: Known Issues in Panorama Plugin for VMware NSX 2.0.6
Focus
Focus

Known Issues in Panorama Plugin for VMware NSX 2.0.6

Table of Contents

Known Issues in Panorama Plugin for VMware NSX 2.0.6

Th following list describes known issues in the Panorama plugin for VMware NSX 2.0.6.

PLUG-1324

Upgrading the VMware NSX plugin from 2.0.2 to 2.0.3 on the passive peer in a Panorama HA deployment before upgrading the active peer cause the passive peer to become the active because it has the higher version of the plugin. However, the Service Manager status on the new active peer may become
Out of Sync
. The Service Manager status on the new passive peer remains
Registered
.
Workaround:
Perform a manual
NSX Config-Sync
after upgrading the plugin.

PLUG-1321

Deleting the VM-Series firewall from vCenter deactivates the firewall license however the deletion may show as
Failed
in vCenter.
Workaround: Verify that the firewall status is Partially Deactivated on the Managed Devices page on Panorama. In vCenter, manually delete the VM-Series firewall SVM from
Networking & Security
Installation
Service Deployment
.

PLUG-1318

If the active Panorama peer enters maintenance mode due to a
power on
self test failure error, the passive Panorama peer becomes the new active peer. However, after the failover, the HA status incorrectly displays none on the new active peer.

PLUG-1303

When Panorama deploys and then upgrades a new VM-Series firewall for NSX, the firewall toggles between connected and disconnected states. This issue occurs when a beta (-b) or hot fix (-h) PAN-OS image is downloaded on Panorama.
Workaround:
Delete the beta or hot fix image from Panorama.

PLUG-1298

After the VM-Series firewall for NSX is added as a managed device on Panorama, the template status remains blank.
Workaround:
Perform a local commit on Panorama and then a commit on the VM-Series firewall to display the template status on Panorama.

PLUG-1297

After upgrading the VM-Series firewall, the template and shared policy status are
Out of Sync
.
Workaround:
After the firewall is added as a managed device on Panorama, push the template and device group configuration to the VM-Series firewalls.

PLUG-1295

When Panorama deploys and then upgrades a new VM-Series firewall for NSX, it can take up to two hours to complete the deployment if there is slow or inconsistent network connectivity between Panorama and the VM-Series firewall. This occurs when the VM-Series firewall disconnects from Panorama and Panorama cannot verify that the commit succeeded.

PLUG-1288

A commit on Panorama to the managed VM-Series firewalls might fail if the firewalls’ dynamic update version is older than the version on Panorama.
Workaround:
Manually update the dynamic update version on the VM-Series firewall to match the version on Panorama.

PLUG-1287

After the VM-Series firewall is deployed from vCenter, the Shared Policy may be Out of Sync on the Managed Devices page in Panorama.
Workaround: Select
Commit
Push to Devices
. On the Device Groups tab, verify that your device groups and
Include Device and Network Templates
. On the Templates tab, deselect the templates. Click
OK
.

PLUG-1216

The Service Manager status does not immediately go
Out of Sync
after deleting a steering rule from the Partner Security Service section on the vCenter server. You must wait approximately two minutes for the Service Manager status to go
Out of Sync
.

PLUG-1215

In a security-centric deployment, the NSX Config-Sync fails when attempting to regenerate a steering rule that was deleted from NSX Manager (not deleted on Panorama).
Workaround:
Delete the security from the device group on Panorama and add it again. Go to
Panorama
VMware NSX
Steering Rules
and click
Auto-Generate
.
Commit
your changes.

PLUG-1214

NSX Manager allows two different Panorama instances to connect and push configuration. However, this is an unsupported configuration.

PLUG-835

On the vCenter server, under
Networking & Security
Installation
Service Deployments
, the Service Status is
Up
although the Installation Status is
Failed
. If the installation fails, the service status should be
Down
.

PLUG-828

In an operations-centric deployment, the Service Manager status becomes Out of Sync with the reason
Steering Rule is out of sync
when the Partner Security Services are modified on the vCenter server but not on Panorama. The Service Manager status should stay in the Registered state when no changes are made in Panorama.
Workaround:
Select
Panorama
VMware NSX
Service Managers
and click
Synchronize Dynamic Objects
.

PLUG-241

When you delete a steering rule on NSX Manager, the plugin in status becomes out of sync for that NSX Manager on Panorama. Executing an NSX Config Sync does not push the rule change.
Workaround:
Log in to Panorama and select
Panorama
VMware NSX
Service Managers
and click
NSX Config-Sync
to perform a second NSX configuration sync.

PAN-113000

If Panorama reboots while new IP sets are added to an NSX Security Group, NSX sends the new IP addresses to Panorama but Panorama does not receive the updates.
Workaround:
Perform a
Synchronize Dynamic Objects
to update the DAGs with the new IP addresses.

PAN-106302

After a failover event in a Panorama HA deployment, the Service Manager status is
Out of Sync
on the now active Panorama HA peer due to a
auth-key out of sync
error.
Workaround:
Perform two commits on the active Panorama HA peer to resolve this issue.

Recommended For You