>
    Known Issues in Prisma SD-WAN ION Releases
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN ION Device Release 6.5
    4. Known Issues in Prisma SD-WAN ION Releases
    Download PDF
    Prisma SD-WAN

    Known Issues in Prisma SD-WAN ION Releases

    Table of Contents

    Known Issues in Prisma SD-WAN ION Releases

    Learn about the known issues in Prisma SD-WAN ION Releases.
    This table lists known issues across Prisma SD-WAN ION releases. Starting with 6.5.0 release, a separate Known Issues document will no longer be published. Refer to this document for 6.5.0 and any supported release.
    Releases marked with an asterisk (*) have reached End-of-Life (EoL). Review the hardware and software End-of-Life (EoL) information for products and releases that have reached End-of-Life (EoL) status.
    Issue IDDescriptionKnown in Release/(s)
    CGSDW-34273A memory leak has been identified in the cgnxinfra process. The leak is triggered by a continuous flap in the controller connection, which is often caused by frequent WebSocket disconnections. This issue can lead to an Out of Memory (OOM) event and may cause the device to reboot.6.3.6
    CGSDW-34254A crash in the hitflagsd process has been observed on devices in L2 mode. The crash is triggered by a large number of continuous VPN flaps, which causes a timing issue in a datapath backend process.6.3.6
    CGSDW-34106After an HA switchover, VPNs configured over bypass ports take longer than expected to reestablish connectivity. This issue is observed on devices with a large number of interfaces, resulting in temporary VPN downtime and traffic loss.6.3.6
    CGSDW-33728A memory leak exists in the deprecated NetFlow extension API when configured on a device. This can lead to the device running out of available memory under high-stress conditions, causing it to reboot.6.3.6
    CGSDW-33555The dpdk-ctrl-port process on devices may crash due to a timing issue during device initialization after a reboot or upgrade. This can delay the initial bootup process and prevent interfaces from coming back up.6.3.6
    CGSDW-33506A crash in the fc-monitor process has been observed on devices after a version upgrade. This is triggered by a corrupted packet that causes a failure in the QAT library during packet handling.6.3.6
    CGSDW-31611The fp-rte process may crash due to a timing issue during device initialization after a reboot or upgrade. The crash results in traffic loss and a delay in the device's bootup process.6.4.2, 6.3.6
    CGSDW-16922The fp-rte process may crash during device initialization after a version upgrade. The crash, which occurs in the port receiver function, is caused by a timing issue with interface and packet handling on devices with a large number of sub-interfaces and can lead to a delay in the initial boot up process.6.4.1, 6.1.5, 6.1.10, 6.1.11, 6.3.6
    CGSDW-33282After any process crash or ION device reboot, the system fails to zip and save the logs directory, leading to unmanaged log accumulation.6.3.5, 6.3.4, 6.3.3
    CGSDW-33237After upgrading to ION device 6.x with DPDK, higher control plane latency is observed, primarily because deeper Rx MAC and Intercore FIFOs introduce head-of-line blocking, particularly impacting applications during high-rate scan traffic.6.5.2, 6.5.1, 6.3.5, 6.3.4, 6.3.3, 6.1.11
    CGSDW-32621After upgrading from 6.1.x to 6.3.5-b4, standby ION devices are losing connectivity to the controller because a local route entry for the LAN-IP, sharing the same subnet as the controller interface gateway, prevents packets from being locally terminated on the standby device.6.3.5, 6.3.4, 6.3.3
    CGSDW-32177After debug logging and filters are enabled, they are not disabled, leading to critical issues and customer outages.6.3.5, 6.3.4, 6.3.3
    CGSDW-31958After upgrading to 6.3.5-b4, Virtual Interfaces are experiencing "recvmsg() No buffer space Available" and "fp_drain_exec Resource temporarily unavailable" errors, leading to connectivity loss on ION devices, specifically observed with VPN and HA communication failures, which resulted in a split-brain scenario.6.3.5, 6.3.4, 6.3.3
    CGSDW-31862After an fp-rte process crash on 6.3.5-b4, a three-minute split-brain scenario occurrs because the HAM process waits for the fp-rte core dump creation to complete, leading to customer traffic impact.6.3.5, 6.3.4, 6.3.3
    CGSDW-31861After configuring enterprise DNS servers on the controller interface, app-probes are being sent relentlessly, leading to continuous CPU spikes and packet drops on lower-end devices, indicating a need for a timeout or limit on probe frequency until a genuine client DNS request fails.6.3.5, 6.3.4, 6.3.3
    CGSDW-31654
    This issue is resolved in ION version 6.4.2-b16.
    		FC crashes at pan_sml_vm_set_field_flag() within the ml7 library.6.5.2, 6.5.1, 6.4.1
    CGSDW-30788fp-rte corefile is generated in asymmetric LAN flow with specific policy.6.5.2, 6.5.1, 6.4.2
    CGSDW-30747After adding or removing Prisma Access tags from site configurations, or removing circuit tags from physical interfaces, the charon process restarts, unexpectedly triggering an HA switchover, which disrupts customer operations, particularly when rebuilding PA tunnels or migrating branches between regions.6.5.2, 6.5.1, 6.4.2, 6.3.5, 6.3.4, 6.3.3, 6.1.11
    CGSDW-30067After deploying ION 3200s in L2 mode on 6.3.4-b2, core.dpdk-ctrl-port issues are observed at ixgbe_dev_clear_queues, indicating a problem with DPDK control plane operations on the device.6.3.5, 6.3.4, 6.3.3
    CGSDW-29960If overlapping IP addresses are configured on a branch site, syslogs are not visible on the DC ION.6.5.2 6.5.1
    CGSDW-29923The SNMPWALK command from the DC server does not work if overlapping IP addresses are configured on the branch site.6.5.2 6.5.1
    CGSDW-27527After experiencing fast path CPU utilization at 100%, device performance degrades for active sessions, exhibiting high latency followed by complete traffic loss and a forwarding system outage, as seen with custom AppMix traffic which recovers only after a device reboot.6.4.2, 6.3.3, 6.3.4
    CGSDW-27241
    This issue is resolved in ION version 6.4.2.
    		After enabling logs for the flow controller, the logs are not rolling over correctly, thus using up all the space in the log directory.6.4.2
    CGSDW-26342Prefixes received from a DC on the WAN path are being distributed back to the DC via the Standard VPN path causing a traffic loop. The workaround is to configure a prefix list which explicitly denies the prefixes coming from the DC on the Standard VPN.6.5.2 6.5.1
    CGSDW-26096A standby DC ION in a DC cluster does not forward the received traffic on the intra-cluster tunnel. 6.5.2 6.5.1
    CGSDW-24973
    This issue is resolved in ION version 6.4.1.
    		Some advertised prefixes are not displayed for a DC ION device after changing the site mode from Control to Disabled and then back to Control.6.4.1
    CGSDW-23582OSPF routes are still advertised to the core BGP router even when the WAN paths for OSPF are deleted.6.4.1
    CGSDW-23395
    This issue is resolved in ION version 6.3.4.
    		After upgrading to device software version 6.3.2-b5, the backup ION device continues to attempt to establish a connection with the controller. If controller port of the device next hop is pointing to ION device LAN interface then use the following workaround for this issue:
    • On the active device, add a static arp entry on the LAN interface which points to the controller interface IP address of the backup device.
    • On the backup device, add a static arp entry on the LAN interface which points to the controller interface IP address of the active device.
    		6.3.2
    CGSDW-22659
    This issue is resolved in ION version 6.4.2.
    		The system does not display the correct interface speed for interfaces where no link is detected, i.e. when the operational status is down.6.1.10
    CGSDW-21451
    This issue is resolved in ION version 6.4.1.
    		After being assigned to a site, the ION device does not receive the VRF context in time. This causes incorrect mapping between interfaces and VRFs.6.3.1
    CGSDW-21409
    This issue is resolved in ION version 6.4.1.
    		FC crashes when many app-map entries are being created, modified, or deleted in parallel. Resolved an issue where the FC was crashing when many app-map entries were being created, modified, or deleted in parallel.
    CGSDW-20864
    This issue is resolved in ION version 6.4.1.
    		If the only prefix of a VRF at a branch site is deleted, then the entries leaked to the DC site for the specific VRF are also deleted. The workaround is to configure at least one dummy global prefix for the VRF at the branch site.6.3.1
    CGSDW-20671
    This issue is resolved in ION version 6.3.2.
    		Incidents related to RADIUS server are raised even when a RADIUS server is not configured.6.3.1
    CGSDW-20649The SNMP daemon process was slowly consuming the memory in the ION device suggesting a possible memory leak.6.3.1
    CGSDW-19707
    This issue is resolved in ION version 6.1.7.
    		The Standard VPN path is not displayed in the list of paths when configured through easy onboarding.6.1.6
    CGSDW-19357
    This issue is resolved in ION version 6.5.1.
    		When a DC ION receives routes for a /32 prefix from both the underlay and overlay, the DC ION tries to split the route and thus the BGP route selection process fails.6.1.9, 6.1.8, 6.1.7, 6.1.6
    CGSDW-19237
    This issue is resolved in ION version 6.1.7.
    		FC crashes due to stack corruption in ION 5200.6.1.
    CGSDW-18905First flow of direct VNC traffic gets denied as the server port in the ION app-def is 0-0.6.1.9, 6.1.8, 6.1.7, 6.1.6
    CGSDW-16031
    This issue is resolved in ION version 6.1.5.
    		There is a delay in bringing down the BGP peer of a data center ION device when the remote end of the interface is shut down.6.1.4
    CGSDW-16005
    This issue is resolved in ION version 6.1.5.
    		Resolved an issue where the app-engine was crashing on an ION 2000 device during continuous traffic flow.6.1.4
    CGSDW-15988
    This issue is resolved in ION version 6.1.5.
    		On upgrading the device software, a parent interface with more than 20 subinterfaces flaps, resulting in flapping of the IP addresses of the subinterfaces.6.1.4
    CGSDW-15970
    This issue is resolved in ION version 6.1.5.
    		When rebooting the active device in an HA configuration on the 2000 platform, the bypass pair of the active device does not pass traffic during reload.6.1.4
    CGSDW-15967
    This issue is resolved in ION version 6.3.2 and 6.1.7.
    		High memory consumption by the ADEM process causes ION device reboot.
    CGSDW-15868
    This issue is resolved in ION version 6.1.5.
    		Resolved an issue wherein high memory consumption by the ADEM process was causing other processes to crash and device to reboot.6.1.4
    CGSDW-15257
    This issue is resolved in ION version 6.1.5.
    		Resolved an issue wherein previously reachable prefixes from a DC ION device became unreachable after upgrading the device software to version 6.1.2.6.1.4
    CGSDW-15027
    This issue is closed.
    		Incorrect SNMP interface bandwidth reported after a software upgrade from ION device version 5.6.6.3.2, 6.1.6
    CGSDW-14980
    This issue is resolved in ION version 6.1.4.
    		Custom applications with L3/L4 prefixes are not detected when used in security policies.6.1.3
    CGSDW-14456The fp-rte process crashes when fetching information on security policy counters and app stats.6.1.3
    CGSDW-14432
    This issue is resolved in ION version 6.2.2 and 6.1.6.
    		The fp-rte process crashes when fetching information on security policy counters and app stats.6.1.5, 6.1.4, 6.1.1
    CGSDW-14344
    This issue is resolved in ION version 6.1.3 and 6.2.2.
    		FC process crashes when traffic is initiated on an idle ION device.6.2.1
    CGSDW-13397
    This issue is resolved in ION version 6.1.6.
    		Core files seen during TCP SYN scan which is using up memory and causing FC to crash.
    CGSDW-12733
    This issue is resolved in ION version 6.4.1.
    		DPD with IKEv2 on Standard VPN does not bring the tunnel down based on the configuration on the DPD timer.6.1.3
    CGSDW-12698
    This issue is resolved in ION version 6.1.5.
    		Network reachability for WAN to LAN traffic failing for non-CGNX sites.6.1.3, 6.1.1
    CGSDW-12113Branch backup ION device displays as partially online following Hood maintenance.6.1.3
    CGSDW-10819
    This issue is resolved in ION version 6.0.3*, 6.1.2, and 6.1.1.
    		On Prisma SD-WAN switching platforms, multicast packets, such as an LLDP packet, received on one interface of a bypass pair will loop between the two interfaces of the bypass pair. The workaround is to upgrade the device to version 6.1.2 or higher.6.1.1
    CGSDW-8389
    This issue is resolved in ION version 6.1.1.
    		Prisma Access tunnels configured manually will not support ADEM.6.1.1
    CGSDW-7806
    This issue is resolved in ION version 6.1.9.
    		The DHCP Relay chooses the secondary IP address instead of the primary IP address for sending a DHCP request.5.6.1
    CGSDW-3440After an NTP time update or manual system time change, SCM fails to poll for stats from services.5.6.13

    © 2025 Palo Alto Networks, Inc. All rights reserved.