Known Issues in SD-WAN Plugin 2.0
List of known issues in all SD-WAN 2.0 releases.
The following list includes all known issues that impact an SD-WAN 2.0 release. This list includes both outstanding issues and issues that are addressed, as well as known issues that apply more generally or that are not identified by a specific issue ID. Refer to the PAN-OS Release Notes for additional known issues affecting the SD-WAN 2.0 plugin.
On the Panorama management server running PAN-OS 10.0.3 or a later PAN-OS 10.0 release, reverting or loading a Panorama configuration that impacts the template stack configuration containing the SD-WAN interface erroneously removes the Security Zone from the SD-WAN interface configuration, resulting in a commit failure.
This issue is now resolved.
SD-WAN assigns the same tunnel ID to two tunnels in a hub-and-spoke VPN cluster and a full mesh VPN cluster.
Workaround: If you are upgrading from SD-WAN Plugin 2.0.2 or an earlier release, complete the following steps during a maintenance timeframe.
- Upgrade to SD-WAN Plugin 2.0.3.
- Make a small configuration change of your choice in the SD-WAN cluster configuration. For example, change the SD-WAN hub priority and change it back.
- Issue a local Panorama Commit.
- Push the configuration to all devices in the VPN cluster at once. On the Push Scope Selection, select Force Template Values.
- In a hub-and-spoke topology, reboot all SD-WAN hubs. If the hubs are an HA pair, follow the HA reboot procedure.
- If you are experiencing duplicate tunnel issues in a full mesh topology, reboot every branch.
This issue is resolved in SD-WAN plugin versions 1.0.6 and 2.0.1.
Fixed an issue where an interface placed in a predefined zone was removed by the SD-WAN plugin after a commit to the firewall.
On the Panorama management server, upgrading the SD-WAN plugin from versions 1.0.0 or 1.0.1 causes commits to fail.
Workaround: Purge the existing IP subnet cache after upgrading the SD-WAN plugin from version 1.0.0 or 1.0.1.
- If you are already logged in to the Panorama CLI, log out and log back in to the Panorama CLI.
- Issue the following command:
  admin> debug plugins sd_wan drop-config-cache-ip-addresses
- Commit your changes.
The SD-WAN plugin fails to display any of the monitoring for a site and cluster with a space in the name.
Workaround: Remove the space from the name and
This issue is resolved in PAN-OS 10.1.
On the Panorama management server, renaming an SD-WAN policy rule creates a new rule UUID and may cause configuration pushes to fail if the SD-WAN policy rule UUID exceeds the rule capacity limit for the managed firewall platform.
Workaround: Before changing the name of an SD-WAN policy rule, log in to the managed firewall CLI to determine the maximum policy rule limit.
admin> show system state filter cfg.general.max* | match rule
In SD-WAN monitoring data, a SaaS application associated with multiple SaaS Quality profiles does not display Multiple in the SaaS Monitoring column.
When a SaaS Quality profile and a Traffic Distribution profile (SD-WAN Link Management > SaaS Quality Profile) are associated with an SD-WAN policy rule (SD-WAN Link Management > Traffic Distribution Profile), SaaS monitoring probe packets are sent to all links configured in the virtual SD-WAN interface rather than only those specified in the Traffic Distribution profile.
For example, if you create a Traffic Distribution profile that includes Eth1/1 and Eth1/6 but your virtual SD-WAN interface includes Eth1/1, Eth1/4, and Eth1/6, SaaS monitoring occurs on all three links configured in the virtual SD-WAN interface rather than the two specified in the Traffic Distribution profile.
On the Panorama management server, you cannot view the SD-WAN license installed on an SD-WAN firewall.
Workaround: Log in to the Panorama CLI and enter the following command to view the SD-WAN license information for your managed firewalls.
admin> request batch license info
(PAN-OS 9.1.3 and later releases only) On the Panorama management server, adding, deleting, or modifying the upstream NAT configuration does not display the branch template stack as out of sync.
Additionally, adding, deleting, or modifying the BGP configuration does not display the hub and branch template stacks as out of sync. For example, modifying the BGP configuration on the branch firewall does not cause the hub template stack to display as out of sync, nor does modifying the BGP configuration on the hub firewall cause the branch template stack to display as out of sync.
Workaround: After performing a configuration change, Commit and Push the configuration changes to all hub and branch firewalls in the VPN cluster containing the firewall with the modified configuration.
(PAN-OS 9.1.2-h1 and later releases only) On the Panorama management server, adding, deleting, or modifying the original subnet IP, or adding a new subnet after you successfully configure a tunnel IP subnet, for the SD-WAN 1.0.2 and later release plugin does not display the managed firewall templates as Out of Sync.
Workaround: When modifying the original subnet IP, or adding a new subnet, push the template configuration changes to your managed firewalls and Force Template Values (Push to Devices).
In the current release, SD-WAN auto-provisioning configures hubs and branches in a hub and spoke model, where branches don’t communicate with each other. Expected branch routes are for generic prefixes, which can be configured in the hub and advertised to all branches. Branches with unique prefixes are not published up to the hub.
Workaround: Add any specific prefixes for branches to the hub advertise-list configuration.
When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.