Prisma SD-WAN
Addressed Issues in Prisma SD-WAN ION Releases
Learn about the issues addressed in Prisma SD-WAN ION
releases.
Learn about the issues addressed in Prisma SD-WAN ION device
release 6.5.
Ensure you select the appropriate build version that aligns with your main
release train. If you're looking to download the latest build for a specific
release version and it is not available in your system, please contact Palo Alto
Networks Support to request access or assistance.
- Addressed Issues in Prisma SD-WAN ION Device Release 6.5.3
- Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.2-b7
- Addressed Issues in Prisma SD-WAN ION Device Release 6.5.2
- Addressed Issues in Prisma SD-WAN ION Device Release 6.5.1
Addressed Issues in Prisma SD-WAN ION Device Release 6.5.3
The following table lists the issues addressed in Prisma SD-WAN ION device release 6.5.3.
| Issue ID | Description |
|---|---|
| CGSDW-36948 | Resolved an issue on Gen2 platforms with UFC ports where static route-reachability probes failed due to an internal binding error. |
| CGSDW-36431 | Resolved an issue where an invalid configuration from the controller caused the fwmgr process to restart and prevented backup ION devices from connecting to the controller. |
| CGSDW-36419 | Resolved an issue where the rtr_mgr_api process unexpectedly restarted due to memory corruption within the Python regex library. |
| CGSDW-36417 | Resolved an issue where the firewall dropped TCP packets when out-of-order packets exceeded the threshold and buffering reached per-flow or per-thread limits. The firewall now forwards these packets instead of dropping them. |
| CGSDW-36302 | Resolved an issue on ION 3200 appliances in L2 mode where low packet buffer (mbuf) allocation caused system timeouts. This occurred because the buffer reservation logic for virtual interfaces exceeded available memory when supporting multiple Switch Virtual Interfaces (SVI). |
| CGSDW-36098 | Resolved an issue where hard or soft resets for BGP peers failed when initiated from the controller web interface due to stale entries. |
| CGSDW-36058 | Resolved an issue where TACACS authentication failed due to a memory leak in the authentication process (authd). This leak occurred over time based on the volume of authentication requests and prevented users from logging in. |
| CGSDW-35936 | Resolved an issue in data center clusters where dual ION devices incorrectly continued to advertise prefixes from a secondary branch site after the primary branch site route was restored. This occurred because routes learned from the secondary branch were not withdrawn following primary path recovery. |
| CGSDW-35596 | Resolved an issue on Data Center ION (DC ION) devices where internal routing rules were not correctly programmed after toggling the site state. When the site state changed from disabled to active or control, interface-based rules failed to recreate, preventing proper traffic handling across interfaces. |
| CGSDW-33885 | Resolved an issue where successful SSH authentications incorrectly generated authentication failure logs. This was caused by an internal configuration setting that triggered false-positive error messages during the login process. |
| CGSDW-31501 | Resolved an issue on ION 3200 series devices where the default gateway was not configured for ISP interfaces following an unclaim operation and subsequent configuration updates. This was caused by an internal logic error that failed to correctly process interface settings when the device role was not explicitly defined. |
| CGSDW-30788 | Resolved an issue where multiple processes restarted and disrupted production traffic. This occurred when LAN asymmetry and Zone-Based Firewall (ZBFW) caused blocked flows to reach the PP_2 process. |
| CGSDW-30052 | Resolved an issue where ION devices stopped responding to ARP requests on WAN interfaces. This was caused by an internal transmit queue becoming unresponsive after encountering a malformed packet, which prevented the processing of subsequent network traffic. |
| CGSDW-16922 | Resolved an issue where ION devices unexpectedly crashed during a reboot or software upgrade due to a startup timing conflict. The service initialization logic has been updated to ensure the data plane is fully ready before processing commands. |
| CGSDW-35622 | Resolved an issue where data traffic incorrectly egressed the DC ION device via the controller port. |
| CGSDW-35111 | Resolved an issue where the RX/TX statistics displayed in the UI sometimes showed values higher than the maximum interface link speed. |
| CGSDW-33282 | Resolved an issue where the system failed to automatically archive the /log/syslog directory following a process crash or device reboot. |
| CGSDW-32858 | Resolved an issue where multi-hop BGP learnt routes on the DC device were not re-distributed to the Branch. This omission occurred because the system failed to correctly resolve the BGP next-hop via the default route. |
| CGSDW-32105 | Resolved an issue where the interface address flapped, which caused instability in BGP, VPN, and HA connections. |
| CGSDW-30565 | Resolved an issue where traffic was lost after a VPN switchover was triggered on the Spoke device. This occurred because the system failed to update the bridge vector with the new WAN interface details, causing traffic to be forwarded to the old, down VPN interface. |
| CGSDW-30073 | Resolved an issue that caused the event_forward process to repeatedly restart on the ION device. This occurred due to a technical incompatibility in the system's priority queue handling following the Python upgrade. |
| CGSDW-30067 | Resolved an issue that caused the dpdk-ctrl-port process to crash on the ION device operating in L2 mode. |
Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.2-b7
The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.2-b7.
| Issue ID | Description |
|---|---|
| CGSDW-35066 | Resolved an issue where the system did not apply the mandatory RekeyLimit requirement for SSH sessions in FIPS mode. |
| CGSDW-34931 | Resolved an issue where BGP sessions configured over the Service Link closed when the link flapped. |
| CGSDW-34901 | Resolved an issue where the MIC/MAC process crashed when receiving an invalid or incomplete response from the cloud or internal bootstrap service. |
| CGSDW-34799 | Resolved an issue where the connected route for the control interface was not leaked correctly. |
| CGSDW-34798 | Resolved an issue where the distribution of leaked branch prefixes was not handled correctly in the hub device after a High Availability (HA) failover occurred. |
| CGSDW-34797 | Resolved an issue where leaked WAN path prefixes were advertised to the core router through the backup hub. |
| CGSDW-34768 | Resolved an issue where SD-WAN fabric traffic blackholed on a spoke device after a VPN switchover. |
| CGSDW-34457 | Resolved an issue where the ifspd process crashed during overnight traffic testing. |
| CGSDW-34413 | Resolved an issue where the device's SSH algorithms did not fully comply with the FIPS-CC Protection Profile. |
| CGSDW-34408 | Resolved an issue where the GCM algorithm was not accepted for standard IPsec tunnels when the device ran in FIPS mode. |
| CGSDW-34180 | Resolved an issue where OCSP requests contained invalid and duplicate HTTP frames. |
| CGSDW-33993 | Resolved an issue where the data path thread experienced a memory leak, causing the FC process to restart. |
| CGSDW-33102 | Resolved an issue where the CLI became stuck and SSH failed when running regression scripts. |
| CGSDW-33096 | Resolved an issue where multiple ifspd cores were observed on ION devices. |
| CGSDW-33093 | Resolved an issue where BGP sessions did not establish in a VRF instance. |
| CGSDW-33066 | Resolved an issue where the Controller interface did not program the default gateway on the device after an upgrade or reboot. |
| CGSDW-32818 | Resolved an issue where the Blobfish process crashed when you initiated a remote access operation from the controller. |
| CGSDW-32694 | Resolved an issue where the event forward process restarted on the ION device. |
| CGSDW-32627 | Resolved an issue where the MAC address showed as "None" in the controller portal for an ION device onboarded via bootstrapping. |
| CGSDW-32560 | Resolved an issue where the ION device did not populate ARP responses on the WAN interface. |
| CGSDW-32517 | Resolved an issue where the unknown unicast filter did not apply correctly to switch port 0 (front panel port 1) when configuring a Link Aggregation Group (LAG) on the ION device. |
| CGSDW-32510 | Resolved an issue where the Forwarding Plane process crashed while removing an application path prefix from a hash table. |
| CGSDW-32487 | Resolved an issue where the system incorrectly applied VRF configuration on the ION device. |
| CGSDW-32464 | Resolved an issue where sensitive private key information was exposed in the Remote Access logs. |
| CGSDW-32297 | Resolved an issue where Syslog Flow Export did not work when flow logging was enabled in the configuration. |
| CGSDW-32267 | Resolved an issue where the Element Manager process restarted on ION 1200 devices. This issue occurred when the system logged controller connection status with a null hostname. |
| CGSDW-32019 | Resolved an issue where daemon logs filled continuously after a logging error occurred. This excessive logging resulted from a loop in the logging process where an initial error message repeatedly triggered new error messages. |
| CGSDW-31654 | Resolved an issue where the Flow Control (FC) process crashed at an internal system function (pan_sml_vm_set_field_flag). |
| CGSDW-31613 | Resolved an issue where the system failed to claim a device due to a MIC/MAC failure. |
| CGSDW-31151 | Resolved an issue where the system failed to establish a Syslog server connection when the User-to-Firewall Connectivity (UFC) interface was specified as the source interface. |
| CGSDW-31117 | Resolved an issue where Secure Fabric tunnels did not re-establish between Branch Gateway (BG) locations following an HA failover. |
| CGSDW-30950 | Resolved an issue where the system displayed an internal exception during WAN path updates or deletions due to a timing conflict. |
| CGSDW-30863 | Resolved an issue where an exception appeared in daemon logs for the wpa_bw_check program. This exception resulted from a Python 2 to Python 3 conversion error. |
| CGSDW-30773 | Resolved an issue where the device did not connect back after successful bootstrap. |
| CGSDW-30461 | Resolved an issue where the FP-RTE process experienced increasing memory consumption and leakage due to an inefficient memory allocator. |
| CGSDW-28274 | Resolved an issue where the dump interface config or dump interface status CLI commands did not show the associated physical interface information for Layer 3 (L3) Loopback interfaces. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.5.2
The following table lists the issues addressed in Prisma SD-WAN ION device release 6.5.2.
| Issue ID | Description |
|---|---|
| CGSDW-30242 | Resolved an issue where the ION device sometimes displayed an internal reboot code (code: 0x08) with the reason Unknown after an unexpected shutdown. |
| CGSDW-30125 | Resolved an issue where the ION device failed to apply a DNS caching size of 0. This prevented administrators from disabling the DNS cache functionality through configuration. |
| CGSDW-30053 | Resolved an issue where the Active ION device's controller interface could not reach certain IP addresses. |
| CGSDW-29793 | Resolved an issue where the ION device incorrectly created two separate flows for traffic passing through a GRE tunnel. |
| CGSDW-29207 | Resolved an issue where the ION device incorrectly created application probes for WAN-to-WAN initiation failure flows. The system wrongly populated the probe's destination port using the flow's source port, resulting in the creation of many unnecessary probes for the same destination. |
| CGSDW-28326 | Resolved an issue where IPv6 ping commands failed to reach a VPN Forwarding Information Base (FIB) host when using the LAN interface IP address as the source IP address on the ION device. |
| CGSDW-29793 | Resolved an issue where two separate flows were created on the spoke device for traffic passing through a GRE tunnel. |
| CGSDW-27990 | Resolved an issue involving memory leaks in the Flow Collector (FC) related to Redis notifications. |
| CGSDW-30125 | Resolved an issue where a value of zero entered for Cache Size in the DNS profile from the web interface was not being pushed to the ION device. |
| CGSDW-29207 | Resolved an issue for WAN to WAN flow failures in Branch Gateway sites, where the app probe entries were being created with the flow's source port as the probe destination port. |
| CGSDW-27805 | Resolved an issue where the SNMP agent did not respond for a higher number of VPN tunnels. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.5.1
The following table lists the issues addressed in Prisma SD-WAN ION device release 6.5.1.
| Issue ID | Description |
|---|---|
| CGSDW-29207 | Resolved an issue where the ION device incorrectly created application probes for WAN-to-WAN initiation failure flows. The system wrongly populated the probe's destination port using the flow's source port, resulting in the creation of many unnecessary probes for the same destination. |
| CGSDW-28697 | Resolved an issue where the ION device incorrectly created two flows instead of one for traffic in scenarios involving route leaking with a Service Link (SL) and a Custom Virtual Routing and Forwarding (VRF). |
| CGSDW-28458 | Resolved an issue where the ION device stopped passing traffic after raising the DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED alarm. |
| CGSDW-28329 | Resolved an issue where the backup-DC ION device incorrectly advertised branch prefixes when a core-facing BGP peer flapped. |
| CGSDW-28214 | Resolved an issue where the standalone interface on the standby ION device went down when the active ION device was powered down. |
| CGSDW-28187 | Resolved an issue where the ION device failed to initiate a SYN request over TCP port 179 to establish BGP with its peer after a reboot. |
| CGSDW-28049 | Resolved an issue where the dump-support and dump-support all commands failed to capture the system logs and core dumps on the ION device. |
| CGSDW-28036 | Resolved an issue where VPN OIDs changed with every polling request on the ION device. |
| CGSDW-27728 | Resolved an issue that caused the fp-rte process to crash on the ION device, leading to an immediate High Availability (HA) failover. |
| CGSDW-27588 | Resolved an issue where the Performance Policy Alarm failed to display the complete WAN interface information. This occurred because the ION device did not translate the WAN interface ID to its corresponding name when the name was initially empty. |
| CGSDW-27542 | Resolved an issue where BGP failed to establish connectivity after the ION device transitioned to the High Availability (HA) active state. This occurred because the ION device incorrectly processed BGP configuration messages while in standby mode. |
| CGSDW-27498 | Resolved an issue where the default route was missing on subinterfaces after the ION device rebooted. This issue affected virtual interfaces created on specific ports where subinterfaces were then configured on those virtual ports. |
| CGSDW-27359 | Resolved an issue where application and TCPP global statistics were missing when a high number of application thresholds (50 or more) were configured. This scale issue occurred because the ION device failed to send statistics in a timely manner, causing the data to arrive out of order and resulting in the loss of both types of statistics. |
| CGSDW-25254 | Resolved an issue where a memory buffer (mbuffer) leak was observed in Branch Gateway ION devices. When memory became exhausted, this leak caused VPN disconnections and the loss of connection to the controller. |
| CGSDW-23739 | Resolved an issue where the ION device continued to generate and observe application probe flows even after the feature was disabled in the user interface. The fix ensures that flow observation and generation cease immediately after the feature is disabled. |
| CGSDW-22911 | Resolved an issue that caused the fp-rte process to crash on the ION device when QoS was enabled for UDP traffic on a WAN-to-LAN flow. This failure was due to a timing issue that occurred when one of multiple existing VPNs flapped. The crash happened because packets in the ingress QoS pipeline incorrectly referenced a deallocated structure. The fix ensures that the QoS pipeline safely handles VPN state changes. |
| CGSDW-30550 | Resolved an issue where a memory leak or continuous memory increase was observed in the fp-rte process. |
| CGSDW-29207 | Resolved an issue for WAN to WAN flow failures in Branch Gateway sites, where the app probe entries were being created with the flow's source port as the probe destination port. |
| CGSDW-28697 | Resolved an issue where two flows were being created for a VPN tunnel with global VRF configured. |
| CGSDW-28458 | Resolved an issue where the ION Device was not passing traffic after the DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED alarm was generated. |
| CGSDW-28329 | Resolved an issue where a backup DC ION device continued to advertise branch prefixes after a BGP reset. |
| CGSDW-28214 | Resolved an issue where a stand-alone interface of the backup ION device, connected via a bypass configuration to the active ION, went down when the active ION device was powered down. |
| CGSDW-28187 | Resolved an issue where BGP was not being reestablished after a device reboot. |
| CGSDW-28049 | Resolved an issue where the dump-support output and dump-support all commands did not capture the syslogs on the ION 9000 platform if there was a soft link. |
| CGSDW-28036 | Resolved an issue where the VPN Object Identifiers were changing for every polling request. |
| CGSDW-27827 | Resolved an issue where event logs and SNMP alerts were triggered opposite to the action on the web interface. |
| CGSDW-27728 | Resolved an issue where the fp-rte process was crashing on an upgrade to software version 6.3.4. |
| CGSDW-27697 | Resolved an issue where statistics were not displayed due to memory issues. |
| CGSDW-27588 | Resolved an issue where the WAN Interface was displaying the ID instead of the name on the web interface. |
| CGSDW-27542 | Resolved an issue where the BGP was going down on the active ION device after an HA switchover after upgrading the software version to 6.3.4. |
| CGSDW-27498 | Resolved an issue where the default route was missing on sub-interfaces after a device reboot. |
| CGSDW-27241 | After enabling logs for the flow controller, the logs are not rolling over correctly, thus using up all the space in the log directory. |
| CGSDW-27359 | Resolved an issue where application statistics were missing when a higher number of application performance SLA thresholds were configured. |
| CGSDW-25658 | Resolved an issue where the fp-rte process restarted, leading to HA failover and instability of the device. |
| CGSDW-25152 | Resolved an issue where custom L3/L4 applications were not being detected properly for UDP traffic after an HA switchover. |
| CGSDW-23881 | Resolved an issue involving a potential DDoS vulnerability; flows now time out correctly. |
| CGSDW-19357 | When a DC ION receives routes for a /32 prefix from both the underlay and overlay, the DC ION tries to split the route and thus the BGP route selection process fails. |
| CGSDW-19117 | Resolved an issue where the LQM session wasn't reestablished after a vpnd process crash. |