: Known Issues in the SD-WAN Plugin 1.0 Releases
Focus
Focus

Known Issues in the SD-WAN Plugin 1.0 Releases

Table of Contents

Known Issues in the SD-WAN Plugin 1.0 Releases

List of known issues in all SD-WAN 1.0 releases.
The following list includes all known issues that impact an SD-WAN 1.0 release. This list includes both outstanding issues and issues that are addressed, as well as known issues that apply more generally or that are not identified by a specific issue ID. Refer to the PAN-OS Release Notes for additional known issues affecting the SD-WAN 1.0 plugin.

PAN-220919

Description of PAN-220919.
Auto VPN creates a virtual SD-WAN interface named sdwan.901 for direct internet access (DIA) and creates a virtual SD-WAN interface named sdwan.9xx for VPN tunnels. When you enable Auto VPN, the SD-WAN plugin creates the SD-WAN interfaces automatically. Hence, it's not necessary for you to create SD-WAN interfaces manually. The SaaS quality profile works only with one DIA interface that is sdwan.901.
Auto VPN also creates its own default route that uses the sdwan.901 interface as its egress interface and uses a low metric of 5, so that the sdwan.901 interface is preferred over the default route you created.
There might be scenarios where you want to create an SD-WAN interface manually (other than what the SD-WAN plugin creates automatically) like the following:
  • Configuring SD-WAN direct internet access (DIA) links only and no VPN connections between the hub and branch locations
  • (Not recommended) Deploying SD-WAN manually between SD-WAN sites without Panorama management server
In such cases, you must configure the manually created SD-WAN interface outside of the SDWAN.9xx range containing a route with a metric higher than the default value.

PAN-215897

Description of PAN-215897.
In a Panorama high availability (HA) deployment, the SD-WAN interface goes down and all the tunnel interfaces disappear from the NetworkIPSec Tunnels tab when you push the configuration changes from the secondary Panorama.
Workaround: If you have set up a HA pair in Panorama, don't push the configuration from the secondary Panorama when the primary Panorama is active. Always push the configuration changes from the primary Panorama when it's active.

PAN-190173

Pre-shared keys are not synchronized across the Panorama management servers in a high availability (HA) configuration, leading to tunnel flaps during an HA failover when you Push to Devices (CommitPush to Devices or CommitCommit and Push).
This issue is addressed in SD-WAN plugin 2.2.3 and 3.1.0-h6.

PAN-158465

On the Panorama management server running PAN-OS 10.0.3 or later PAN-OS 10.0 release, reverting or loading a Panorama configuration (PanoramaSetupOperations) that impacts the template stack configuration containing the SD-WAN interface (NetworkInterfacesSD-WAN) erroneously removes the Security Zone from the SD-WAN interface configuration resulting in a commit failure.

PLUG-11223

Description of PLUG-11223.
In a high availability (HA) deployment, the SD-WAN tunnel will go down due to a key ID mismatch when the following events occur in sequence:
  • An HA failover
  • The SD-WAN plugin cache removes the current HA pair relation from the database when debug plugins sd_wan drop-config-cache all command is executed
  • A commit and push fails on either the hub or a branch active node
In certain scenarios, replacing one of the HA devices during the RMA process can cause the SD-WAN tunnel to go down due to a key ID mismatch. For more details, refer to Replace an SD-WAN Device.
Workaround: Resolve the Key ID mismatch by ensuring that the Peer Identification of the hub firewall matches with the Local Identification of the branch firewall and the Local Identification of the hub firewall matches with the Peer Identification of the branch firewall.
  1. Log in to the hub or a branch firewall where the SD-WAN tunnel is down due to Key ID mismatch and select NetworkNetwork ProfilesIKE Gateways.
  2. Select the IKE gateway of the hub firewall and click Override at the bottom of the screen.
  3. Copy the Local Identification value from the hub firewall to the Peer Identification value in the branch firewall.
  4. Copy the Peer Identification value from the hub firewall to the Local Identification value in the branch firewall.
  5. Click OK and Commit your changes.
This issue is addressed in SD-WAN plugin 2.2.5 , 2.2.7, 3.0.8, 3.1.3 , 3.2.1, 3.2.2 , 3.3.0, and 3.3.2.
After this fix, the key ID may change after the Panorama commit. Therefore, you must ensure to commit and push to all the devices in the VPN cluster or clusters.

PLUG-9421

The Panorama plugin for SD-WAN is unable to recognize when the master key (PanoramaMaster Key and Diagnostics) is updated on the Panorama management server.
Workaround: Select Commit and Commit and Push to your managed firewalls leveraging SD-WAN after updating the master key on Panorama.
This issue is addressed in PAN-OS 10.2.1-h1 and SD-WAN plugin 2.2.1.

PLUG-8189

This issue is resolved in SD-WAN Plugin version 1.0.6.
Fixed an SD-WAN Plugin issue where Panorama was unnecessarily allotting IP addresses for IPSec tunnels between an MPLS and non-MPLS interface, which cannot use an IPSec tunnel.

PLUG-7598

This is resolved in SD-WAN version 2.1.1.
A SD-WAN Interface Profile (NetworkSD-WAN Interface Profile) configured with a Microwave/Radio Link or Other Type of Link as the Link Type do not function as a Peer-to-Peer link.

PLUG-6118

This issue is resolved in SD-WAN versions 1.0.6 and 2.0.1 plugin.
Fixed an issue where an interface placed in a predefined zone was removed by the SD-WAN plugin after a commit to the firewall.

PLUG-4189

On the Panorama management server, upgrading the SD-WAN plugin from versions 1.0.0 or 1.0.1 causes commits to fail.
Workaround: Purge the existing IP subnet cache after upgrading the SD-WAN plugin from version 1.0.0 or 1.0.1.
  1. If you are already logged in to the Panorama CLI, log out and log back in to the Panorama CLI.
  2. Issue the following command:
    admin> debug plugins sd_wan drop-config-cache-ip-addresses
  3. In the Panorama web interface, select PanoramaSD-WANVPN ClustersVPN Address Pool and Add the appropriate VPN pool addresses.
  4. Commit your changes.

PLUG-3343

The SD-WAN plugin fails to display any of the monitoring for a site and cluster with a space in the name.
Workaround: Remove the space from the name and Commit.

PAN-146485

(PAN-OS 9.1.3 and later releases only) On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration (PanoramaSD-WANDevices) does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration (PanoramaSD-WANDevices) does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack as out of sync.
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.

PAN-144889

(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 and later release plugin does not display the managed firewall templates (PanoramaManaged DevicesSummary) as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (CommitPush to DevicesEdit Selections).

PAN-144073

This issue is now resolved. See PAN-OS 9.1.2-h1 Addressed Issues.
On the Panorama management server, hub and branch firewall latency, jitter, and packet loss data is not updated when monitoring SD-WAN link performance (PanoramaSD-WANMonitoring).

PAN-127813

In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.

PAN-123040

When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.