Known Issues in SD-WAN Plugin 2.0
List of known issues in all SD-WAN 2.0 releases.
The following list includes all known issues that impact
an SD-WAN 2.0 release. This list includes both outstanding issues
and issues that are addressed, as well as known issues that apply
more generally or that are not identified by a specific issue ID. Refer
to the PAN-OS Release Notes for
additional known issues affecting the SD-WAN 2.0 plugin.
PAN-220919
Auto VPN creates a virtual SD-WAN interface named sdwan.901 for direct internet access
(DIA) and creates a virtual SD-WAN interface named sdwan.9xx for VPN tunnels. When you
enable Auto VPN, the SD-WAN plugin creates the SD-WAN interfaces automatically. Hence,
it's not necessary for you to create SD-WAN interfaces manually. The SaaS quality
profile works only with one DIA interface that is sdwan.901.
Auto VPN also creates its own default route that uses the sdwan.901 interface as its
egress interface and uses a low metric of 5, so that the sdwan.901 interface is
preferred over the default route you created.
There might be scenarios where you want to create an SD-WAN interface manually (other
than what the SD-WAN plugin creates automatically) like the following:
- Configuring SD-WAN direct internet access (DIA) links only and no VPN connections between the hub and branch locations
- (Not recommended) Deploying SD-WAN manually between SD-WAN sites without Panorama management server
In such cases, you must configure the manually created SD-WAN interface outside of the
sdwan.9xx range, with a route whose metric is higher than the default value.
PAN-215897
In a Panorama high availability (HA) deployment, the SD-WAN interface goes down and all
the tunnel interfaces disappear from the Network > IPSec Tunnels tab when you push the
configuration changes from the secondary Panorama.
Workaround: If you have set up a HA pair in Panorama, don't push the configuration
from the secondary Panorama when the primary Panorama is active. Always push the
configuration changes from the primary Panorama when it's active.
PAN-190173
Pre-shared keys are not synchronized across the Panorama
management servers in a high availability (HA) configuration, leading
to tunnel flaps during an HA failover when you Push to Devices
(Commit > Push to Devices or Commit > Commit and Push).
This issue is addressed in SD-WAN plugin 2.2.3 and 3.1.0-h6.
PAN-158465
On the Panorama management server running
PAN-OS 10.0.3 or later PAN-OS 10.0 release, reverting or loading
a Panorama configuration (Panorama > Setup > Operations)
that impacts the template stack configuration containing the SD-WAN interface
(Network > Interfaces > SD-WAN) erroneously removes
the Security Zone from the SD-WAN interface configuration resulting
in a commit failure.
PLUG-11223
In a high availability (HA) deployment, the SD-WAN tunnel will go down due to a key ID
mismatch when the following events occur in sequence:
- An HA failover
- The SD-WAN plugin cache removes the current HA pair relation from the database when the debug plugins sd_wan drop-config-cache all command is executed
- A commit and push fails on either the hub or a branch active node
In certain scenarios, replacing one of the HA devices during the RMA process can cause
the SD-WAN tunnel to go down due to a key ID mismatch. For more details, refer to Replace an SD-WAN Device.
Workaround: Resolve the Key ID mismatch by ensuring that the Peer Identification
of the hub firewall matches with the Local Identification of the branch firewall
and the Local Identification of the hub firewall matches with the Peer Identification
of the branch firewall.
- Log in to the hub or a branch firewall where the SD-WAN tunnel is down due to Key ID mismatch and select Network > Network Profiles > IKE Gateways.
- Select the IKE gateway of the hub firewall and click Override at the bottom of the screen.
- Copy the Local Identification value from the hub firewall to the Peer Identification value in the branch firewall.
- Copy the Peer Identification value from the hub firewall to the Local Identification value in the branch firewall.
- Click OK and Commit your changes.
This issue is addressed in SD-WAN plugin 2.2.5, 3.1.3.
PLUG-10796
On the Panorama management server, a
commit (Commit > Commit to Panorama) hangs at 99% and causes the
commit queue to fill up, preventing any subsequent commits on Panorama.
This issue is addressed in SD-WAN plugin 2.2.2 and 3.0.2.
PLUG-9421
The Panorama plugin for SD-WAN is unable to recognize
when the master key (Panorama > Master Key and Diagnostics)
is updated on the Panorama management server.
Workaround: Select Commit and Commit and Push to your managed firewalls
leveraging SD-WAN after updating the master key on Panorama.
This issue is addressed in PAN-OS 10.2.1-h1 and SD-WAN plugin
2.2.1.
PLUG-7605
This issue is resolved in SD-WAN plugin 2.0.3.
SD-WAN assigns the same tunnel ID to two tunnels
in a hub-and-spoke VPN cluster and a full mesh VPN cluster.
Workaround: If you are upgrading from SD-WAN Plugin 2.0.2 or earlier 2.0 version, complete
the following steps during a maintenance timeframe.
- Upgrade to SD-WAN Plugin 2.0.3.
- Make a small configuration change of your choice in the SD-WAN cluster configuration. For example, change the SD-WAN hub priority and change it back.
- Issue a local Panorama Commit.
- Push the configuration to all devices in the VPN cluster at once. On the Push Scope Selection, select Force Template Values.
- In a hub-and-spoke topology, reboot all SD-WAN hubs. If the hubs are an HA pair, follow the HA reboot procedure.
- If you are experiencing duplicate tunnel issues in a full mesh topology, reboot every branch.
PLUG-7598
This is resolved in SD-WAN version 2.1.1.
An SD-WAN Interface Profile (Network > SD-WAN Interface Profile) configured with
a Microwave/Radio Link or Other Type of Link as the Link Type does not function
as a Peer-to-Peer link.
PLUG-6118
This issue is resolved in SD-WAN
plugin versions 1.0.6 and 2.0.1.
Fixed an issue where an interface placed in a predefined zone
was removed by the SD-WAN plugin after a commit to the firewall.
PLUG-4189
On the Panorama management server, upgrading
the SD-WAN plugin from versions 1.0.0 or 1.0.1 causes commits to
fail.
Workaround: Purge the existing IP subnet cache after upgrading
the SD-WAN plugin from version 1.0.0 or 1.0.1.
- If you are already logged in to the Panorama CLI, log out and log back in to the Panorama CLI.
- Issue the following command:
  admin> debug plugins sd_wan drop-config-cache-ip-addresses
- In the Panorama web interface, select Panorama > SD-WAN > VPN Clusters > VPN Address Pool and Add the appropriate VPN pool addresses.
- Commit your changes.
PLUG-3343
The SD-WAN plugin fails to display any
of the monitoring for a site and cluster with a space in the name.
Workaround: Remove the space from the name and Commit.
PAN-158767
This issue is resolved in PAN-OS 10.1.
On the Panorama management server, renaming an
SD-WAN policy rule (Policies > SD-WAN) creates a new rule
UUID and may cause configuration pushes to fail if the SD-WAN policy
rule UUID exceeds the rule capacity limit for the managed firewall
platform.
Workaround: Before changing the name of an SD-WAN policy
rule, log in to the managed firewall CLI to determine the maximum
policy rule limit.
admin> show system state filter cfg.general.max* | match rule
PAN-156049
When a SaaS Quality profile (Objects > SD-WAN Link Management > SaaS Quality Profile) and a
Traffic Distribution profile (Objects > SD-WAN Link Management > Traffic Distribution Profile)
are associated with an SD-WAN policy rule (Policies > SD-WAN), SaaS monitoring probe
packets are sent to all links configured in the virtual SD-WAN interface
(Network > Interfaces > SD-WAN) rather than only those
specified in the Traffic Distribution profile.
For example, if you create a Traffic Distribution profile that
includes Eth1/1 and Eth1/6 but your virtual SD-WAN interface includes
Eth1/1, Eth1/4, and Eth1/6, SaaS monitoring occurs on all three
links configured in the virtual SD-WAN interface rather than the
two specified in the Traffic Distribution profile.
This issue is addressed in PAN-OS 10.0.3.
PAN-152825
On the Panorama management server, you cannot view the
SD-WAN license installed on an SD-WAN firewall
(Panorama > Device Deployment > Licenses).
Workaround: Log in to the Panorama CLI and
enter the following command to view the SD-WAN license information
for your managed firewalls.
admin> request batch license info
This issue is addressed in PAN-OS 10.0.1.
PAN-146485
(PAN-OS 9.1.3 and later releases only) On the
Panorama management server, adding, deleting, or modifying the upstream
NAT configuration (Panorama > SD-WAN > Devices)
does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration
(Panorama > SD-WAN > Devices) does not display the
hub and branch template stacks as out of sync.
For example, modifying the BGP configuration on the branch firewall
does not cause the hub template stack to display as out of sync,
nor does modifying the BGP configuration on the hub firewall cause
the branch template stack to display as out of sync.
Workaround: After performing a configuration change, Commit
and Push the configuration changes to all hub and branch
firewalls in the VPN cluster containing the firewall with the modified
configuration.
PAN-144889
(PAN-OS 9.1.2-h1 and later releases only) On
the Panorama management server, adding, deleting, or modifying the
original subnet IP, or adding a new subnet after you successfully
configure a tunnel IP subnet, for the SD-WAN 1.0.2 and later release
plugin does not display the managed firewall templates
(Panorama > Managed Devices > Summary) as Out of Sync.
Workaround: When modifying the original subnet IP, or
adding a new subnet, push the template configuration changes to
your managed firewalls and Force Template Values
(Commit > Push to Devices > Edit Selections).
PAN-123040
When you try to view network QoS statistics on an SD-WAN
branch or hub, the QoS statistics and the hit count for the QoS
rules don’t display. A workaround exists for this issue. Please
contact Support for information about the workaround.