Known Issues in Panorama Plugin for GCP 2.0.0

The following list describes known issues in the Panorama plugin for GCP 2.0.0.

PAN-141703

When a Panorama plugin for GCP upgrade is not supported, Panorama does not block the upgrade.
is a related issue.

PAN-141701

If you try to install the Panorama plugin for GCP version 2.0.0 on a Panorama version that is earlier than the stated minimum in the Compatibility Matrix for Panorama Plugins for Public Clouds, the error "Package is not found" displays because your Panorama version does not support GCP plugin v2.0.0.
PLUG-3882 is a related issue.

PAN-137615

On the Panorama management server, scheduled content updates for managed VM-Series firewalls cause commit failures if the scheduled action is Download Only.
Workaround: From Panorama > Device Deployment > Dynamic Updates > Schedules, set the scheduled action to Download and Install.

PAN-135489

The static route name field cannot exceed 31 characters. This implies that the cluster name cannot exceed 24 characters if the cluster is deployed in a peered VPC configuration.
PLUG-3465 is a related issue.

PAN-134171

If VM-Series firewalls from an auto scaling deployment are newly added to Panorama, and you view Panorama > Managed Devices > Summary, the Template column status displays "Out of Sync" or is blank for a brief period of time before it updates to "In Sync". This delay is due to a limitation in the Panorama server.
The experience is different when you onboard a new application or a GKE service. If onboarding triggers a successful commit, and you view Panorama > Managed Devices > Summary, the Template status column displays "In Sync".

PAN-133081

When you uninstall the Panorama plugin for GCP, the syslog description does not supply the Panorama plugin version.

PAN-131114

If you have a Panorama HA configuration where the Panorama Plugin for GCP v2.0 is installed and you delete the primary-passive Panorama, you see the following message:
Please delete plugin user and commit before uninstalling plugin gcp (running)
This infrequently occurs when the secondary is active and you delete the configuration, commit, and then sync the configuration. If you see the above error message, delete the plugin from the passive Panorama and commit—this deletes the stale GCP user configuration, and you can then uninstall the plugin.
For the related plugin issue, see PLUG-3067.

PAN-129356

On rare occasions, the Panorama management server crashes and restarts when you add a device.

PAN-124575

Do not manually stop or start VMs that are members of a GCP managed instance group (MIG). As described in Instance Groups, the instance group handles high availability, load balancing, auto scaling, autohealing, and more.
If you manually stop a VM-Series firewall that is a member of a MIG, the firewall's UUID is not released (this is the expected behavior in GCP). When a replacement VM-Series firewall restarts, it retains the UUID of the firewall you stopped. This causes a licensing error because Panorama cannot apply a license to the replacement if the UUID is still in use.

PLUG-3882

The minimum Panorama version to support Panorama plugin for GCP version 2.0.0 is version 9.0.4, as noted in the Compatibility Matrix for Panorama Plugins for Public Clouds.
If you try to install the Panorama plugin for GCP version 2.0.0 on a Panorama version that is earlier than the stated minimum version, the error "Package is not found" displays because your current Panorama version does not support GCP plugin v2.0.0.

PLUG-3748

A UDP GKE service or a VM-based application service with a UDP network load balancer is not supported in this release.

PLUG-3747

If you need to change a cluster name, change it before you commit. If you change a cluster name after you commit, you do not see the effect until two polling intervals have passed.
Workaround: Delete the cluster from Panorama, commit and poll services, then add the correct cluster name and commit and poll services.

PLUG-3465

The length of a static route name cannot exceed 31 characters. Consequently, if you are using a Peered VPC configuration to deploy secure auto scaling for a GKE cluster service, your cluster name cannot exceed 24 characters in length.

PLUG-3396

Do not add the Untrust and Trust network interfaces to different virtual routers. If you do, you see an error saying the static route has failed.
When you configure the plugin to secure your auto scaling deployment, create a template and template stack. Add a virtual router to your network. Return to the template and add a Layer 3 ethernet interface: select a slot and an interface name for the Untrust security zone, and enable it to create a default route to the default gateway. To the same slot, add an interface for the Trust security zone and enable it to create a default route. In the virtual router, define virtual router settings for the Trust and Untrust network interfaces you have defined.

PLUG-3137

You cannot upgrade from version 1.0.0 to version 2.0.0.
You must remove the Panorama plugin for GCP version 1.0.0 installation before you attempt to install the Panorama plugin for GCP version 2.0.0.
If you do not remove version 1.0.0, version 2.0.0 consumes the 1.0.0 configuration, which is incompatible.

PLUG-3067

If a stale configuration exists on the primary-passive Panorama, you see the following message, but you cannot delete the Panorama plugin for GCP:
Please delete plugin user and commit before uninstalling plugin gcp (running)
This issue occurs infrequently when you delete an active configuration that includes the Panorama plugin for GCP. If you see the above error message, delete the plugin from the passive Panorama and commit—this deletes the stale GCP user configuration, and you can then uninstall the plugin.
For the related Panorama issue, see PAN-131114.

PLUG-2716

The Panorama web interface does not display an error message if a monitoring definition fails to retrieve tags or IP addresses.
Workaround: From the command line interface use the following command to view error messages or view your VM Monitoring status:
show plugins gcp vm-mon-status

PLUG-2650

The Panorama web user interface should not permit users to create multiple monitoring definitions for the same GCP project. Only one monitoring definition per project is supported.

PLUG-2618

You must use the GCP console to create a GCP Service account for VM Monitoring, and save the credentials to a JSON file. The Panorama plugin for GCP setup web interface adds the JSON file during the configuration.

PLUG-2589

The pre-defined tag os-sku is not supported for instances created from custom images.

PLUG-2499

Because your Panorama can have plugin installations for many public or private clouds, it is up to you to create Device Groups and notify groups that do not conflict with other plugin configurations. For example, if you add the same Device Group to a notify group in the Panorama plugin for AWS and the Panorama plugin for GCP, the tags learned by one plugin can be overwritten by another.

PLUG-2380

Upgrade from Panorama plugin for GCP version 1.0.0 to version 2.0.0 is not supported, but the user is not notified or restricted.