Known Issues in CN-Series 10.x

Review the list of known issues for CN-Series 10.x.
Issue ID
Description
PAN-207845
On the CN-Series firewall deployed as a Kubernetes Service, the CN-NGFW pods might not come up as expected on some host operating systems.
Workaround: Modify the CN-NGFW YAML file by setting the security context to privileged: true.
securityContext:
  capabilities:
    add: ["ALL"]
  privileged: true
PAN-205310
When a data plane (DP) pod is disconnected from the management (MP) pod for more than a minute, the DP strongswan process restarts to reconnect to the MP pod. This results in a strongswan exit crash and core file generation. Although this behavior is harmless, the reconnection mechanism is changed in the newer PAN-OS versions (10.2.4, 10.1.9, and 11.0.1) to avoid the strongswan exit crash and core file generation.
PAN-211381
The CN-Series 10.1.9 firewall is deployed with the 125 pods, 250 interfaces template from Kubernetes plugin 2.0.2, using the new template K8S-Network-Setup-V1-125 through Panorama 10.1.9. If you downgrade the CN-Series 10.1.9 with 125 pods, 250 interfaces to CN-Series 10.1.8 while keeping Kubernetes plugin 2.0.2, an auto-commit failure occurs on the CN-MGMT pod. This is because the CN-Series 10.1.8 template supports only 30 interfaces, while CN-Series 10.1.9 supports up to 125 pods, 250 interfaces.
Workaround:
  1. Installing Kubernetes plugin 2.0.2 on Panorama 10.1.8 or earlier is not recommended. If you are using Panorama 10.1.8 or earlier, you must stop using the 125 pods, 250 interfaces template.
  2. Before downgrading the CN-Series to 10.1.8, perform the following steps from Panorama:
    1. Disassociate the 125 interfaces template from the template stack and then associate the 30 interfaces template. Ensure that the maximum secured application pod count does not exceed 30.
    2. Commit and Push to CN.
    3. Downgrade the CN.
PAN-213188
In PAN-OS 10.1.10 and PAN-OS 10.2.4, the CN-MGMT pod fails on Kubernetes version 1.25.x.
Workaround: In the pan-cn-mgmt.yaml file, go to the Containers section and change the command from:
command: ["/sbin/pan_start"]
to:
command: ["/bin/bash", "-c", "mv /sbin/cgroups_setup /root/; /sbin/pan_start"]
CN-177
Inbound traffic to secured applications fails with PAN-CNI 3.0.3 and 3.0.4 for Azure Kubernetes Service (AKS).
Workaround: Use PAN-CNI 3.0.2 for AKS to deploy the CN-Series firewall successfully.
PLUG-17100
When onboarding an OpenShift 4.15 cluster, the cluster validation fails with an SSL certificate error.
Workaround: If the Kubernetes plugin cannot connect to the Kubernetes API server, use the IP address instead of the DNS name in the API server configuration.
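
The PAN-207845 workaround runs the CN-NGFW container privileged with all capabilities, so it is worth confirming that only those pods carry the setting. The following is an added example, not part of the original page or of Palo Alto Networks tooling: it reads `kubectl get pods -A -o json` output and lists every container that sets `privileged: true` or adds the `ALL` capability. The pod, namespace and container names in the sample, and the `pan-ngfw` name prefix, are constructed assumptions.

```python
import json

# Constructed sample of `kubectl get pods -A -o json` output; all pod,
# namespace and container names are made up for illustration.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "kube-system", "name": "pan-ngfw-dep-abc12"},
   "spec": {"containers": [
     {"name": "pan-ngfw-container",
      "securityContext": {"privileged": true,
                          "capabilities": {"add": ["ALL"]}}}]}},
  {"metadata": {"namespace": "shop", "name": "cart-7d9f"},
   "spec": {"initContainers": [
              {"name": "init-sysctl",
               "securityContext": {"capabilities": {"add": ["ALL"]}}}],
            "containers": [
              {"name": "cart", "securityContext": {"privileged": false}}]}},
  {"metadata": {"namespace": "shop", "name": "web-5c6b"},
   "spec": {"containers": [{"name": "web"}]}}
]}
""")

def elevated_containers(pod_list):
    """Return (namespace, pod, container, reasons) per elevated container."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # privileged and capabilities are container-level fields only
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                sc = c.get("securityContext") or {}
                reasons = []
                if sc.get("privileged") is True:
                    reasons.append("privileged")
                added = (sc.get("capabilities") or {}).get("add") or []
                if any(cap.upper() == "ALL" for cap in added):
                    reasons.append("cap:ALL")
                if reasons:
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     c.get("name"), reasons))
    return findings

def unexpected(findings, allowed_prefixes=("pan-ngfw",)):
    """Findings outside the allowed pod-name prefixes (prefix is assumed)."""
    return [f for f in findings if not f[1].startswith(allowed_prefixes)]

if __name__ == "__main__":
    for ns, pod, ctr, why in elevated_containers(SAMPLE):
        print(f"{ns}/{pod} [{ctr}]: {', '.join(why)}")
```

Replace `SAMPLE` with the parsed output from your own cluster and set `allowed_prefixes` to your CN-NGFW pod naming; anything `unexpected` returns is a container with elevated privileges that the workaround does not account for.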