Known Issues in VM-Series Plugin 1.0.11

The following list describes known issues in the VM-Series Plugin 1.0.11.

PLUG-4654

In some cases, a VM-Series firewall configuration with SRIOV on KVM might not boot in DPDK mode.
To ensure that firewall boots in DPDK mode, edit the Guest VM XML configuration on the KVM hypervisor as follows:
<cpu mode='host-passthrough' check='none'/>
This ensures that the CPU flags are exposed. To verify that the CPU flags are exposed on the VM:
cat /proc/cpuinfo
In the
flags
output, look for the following flags:
  • For PAN-OS 9.1 with DPDK 1.11, you need
    AVX
    , or
    AES
    and
    SSE
    .
  • For PAN-OS 9.1 or later with DPDK version 18.11, you need
    AVX
    or
    SSE
    .
This behavior is documented in the VM-Series Deployment Guide, version 9.1.

PLUG-4394

On Azure, Active/Passive HA configurations that use a floating IP address sometimes experience loss of traffic after failover.
Upon failover, Azure starts moving the floating IP address from the primary to the secondary. If the HA pair is restored and control returns to the primary before the IP address moves to the secondary, traffic is lost.
Workaround
:
To restore traffic, you must temporarily suspend the primary so that the secondary (which has the floating IP address) is active.
This issue is fixed in VM-Series plugin version 1.0.12.

PLUG-3721

On VM-Series firewalls deployed using a flexible Pay-As-You-Go (PAYG) license, the
Dashboard
and under
Device
Licenses
in the web interface or using
request license info
in the CLI displays the capacity license as VM-300 regardless of the capacity license applied.
Workaround
: Execute the command
show system info
to verify the capacity license applied to your VM-Series firewall.

PLUG-3650

HA behavior is inconsistent for VM-Series firewalls deployed on Azure.
This issue is fixed in VM-Series plugin version 1.0.12.

PLUG-3509

HA behavior is inconsistent for VM-Series firewalls deployed on Azure.
This issue is fixed in VM-Series plugin version 1.0.12.

PLUG-3562

In OCI, if you assign secondary IP addresses to HA interfaces, those IP addresses are incorrectly moved to the passive HA peer in the event of a failover.

Recommended For You