Known Issues in Panorama Plugin for GCP 2.0.0
Table of Contents
Expand all | Collapse all
-
-
-
-
- Features Introduced in Zero Touch Provisioning 2.0
- Known Issues in the Zero Touch Provisioning 2.0.4 Release
- Known Issues in the Zero Touch Provisioning 2.0.3 Release
- Known Issues in the Zero Touch Provisioning 2.0.2 Release
- Known Issues in the Zero Touch Provisioning 2.0.1 Release
- Known Issues in the Zero Touch Provisioning 2.0.0 Release
- Limitations
-
-
Known Issues in Panorama Plugin for GCP 2.0.0
The following list describes known issues
in the Panorama plugin for GCP 2.0.0.
PAN-141703
When a Panorama plugin for GCP upgrade
is not supported, Panorama does not block the upgrade.
is a related issue.
PAN-141701
If you try to install the Panorama plugin for GCP version
2.0.0 on a Panorama version that is earlier than the stated minimum
in the Compatibility Matrix for Panorana
Plugins for Public Clouds, the error Package is not found displays
because your Panorama version does not support GCP plugin v2.0.0.
PLUG-3882 is a related issue.
PAN-137615
On the Panorama management server, scheduled
content updates for managed VM-Series firewalls cause commit failures
if the scheduled action is Download Only.
Workaround: From PanoramaDevice DeploymentDynamic UpdatesSchedules, set the scheduled
action to Download and Install.
PAN-135489
The static route name field name cannot
exceed 31 characters. This implies that the cluster name cannot
exceed 24 characters if the cluster is deployed in a peered VPC
configuration.
PLUG-3465 is a related issue.
PAN-134171
If VM-Series firewalls from an auto scaling
deployment are newly added to Panorama, and you view PanoramaManaged DevicesSummary, the Template column
status displays “Out of Sync” or is blank for a brief period of
time, before it updates to "In Sync". This delay is due to a limitation
in the Panorama server.
The experience is different when you onboard a
new application or a GKE service. If onboarding triggers a successful
commit, and you view PanoramaManaged DevicesSummary, the Template status
column displays "In Sync".
PAN-133081
When you uninstall the Panorama plugin for GCP, the
syslog description does not supply the Panorama plugin version.
PAN-131114
If you have a Panorama HA configuration
where the Panorama Plugin for GCP v2.0 is installed and you delete
the primary-passive Panorama, you see the following message:
Please delete plugin user and commit before uninstalling plugin gcp (running)
This infrequently occurs when the secondary is active and you
delete the configuration, commit, and then sync the configuration.
If you see the above error message, delete the plugin from the passive Panorama
and commit—this deletes the stale GCP user configuration, and you
can then uninstall the plugin.
For the related plugin issue, see PLUG-3067.
PAN-129356
On rare occasions, Panorama management
server crashes and restarts when you add a device.
PAN-124575
Do not manually stop or start VMs that
are a member of a GCP managed instance group (MIG). As described
in Instance Groups, the instance
group handles high availability, load balancing, auto scaling, autohealing,
and more.
If you manually stop a VM-Series firewall that is member of a
MIG, the firewall’s UUID is not released (this is the expected behavior
in GCP). When a replacement VM-Series firewall restarts, it retains
the UUID of the firewall you stopped. This causes a licensing error
because Panorama cannot apply a license to the replacement if the
UUID is still in use.
PLUG-3882
The minimum Panorama version to support
Panorama plugin for GCP version 2.0.0 is version 9.0.4, as noted
in the Compatibility Matrix for Panorama
Plugins for Public Clouds.
If you try to install the Panorama plugin for
GCP version 2.0.0 on a Panorama version that is earlier than the
stated minimum version, the error Package is not found displays
because your current Panorama version does not support GCP plugin
v2.0.0.
PLUG-3748
UDP GKE service or a VM-based application
service with a UDP network load balancer is not supported in this
release.
PLUG-3747
If you need to change a cluster name,
change it before you commit. If you change a cluster name after
you commit, you do not see the effect until two polling intervals have
passed.
Workaround: Delete the cluster from Panorama,
commit and poll services, then add the correct cluster name and
commit and poll services.
PLUG-3465
The length of a static route name cannot
exceed 31 characters. Consequently, if you are using a Peered VPC
configuration to deploy secure auto scaling for a GKE cluster service,
your cluster name cannot exceed 24 chars in length.
PLUG-3396
Do not add the Untrust and Trust network interfaces
to different virtual routers. If you do, you see an error saying
the static route has failed.
When you configure the plugin to secure
your auto scaling deployment create a template and template
stack. Add a virtual router to your network. Return to the template
and add a Layer 3 ethernet interface: select a slot and an interface
name for the Untrust security zone, and enable it to create a default
route to the default gateway. To the same slot, add a an interface
for the Trust security zone and enable it to create a default route.
In the virtual router, define virtual router settings for the Trust
and Untrust network interfaces you have defined.
PLUG-3137
You cannot upgrade from version 1.0.0 to version 2.0.0.
You must remove the Panorama plugin for GCP version 1.0.0 installation
before you attempt to install the Panorama plugin for GCP version
2.0.0.
If you do not remove version 1.0.0, version 2.0.0 consumes the
1.0.0 configuration, which is incompatible.
PLUG-3067
If a stale configuration exists on the
primary-passive Panorama, you see the following message, but you
cannot delete the Panorama plugin for GCP:
Please delete plugin user and commit before uninstalling plugin gcp (running)
This issue occurs infrequently when you delete
an active configuration that includes the Panorama plugin for GCP.
If you see the above error message, delete the plugin from the passive Panorama
and commit—this deletes the stale GCP user configuration, and you
can then uninstall the plugin.
For the related Panorama issue, see PAN-131114.
PLUG-2716
The Panorama web interface does not display
an error message if a monitoring definition fails to retrieve tags
or IP addresses.
Workaround: From the command line interface
use the following command to view error messages or view your VM
Monitoring status:
show plugins gcp vm-mon-status
PLUG-2650
Panorama web user interface should not
permit users to create multiple monitoring definitions for the same
GCP project. Only one monitoring definition per project is supported.
PLUG-2618
You must use the GCP console to create
a GCP Service account for VM Monitoring, and save the credentials
to a JSON file. The Panorama plugin for GCP setup web interface
adds the JSON file during the configuration.
PLUG-2589
The pre-defined tag os-sku is not supported
for instances created from custom images.
PLUG-2499
Because your Panorama can have plugin
installations for many public or private clouds, it is up to you
to create Device Groups and notify groups that do not conflict with
other plugin configurations. For example, if you add the same Device
Group to a notify group in the Panorama plugin for AWS and the Panorama
plugin for GCP, the tags learned by one plugin can be overwritten
by another.
PLUG-2380
Upgrade from Panorama plugin for GCP
version 1.0.0 to version 2.0.0 is not supported, but the user is
not notified or restricted.