Prisma SD-WAN
Addressed Issues in Prisma SD-WAN ION Release 6.3
Learn about the issues addressed in Prisma SD-WAN ION release
6.3.x.
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.6
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.5
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.4
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.3
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.2
- Addressed Issues in Prisma SD-WAN ION Device Release 6.3.1
To view the consolidated list of addressed issues across Prisma SD-WAN ION releases, see here.
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.6
The following table lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.6.
Issue ID | Description |
---|---|
CGSDW-33282 | Resolved an issue where the system would fail to archive and save the logs directory after a process crash or device reboot. |
CGSDW-33237 | Resolved an issue where control plane traffic, such as VPN Keepalive and LQM packets, was getting dropped. This occurred due to Rx overruns during periods of high DPDK CPU utilization. |
CGSDW-33141 | Resolved an issue where transit traffic destined for UDP ports 67, 68, or 69 was not being forwarded by the ION data center device to the core network, as it was being incorrectly sent to the kernel instead. |
CGSDW-32621 | Resolved an issue where Standby ION devices were losing connectivity to the controller after an upgrade from software version 6.1.x to 6.3.5-b4, which was caused by an incorrect local route entry preventing packets from being forwarded. |
CGSDW-32551 | Resolved an issue where the App-engine daemon would crash with a "slice bounds out of range" error. |
CGSDW-32172 | Resolved an issue where legitimate DIA (Direct Internet Access) traffic caused DPDK cores to be overutilized, resulting in high latency and device unresponsiveness due to deep internal packet queues. |
CGSDW-32105 | Resolved an issue where interface address flapping caused BGP, VPN, and HA connections to fail. This was due to a logic error that caused the system to incorrectly update the interface's IP address (often to a null value) in certain conditions, such as with a large number of VPN interfaces. |
CGSDW-32075 | Resolved an issue where stale route entries caused traffic blackholing after a service link tunnel went down. The fix ensures a route reconciliation is triggered to remove the stale entries. |
CGSDW-32037 | Resolved an issue where scan traffic was causing devices to crash or reboot due to memory exhaustion in the fp-rte process. The fix implements safeguards to properly throttle and handle this type of traffic to prevent crashes and resource overutilization. |
CGSDW-31959 | Resolved an issue where the app-engine daemon crashed with a nil pointer dereference in software version 6.3.5-b4. The crash was triggered when a DHCP packet caused a segmentation violation in the dhcp.go file. |
CGSDW-31920 | Resolved an issue where the fp-rte process would crash at fp_app_path_prefix_remove_from_hash. The crash was caused by a race condition where the reaper thread was prematurely cleaning up a newly added entry due to a timing issue with the reference count increment. |
CGSDW-31862 | Resolved an issue where an fp-rte crash caused an extended period of device instability and traffic loss. The issue was caused by the HA Manager (HAM) waiting for the core dump file to finish being created before initiating a failover. |
CGSDW-31860 | Resolved an issue where app-probe traffic would continue indefinitely even after a domain had been successfully resolved. |
CGSDW-31858 | Resolved an issue where app-probe traffic was still being sent on ION devices, even after the feature was disabled at the site level. This occurred because a fix that correctly disabled the probes was not properly ported to software version 6.3.5-b4. |
CGSDW-31832 | Resolved an issue where BGP peers configured over a service link would not re-establish a connection after the service link flapped. This occurred because FRR was incorrectly closing the BGP socket, causing peers to remain in an Idle/Active state. |
CGSDW-31702 | Resolved an issue where the LLDP Tx TTL timer on the ION device was set to 30 seconds, causing connections to fail. The fix increases the timer to 120 seconds to ensure stable LLDP connections. |
CGSDW-31684 | Resolved an issue where a memory leak in the elmgr process caused its memory usage to continuously increase. |
CGSDW-31505 | Resolved an issue where LAN-to-LAN traffic stats were incorrectly exported with a private-direct label. The fix ensures that this traffic is now correctly exported with the label unknown. |
CGSDW-31320 | Resolved an issue where app-engine was incorrectly adding 0.0.0.0 to app-maps based on DNS responses, which caused unrelated traffic to be incorrectly classified as a custom application. The fix ensures that the 0.0.0.0 address is now skipped when received from a DNS response. |
CGSDW-31237 | Resolved an issue where asymmetric routing for TCP traffic between DIA and GRE Service Links was failing. The fix ensures that flows work correctly when outbound traffic on a non-NAT Internet interface returns via a GRE Service Link. |
CGSDW-30929 | Resolved an issue where the CPU temperature was not displayed on the controller statistics page for ION 1200S, 3200, and 3200H devices. This was due to an incorrect configuration that prevented the temperature metrics from being populated in the Redis database. |
CGSDW-30883 | Resolved a timing issue in the rtr_mgr_api that caused an exception when handling wanpath updates and deletes. The crash was due to a race condition where a wanpath update was processed after its corresponding Redis key had been deleted, resulting in an AttributeError: 'NoneType' object has no attribute 'get'. |
CGSDW-30053 | Resolved an issue where the Active ION device's controller interface lacked Internet access to a specific set of IP addresses. |
CGSDW-30052 | Resolved an issue where the ION device was not populating ARP responses on the WAN interface. This was caused by a bug in the kernel vhost driver where the transmit queue would get stuck on a corrupted or bad-length packet, preventing other packets (including ARP responses) from being processed. |
CGSDW-29556 | Resolved an issue where Cgnxinfra, remote login, and service link connections failed on virtual platforms in FIPS mode after upgrading from 6.1.2 to 6.3.5. The issue was due to a change in private key encoding format between the two software versions; the fix adds support for both formats. |
CGSDW-29432 | Resolved an issue where the Intel NIC would fail to deliver packets with a destination MAC address matching one of its ports. |
CGSDW-27822 | Resolved an issue where updating a global prefix advertisement resulted in it being set to "None" when a local BGP configuration was also present. |
CGSDW-23739 | Resolved an issue where app-probe traffic would continue to be sent even after it was disabled at the device level. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.5
The following table lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.5.
Issue ID | Description |
---|---|
CGSDW-26686 | Resolved an issue where maximum segment size (MSS) clamping was not happening for a PPPoE interface with DPDK after upgrading from software version 5.6.9. |
CGSDW-27359 | Resolved an issue where application statistics were missing when a higher number of application performance SLA thresholds were configured. |
CGSDW-27387 | Resolved an issue where traffic from a Standard VPN tunnel was not being routed to the branch over the fabric through the transit DC on the ION 9000 platform. |
CGSDW-27462 | Resolved an issue where application flow was being dropped after the application was detected on upgrading the device software to version 6.3.3. |
CGSDW-27498 | Resolved an issue where the default route was missing on sub-interfaces after a device reboot. |
CGSDW-27542 | Resolved an issue where BGP was going down on the active ION device after an HA switchover, following an upgrade of the software version to 6.3.4. |
CGSDW-27728 | Resolved an issue where the fp-rte process was crashing on an upgrade to software version 6.3.4. |
CGSDW-28036 | Resolved an issue where the VPN Object Identifiers were changing for every polling request. |
CGSDW-28049 | Resolved an issue where the dump-support output and dump-support all commands did not capture the syslogs in the ION 9000 platform, if there was a soft link. |
CGSDW-28187 | Resolved an issue where BGP was not being reestablished after a device reboot. |
CGSDW-28214 | Resolved an issue wherein a standalone interface of the backup ION device connected via a bypass configuration to the active ION went down, when the active ION device was powered down. |
CGSDW-28329 | Resolved an issue where a backup DC ION device continued to advertise branch prefixes after a BGP reset. |
CGSDW-28712 | Resolved an issue where IP addresses were missing on interfaces. |
CGSDW-29042 | Resolved an issue wherein the LAN sub-interface/virtual interface on a standby ION device in an HA configuration was sending ARPs causing LAN disruption. |
CGSDW-29116 | Resolved an issue where the fp-rte process restarted when the maximum number of VPNs for FEC was exceeded. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.4
The following table lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.4.
Issue ID | Description |
---|---|
CGSDW-19833 | Disabled NR5G SA mode and enabled NR5G NSA mode for 5G IPv6 connectivity. |
CGSDW-20234 | Resolved an issue where a virtual interface with sub-interfaces was not passing traffic. |
CGSDW-20824 | Reduced the downtime in tunnel establishment, such that the ION device re-initiates a new SA with the peer as soon as three tunnel probes fail. |
CGSDW-21115 | Resolved an issue where the FEC action was not being displayed in the Flow Browser for inbound (DC to branch) traffic. |
CGSDW-21176 | Resolved an issue where the SVI interface did not pass traffic. |
CGSDW-21320 | Resolved an issue where the ION device did not respond to DHCP until it was rebooted or there was a change in configuration. |
CGSDW-21512 | Enabled default behavior for the bypass pair latch only in the following scenarios: |
CGSDW-22072 | Resolved an issue where the rtr_mgr_api process was holding a lot of memory. |
CGSDW-22192 | Resolved an issue where core files were being generated and the device was losing connectivity with the controller when traffic on the client side was abruptly stopped and restarted. |
CGSDW-22259 | Resolved an issue where SNMPv3 was not polling all the interfaces on the ION 9200 platform. |
CGSDW-22389 | Resolved an issue where the app probe remained operational after a firewall was removed from the active path. |
CGSDW-22633 | Fixed memory issues that were caused by security policy configuration. |
CGSDW-22700 | Resolved an issue where the branch ION device acting as a DHCP relay in a custom VRF configuration was not forwarding requests to the DHCP server at the DC ION device. |
CGSDW-23098 | Resolved an issue where overlapping IP addresses were not working as expected in VRF. |
CGSDW-23221 | Resolved an issue where the ionhwd process was consuming a lot of memory. |
CGSDW-23395 | Resolved an issue in which the backup ION device continued to attempt to establish a connection with the controller on an upgrade. |
CGSDW-23397 | Resolved an issue where the snmp_network_discovery service was restarting every hour on a device which had an attached SNMP discovery profile with an SNMPv3 configuration. |
CGSDW-23429 | Resolved an issue where the remote terminal connection was failing with the used_for_controller interface. |
CGSDW-23493 | Added CPLD reset reasons to the device reboot reasons for better troubleshooting. |
CGSDW-23534 | Resolved an issue where the Ingress displayed a zero value for Bandwidth Utilization. |
CGSDW-23608 | Optimized security policies to prevent the generation of core files for fp-rte. |
CGSDW-23705 | Resolved an issue where stale entries for VPN paths were being retained in the lqm_results.state database. |
CGSDW-23881 | Resolved a potential DDoS vulnerability; flows now time out correctly. |
CGSDW-23921 | Resolved an issue where BGP sessions were not being re-established after a LAN switch reset for the ION 1200-S platform. |
CGSDW-23928 | Resolved an issue where the snmpwalk command was returning incorrect information. |
CGSDW-24099 | Increased the VRF scale for device interfaces. |
CGSDW-24112 | Resolved an issue where some packages were being skipped for HMAC integrity check during boot up. |
CGSDW-24262 | Resolved an issue where a route, which was not necessarily the best route, was getting selected as the reachable route. |
CGSDW-24269 | Resolved an issue where the APPLICATION_CUSTOM_RULE_CONFLICT incident was being raised for system applications. |
CGSDW-24273 | Resolved an issue where the v6 default routes for Internet and Private WAN were not being removed from the FIB entries even after powering down the interface. |
CGSDW-24400 | Resolved an issue where the User ID agent was crashing when there were IPv6 entries in NGFW. |
CGSDW-24482 | Resolved an issue where HMAC integrity check was failing for the controller_ca_chain.pem. |
CGSDW-24485 | Resolved an issue where FC was crashing for flows with path type LAN_TO_PRIVATE_DIRECT. |
CGSDW-24501 | Resolved issues of higher switchover periods in an HA setup. |
CGSDW-24875 | Fixed an issue where the LQM service was crashing. |
CGSDW-25152 | Resolved an issue where custom L3/L4 applications were not being detected properly for UDP traffic after an HA switchover. |
CGSDW-25179 | Resolved an issue wherein the LAN interface on a standby ION device in an HA configuration was sending ARPs causing LAN disruption. |
CGSDW-25586 | Resolved an issue where the GRE tunnel was not being established when in FIPS mode. |
CGSDW-25658 | Resolved an issue where the fp-rte process was restarting, which led to HA failover and instability of the device. |
CGSDW-25738 | Resolved an issue for IPFIX, wherein the socket connect was always binding to the device instead of the IP address for non-used-for-controller interfaces. |
CGSDW-26226 | Resolved an issue in which the BGP on a DC ION device did not advertise the /25 route to the core router after multiple VPN flaps (due to switchover in the branch). |
CGSDW-26247 | Resolved an issue where the FC control thread was taking a lot of time to populate fib-leak entries in FIB scale. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.3
The following table lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.3.
Issue ID | Description |
---|---|
CGSDW-21181 | Added support for AWS IMDSv2 for metadata. |
CGSDW-22192 | Resolved an issue where core files were being generated and the device was losing connectivity with the controller when traffic on the client side was abruptly stopped and restarted. |
CGSDW-22281 | Resolved an issue where the application reachability probes were crashing on a branch ION device. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.2
The following table lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.2.
Issue ID | Description |
---|---|
CGSDW-17904 | Resolved an issue where the dump interface status command did not display the Supported Link modes and the Advertised Link modes. |
CGSDW-18954 | Resolved an issue where IPFIX was not working when the controller interface was configured as the source interface. |
CGSDW-19542 | Assessed that the ION device is not vulnerable to a Terrapin attack (CVE-2023-48795). |
CGSDW-19628 | Resolved an issue where return traffic was not seen from the DC ION to the branch ION device. |
CGSDW-20241 | Resolved an issue of packet loss on ICMP traffic on the non-default VRF. |
CGSDW-20382 | Assessed that the ION device is not impacted by OpenSSH CVE-2023-51385 and CVE-2023-51767. |
CGSDW-20631 | Resolved an issue where the log-agent was not processing all the DHCP messages received from the log-collector-client. |
CGSDW-20649 | Resolved an issue where the SNMP daemon process was slowly consuming memory in the ION device, suggesting a possible memory leak. |
CGSDW-20671 | Resolved an issue where incidents related to RADIUS server were raised even when a RADIUS server was not configured. |
CGSDW-20807 | Resolved an issue where the FIB VPN entries for global VRF were not seen on upgrading the device to software version 6.3.1. |
CGSDW-20864 | Resolved an issue in which on deleting the only prefix of a VRF at a branch site, the entries leaked to the DC site for the specific VRF were also deleted. |
CGSDW-21025 | Resolved an issue where the VPN path was not correct in the performance policy path after detaching and reattaching the circuit on the parent interface. |
CGSDW-21088 | Resolved an issue where the static ARP entry was incorrectly added on the standby ION device. |
CGSDW-21116 | Resolved an issue where the outbound SSH was not supported on the used-for-controller interface. |
CGSDW-21119 | Resolved an issue where the bypass pair ports of a device remained in the bypass pair mode even after the device was declaimed. |
CGSDW-21300 | Resolved an issue where the DHCP server wasn't working with the controller and the LAN interface in the same subnet. |
CGSDW-21381 | Removed the unused memory which was allocated for the app-id-elem objects. |
CGSDW-21580 | Resolved an issue where the backup ION device was unable to connect to the controller in an HA deployment. |
CGSDW-21607 | Resolved a possible sequencing problem that could arise in the ION device if the VRF profile configuration was done after the interface configuration. |
CGSDW-21698 | Resolved an issue where the static ARP was not getting added on the new active device during an HA switchover. |
CGSDW-21836 | Resolved an issue where the VRF creation was failing if the SVI name was longer than nine characters. |
CGSDW-21868 | Resolved an issue where the outbound SSH6 was not working on the ION device. |
Addressed Issues in Prisma SD-WAN ION Device Release 6.3.1
The following table lists the issues addressed in Prisma SD-WAN ION Device Release 6.3.1.
Issue ID | Description |
---|---|
CGSDW-14344 | Resolved an issue where the FC process was crashing when traffic was initiated on an idle ION device. |
CGSDW-14766 | Resolved an issue wherein the configuration for a BGP peer wasn't removed on deleting the BGP peer. |
CGSDW-15201 | Resolved an issue where the ingress capacity bandwidth calculation was displaying as zero for some WAN links. |
CGSDW-15212 | Resolved an issue where a subinterface on a virtual ION device with DPDK was not passing traffic. |
CGSDW-15258 | Resolved an issue where the device went offline intermittently due to restart of the FC process. |
CGSDW-15661 | Resolved an issue where a memory leak was observed in the VPN process. |
CGSDW-16172 | Resolved an issue wherein the ION device with ZBFW was treating the first packet block differently for LAN-to-LAN and LAN-to-WAN traffic. |
CGSDW-16269 | Resolved an issue where high payload traffic sent over Private WAN VPN with a high throughput was dropping. |
CGSDW-16932 | Updated Zoom Phone application definition with additional prefixes. |
CGSDW-17031 | Resolved an issue where the fc-monitor process crashed on ION 2000 during port scanning and restarted with an out-of-memory error. |
CGSDW-17571 | Resolved an issue where incorrect WAN paths were accounted for in the flows. |
CGSDW-17886 | Resolved an issue where a default route was missing in the route table for ION devices with VRF enabled. |
CGSDW-18350 | Resolved an issue where the ION device was dropping LAN-to-LAN traffic due to security policy configuration. |
CGSDW-18816 | Resolved an issue of interface flapping on the ION device after a device software upgrade. |
CGSDW-19466 | Resolved an issue wherein the device to controller connection was taking a long time to establish after a reboot. |
CGSDW-19473 | Resolved an issue of FC restarting after 3 days of running scan tests on interfaces. |
CGSDW-19674 | Resolved an issue where the fc-monitor, fp-metrics, and fp-scm processes were crashing due to a buffer overflow in DPDK. |
CGSDW-19778 | Resolved an issue where the blobfish process kept restarting during remote access of the ION device. |