Prisma SD-WAN
Addressed Issues in Prisma SD-WAN ION Release 6.3
Learn about the issues addressed in Prisma SD-WAN ION release 6.3.x.
Learn more about the issues addressed in Prisma SD-WAN ION device release 6.3.
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.6
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.5
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.4
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.3
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.2
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.1
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.6
The following section lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.6 and various Hotfixes.
Release 6.3.6
| Issue ID | Description |
|---|---|
| CGSDW-37882 | Resolved an issue where the system failed to create IP rules and routes for the LAN interface. |
| CGSDW-37642 | Resolved an issue where the Layer 7 (L7) system application was incorrectly identified as ssl instead of the cached application-map entry. This occurred because the application engine sent an ssl update to the FC, which overrode the previous DNS-based application detection for the destination IP address and port. |
| CGSDW-37607 | Resolved an issue where the security policy size was incorrect when a large number of security policy prefixes were used. This occurred because the security policy size calculation did not account for empty Control Flow Unit (CFU) hash tables in the security prefix trie nodes after the User-ID feature was added. This issue resulted in inaccurate size data, specifically in non-User-ID deployments with a high scale of source prefixes. |
| CGSDW-37539 | Resolved an issue where HA links experienced premature TCP connection timeouts and sent unnecessary GARPs. |
| CGSDW-37487 | Resolved an issue where the system incorrectly removed a Supplicant (STA) from the switch FDB table during a RADIUS idle timeout. This occurred because hostapd failed to validate the MAC address due to an incorrect binary path in swinspect and a failure in the grep logic, which searched for a standard address instead of a compact MAC string. |
| CGSDW-37382 | Resolved an issue where Serial Inline High Availability (HA) ION devices failed to respond to ARP requests after a switchover. A software synchronization error prevented the system from clearing the IP address on the bypass interface during an Active-to-Backup transition. |
| CGSDW-37241 | Resolved an issue where high memory utilization occurred during security policy compilation in large-scale deployments with complex zone-to-interface mappings. Frequent changes to zone assignments caused an unnecessary expansion of the compiled security policy, even when prefixes and services remained static. |
| CGSDW-36754 | Resolved an issue where a race condition between the data path thread and the metrics thread caused an FC metrics failure and an ifspd process crash. |
| CGSDW-36339 | Resolved an issue where the wanpaths_vni database failed to migrate correctly during an upgrade from a version earlier than 6.3.x to a version later than 6.3.1. |
| CGSDW-36237 | Resolved an issue where LAN-to-WAN traffic dropped even when VPN paths remained active. This occurred because missing service labels caused the Layer 3 (L3) reachability state to incorrectly report as down. |
| CGSDW-36220 | Resolved an issue where ION devices failed to connect to the China Controller because the required CA chain was missing from the bundled trust store. |
| CGSDW-36187 | Resolved an issue where application probes were not deleted when application reachability was disabled. This occurred when multiple destination ports were used for the same application probe. The system updated the most recent failing port value, which caused the deletion logic to search for the incorrect port. As a result, the original probe remained active while the application probe state was incorrectly marked as disabled. |
| CGSDW-36123 | Resolved an issue where IPv6 BGP peer reset requests from the controller UI were not correctly handled, preventing BGP reset from occurring. This issue only affected IPv6 peers and not IPv4 peers. |
| CGSDW-36098 | Resolved an issue where performing a hard or soft reset of a BGP peer from the Controller UI would fail. This occurred because stale operation entries remained in the database if a reset was attempted while a site was disabled, preventing the routing manager from processing subsequent requests. |
| CGSDW-36056 | Resolved an issue where SNMPWALK operations were slow or timed out on devices with a high interface count. The delay occurred even under zero-traffic conditions and was observable during both local and remote queries. |
| CGSDW-35936 | Resolved an issue where, in a data center cluster with two data center IONs (DC1 and DC2), both IONs advertised the same prefixes learned from a branch site, even after the original route from the primary branch was restored. This occurred when a secondary branch site advertised the same prefixes to a data center ION while the primary branch site was down, and the routes from the secondary branch were not withdrawn after the primary branch recovered. |
| CGSDW-35329 | Resolved an issue on ION 3200 devices where the emif process would experience a watchdog timeout and socket reset errors during frequent PPPoE interface flaps. This was caused by a deadlock between the main event loop and the PPPoE daemon poller routine during interface stop sequences. |
| CGSDW-35022 | Resolved an issue where standard VPN tunnels experienced flapping due to the premature deletion of multiple Internet Key Exchange (IKE) sessions. Previously, the system immediately deleted sessions upon detecting duplicates, leading to unintended traffic interruptions. |
| CGSDW-33254 | Resolved an issue where fp-cli and fp-rte processes could crash when processing fragmented traffic during a link status change or system upgrade. The crash was caused by a non-atomic memory update during port synchronization, which resulted in a "torn read" by the data plane. This led to the system attempting to access a null memory pointer when a physical interface (such as an IGB port) transitioned to a DOWN state. |
| CGSDW-32071 | Resolved an issue where the firewall unexpectedly rebooted due to a supervisord process exception. The exception occurred during parsing, which was introduced after the Python 2 to Python 3 migration. |
| CGSDW-31637 | Resolved an issue where the MRLservice could become unresponsive without generating log activity or system cores. This occurred when a critical background thread encountered an exception and terminated without being automatically restarted. |
| CGSDW-31522 | Resolved an issue where the flow browser failed to display traffic records for LAN-to-LAN communication when ZBFW was configured. This occurred because flow records were not being transmitted to the controller when traffic matched a user-defined intra-zone security policy. |
| CGSDW-28636 | Resolved an issue where the CLI command inspect slab-allocator memory failed to execute on Data Center (DC) nodes. Previously, running this command caused the system to become unresponsive, requiring a forceful termination that led to a system crash. |
| CGSDW-34703 | Resolved a memory leak that occurred when one of the bwm_server worker threads became stuck on a recv_msg call. |
| CGSDW-33141 | Resolved an issue where transit traffic to destination ports 67, 68, and 69 was not forwarded by the ION (Hub) to its core. |
| CGSDW-32037 | Resolved an issue where scan traffic could cause the device to crash or reboot. |
| CGSDW-33282 | Addressed the requirement to archive and save the logs directory after any process crash or device reboot. |
| CGSDW-31944 | Resolved an issue where snmpd showed high memory usage. |
| CGSDW-31702 | Resolved an issue where the hello and dead timer for LLDP on the ION is 30 seconds. |
| CGSDW-33237 | Addressed control plane traffic prioritization in ION. |
| CGSDW-31862 | Resolved an issue where a split brain lasted for 3 minutes after an fp-rte crash (6.3.5-b4). |
| CGSDW-32903 | Resolved an issue where a flow was marked ESTABLISHED with only SYN and SYN-ACK. |
| CGSDW-32621 | Resolved an issue where, after an upgrade from 6.1.x to 6.3.5-b4, standby IONs lost connectivity to the controller. |
| CGSDW-32172 | Resolved an issue where legitimate DIA traffic flows caused DPDK cores to be overutilized. |
| CGSDW-32075 | Resolved an issue where a stale route entry was present when a route was learned over multiple service links. |
| CGSDW-32551 | Resolved an app-engine crash: slice bounds out of range [:-1]. |
| CGSDW-31832 | Resolved an issue where frr closed the BGP socket configured over a service link when it flapped. |
| CGSDW-31959 | Resolved an app-engine crash in 6.3.5-b4 caused by a nil pointer dereference at dhcp.go line 99. |
| CGSDW-31858 | Resolved an issue in 6.3.5-b4 where probes were still sent although app-probe was disabled at the element level. |
| CGSDW-31505 | Resolved an issue where stats were exported with the label private-direct for LAN-to-LAN traffic. |
| CGSDW-31320 | Resolved an issue where 0.0.0.0 was added to DNS-based app-maps. |
| CGSDW-31237 | Propagated the fix from the 5.6 release to 6.3.6. |
| CGSDW-30883 | Resolved an issue where an rtr_mgr_api exception was observed due to a timing issue in handling wanpaths update and delete. |
| CGSDW-29556 | Resolved a FIPS issue where Cgnxinfra, remote login, and service link connections were failing. |
| CGSDW-30069 | Resolved an issue where the ADEM probe was not working for the private app over the secure fabric. |
| CGSDW-30052 | Resolved an issue where the ION was not populating ARP responses on the WAN interface. |
Hotfix Release 6.3.6-b6
| Issue ID | Description |
|---|---|
| CGSDW-35903 | Resolved an issue in 6.3.6-b3 where the SNMP counters ifInOctets and ifOutOctets stalled, causing a bandwidth utilization update issue for customers. |
| CGSDW-35884 | Resolved an issue where the PPPoE manager in the element manager (emif) process leaked resources, including memory and goroutines. |
| CGSDW-35843 | Resolved a memory leak in the bwm_server process caused by a worker thread becoming stuck on a recv_msg system call. |
| CGSDW-35784 | Ported to 6.3.6 the fix for the SD-WAN element vulnerability concerning the deprecated SHA1 setting for SSH. |
| CGSDW-35761 | Ported to 6.3.6 the fix for an issue on ION 3200 devices where the admin status retrieved through snmpwalk was incorrect. |
| CGSDW-35701 | Resolved an issue where the LAN egress out route table entry was missing on the active ION after a switchover. |
| CGSDW-35622 | Resolved an issue where data traffic was leaving out of the controller port of the DC ION because the controller prefix was not getting updated with the core peer IP. |
| CGSDW-35415 | Resolved a memory leak in the multicast process observed during continuous multicast traffic and join requests. |
| CGSDW-34795 | Resolved an issue where the default VRF remained down following an HA failover or upgrade. |
| CGSDW-34214 | Validated support for vION on Alibaba Cloud. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.5
The following section lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.5 and various Hotfixes.
Release 6.3.5
| Issue ID | Description |
|---|---|
| CGSDW-33555 | Resolved an issue on PA-9000 Series Hub devices where the processes crashed repeatedly. |
| CGSDW-31958 | Resolved an issue on ION devices where virtual interfaces encountered buffer exhaustion. |
| CGSDW-31611 | Resolved a process crash in the init_lan_to_wan_direction function on ION 3200 devices. |
| CGSDW-28329 | Resolved an issue where the Backup-DC also advertised branch prefixes when the vyos peer flapped. |
| CGSDW-28214 | Resolved an issue where the interface connected via a bypass pair on ION2 went down when ION1 was powered down. |
| CGSDW-28049 | Resolved an issue where the dump-support all command did not capture syslog if there was a softlink. |
| CGSDW-28036 | Resolved an issue where the VPN OIDs changed with each polling request. |
| CGSDW-27728 | Resolved an issue where an fp-rte crash on 6.3.4-b2 led to an HA failover on HW 5200. |
| CGSDW-26686 | Resolved an issue where MSS clamping did not occur for a PPPoE interface with DPDK on 6.1.6. |
| CGSDW-27527 | Resolved an issue where the Fast Path CPU reached 100% utilization when processing custom AppMix traffic. |
| CGSDW-29116 | Resolved an issue where an fp-rte restart was seen when the applied FEC exceeded the maximum limit. |
| CGSDW-29042 | Resolved an issue where the LAN sub-interface on the passive ION sent ARPs, causing LAN disruption. |
| CGSDW-28712 | Resolved an ifspd issue involving unexpected end of data, along with other issues noted. |
| CGSDW-28187 | Resolved an issue where the ION did not initiate a SYN request over TCP 179 to establish BGP. |
| CGSDW-27498 | Resolved an issue where the default route was missing on sub-interfaces after the element was rebooted. |
| CGSDW-27462 | Resolved an issue where a flow was dropped after app reclassification. |
| CGSDW-27542 | Resolved an issue where BGP went down when ION1 was made active during MW. |
| CGSDW-27359 | Resolved an issue where global stats are missing when high app thresholds are configured. |
| CGSDW-27387 | Resolved an issue where traffic from Standard VPN was not routed to the branch through the transit DC. |
Hotfix Release 6.3.5-b13
| Issue ID | Description |
|---|---|
| CGSDW-33696 | Resolved an issue where environments with large LAN subnets experienced high CPU utilization, latency, and packet loss. |
| CGSDW-33608 | Resolved a memory leak in the data path thread that led to Flow Controller (FC) restarts. |
| CGSDW-33422 | Resolved an issue where the log-agent, device_cert, and arp-monitor services remained active even when Device-ID was not enabled. |
Hotfix Release 6.3.5-b12
| Issue ID | Description |
|---|---|
| CGSDW-33480 | Resolved an issue where the BGP TCP listen socket was incorrectly deleted on Spoke devices when a BGP view was removed. |
| CGSDW-33008 | Resolved an issue where the fast path routing engine (fp-rte) experienced memory leaks and fragmentation under heavy workloads. |
| CGSDW-32984 | Resolved an issue where the resourcemgmt service caused high CPU and memory consumption. |
Hotfix Release 6.3.5-b11
| Issue ID | Description |
|---|---|
| CGSDW-33040 | Resolved an issue where the controller interface failed to program the default gateway following a device upgrade or reboot. |
| CGSDW-32910 | Resolved an issue where traffic failed to pass through bypass pairs following an HA failover. |
| CGSDW-32542 | Resolved an issue on HUB devices where the system incorrectly generated lan/state entries for every site prefix added. |
| CGSDW-32648 | Resolved an issue where the emif process could enter a deadlock, triggering watchdog restarts and interface flaps. |
| CGSDW-32270 | Resolved an issue where the firewall adds 0.0.0.0 to DNS-based application maps. |
Hotfix Release 6.3.5-b9
| Issue ID | Description |
|---|---|
| CGSDW-31276 | Resolved an issue where the fast path routing engine (fp-rte) crashed at fp_nf_bulk_hook. |
Hotfix Release 6.3.5-b8
| Issue ID | Description |
|---|---|
| CGSDW-30481 | Resolved an issue on WASP and SCAM platforms where packets were being dropped and recorded as interface errors. |
| CGSDW-27990 | Resolved an issue where the Flow Controller (FC) experienced memory leaks due to JSON object management. |
| CGSDW-31065 | Resolved an issue where the CPU temperature was not displayed on the controller statistics page. |
| CGSDW-26319 | Resolved an issue where the fast path routing engine (fp-rte) crashed during high-traffic scenarios. |
| CGSDW-27805 | Resolved an issue where the SNMP agent was not responding when a higher number of VPN tunnels were monitored. |
Hotfix Release 6.3.5-b6
| Issue ID | Description |
|---|---|
| CGSDW-30052 | Resolved an issue where the ION was not populating ARP responses on the WAN interface. |
Hotfix Release 6.3.5-b5
| Issue ID | Description |
|---|---|
| CGSDW-28326 | Resolved an issue where IPv6 ping commands were unable to ping a VPN FIB host using the LAN interface IP. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.4
The following section lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.4 and various Hotfixes.
Release 6.3.4
| Issue ID | Description |
|---|---|
| CGSDW-22259 | Resolved an issue where SNMPv3 was not polling all interfaces on 9200s. |
| CGSDW-21320 | Resolved an issue where DHCP was unresponsive on the ION 1200 SVI until a config change or reboot. |
| CGSDW-21176 | Resolved an issue where a failed VLAN configuration was not recovered. |
| CGSDW-21115 | Resolved an issue where the FEC action was not displayed in FB for inbound (DC to branch) traffic. |
| CGSDW-20824 | Addressed flushing the IPsec SA for a service link if the service-link probe fails and times out. |
| CGSDW-26226 | Resolved an issue where the DC hub did not advertise a route with /25 to the core in certain scenarios. |
| CGSDW-26247 | Resolved an issue where an fc-monitor crash was seen in 9K with 6.3.4-a45. |
| CGSDW-24262 | Addressed selecting only the bestpath as the reachable route. |
| CGSDW-25738 | Fixed an issue in IPFIX socket connect. |
| CGSDW-22633 | Improved FC security policy build time and memory optimization. |
| CGSDW-25586 | Resolved an issue where GRE with FIPS mode was not working. |
| CGSDW-25152 | Resolved an issue where L3/L4 UDP apps were classified as unknown after a switchover. |
| CGSDW-24485 | Resolved an FC process restart on 6.1.6. |
| CGSDW-24482 | Resolved an issue where HMAC integrity was failing for the controller CA chain. |
| CGSDW-24269 | Resolved an issue where APP CUSTOM RULE CONFLICT (GOOGLE-MEET) was raised for a system app. |
| CGSDW-24112 | Resolved an issue where the HMAC integrity check was skipped for Python packages. |
| CGSDW-24400 | Resolved an issue where the UserID Agent crashed with IPv6 mapping. |
| CGSDW-24273 | Resolved an issue where shutting an interface did not remove the v6 default route from the FIB entry. |
| CGSDW-24099 | Resolved an issue where some interfaces lacked IP rule programming with 2K VRFs. |
| CGSDW-22072 | Addressed handling of an rtr_mgr_api memory increase. |
| CGSDW-20234 | Resolved an issue where a virtual interface was not passing traffic. |
| CGSDW-23395 | Resolved an issue where the backup ION lost controller connections intermittently after an upgrade. |
| CGSDW-19833 | Resolved T-Mobile 5G IPv6 connectivity issues. |
| CGSDW-23397 | Resolved an issue where the snmp_network_discovery service restarted every 1 hour. |
| CGSDW-22389 | Resolved an issue where removing the firewall did not stop the app probe for a public direct path. |
| CGSDW-23221 | Resolved an issue where the ionhwd process consumed high memory. |
| CGSDW-23098 | Resolved an issue where overlapping IPs were broken in VRF. |
| CGSDW-22700 | Resolved an issue where overlay dhcp-relay did not work with a custom VRF. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.3
The following section lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.3 and various Hotfixes.
Release 6.3.3
| Issue ID | Description |
|---|---|
| CGSDW-22192 | Resolved an issue where core.fp-rte failure occurred during abrupt traffic stops. |
| CGSDW-22281 | Resolved an issue where an app-probe crash was seen in a branch device. |
| CGSDW-21181 | Resolved an issue where vION needed support for AWS IMDSv2 for metadata. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.2
The following section lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.2 and various Hotfixes.
Release 6.3.2
| Issue ID | Description |
|---|---|
| CGSDW-20631 | Resolved an issue where log-agent failed to process all DHCP messages. |
| CGSDW-21868 | Resolved an issue where outbound SSH6 connections were not functioning correctly. |
| CGSDW-21580 | Resolved an issue where backup IONs were unable to establish connection to the controller. |
| CGSDW-21836 | Resolved an issue where SVI VRF creation failed if the name exceeded 9 characters. |
| CGSDW-21116 | Resolved an issue where outbound SSH was not supported on controller interfaces. |
| CGSDW-21607 | Resolved an issue where sequencing of VRF and interface config caused setup errors. |
| CGSDW-21698 | Resolved an issue where static ARP entries were not added correctly during config updates. |
| CGSDW-21300 | Resolved an issue where DHCP server failed with same subnet controller/LAN ports. |
| CGSDW-19628 | Resolved an issue where return traffic from Hub to Branch was invisible in Flow Browser. |
| CGSDW-21381 | Resolved an issue where unused App-ID element memory was not released. |
| CGSDW-21025 | Resolved an issue where service link path was incorrectly cached post-detachment. |
| CGSDW-20241 | Resolved an issue where ICMP traffic experienced packet loss in non-default VRFs. |
| CGSDW-20382 | Addressed security vulnerabilities in OpenSSH (CVE-2023-51385). |
| CGSDW-19542 | Ensured ION devices are protected against SSH Terrapin attacks. |
| CGSDW-21088 | Resolved an issue where static ARP entries were incorrectly applied to standby devices. |
| CGSDW-17904 | Resolved an issue where interface status command failed to display link modes. |
| CGSDW-20864 | Resolved an issue where leaked VPN prefixes were incorrectly removed on the Hub device. |
| CGSDW-20807 | Resolved an issue where VPN forwarding entries for global VRF were invisible post-upgrade. |
| CGSDW-20649 | Resolved a memory leak in the SNMP daemon process. |
| CGSDW-20671 | Resolved false RADIUS server unreachable incidents. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.1
The following section lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.1 and various Hotfixes.
Release 6.3.1
| Issue ID | Description |
|---|---|
| CGSDW-17886 | Resolved an issue where traffic failed to flow correctly over service links. |
| CGSDW-16932 | Resolved an issue where the Zoom Phone application definition was missing required prefixes. |
| CGSDW-16269 | Resolved fragment reassembly performance issues. |
| CGSDW-21512 | Resolved inconsistent bypass pair latch behavior during power-off. |
| CGSDW-21119 | Resolved bypass ports remaining in bypass mode after device declaim. |
| CGSDW-19674 | Resolved memory corruption in DPDK mempools. |
| CGSDW-16172 | Resolved ZBFW treatment inconsistency for LAN traffic. |
| CGSDW-19778 | Resolved remote access process restarts during active sessions. |
| CGSDW-19466 | Resolved slow device-to-controller connection establishment post-reboot. |
| CGSDW-15212 | Resolved virtual interface traffic failures on specific ION models. |
| CGSDW-18816 | Resolved missing interface gateway IPs due to flapping post-upgrade. |
| CGSDW-18954 | Resolved IPFIX issues with controller interface source. |
| CGSDW-15661 | Resolved memory leak in VPN process during ZeroMQ operations. |
| CGSDW-15258 | Resolved intermittent offline status due to FC restarts. |
| CGSDW-15201 | Resolved zero value display for ingress bandwidth utilization. |
| CGSDW-14766 | Resolved stale BGP config persistence after peer deletion. |