Limitations

The following limitations are associated with the SD-WAN plugin:

Limitations Introduced in SD-WAN Plugin 2.0

| Issue ID | Description |
|---|---|
| PLUG-5953 | Installation of SD-WAN Plugin 2.0 requires Panorama to be running PAN-OS 10.0.2 or a later 10.0 release and should fail on a Panorama running PAN-OS 9.1.x. The issue is that installation of SD-WAN Plugin 2.0 is currently being allowed on a Panorama running PAN-OS 9.1.4. |
| PAN-156322 | If you configure a PA-220 firewall as an SD-WAN branch or hub with an Error Correction Profile for FEC or packet duplication, the branch or hub achieves little or no performance gain due to the CPU limitations on a PA-220 firewall. |
| PAN-149708 | Adaptive SaaS monitoring using a SaaS Quality profile (Objects > SD-WAN Link Management > SaaS Quality Profile) is supported only for TCP SaaS applications. Adaptive SaaS monitoring is not supported for any SSL-proxied traffic. |

Limitations Introduced in SD-WAN Plugin 1.0

| Issue ID | Description |
|---|---|
| | (SD-WAN Failover from a DIA Link to an MPLS Link) Direct Internet Access (DIA) failover to MPLS applies to traffic with new sessions, not to existing sessions. |
| | (SD-WAN Failover from a DIA Link to an MPLS Link) All firewalls in a VPN cluster must have one or more routes to reach the MPLS interface IP addresses on a peer firewall. |
| PAN-142282 | (SD-WAN Failover from a DIA Link to an MPLS Link) In FTP active mode only, the first SYN packet for FTP data over MPLS is always dropped. |
| PAN-142213 | (SD-WAN Failover from a DIA Link to an MPLS Link) The VPN Data Tunnel Support setting in an SD-WAN interface profile must be the same on all devices in a cluster: disabled or enabled. Otherwise, hub-initiated traffic will not work, nor will traffic going from a branch to another branch through the hub. |
| PAN-142180 | (SD-WAN Failover from a DIA Link to an MPLS Link) When VPN Data Tunnel Support is disabled, branch-to-branch traffic doesn’t work if BranchA-to-Hub selects a tunnel over the DIA link and Hub-to-BranchB selects the MPLS link. |
| PAN-127550 | Panorama supports only incremental additions for CSV imports when the SD-WAN plugin is enabled. Devices already added are not removed when importing a new CSV device list. If needed, delete devices manually in the web interface or CLI. |
| PAN-127432 | (SD-WAN Failover from a DIA Link to an MPLS Link) A predict session cannot be matched for traffic through a tunnel: FTP data sometimes fails on firewalls with multiple data planes. This limitation exists for traffic between a branch and hubs, including DIA traffic that fails over to an MPLS tunnel. |
