Known Issues in Panorama Plugin for VMware NSX 2.0.4
The following list describes known issues in the Panorama plugin for VMware NSX 2.0.4.
Upgrading the VMware NSX plugin from 2.0.2 to 2.0.3 on the passive peer in a Panorama HA deployment before upgrading the active peer causes the passive peer to become the active peer because it has the higher version of the plugin. However, the Service Manager status on the new active peer may become Out of Sync. The Service Manager status on the new passive peer remains
Workaround: Perform a manual NSX Config-Sync after upgrading the plugin.
Deleting the VM-Series firewall from vCenter deactivates the firewall license; however, the deletion may show as
Workaround: Verify that the firewall status is Partially Deactivated on the Managed Devices page on Panorama. In vCenter, manually delete the VM-Series firewall SVM from Networking & Security
If the active Panorama peer enters maintenance mode due to a power on self test failure error, the passive Panorama peer becomes the new active peer. However, after the failover, the HA status incorrectly displays none on the new active peer.
When Panorama deploys and then upgrades a new VM-Series firewall for NSX, the firewall toggles between connected and disconnected states. This issue occurs when a beta (-b) or hot fix (-h) PAN-OS image is downloaded on Panorama.
Workaround: Delete the beta or hot fix image from Panorama.
After the VM-Series firewall for NSX is added as a managed device on Panorama, the template status remains blank.
Workaround: Perform a local commit on Panorama and then a commit on the VM-Series firewall to display the template status on Panorama.
After upgrading the VM-Series firewall, the template and shared policy status are Out of Sync.
Workaround: After the firewall is added as a managed device on Panorama, push the template and device group configuration to the VM-Series firewalls.
When Panorama deploys and then upgrades a new VM-Series firewall for NSX, it can take up to two hours to complete the deployment if there is slow or inconsistent network connectivity between Panorama and the VM-Series firewall. This occurs when the VM-Series firewall disconnects from Panorama and Panorama cannot verify that the commit succeeded.
A commit on Panorama to the managed VM-Series firewalls might fail if the firewalls’ dynamic update version is older than the version on Panorama.
Workaround: Manually update the dynamic update version on the VM-Series firewall to match the version on Panorama.
After the VM-Series firewall is deployed from vCenter, the Shared Policy may be Out of Sync on the Managed Devices page in Panorama.
. On the Device Groups tab, verify that your device groups and
Push to Devices
Include Device and Network Templates. On the Templates tab, deselect the templates. Click
Template Last Commit column on
Failed after upgrading Panorama to 8.1.4.
Workaround: Push the template and device configuration to the VM-Series firewalls.
The Service Manager status does not immediately go Out of Sync after deleting a steering rule from the Partner Security Service section on the vCenter server. You must wait approximately two minutes for the Service Manager status to go Out of Sync.
In a security-centric deployment, the NSX Config-Sync fails when attempting to regenerate a steering rule that was deleted from NSX Manager (not deleted on Panorama).
Workaround: Delete the security from the device group on Panorama and add it again. Go to
NSX Manager allows two different Panorama instances to connect and push configuration. However, this is an unsupported configuration.
On the vCenter server, under Networking & Security, the Service Status is Up although the Installation Status is Failed. If the installation fails, the service status should be
In an operations-centric deployment, the Service Manager status becomes Out of Sync with the reason Steering Rule is out of sync when the Partner Security Services are modified on the vCenter server but not on Panorama. The Service Manager status should stay in the Registered state when no changes are made in Panorama.
Synchronize Dynamic Objects.
When you delete a steering rule on NSX Manager, the plugin status becomes out of sync for that NSX Manager on Panorama. Executing an NSX Config Sync does not push the rule change.
Workaround: Log in to Panorama and select NSX Config-Sync to perform a second NSX configuration sync.
If Panorama reboots while new IP sets are added to an NSX Security Group, NSX sends the new IP addresses to Panorama but Panorama does not receive the updates.
Synchronize Dynamic Objects to update the DAGs with the new IP addresses.
After a failover event in a Panorama HA deployment, the Service Manager status is Out of Sync on the now active Panorama HA peer due to an auth-key out of sync error.
Workaround: Perform two commits on the active Panorama HA peer to resolve this issue.