Known Issues in Panorama Plugin for VMware NSX 3.2.1

The following list describes known issues in the Panorama plugin for VMware NSX 3.2.1.


After a Panorama HA failover, the service manager might become
Out of Sync
with the message
Services list is missing on Panorama...Downloading new one
: Execute the command
request plugins reset-plugin only plugin plugin-name vmware_nsx
on Panorama.


If you downgrade to the Panorama plugin for VMware NSX 3.1.0 after creating an NSX-T service definition with Health Check as
(default) while the Panorama plugin for VMware NSX 3.2.0 is installed on Panorama, the service definition create on plugin 3.2.0 will be
after downgrade due to a mismatch in Health Check configuration (changed to
: Set
Health Check
on the out-of-sync service definition and
your changes.


If you have two Panorama appliances installed in an HA with multiple plugins installed, Panorama might not receive updated IP-tag information after failover. This occurs when one of the installed plugins is not configured on Panorama because Panorama is waiting to receive an IP address update for the unconfigured plugin or plugins.
: Unisntall the unconfigured plugin or plugins. It is recommended that you do not install a plugin that you do not plan to configure right away.
Alternatively, you can use the following commands to work around this issue. Execute the command
request plugins dau plugin-name <plugin-name> unblock-device-push yes
for each unconfigured plugin on each Panorama instance to prevent Panorama from waiting for updates for disabled plugins. If you configure the other plugins, execute the command
request plugins dau plugin-name <plugin-name> unblock-device-push no
. If you do not, your firewalls may lose some IP-tag information.
The commands describe are not persistent and must be used again for any subsequent failover events.


When you enable Device Certificate and add PIN ID and PIN value to an existing NSX-V service definition that had Device Certificate disabled, the PIN ID and PIN value are not pushed to NSX-V Manager.


If Panorama HA failover occurs while Panorama is disconnected from NSX-V Manager, the Service Manager section of NSX-V Manager will display the IP address of the formerly active (now passive) Panorama peer. This occurs after failover and the connection between Panorama and NSX-V Manager is reestablished.
: Perform a manual config sync in Panorama to display the correct Panorama IP address in NSX-V Manager.


Panorama incorrectly allows the modification of the NSX-T plugin configuration while in a suspended state. Do not attempt to modify the NSX-T plugin configuration on a suspended Panorama; this action is not supported.


After a Panorama failover event, if there are some configuration objects in NSX-T Manager but not Panorama, you must manually remove those objects from NSX-T Manager.
: Contact VMware for information about manually removing the objects from NSX-T Manager.


In a Panorama HA pair, NSX-T plugin configuration is not automatically synchronized to the passive Panorama if the passive Panorama comes up after the active Panorama.
: On the Panorama dashboard, Synchronize to Peer on the HA widget.


You cannot use a service-definition across multiple service managers; each service definition is mapped to a unique service manager.


When a device group is added or removed from an existing notify group, existing dynamic address groups are not updated to reflect the device group change.
Workaround: Synchronize Dynamic Objects on
Service Manager
to update dynamic address groups.


The connection between NSX-T Manager and Panorama goes
Out of Sync
if you change the NSX-T Manager IP address configured on Panorama.
: To change the NSX-T Manager IP address, you must completely reconfigure and reinstall your VM-Series firewall on NSX-T deployment. If there are active firewall in your deployment, you must remove those before deleting the service manager. You must delete the Service Manager configuration from Panorama and add it again with the new IP address. To delete the Service Manager, you must remove the rest of your VM-Series on NSX-T configuration from Panorama.


You can open the NSX Manager Objects window from
Service Managers
but displays no information.

Recommended For You