>
    Strata Copilot
    Addressed Issues in Prisma SD-WAN ION Release 6.5
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN ION Device Release 6.5
    4. Addressed Issues in Prisma SD-WAN ION Release 6.5
    Download PDF
    Prisma SD-WAN

    Addressed Issues in Prisma SD-WAN ION Release 6.5

    Table of Contents

    Addressed Issues in Prisma SD-WAN ION Release 6.5

    Learn about the issues addressed in Prisma SD-WAN ION releases.
    Learn about the issues addressed in Prisma SD-WAN ION device release 6.5.
    Ensure you select the appropriate build version that aligns with your main release train. If you're looking to download the latest build for a specific release version and it is not available in your system, please contact Palo Alto Networks Support to request access or assistance.

    Addressed Issues in Prisma SD-WAN ION Device Release 6.5.3

    The following table lists the issues addressed in Prisma SD-WAN ION device release 6.5.3.
    Issue IDDescription
    CGSDW-27822Resolved an issue where global prefix advertisements were set to "None" when local BGP configurations were present. This occurred due to incorrect data handling during global configuration updates. The system now correctly preserves advertisement settings during BGP global updates.
    CGSDW-36948Resolved an issue on Gen2 platforms with UFC ports where static route-reachability probes failed due to an internal binding error.
    CGSDW-36431Resolved an issue where an invalid configuration from the controller caused the fwmgr process to restart and prevented backup ION devices from connecting to the controller.
    CGSDW-36419Resolved an issue where the rtr_mgr_api process unexpectedly restarted due to memory corruption within the Python regex library.
    CGSDW-36417Resolved an issue where the firewall dropped TCP packets when out-of-order packets exceeded the threshold and buffering reached per-flow or per-thread limits. The firewall now forwards these packets instead of dropping them.
    CGSDW-36302Resolved an issue on ION 3200 appliances in L2 mode where low packet buffer (mbuf) allocation caused system timeouts. This occurred because the buffer reservation logic for virtual interfaces exceeded available memory when supporting multiple Switch Virtual Interfaces (SVI).
    CGSDW-36098Resolved an issue where hard or soft resets for BGP peers failed when initiated from the controller web interface due to stale entries.
    CGSDW-36058Resolved an issue where TACACS authentication failed due to a memory leak in the authentication process (authd). This leak occurred over time based on the volume of authentication requests and prevented users from logging in.
    CGSDW-35936Resolved an issue in data center clusters where dual ION devices incorrectly continued to advertise prefixes from a secondary branch site after the primary branch site route was restored. This occurred because routes learned from the secondary branch were not withdrawn following primary path recovery.
    CGSDW-35596Resolved an issue on Data Center ION (DC ION) devices where internal routing rules were not correctly programmed after toggling the site state. When the site state changed from disabled to active or control, interface-based rules failed to recreate, preventing proper traffic handling across interfaces.
    CGSDW-33885Resolved an issue where successful SSH authentications incorrectly generated authentication failure logs. This was caused by an internal configuration setting that triggered false-positive error messages during the login process.
    CGSDW-31501Resolved an issue on ION 3200 series devices where the default gateway was not configured for ISP interfaces following an unclaim operation and subsequent configuration updates. This was caused by an internal logic error that failed to correctly process interface settings when the device role was not explicitly defined.
    CGSDW-30788Resolved an issue where multiple processes restarted and disrupted production traffic. This occurred when LAN asymmetry and Zone-Based Firewall (ZBFW) caused blocked flows to reach the PP_2 process.
    CGSDW-30052Resolved an issue where ION devices stopped responding to ARP requests on WAN interfaces. This was caused by an internal transmit queue becoming unresponsive after encountering a malformed packet, which prevented the processing of subsequent network traffic.
    CGSDW-16922Resolved an issue where ION devices unexpectedly crashed during a reboot or software upgrade due to a startup timing conflict. The service initialization logic has been updated to ensure the data plane is fully ready before processing commands.
    CGSDW-35622Resolved an issue where data traffic incorrectly egressed the DC ION device via the controller port.
    CGSDW-35111Resolved an issue where the RX/TX statistics displayed in the UI sometimes showed values higher than the maximum interface link speed.
    CGSDW-33282Resolved an issue where the system failed to automatically archive the /log/syslog directory following a process crash or device reboot.
    CGSDW-32858Resolved an issue where multi-hop BGP learnt routes on the DC device were not re-distributed to the Branch. This omission occurred because the system failed to correctly resolve the BGP next-hop via the default route.
    CGSDW-32105Resolved an issue where the interface address flapped, which caused instability in BGP, VPN, and HA connections.
    CGSDW-30565Resolved an issue where traffic was lost after a VPN switchover was triggered on the Spoke device. This occurred because the system failed to update the bridge vector with the new WAN interface details, causing traffic to be forwarded to the old, down VPN interface.
    CGSDW-30073Resolved an issue that caused the event_forward process to repeatedly restart on the ION device. This occurred due to a technical incompatibility in the system's priority queue handling following the Python upgrade.
    CGSDW-30067Resolved an issue that caused the dpdk-ctrl-port process to crash on the ION device operating in L2 mode.

    Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.3-b16

    The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.3-b16.
    Issue IDDescription
    CGSDW-35803Added the latest ADEM package to device software version 6.5.3-b16.

    Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.3-b15

    The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.3-b15.
    Issue IDDescription
    CGSDW-38328Resolved an issue in validating the certificates.
    CGSDW-38592Resolved an issue in IPv6 packet handling.

    Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.3-b11

    The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.3-b11.
    Issue IDDescription
    CGSDW-37749
    Resolved an issue where the fc and ifspd processes could restart due to a rare timing conflict within the QoS module's interface handling logic during VPN updates. The control plane logic has been improved to manage VPN update operations correctly, eliminating the timing issue and preventing potential fc crashes.

    Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.3-i-b10

    The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.3-i-b10.
    Issue IDDescription
    CGSDW-38328Resolved an issue in validating the certificates.
    CGSDW-38592Resolved an issue in IPv6 packet handling.
    CGSDW-35803Added the latest ADEM package to device software version 6.5.3-i-b10.

    Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.3-b9

    The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.3-b9.
    Issue IDDescription
    CGSDW-37825Resolved an issue where global prefixes advertised into Prisma SD-WAN were not advertised to spoke locations with BGP configured following an upgrade from 6.5.2-b7 to 6.5.3-b5. This occurred because the installation of all prefixes was incorrectly blocked when two peers were configured in the same view or VRF.
    CGSDW-36362Resolved an issue where the system randomly identified Layer 7 (L7) custom applications as SSL despite an existing application-map cache. This occurred because the application engine sent SSL updates to the Flow Controller (FC) that overrode destination IP and port mappings.
    CGSDW-32907Resolved an issue where the MRL service became unresponsive without generating log activity or system cores. This occurred when a critical background thread encountered an exception and terminated without being automatically restarted. The system now includes a monitoring thread to track the health of critical MRL threads and restarts the service if a failure is detected.
    CGSDW-37218Resolved an issue where ION 9200 and 5200 Hub devices dropped packets with a size of 1468 bytes. This occurred because the Maximum Receive Unit (MRU) on sub-interfaces was insufficient for packets with double VLAN tags. The system now supports a minimum MRU of 1526 to account for two VLAN tags and CRC.

    Addressed Issues in Prisma SD-WAN ION Device Hotfix Release 6.5.2-b7

    The following table lists the issues addressed in Prisma SD-WAN ION device hotfix release 6.5.2-b7.
    Issue IDDescription
    CGSDW-35066Resolved an issue where the system did not apply the mandatory RekeyLimit requirement for SSH sessions in FIPS mode.
    CGSDW-34931Resolved an issue where BGP sessions configured over the Service Link closed when the link flapped.
    CGSDW-34901Resolved an issue where the MIC/MAC process crashed when receiving an invalid or incomplete response from the cloud or internal bootstrap service.
    CGSDW-34799Resolved an issue where the connected route for the control interface was not leaked correctly.
    CGSDW-34798Resolved an issue where the distribution of leaked branch prefixes was not handled correctly in the hub device after an High Availability (HA) failover occurred.
    CGSDW-34797Resolved an issue where leaked WAN path prefixes were advertised to the core router through the backup hub.
    CGSDW-34768Resolved an issue where SD-WAN fabric traffic blackholed on a spoke device after a VPN switchover.
    CGSDW-34457Resolved an issue where the ifspd process crashed during overnight traffic testing.
    CGSDW-34413Resolved an issue where the device's SSH algorithms did not fully comply with the FIPS-CC Protection Profile.
    CGSDW-34408Resolved an issue where the GCM algorithm was not accepted for standard IPsec tunnels when the device ran in FIPS mode.
    CGSDW-34180Resolved an issue where OCSP requests contained invalid and duplicate HTTP frames.
    CGSDW-33993Resolved an issue where the data path thread experienced a memory leak, causing the FC process to restart.
    CGSDW-33102Resolved an issue where the CLI became stuck and SSH failed when running regression scripts.
    CGSDW-33096Resolved an issue where multiple ifspd cores were observed on ION devices.
    CGSDW-33093Resolved an issue where BGP sessions did not establish in a VRF instance.
    CGSDW-33066Resolved an issue where the Controller interface did not program the default gateway on the device after an upgrade or reboot.
    CGSDW-32818Resolved an issue where the Blobfish process crashed when you initiated a remote access operation from the controller.
    CGSDW-32694Resolved an issue where the event forward process restarted on the ION device.
    CGSDW-32627Resolved an issue where the MAC address showed as "None" in the controller portal for an ION device onboarded via bootstrapping.
    CGSDW-32560Resolved an issue where the ION device did not populate ARP responses on the WAN interface.
    CGSDW-32517Resolved an issue where the unknown unicast filter did not apply correctly to switch port 0 (front panel port 1) when configuring a Link Aggregation Group (LAG) on the ION device.
    CGSDW-32510Resolved an issue where the Forwarding Plane process crashed while removing an application path prefix from a hash table.
    CGSDW-32487Resolved an issue where the system incorrectly applied VRF configuration on the ION device.
    CGSDW-32464Resolved an issue where sensitive private key information was exposed in the Remote Access logs.
    CGSDW-32297Resolved an issue where Syslog Flow Export did not work when flow logging was enabled in the configuration.
    CGSDW-32267Resolved an issue where the Element Manager process restarted on ION 1200 devices. This issue occurred when the system logged controller connection status with a null hostname.
    CGSDW-32019Resolved an issue where daemon logs filled continuously after a logging error occurred. This excessive logging resulted from a loop in the logging process where an initial error message repeatedly triggered new error messages.
    CGSDW-31654Resolved an issue where the Flow Control (FC) process crashed at an internal system function (pan_sml_vm_set_field_flag).
    CGSDW-31613Resolved an issue where the system failed to claim a device due to a MIC/MAC failure.
    CGSDW-31151Resolved an issue where the system failed to establish a Syslog server connection when the User-to-Firewall Connectivity (UFC) interface was specified as the source interface.
    CGSDW-31117Resolved an issue where Secure Fabric tunnels did not re-establish between Branch Gateway (BG) locations following an HA failover.
    CGSDW-30950Resolved an issue where the system displayed an internal exception during WAN path updates or deletions due to a timing conflict.
    CGSDW-30863Resolved an issue where an exception appeared in daemon logs for the wpa_bw_check program. This exception resulted from a Python 2 to Python 3 conversion error.
    CGSDW-30773Resolved an issue where the device did not connect back after successful bootstrap.
    CGSDW-30461Resolved an issue where the FP-RTE process experienced increasing memory consumption and leakage due to an inefficient memory allocator.
    CGSDW-28274Resolved an issue where the dump interface config or dump interface status CLI commands did not show the associated physical interface information for Layer 3 (L3) Loopback interfaces.

    Addressed Issues in Prisma SD-WAN ION Device Release 6.5.2

    The following table lists the issues addressed in Prisma SD-WAN ION device release 6.5.2.
    Issue IDDescription
    CGSDW-30242Resolved an issue where the ION device sometimes displayed an internal reboot code (code: 0x08) with the reason Unknown after an unexpected shutdown.
    CGSDW-30125Resolved an issue where the ION device failed to apply a DNS caching size of 0. This prevented administrators from disabling the DNS cache functionality through configuration.
    CGSDW-30053Resolved an issue where the Active ION device's controller interface could not reach certain IP addresses.
    CGSDW-29793Resolved an issue where the ION device incorrectly created two separate flows for traffic passing through a GRE tunnel.
    CGSDW-29207Resolved an issue where the ION device incorrectly created application probes for WAN-to-WAN initiation failure flows. The system wrongly populated the probe's destination port using the flow's source port, resulting in the creation of many unnecessary probes for the same destination.
    CGSDW-28326Resolved an issue where IPv6 ping commands failed to reach a VPN Forwarding Information Base (FIB) host when using the LAN interface IP address as the source IP address on the ION device.
    CGSDW-29793Resolved an issue where two separate flows were created on the spoke device for traffic passing through a GRE tunnel.
    CGSDW-27990Resolved an issue involving memory leaks in the Flow Collector (FC) related to Redis notifications.
    CGSDW-30125Resolved an issue where a value of zero entered for Cache Size in the DNS profile from the web interface was not being pushed to the ION device.
    CGSDW-29207Resolved an issue for WAN to WAN flow failures in Branch Gateway sites, where the app probe entries were being created with the flow's source port as the probe destination port.
    CGSDW-27805Resolved an issue of the SNMP agent not responding for a higher number of VPN tunnels.

    Addressed Issues in Prisma SD-WAN ION Device Release 6.5.1

    The following table lists the issues addressed in Prisma SD-WAN ION device release 6.5.1.
    Issue IDDescription
    CGSDW-29207Resolved an issue where the ION device incorrectly created application probes for WAN-to-WAN initiation failure flows. The system wrongly populated the probe's destination port using the flow's source port, resulting in the creation of many unnecessary probes for the same destination.
    CGSDW-28697Resolved an issue where the ION device incorrectly created two flows instead of one for traffic in scenarios involving route leaking with a Service Link (SL) and a Custom Virtual Routing and Forwarding (VRF).
    CGSDW-28458Resolved an issue where the ION device stopped passing traffic after raising the DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED alarm.
    CGSDW-28329Resolved an issue where the backup-DC ION device incorrectly advertised branch prefixes when a core-facing BGP peer flapped.
    CGSDW-28214Resolved an issue where the standalone interface on the standby ION device went down when the active ION device was powered down.
    CGSDW-28187Resolved an issue where the ION device failed to initiate a SYN request over TCP port 179 to establish BGP with its peer after a reboot.
    CGSDW-28049Resolved an issue where the dump-support and dump-support all commands failed to capture the system logs and core dumps on the ION device.
    CGSDW-28036Resolved an issue where VPN OIDs changed with every polling request on the ION device.
    CGSDW-27728Resolved an issue that caused the fp-rte process to crash on the ION device, leading to an immediate High Availability (HA) failover.
    CGSDW-27588Resolved an issue where the Performance Policy Alarm failed to display the complete WAN interface information. This occurred because the ION device did not translate the WAN interface ID to its corresponding name when the name was initially empty.
    CGSDW-27542Resolved an issue where BGP failed to establish connectivity after the ION device transitioned to the High Availability (HA) active state. This occurred because the ION device incorrectly processed BGP configuration messages while in standby mode.
    CGSDW-27498Resolved an issue where the default route was missing on subinterfaces after the ION device rebooted. This issue affected virtual interfaces created on specific ports where subinterfaces were then configured on those virtual ports.
    CGSDW-27359Resolved an issue where application and TCPP global statistics were missing when a high number of application thresholds (50 or more) were configured. This scale issue occurred because the ION device failed to send statistics in a timely manner, causing the data to arrive out of order and resulting in the loss of both types of statistics.
    CGSDW-25254Resolved an issue where a memory buffer (mbuffer) leak was observed in Branch Gateway ION devices. When memory became exhausted, this leak caused VPN disconnections and the loss of connection to the controller.
    CGSDW-23739Resolved an issue where the ION device continued to generate and observe application probe flows even after the feature was disabled in the user interface. The fix ensures that flow observation and generation cease immediately after the feature is disabled.
    CGSDW-22911Resolved an issue that caused the fp-rte process to crash on the ION device when QoS was enabled for UDP traffic on a WAN-to-LAN flow. This failure was due to a timing issue that occurred when one of multiple existing VPNs flapped. The crash happened because packets in the ingress QoS pipeline incorrectly referenced a deallocated structure. The fix ensures that the QoS pipeline safely handles VPN state changes.
    CGSDW-30550Resolved an issue where a memory leak or continuous memory increase was observed in the fp-rte process
    CGSDW-29207Resolved an issue for WAN to WAN flow failures in Branch Gateway sites, where the app probe entries were being created with the flow's source port as the probe destination port.
    CGSDW-28697Resolved an issue where two flows were being created for a VPN tunnel with global VRF configured.
    CGSDW-28458Resolved an issue where the ION Device was not passing traffic after the DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED alarm was generated.
    CGSDW-28329Resolved an issue where a backup DC ION device continued to advertise branch prefixes after a BGP reset.
    CGSDW-28214Resolved an issue wherein a stand-alone interface of the backup ION device connected via a bypass configuration to the active ION went down, when the active ION device was powered down.
    CGSDW-28187Resolved an issue where BGP was not being reestablished after a device reboot.
    CGSDW-28049Resolved an issue where the dump-support output and dump-support all commands did not capture the syslogs in the ION 9000 platform, if there was a soft link.
    CGSDW-28036Resolved an issue where the VPN Object Identifiers were changing for every polling request.
    CGSDW-27827Resolved an issue where event logs and SNMP alerts were triggered opposite to the action on the web interface.
    CGSDW-27728Resolved an issue where the fp-rte process was crashing on an upgrade to software version 6.3.4.
    CGSDW-27697Resolved an issue where statistics were not displayed due to memory issues.
    CGSDW-27588Resolved an issue where the WAN Interface was displaying the ID instead of the name on the web interface.
    CGSDW-27542Resolved an issue where the BGP was going down on the active ION device after an HA switchover after upgrading the software version to 6.3.4.
    CGSDW-27498Resolved an issue where the default route was missing on sub-interfaces after a device reboot.
    CGSDW-27241After enabling logs for the flow controller, the logs are not rolling over correctly, thus using up all the space in the log directory.
    CGSDW-27359Resolved an issue of missing application statistics, when a higher number of application performance SLA thresholds were configured.
    CGSDW-25658Resolved an issue of the fp-rte process restarting which was leading to HA failover and instability of the device.
    CGSDW-25152Resolved an issue where custom L3/L4 applications were not being detected properly for UDP traffic after an HA switchover.
    CGSDW-23881Resolved an issue for a potential DDoS vulnerability wherein the flows now time out correctly.
    CGSDW-19357When a DC ION receives routes for a /32 prefix from both the underlay and overlay, the DC ION tries to split the route and thus the BGP route selection process fails.
    CGSDW-19117Resolved an issue where the LQM session wasn't get reestablished after a vpnd process crash.

    © 2026 Palo Alto Networks, Inc. All rights reserved.