Known Issues in Panorama Plugin for VMware NSX 2.0.4
Table of Contents
Expand all | Collapse all
-
-
-
-
- Features Introduced in Zero Touch Provisioning 2.0
- Known Issues in the Zero Touch Provisioning 2.0.4 Release
- Known Issues in the Zero Touch Provisioning 2.0.3 Release
- Known Issues in the Zero Touch Provisioning 2.0.2 Release
- Known Issues in the Zero Touch Provisioning 2.0.1 Release
- Known Issues in the Zero Touch Provisioning 2.0.0 Release
- Limitations
-
-
Known Issues in Panorama Plugin for VMware NSX 2.0.4
Th following list describes known issues
in the Panorama plugin for VMware NSX 2.0.4.
PLUG-1324
Upgrading the VMware NSX plugin from
2.0.2 to 2.0.3 on the passive peer in a Panorama HA deployment before
upgrading the active peer cause the passive peer to become the active
because it has the higher version of the plugin. However, the Service
Manager status on the new active peer may become Out
of Sync. The Service Manager status on the new passive
peer remains Registered.
Workaround: Perform a manual NSX Config-Sync after
upgrading the plugin.
PLUG-1321
Deleting the VM-Series firewall from
vCenter deactivates the firewall license however the deletion may
show as Failed in vCenter.
Workaround: Verify that the firewall status is Partially Deactivated
on the Managed Devices page on Panorama. In vCenter, manually delete
the VM-Series firewall SVM from Networking
& SecurityInstallationService Deployment.
PLUG-1318
If the active Panorama peer enters maintenance
mode due to a power on self test failure
error, the passive Panorama peer becomes the new active peer. However, after
the failover, the HA status incorrectly displays none on the new
active peer.
PLUG-1303
When Panorama deploys and then upgrades a new VM-Series
firewall for NSX, the firewall toggles between connected and disconnected
states. This issue occurs when a beta (-b) or hot fix (-h) PAN-OS
image is downloaded on Panorama.
Workaround: Delete the beta or hot fix image from Panorama.
PLUG-1298
After the VM-Series firewall for NSX is added as a managed
device on Panorama, the template status remains blank.
Workaround: Perform a local commit on Panorama and then
a commit on the VM-Series firewall to display the template status
on Panorama.
PLUG-1297
After upgrading the VM-Series firewall, the template
and shared policy status are Out of Sync.
Workaround: After the firewall is added as a managed device
on Panorama, push the template and device group configuration to
the VM-Series firewalls.
PLUG-1295
When Panorama deploys and then upgrades
a new VM-Series firewall for NSX, it can take up to two hours to
complete the deployment if there is slow or inconsistent network
connectivity between Panorama and the VM-Series firewall. This occurs when
the VM-Series firewall disconnects from Panorama and Panorama cannot
verify that the commit succeeded.
PLUG-1288
A commit on Panorama to the managed VM-Series firewalls
might fail if the firewalls’ dynamic update version is older than
the version on Panorama.
Workaround: Manually update the dynamic update version
on the VM-Series firewall to match the version on Panorama.
PLUG-1287
After the VM-Series firewall is deployed from vCenter,
the Shared Policy may be Out of Sync on the Managed Devices page
in Panorama.
Workaround: Select CommitPush to Devices. On the Device
Groups tab, verify that your device groups and Include
Device and Network Templates. On the Templates tab,
deselect the templates. Click OK.
PLUG-1280
The Template Last Commit column
on PanoramaManaged
DevicesSummary displays Failed after
upgrading Panorama to 8.1.4.
Workaround: Push the template and device
configuration to the VM-Series firewalls.
PLUG-1216
The Service Manager status does not immediately go Out
of Sync after deleting a steering rule from the Partner
Security Service section on the vCenter server. You must wait approximately
two minutes for the Service Manager status to go Out
of Sync.
PLUG-1215
In a security-centric deployment, the NSX Config-Sync
fails when attempting to regenerate a steering rule that was deleted
from NSX Manager (not deleted on Panorama).
Workaround: Delete the security from the device group
on Panorama and add it again. Go to PanoramaVMware NSXSteering Rules and
click Auto-Generate. Commit your
changes.
PLUG-1214
NSX Manager allows two different Panorama instances
to connect and push configuration. However, this is an unsupported
configuration.
PLUG-835
On the vCenter server, under Networking & SecurityInstallationService Deployments, the Service
Status is Up although the Installation Status
is Failed. If the installation fails, the
service status should be Down.
PLUG-828
In an operations-centric deployment, the Service Manager
status becomes Out of Sync with the reason Steering Rule
is out of sync when the Partner Security Services are
modified on the vCenter server but not on Panorama. The Service Manager
status should stay in the Registered state when no changes are made
in Panorama.
Workaround: Select PanoramaVMware NSXService Managers and
click Synchronize Dynamic Objects.
PLUG-241
When you delete a steering rule on NSX
Manager, the plugin in status becomes out of sync for that NSX Manager
on Panorama. Executing an NSX Config Sync does not push the rule
change.
Workaround: Log in to Panorama and select PanoramaVMware NSXService Managers and click NSX
Config-Sync to perform a second NSX configuration sync.
PAN-113000
If Panorama reboots while new IP sets are added to an
NSX Security Group, NSX sends the new IP addresses to Panorama but
Panorama does not receive the updates.
Workaround: Perform a Synchronize Dynamic Objects to
update the DAGs with the new IP addresses.
PAN-106302
After a failover event in a Panorama HA deployment,
the Service Manager status is Out of Sync on
the now active Panorama HA peer due to a auth-key out of sync error.
Workaround: Perform two commits on the active Panorama
HA peer to resolve this issue.