Known Issues in SD-WAN Plugin 3.0

The following list includes all known issues that impact an SD-WAN 3.0 release. This list includes both outstanding issues and issues that are addressed, as well as known issues that apply more generally or that are not identified by a specific issue ID. Refer to PAN-OS Release Notes for additional known issues affecting SD-WAN Plugin 3.0.

PAN-220919

Auto VPN creates a virtual SD-WAN interface named sdwan.901 for direct internet access (DIA) and creates a virtual SD-WAN interface named sdwan.9xx for VPN tunnels. When you enable Auto VPN, the SD-WAN plugin creates the SD-WAN interfaces automatically. Hence, it's not necessary for you to create SD-WAN interfaces manually. The SaaS quality profile works only with one DIA interface that is sdwan.901.
Auto VPN also creates its own default route that uses the sdwan.901 interface as its egress interface and uses a low metric of 5, so that the sdwan.901 interface is preferred over the default route you created.
There might be scenarios where you want to create an SD-WAN interface manually (other than what the SD-WAN plugin creates automatically) like the following:
  • Configuring SD-WAN direct internet access (DIA) links only and no VPN connections between the hub and branch locations
  • (Not recommended) Deploying SD-WAN manually between SD-WAN sites without Panorama management server
In such cases, you must configure the manually created SD-WAN interface outside of the sdwan.9xx range, with a route that has a metric higher than the default value.

PAN-215899

Configuration synchronization between Panorama HA peers is failing.
Workaround: Run commit force from the CLI on the passive Panorama before triggering an HA configuration sync from the active Panorama. You can use this workaround whenever the sync fails.

PAN-215897

In a Panorama high availability (HA) deployment, the SD-WAN interface goes down and all the tunnel interfaces disappear from the Network > IPSec Tunnels tab when you push the configuration changes from the secondary Panorama.
Workaround: If you have set up an HA pair in Panorama, don't push the configuration from the secondary Panorama when the primary Panorama is active. Always push the configuration changes from the primary Panorama when it's active.

PAN-190173

Pre-shared keys are not synchronized across the Panorama management servers in a high availability (HA) configuration, leading to tunnel flaps during an HA failover when you Push to Devices (Commit > Push to Devices or Commit > Commit and Push).
This issue is addressed in SD-WAN plugin 2.2.3 and 3.1.0-h6.

PAN-123040

When you try to view network QoS statistics on an SD-WAN branch or hub, the QoS statistics and the hit count for the QoS rules don’t display. A workaround exists for this issue. Please contact Support for information about the workaround.

PLUG-14809

A commit error occurs when you attempt to disable the multiple virtual routers feature on the SD-WAN hub by executing the following CLI command:
    set plugins sd-wan devices <device-serial-number> multi-vr-support no

PLUG-14559

A commit failure occurs when you attempt to rename the vsys to a name other than vsys1 for a multi-vsys firewall with private link type (in an SD-WAN Interface Profile).
This issue is addressed in SD-WAN plugin 3.0.7.

PLUG-14499

(Panorama HA deployments only) The firewalls managed by the HA active and passive Panorama go out of synchronization when you make any changes to an active Panorama SD-WAN configuration (such as modifying the VPN cluster name). After this, even when the SD-WAN configuration changes are pushed from the active Panorama to the firewalls, the firewalls remain out of synchronization on the passive Panorama. This issue does not occur when changing a non-SD-WAN related configuration.
Workaround: In a Panorama HA deployment, if you make any changes to an existing SD-WAN configuration:
  1. Commit the SD-WAN configuration changes on the active Panorama (where the HA synchronization happens on the passive Panorama automatically)
  2. Trigger manual synchronization from the active Panorama to the passive Panorama by executing the following CLI command:
    request high-availability sync-to-remote running-config
  3. Push to the firewalls from the active Panorama
This issue is addressed in SD-WAN plugin 3.0.7. However, you must follow the workaround when you modify the active Panorama SD-WAN configuration.

PLUG-14475

PAN-OS does not support forwarding traffic in clear text (when VPN Data Tunnel Support is disabled on the SD-WAN Interface Profile) outside of the SD-WAN VPN tunnel when the multiple virtual routers support on the SD-WAN hub feature is enabled.

PLUG-14402

The return merchandise authentication (RMA) process won't be successful if you delete the replacement firewall without removing it from the SD-WAN plugin first.
This issue is addressed in SD-WAN plugin 2.2.6 and 3.0.7. Follow the instructions to replace an SD-WAN device.

PLUG-13186

After upgrading to PAN-OS 11.0.2 and SD-WAN plugin 3.1.1, SD-WAN branches configured with dynamic IP addressing using FQDN didn't work.
This issue is addressed in SD-WAN plugin 3.0.5 and 3.1.2. Note: When you upgrade to SD-WAN plugin 3.0.5 and 3.1.2, to receive this fix you must first Commit on Panorama and then Push to devices. You cannot upgrade directly to SD-WAN plugin 3.1.2 from any plugin version earlier than 3.1.1. If you are running SD-WAN plugin 3.1.0 or an earlier plugin version on your firewall, you must upgrade to SD-WAN plugin 3.1.1 before you upgrade to SD-WAN plugin 3.1.2.

PLUG-13152

The SD-WAN plugin automatically creates predefined zones that do not require any user configuration. Hence, we have removed the following predefined zone tabs from the SD-WAN plugin web interface:
  • Zone Internet
  • Zone to Hub
  • Zone to Branch
  • Zone Internal
This issue is addressed in SD-WAN plugin 2.2.5 and 3.0.5.

PLUG-13100

On the Prisma Access Onboarding tab, the aggregated interfaces don't get listed in the Interface drop-down.
This issue is addressed in SD-WAN plugin 3.0.5.

PLUG-12711

A commit all from Panorama to an SD-WAN branch firewall configured with only one MPLS will result in a commit failure.
This issue is addressed in SD-WAN plugin 2.2.5 and 3.0.5.

PLUG-12540

No data displays for "Link Performance-OK" under the SD-WAN monitoring tab.

PLUG-12389

When you import a Panorama configuration from an existing deployment to another Panorama management server, the following commit error is thrown:
sd-wan. IP address from vpn address pool subnet/subnets are exhausted. Please add a new subnet or make changes to vpn cluster Failed plugin validation
Workaround: Before using an existing Panorama configuration on another Panorama management server, be sure to delete the existing VPN pool and add a new pool. Optionally, you can also add one or more VPN address pools.
This issue is addressed in SD-WAN plugin 3.0.6.

PLUG-12224

For an SD-WAN tunnel between a hub and a branch, the hub/branch tunnel interface should have the same IP address on the HA active and passive firewalls, but the hub/branch has different IP addresses on the HA active and passive firewalls.
This issue is addressed in SD-WAN plugin 2.2.4, 3.0.4, and 3.1.0-h6. Tunnel ID changes will take effect from SD-WAN plugin 2.2.4. If you are running SD-WAN plugin 2.2.2 and upgrade to 2.2.4, you must regenerate the cluster configuration and push to devices to see those changes.

PLUG-12126

The VPN cluster is recreated when the name of an existing VPN cluster is modified. As a result, the pre-shared key and tunnel IP addresses change, causing a failure to establish the VPN tunnel (or tunnel flaps).
This issue is addressed in SD-WAN plugin 2.2.6 and 3.0.7. After this fix, you won't be able to modify the existing VPN cluster name.

PLUG-11789

Pre-shared keys are not synchronized across the Panorama management servers in a high availability (HA) configuration, leading to tunnel flaps during an HA failover when you Push to Devices (Commit > Push to Devices or Commit > Commit and Push).
This issue is addressed in SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0-h6.

PLUG-11761

Prisma Access onboarding is unsuccessful using SD-WAN plugin 2.2.2 and after filling out all the required information, the plugin shows the PHP bit error. Users are unable to onboard Prisma Access on a branch firewall.
This issue is addressed in SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0-h6.

PLUG-11453

A Zone Protection profile, log setting, and User-ID cannot be configured on "zone-internet" created by the SD-WAN plugin on the firewall from Panorama.
This issue is addressed in SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0-h6.

PLUG-11383

SD-WAN plugin fails to get Prisma Access connection details for the onboarding process.
This issue is addressed in SD-WAN plugin 2.2.3 and 3.0.4.

PLUG-11290

SD-WAN Monitoring (Panorama > SD-WAN > Monitoring) displays No Data for App Performance and Link Performance.
This issue is addressed in SD-WAN plugin 3.0.3.

PLUG-11277

In an SD-WAN hub-and-spoke topology, where Prisma Access compute nodes (CNs) are configured as a hub connecting to the PAN-OS firewalls, the session gets established on only one compute node when ECMP is disabled. When more than one compute node is connected to the PAN-OS firewalls, routes get added from one of the compute nodes only. Even though the branch firewalls learn the routes through BGP from both the Prisma Access compute nodes, the branch installs only one of the BGP routes based on the BGP route selection criteria. Therefore, when traffic passes from the other compute node, the session does not get established.
This issue is addressed in SD-WAN plugin 2.2.6 and 3.0.7.

PLUG-11223

In a high availability (HA) deployment, the SD-WAN tunnel will go down due to a key ID mismatch when the following events occur in sequence:
  • An HA failover
  • The SD-WAN plugin cache removes the current HA pair relation from the database when the debug plugins sd_wan drop-config-cache all command is executed
  • A commit and push fails on either the hub or a branch active node
In certain scenarios, replacing one of the HA devices during the RMA process can cause the SD-WAN tunnel to go down due to a key ID mismatch. For more details, refer to Replace an SD-WAN Device.
Workaround: Resolve the Key ID mismatch by ensuring that the Peer Identification of the hub firewall matches the Local Identification of the branch firewall and the Local Identification of the hub firewall matches the Peer Identification of the branch firewall.
  1. Log in to the hub or a branch firewall where the SD-WAN tunnel is down due to Key ID mismatch and select Network > Network Profiles > IKE Gateways.
  2. Select the IKE gateway of the hub firewall and click Override at the bottom of the screen.
  3. Copy the Local Identification value from the hub firewall to the Peer Identification value in the branch firewall.
  4. Copy the Peer Identification value from the hub firewall to the Local Identification value in the branch firewall.
  5. Click OK and Commit your changes.
This issue is addressed in SD-WAN plugin 2.2.5.

PLUG-11062

When configuring upstream NAT on the SD-WAN plugin, the drop-down does not list AE interface or subinterface, even though the firewall is configured with AE interface or subinterface.
This issue is addressed in SD-WAN plugin 2.2.3 and 3.0.4.

PLUG-10796

On the Panorama management server, a commit (Commit > Commit to Panorama) hangs at 99% and causes the commit queue to fill up, preventing any subsequent commits on Panorama.
This issue is addressed in SD-WAN plugin 2.2.2 and 3.0.2.

PLUG-10457

After successful upgrade to SD-WAN 2.1.0 and later releases, the Panorama management server takes 10 minutes to commit (Commit > Commit to Panorama) configuration changes regardless of what configuration change was made.
This issue is addressed in SD-WAN plugin 2.2.2 and 3.0.2.

PLUG-10433

On the Panorama management server, commits (Commit > Commit to Panorama) fail if any managed firewall (Panorama > Managed Devices > Summary) is Disconnected when the SD-WAN plugin is installed.
This issue is addressed in SD-WAN plugin version 3.0.2.

PLUG-10432

The SD-WAN plugin is unable to retrieve the Prisma Service IP, preventing the onboard of Prisma Access tenants.
This is addressed in SD-WAN plugin 2.2.2 and 3.0.2.

PLUG-10274

Panorama 10.2.1 may fail to synchronize configuration between high availability (HA) peers after commit when SD-WAN plugin 3.0.1 is installed. When the secondary Panorama HA peer fails to synchronize after committing, the HA status becomes unsynchronized. In this case, a commit error is thrown for synchronization failure between HA peers.
This issue is addressed in SD-WAN plugin 3.0.2.

PLUG-10165

On the Panorama management server, commits (Commit > Commit to Panorama) fail if your SD-WAN firewalls associated with the SD-WAN plugin (Panorama > SD-WAN) configuration are removed from Panorama management (Panorama > Managed Devices > Summary).
Workaround: Remove the SD-WAN configuration after you remove your SD-WAN firewalls from Panorama management.
  1. Select Panorama > Plugins and search for sd_wan.
  2. Remove Config.
  3. Click OK to confirm removing the SD-WAN configuration from Panorama.
This is addressed in SD-WAN plugin 2.2.2 and 3.0.2.

PLUG-3343

The SD-WAN plugin fails to display any of the monitoring for a site and cluster with a space in the name.
Workaround: Remove the space from the name and Commit.
