: Known Issues in Panorama Plugin for Azure 2.0.x
Focus
Focus

Known Issues in Panorama Plugin for Azure 2.0.x

Table of Contents

Known Issues in Panorama Plugin for Azure 2.0.x

In addition to the following known issues in the Panorama plugin for Azure version 2.0.1, refer to the PAN-OS Release Notes to learn about the known issues for PAN-OS 8.1.x or PAN-OS 9.0.x:

PLUG-3797

When upgrading the Panorama plugin for Azure on peers configured as an HA pair, if you upgrade the plugin on the secondary peer first and the peer becomes active, the primary (now passive) cannot function as an HA peer.
Workaround—When upgrading the Panorama plugin for Azure on peers that are configured as an HA pair, you must install the plugin on the primary peer first and commit your changes immediately, and then install the same plugin version on the secondary peer and commit your changes immediately.
This issue is fixed in Panorama plugin for Azure version, 2.0.2.

PLUG-3478

Spaces and special characters in user-defined tags are now treated differently. In previous releases both spaces and special characters caused a tag to be ignored. In the current release, user-defined tags containing empty spaces can be retrieved, provided they do not include special characters.
  • An empty space in a user-defined tag is replaced with “/”, allowing the tag to be retrieved.
    For example, if your tag is finance and accounts, the tag can be retrieved.
  • User-defined tags with special characters are ignored and not retrieved.
    For example, if your tag is finance&accounts, your tag is ignored and the log shows the following message:
    admin@Panorama> less plugins-log plugin_azure.log
    2020-02-27 12:20:46.018 -0800 DEBUG::
    Tag azure.tag.Tag-spcl-char.<finance>&<accounts>
    has unsupported chars..
    Ignoring...
Workaround—Modify the tag to remove special characters.
This issue is fixed in the Panorama plugin for Azure, version 2.0.2.

PLUG-2074

After a VM Scale Set (VMSS) is deleted, wait until the resource group deletion is complete before you attempt to delicense the VMs. When the deletion is complete, issue the following command:
request plugins azure force-delicense-deleted-vms

PLUG-1901

If the service name is not unique across namespaces (for example, Staging and Production) the IP addresses associated with both services are mapped to the same tag and policy enforcement is the same for the services across both namespaces.Instead of using the default tags on Panorama, use the label selector to filter tags based on namespace, and use the filter results as part of the address group.

PLUG-1876

On rare occasions, you see a message indicating the template configuration is out of sync. Check the syslog and push the configuration to your managed devices.

PLUG-1874

On rare occasions, the license server reuses the serial number of an active device, and Panorama deactivates the device. Remove the device from the auto scale group.

PLUG-1646

Azure plugin 2.0 does not support deployments with a proxy server.

PLUG-1613

Downgrade is not supported for plugin versions.

PLUG-1766

On AzureAutoScaling Definition it can take from three to five minutes to list the Protected Applications and Services.

PLUG-1711

VNET peering between AKS clusters and Inbound Resource Groups sometimes causes a delay in scheduling and pods are in the Pending, Terminating, or Unknown state. If this happens, restart the nodes.