prevCavName := range cat.Status.PreviousCAPApplicationVersions {
+		prevCav, err := c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Lister().CAPApplicationVersions(cat.Namespace).Get(prevCavName)
+		if err != nil {
+			continue
+		}
+		prevDest, err := c.getVirtualServiceHttpRouteDestination(prevCavName, cat.Namespace)
+		if err != nil {
+			continue
 		}
+		prevCavs = append(prevCavs, prevCavInfo{cav: prevCav, dest: prevDest})
 	}
 
-	// Lookup current CAV destination
+	// Lookup current CAV destination and object
 	currentDest, err := c.getVirtualServiceHttpRouteDestination(currentCavName, cat.Namespace)
 	if err != nil {
 		return nil, err
 	}
-
-	// Retrieve current CAV for logout endpointannotations
 	currentCav, err := c.crdInformerFactory.Sme().V1alpha1().CAPApplicationVersions().Lister().CAPApplicationVersions(cat.Namespace).Get(currentCavName)
 	if err != nil {
 		return nil, err
 	}
 
-	// --- Add routes ---
-	// Logoff/logout routes
-	if prevDest != nil {
-		httpRoutes = append(httpRoutes, buildVirtualServiceLogOffHttpRoute(prevCav.Name, prevCav.Annotations[AnnotationLogoutEndpoint], prevDest, headers))
+	var httpRoutes []*networkingv1.HTTPRoute
+
+	// Logoff routes: all prev CAVs, then current
+	for _, p := range prevCavs {
+		httpRoutes = append(httpRoutes, buildVirtualServiceLogOffHttpRoute(p.cav.Name, p.cav.Annotations[AnnotationLogoutEndpoint], p.dest, headers))
 	}
 	httpRoutes = append(httpRoutes, buildVirtualServiceLogOffHttpRoute(currentCavName, currentCav.Annotations[AnnotationLogoutEndpoint], currentDest, headers))
 
-	// Cookie routes
-	if prevDest != nil {
-		httpRoutes = append(httpRoutes, buildVirtualServiceCookieHttpRoute(prevCav.Name, prevDest))
+	// Cookie routes: all prev CAVs, then current
+	for _, p := range prevCavs {
+		httpRoutes = append(httpRoutes, buildVirtualServiceCookieHttpRoute(p.cav.Name, p.dest))
 	}
 	httpRoutes = append(httpRoutes, buildVirtualServiceCookieHttpRoute(currentCavName, currentDest))
 
diff --git a/internal/controller/testdata/captenant/cat-with-session-affinity-dr-vs-upgrade-to-cav-v3.expected.yaml b/internal/controller/testdata/captenant/cat-with-session-affinity-dr-vs-upgrade-to-cav-v3.expected.yaml
index 31e2106c..821b491a 100644
--- a/internal/controller/testdata/captenant/cat-with-session-affinity-dr-vs-upgrade-to-cav-v3.expected.yaml
+++ b/internal/controller/testdata/captenant/cat-with-session-affinity-dr-vs-upgrade-to-cav-v3.expected.yaml
@@ -46,7 +46,7 @@ apiVersion: networking.istio.io/v1
 kind: VirtualService
 metadata:
   annotations:
-    sme.sap.com/resource-hash: 4ffc680079e1711f962e91fc30cde7cf23e9d6ab260a0ed69de693f0ac2043ea
+    sme.sap.com/resource-hash: 014a26b701fbda31e6fee65adbcc0ff2b580568ef6b9835f847e2dac3e8975f3
     sme.sap.com/owner-identifier: default.test-cap-01-provider
   labels:
     sme.sap.com/owner-generation: "2"
@@ -68,6 +68,22 @@ spec:
     - my-provider.app-domain.test.local
     - my-provider.foo.bar.local
   http:
+  - headers:
+      response:
+        set:
+          Set-Cookie: CAPOP_CAV=test-cap-01-cav-v1;Path=/;HttpOnly;Secure;Max-Age=0
+    match:
+    - headers:
+        Cookie:
+          regex: (^|.*; )CAPOP_CAV=test-cap-01-cav-v1($|; .*)
+      uri:
+        regex: ^|.*(logout|logoff).*
+    route:
+    - destination:
+        host: test-cap-01-cav-v1-app-router-svc.default.svc.cluster.local
+        port:
+          number: 5000
+      weight: 100
   - headers:
       response:
         set:
@@ -100,6 +116,16 @@ spec:
         port:
           number: 5000
       weight: 100
+  - match:
+    - headers:
+        Cookie:
+          regex: (^|.*; )CAPOP_CAV=test-cap-01-cav-v1($|; .*)
+    route:
+    - destination:
+        host: test-cap-01-cav-v1-app-router-svc.default.svc.cluster.local
+        port:
+          number: 5000
+      weight: 100
   - match:
     - headers:
         Cookie: