: Known Issues in SD-WAN Plugin 3.1
Focus
Focus

Known Issues in SD-WAN Plugin 3.1

Table of Contents

Known Issues in SD-WAN Plugin 3.1

List of known issues in SD-WAN 3.1 release.
The following list includes all known issues that impact an SD-WAN 3.1 release. This list includes both outstanding issues and issues that are addressed, as well as known issues that apply more generally or that are not identified by a specific issue ID. Refer to PAN-OS Release Notes for additional known issues affecting SD-WAN Plugin 3.1.

PAN-221755

Description of PAN-221755.
In a Panorama high availability (HA) deployment, when you add a new VPN cluster or modify an existing VPN cluster name, the SD-WAN plugin database goes out of sync between the active and passive Panorama.
Workaround: Run commit force from CLI on the active Panorama after an HA configuration sync on the passive Panorama from the active Panorama.

PAN-220919

Description of PAN-220919.
Auto VPN creates a virtual SD-WAN interface named sdwan.901 for direct internet access (DIA) and creates a virtual SD-WAN interface named sdwan.9xx for VPN tunnels. When you enable Auto VPN, the SD-WAN plugin creates the SD-WAN interfaces automatically. Hence, it's not necessary for you to create SD-WAN interfaces manually. The SaaS quality profile works only with one DIA interface that is sdwan.901.
Auto VPN also creates its own default route that uses the sdwan.901 interface as its egress interface and uses a low metric of 5, so that the sdwan.901 interface is preferred over the default route you created.
There might be scenarios where you want to create an SD-WAN interface manually (other than what the SD-WAN plugin creates automatically) like the following:
  • Configuring SD-WAN direct internet access (DIA) links only and no VPN connections between the hub and branch locations
  • (Not recommended) Deploying SD-WAN manually between SD-WAN sites without Panorama management server
In such cases, you must configure the manually created SD-WAN interface outside of the SDWAN.9xx range containing a route with a metric higher than the default value.

PAN-218671

Description of PAN-218671
On the Panorama management server, commits to Panorama fail after you downgrade from:
SD-WAN plugin 3.1.0-h6 on a Panorama appliance running PAN-OS 11.0.1
to
SD-WAN plugin 2.2.3 on a Panorama appliance running PAN-OS 10.1.9.
Workaround: Follow these steps after the downgrade:
  • Export the configuration file from Panorama and change the router name to "vr-name" in the configuration file.
  • Upload and load the updated configuration file back to the Panorama Management server.

PAN-215899

Description of PAN-215899
Configuration synchronization between Panorama HA peers is failing.
Workaround: Run commit force from CLI on the passive Panorama before triggering an HA configuration sync from active Panorama. Whenever sync fails, this workaround can be used.

PAN-215897

Description of PAN-215897.
In a Panorama high availability (HA) deployment, the SD-WAN interface goes down and all the tunnel interfaces disappear from the NetworkIPSec Tunnels tab when you push the configuration changes from the secondary Panorama.
Workaround: If you have set up a HA pair in Panorama, don't push the configuration from the secondary Panorama when the primary Panorama is active. Always push the configuration changes from the primary Panorama when it's active.

PAN-190173

Pre-shared keys are not synchronized across the Panorama management servers in a high availability (HA) configuration, leading to tunnel flaps during an HA failover when you Push to Devices (CommitPush to Devices or CommitCommit and Push).
This issue is addressed in SD-WAN plugin 2.2.3 and 3.1.0-h6.

PLUG-15276

Description of PLUG-15276
(Full mesh topology only) In the SD-WAN VPN cluster, an SD-WAN branch cannot create a VPN tunnel with another SD-WAN branch firewall if the branch firewall is configured behind the NAT device.
This issue is addressed in SD-WAN plugin 3.0.7-h2, 3.1.3 , 3.2.1, 3.3.0, and 3.3.1.

PLUG-14986

Description of PLUG-14986.
(HA deployments only) The SD-WAN tunnel becomes inactive for some duration when the passive firewall is either suspended or rebooted during the HA upgrade process.
This issue is addressed in SD-WAN plugin 3.1.3 and 3.2.1.

PLUG-14559

Description of PLUG-14559.
A commit failure occurs when you attempt to rename the vsys to a name other than vsys1 for a multi-vsys firewall with private link type (in an SD-WAN Interface Profile).
This issue is addressed in SD-WAN plugin 3.0.7, 3.1.3 , 3.2.1 , and 3.3.0.

PLUG-14499

Description of PLUG-14499
(Panorama HA deployments only) The firewalls managed by HA active and passive Panorama would go out of synchronization when you make any changes to an active Panorama SD-WAN configuration (such as modifying the VPN cluster name). After this, even when the SD-WAN configuration changes are pushed from active Panorama to the firewalls, the firewalls remains out of synchronization on passive Panorama. This issue does not occur when changing a non-SD-WAN related configuration.
Workaround: In a Panorama HA deployment, if you make any changes to an existing SD-WAN configuration:
  1. Commit the SD-WAN configuration changes on an active Panorama (where the HA synchronization happens on the passive Panorama automatically)
  2. Trigger manual synchronization from active Panorama to passive Panorama by executing the following CLI command:
    request high-availability sync-to-remote running-config
  3. Push to the firewalls from active Panorama
This issue is addressed in SD-WAN plugin 3.0.7, 3.1.3 , and 3.2.1. However, it is required to follow the workaround when you wish to modify the active Panorama SD-WAN configuration.

PLUG-13536

Description of PLUG-13536.
When you disable Remove Private AS option ('remove-private-as') and attempt to push the configuration from SD-WAN plugin to the branch firewalls, the changes to the Remove Private AS option (SD-WANDevicesBranchBGPIPV4 BGP) does not take effect and remains enabled on the branch firewalls. This issue is seen after upgrading the Panorama management server to 11.0.2 release.
This issue is addressed in SD-WAN plugin 3.1.3, 3.2.1, and 3.3.0.

PLUG-13186

Description of PLUG-13186
After upgrading to PAN-OS 11.0.2 and SD-WAN plugin 3.1.1, SD-WAN branches configured with dynamic IP addressing using FQDN didn't work.
This issue is addressed in SD-WAN plugin 3.0.5 and 3.1.2. Note: When you upgrade to SD-WAN plugin 3.0.5 and 3.1.2, to receive this fix you must first Commit on Panorama and then Push to devices. You cannot upgrade directly to SD-WAN plugin 3.1.2 from any plugin version earlier than 3.1.1. If you are running SD-WAN plugin 3.1.0 or an earlier plugin version on your firewall, you must upgrade to SD-WAN plugin 3.1.1 before you upgrade to SD-WAN plugin 3.1.2.

PLUG-13100

Description of PLUG-13100
On Prisma Access Onboarding tab, the aggregated interfaces don't get listed in the Interface drop-down.
This issue is addressed in SD-WAN plugin 3.0.5, 3.1.3, 3.2.1, and 3.3.0.

PLUG-12900

Description of PLUG-12900.
In certain conditions, the SD-WAN plugin database size grows more than the expected limit.
This issue is addressed in SD-WAN plugin 2.2.5 and 3.1.3.

PLUG-12724

Description of PLUG-12724.
Configuration synchronization between Panorama HA peers fails after downgrading from the following SD-WAN plugin releases.
  • Downgrading from SD-WAN plugin 3.1.0-h6/2.2.4 to SD-WAN plugin 2.2.2 or earlier release.
  • Downgrading from SD-WAN plugin 3.1.0-h6 to SD-WAN plugin 3.0.3 or earlier release.
  • Downgrading from SD-WAN plugin 3.1.0-h6 to SD-WAN plugin 3.1.0 release.
Workaround: Before you downgrade the SD-WAN plugin, clear all the SD-WAN plugin database collections on both active and passive Panorama. After the downgrade, make changes to the cluster (for example, cluster name), commit the configuration changes from the active Panorama, and push the changes to all the devices.

PLUG-12711

Description of PLUG-12711
A commit all from Panorama to an SD-WAN branch firewall configured with only one MPLS will result in a commit failure.
This issue is addressed in SD-WAN plugin 2.2.5 and 3.0.5.

PLUG-12519

Description of PLUG-12519.
(Full mesh topology only) An attempt to initiate re-key simultaneously by the VPN peers lead to SD-WAN VPN tunnel flapping. This issue occurs because both the SD-WAN hub and the branch devices act as an initiator device during the IKE negotiation.
This issue is addressed in SD-WAN plugin 3.0.7-h2 and 3.1.3.

PLUG-12328

Description of PLUG-12328.
When a Panorama managed active-secondary firewall pushes the SD-WAN configuration after an HA failover, the IPSec tunnels are deleted. A Panorama managed active-secondary firewall should retain the IPSec tunnels after pushing the configuration.
This issue is addressed in SD-WAN plugin 3.1.0-h6.

PLUG-12241

Description of PLUG-12241
You won't be able to push the configuration changes (like VPN cluster name) of an already configured VPN cluster to the Panorama management server.
This issue is addressed in SD-WAN plugin 3.1.3 , 3.2.1, and 3.3.0.

PLUG-12224

Description of PLUG-12224.
For an SD-WAN tunnel between a hub and a branch, the hub/branch tunnel interface should have the same IP address on the HA active and passive firewalls, but the hub/branch has different IP addresses on the HA active and passive firewalls.
This issue is addressed in SD-WAN plugin 2.2.4, 2.2.7, 3.0.4, 3.0.8, 3.1.0-h6 , 3.2.2, and 3.3.2. Tunnel ID changes will take effect from SD-WAN plugin 2.2.4. If you are running SD-WAN plugin 2.2.2 and upgrade to 2.2.4, you must regenerate the cluster configuration and push to devices to see those changes.

PLUG-12126

Description of PLUG-12126
The VPN cluster is recreated when the name of an existing VPN cluster is modified. As a result, the pre-shared key and tunnel IP addresses changes causing failure to establish the VPN tunnel (or tunnel flaps).
This issue is addressed in SD-WAN plugin 2.2.6, 3.0.7, and 3.1.3. After this fix, you won't be able to modify the existing VPN cluster name.

PLUG-11789

Description of PLUG-11789.
Pre-shared keys are not synchronized across the Panorama management servers in a high availability (HA) configuration, leading to tunnel flaps during an HA failover when you Push to Devices (Commit > Push to Devices or Commit > Commit and Push).
This issue is addressed in SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0-h6.

PLUG-11761

Description of PLUG-11761.
Prisma Access onboarding is unsuccessful using SD-WAN plugin 2.2.2 and after filling out all the required information, the plugin shows the PHP bit error. Users are unable to onboard Prisma Access on a branch firewall.
This issue is addressed in SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0-h6.

PLUG-11453

Description of PLUG-11453.
A Zone Protection profile, log setting, and User-ID cannot be configured on "zone-internet" created by the SD-WAN plugin on the firewall from Panorama.
This issue is addressed in SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0-h6.

PLUG-11277

Description of PLUG-11277
In an SD-WAN hub-and-spoke topology, where Prisma Access compute nodes (CNs) are configured as a hub connecting to the PAN-OS firewalls, the session gets established on only one compute node when ECMP is disabled. When more than one compute nodes are connected to the PAN-OS firewalls, routes get added from one of the compute nodes only. Even though the branch firewalls learn the routes through BGP from both the Prisma Access compute nodes, the branch installs only one of the BGP routes based on the BGP route selection criteria. Therefore, when a traffic passes from the other compute node, the session does not get established.
This issue is addressed in SD-WAN plugin 2.2.6, 3.0.7, 3.1.3, and 3.2.1.

PLUG-11223

Description of PLUG-11223.
In a high availability (HA) deployment, the SD-WAN tunnel will go down due to a key ID mismatch when the following events occur in sequence:
  • An HA failover
  • The SD-WAN plugin cache removes the current HA pair relation from the database when debug plugins sd_wan drop-config-cache all command is executed
  • A commit and push fails on either the hub or a branch active node
In certain scenarios, replacing one of the HA devices during the RMA process can cause the SD-WAN tunnel to go down due to a key ID mismatch. For more details, refer to Replace an SD-WAN Device.
Workaround: Resolve the Key ID mismatch by ensuring that the Peer Identification of the hub firewall matches with the Local Identification of the branch firewall and the Local Identification of the hub firewall matches with the Peer Identification of the branch firewall.
  1. Log in to the hub or a branch firewall where the SD-WAN tunnel is down due to Key ID mismatch and select NetworkNetwork ProfilesIKE Gateways.
  2. Select the IKE gateway of the hub firewall and click Override at the bottom of the screen.
  3. Copy the Local Identification value from the hub firewall to the Peer Identification value in the branch firewall.
  4. Copy the Peer Identification value from the hub firewall to the Local Identification value in the branch firewall.
  5. Click OK and Commit your changes.
This issue is addressed in SD-WAN plugin 2.2.5 , 2.2.7, 3.0.8, 3.1.3 , 3.2.1, 3.2.2 , 3.3.0, and 3.3.2.
After this fix, the key ID may change after the Panorama commit. Therefore, you must ensure to commit and push to all the devices in the VPN cluster or clusters.

PLUG-3343

The SD-WAN plugin fails to display any of the monitoring for a site and cluster with a space in the name.
Workaround: Remove the space from the name and Commit.