Known Issues in VM-Series Plugin 1.0.11

The following list describes known issues in the VM-Series Plugin 1.0.11.

PLUG-4654

In some cases, a VM-Series firewall configuration with SRIOV on KVM might not boot in DPDK mode.
To ensure that firewall boots in DPDK mode, edit the Guest VM XML configuration on the KVM hypervisor as follows:
<cpu mode='host-passthrough' check='none'/>
This ensures that the CPU flags are exposed. To verify that the CPU flags are exposed on the VM:
cat /proc/cpuinfo
In the
flags
output, look for the following flags:
  • For PAN-OS 9.1 with DPDK 1.11, you need
    AVX
    , or
    AES
    and
    SSE
    .
  • For PAN-OS 9.1 or later with DPDK version 18.11, you need
    AVX
    or
    SSE
    .
This behavior is documented in the VM-Series Deployment Guide, version 9.1.

PLUG-4394

On Azure, Active/Passive HA configurations that use a floating IP address sometimes experience loss of traffic after failover.
Upon failover, Azure starts moving the floating IP address from the primary to the secondary. If the HA pair is restored and control returns to the primary before the IP address moves to the secondary, traffic is lost.
Workaround
:
To restore traffic, you must temporarily suspend the primary so that the secondary (which has the floating IP address) is active.
This issue is fixed in VM-Series firewall version 1.0.12.

PLUG-3650

HA behavior is inconsistent for VM-Series firewalls deployed on Azure.
This issue is fixed in VM-Series plugin version 1.0.12.

PLUG-3509

HA behavior is inconsistent for VM-Series firewalls deployed on Azure.
This issue is fixed in VM-Series plugin version 1.0.12.

PLUG-3562

In OCI, if you assign secondary IP addresses to HA interfaces, those IP addresses are incorrectly moved to the passive HA peer in the event of a failover.

Recommended For You