: Known Issues in Panorama Plugin for VMware NSX 3.2.0
Focus
Focus

Known Issues in Panorama Plugin for VMware NSX 3.2.0

Table of Contents

Known Issues in Panorama Plugin for VMware NSX 3.2.0

The following list describes known issues in the Panorama plugin for VMware NSX 3.2.0.

PLUG-6842

This fix addresses an issue where an update to a Panorama device group did not synchronize the dynamic address group IP addresses on the VM-Series firewalls in the updated group.
This issue is fixed in Panorama Plugin for NSX, version 3.2.1.

PLUG-6658

vSphere 7.0.0 only supports vSphere Web Client HTML5. When you create an NSX Manager > Service Definition, the web UI does not display an option for ESXi 7.0.0. Furthermore, you cannot add a manual entry for ESXi 7.0.0 because the web client does not have configuration access to NSXService DefinitionsManageDeployment.
This issue is fixed in Panorama Plugin for NSX, version 3.2.1. With this fix, Panorama Plugin for VMware NSX service definitions support ESXi 7.0.0.

PLUG-6379

The plugin does not correctly handle using the same template to configure different stacks. As a result, NSX-T Manager cannot map the correct zones or service profiles to the correct service definitions. To work around this issue, use unique templates.
This issue is fixed in Panorama Plugin for NSX, version 3.2.1.

PLUG-6051

When the NSX manager is added in Panorama, the status displays UNKNOWN, and after adding the service definition, you see the error message out of sync. This occurs when the Azure configuration is as follows: VNET 1 has public access, VNET2 hosts an NSX deployment but does not have public access, and an express route connects VNET1 and VNET2. A ping between the private NSX manager IP address and Panorama works.
This issue is fixed in Panorama Plugin for NSX, version 3.2.1. With this fix, if the Panorama IP address is not found on the DHCP server, the VM-Series firewall retrieves it from the system disk.

PLUG-6012

If you upgrade the Panorama plugin for VMware NSX from 3.1.0 to 3.2.0 on the passive Panorama HA peer, the passive peer will become the active Panorama HA peer.
Workaround: Upgrade the Panorama plugin for VMware NSX on the active Panorama HA peer first.
Fixed in the Panorama plugin for VMware NSX 3.2.0 and 2.0.6. If you upgrade from 2.0.6 or 3.2.0 to any future release, upgrade the passive HA peer followed by the active peer.

PLUG-5994

After a Panorama HA failover, the service manager might become Out of Sync with the message Services list is missing on Panorama...Downloading new one.
Workaround: Execute the command request plugins reset-plugin only plugin plugin-name vmware_nsx on Panorama.

PLUG-5987

If you downgrade to the Panorama plugin for VMware NSX 3.1.0 after creating an NSX-T service definition with Health Check as Enabled (default) while the Panorama plugin for VMware NSX 3.2.0 is installed on Panorama, the service definition create on plugin 3.2.0 will be Out-of-Sync after downgrade due to a mismatch in Health Check configuration (changed to Disabled).
Workaround: Set Health Check to Enable on the out-of-sync service definition and Commit your changes.

PLUG-5756

If you have two Panorama appliances installed in an HA with multiple plugins installed, Panorama might not receive updated IP-tag information after failover. This occurs when one of the installed plugins is not configured on Panorama because Panorama is waiting to receive an IP address update for the unconfigured plugin or plugins.
Workaround: Unisntall the unconfigured plugin or plugins. It is recommended that you do not install a plugin that you do not plan to configure right away.
Alternatively, you can use the following commands to work around this issue. Execute the command request plugins dau plugin-name <plugin-name> unblock-device-push yes for each unconfigured plugin on each Panorama instance to prevent Panorama from waiting for updates for disabled plugins. If you configure the other plugins, execute the command request plugins dau plugin-name <plugin-name> unblock-device-push no. If you do not, your firewalls may lose some IP-tag information.
The commands describe are not persistent and must be used again for any subsequent failover events.

PLUG-5692

When you enable Device Certificate and add PIN ID and PIN value to an existing NSX-V service definition that had Device Certificate disabled, the PIN ID and PIN value are not pushed to NSX-V Manager.

PLUG-5475

If Panorama HA failover occurs while Panorama is disconnected from NSX-V Manager, the Service Manager section of NSX-V Manager will display the IP address of the formerly active (now passive) Panorama peer. This occurs after failover and the connection between Panorama and NSX-V Manager is reestablished.
Workaround: Perform a manual config sync in Panorama to display the correct Panorama IP address in NSX-V Manager.

PLUG-2959

Panorama incorrectly allows the modification of the NSX-T plugin configuration while in a suspended state. Do not attempt to modify the NSX-T plugin configuration on a suspended Panorama; this action is not supported.

PLUG-2950

After a Panorama failover event, if there are some configuration objects in NSX-T Manager but not Panorama, you must manually remove those objects from NSX-T Manager.
Workaround: Contact VMware for information about manually removing the objects from NSX-T Manager.

PLUG-2767

In a Panorama HA pair, NSX-T plugin configuration is not automatically synchronized to the passive Panorama if the passive Panorama comes up after the active Panorama.
Workaround: On the Panorama dashboard, Synchronize to Peer on the HA widget.

PLUG-2630

You cannot use a service-definition across multiple service managers; each service definition is mapped to a unique service manager.

PLUG-2226

When a device group is added or removed from an existing notify group, existing dynamic address groups are not updated to reflect the device group change.
Workaround: Synchronize Dynamic Objects on PanoramaVMwareNSX-TService Manager to update dynamic address groups.

PLUG-1787

The connection between NSX-T Manager and Panorama goes Out of Sync if you change the NSX-T Manager IP address configured on Panorama.
Workaround: To change the NSX-T Manager IP address, you must completely reconfigure and reinstall your VM-Series firewall on NSX-T deployment. If there are active firewall in your deployment, you must remove those before deleting the service manager. You must delete the Service Manager configuration from Panorama and add it again with the new IP address. To delete the Service Manager, you must remove the rest of your VM-Series on NSX-T configuration from Panorama.

PLUG-1618

You can open the NSX Manager Objects window from PanoramaVMwareNSX-TService Managers but displays no information.