Known Issues in SD-WAN Plugin 2.1
List of known issues in the SD-WAN 2.1 release.
The following list includes all known issues that impact an SD-WAN 2.1 release. This list includes both outstanding issues and issues that are addressed, as well as known issues that apply more generally or that are not identified by a specific issue ID. Refer to PAN-OS Release Notes for additional known issues affecting SD-WAN Plugin 2.1.
PAN-220919
Auto VPN creates a virtual SD-WAN interface named sdwan.901 for direct internet access
(DIA) and creates a virtual SD-WAN interface named sdwan.9xx for VPN tunnels. When you
enable Auto VPN, the SD-WAN plugin creates the SD-WAN interfaces automatically. Hence,
it's not necessary for you to create SD-WAN interfaces manually. The SaaS quality
profile works only with one DIA interface that is sdwan.901.
Auto VPN also creates its own default route that uses the sdwan.901 interface as its
egress interface and uses a low metric of 5, so that the sdwan.901 interface is
preferred over the default route you created.
There might be scenarios where you want to create an SD-WAN interface manually (other
than what the SD-WAN plugin creates automatically) like the following:
- Configuring SD-WAN direct internet access (DIA) links only and no VPN connections between the hub and branch locations
- (Not recommended) Deploying SD-WAN manually between SD-WAN sites without Panorama management server
In such cases, you must configure the manually created SD-WAN interface outside of the
sdwan.9xx range, with a route whose metric is higher than the default value.
PAN-215897
In a Panorama high availability (HA) deployment, the SD-WAN interface goes down and all
the tunnel interfaces disappear from the Network > IPSec Tunnels tab when you push the
configuration changes from the secondary Panorama.
Workaround: If you have set up an HA pair in Panorama, don't push the configuration
from the secondary Panorama when the primary Panorama is active. Always push the
configuration changes from the primary Panorama when it's active.
PAN-190173
Pre-shared keys are not synchronized across the Panorama
management servers in a high availability (HA) configuration, leading
to tunnel flaps during an HA failover when you Push to
Devices (Commit > Push to Devices or Commit > Commit and Push).
This issue is addressed in SD-WAN plugin 2.2.3 and 3.1.0-h6.
PAN-158465
On the Panorama management server running
PAN-OS 10.0.3 or later PAN-OS 10.0 release, reverting or loading
a Panorama configuration (Panorama > Setup > Operations)
that impacts the template stack configuration containing the SD-WAN interface
(Network > Interfaces > SD-WAN) erroneously removes
the Security Zone from the SD-WAN interface configuration, resulting
in a commit failure.
PLUG-11223
In a high availability (HA) deployment, the SD-WAN tunnel will go down due to a key ID
mismatch when the following events occur in sequence:
- An HA failover
- The SD-WAN plugin cache removes the current HA pair relation from the database when the debug plugins sd_wan drop-config-cache all command is executed
- A commit and push fails on either the hub or a branch active node
In certain scenarios, replacing one of the HA devices during the RMA process can cause
the SD-WAN tunnel to go down due to a key ID mismatch. For more details, refer to Replace an SD-WAN Device.
Workaround: Resolve the Key ID mismatch by ensuring that the Peer
Identification of the hub firewall matches with the Local
Identification of the branch firewall and the Local
Identification of the hub firewall matches with the Peer
Identification of the branch firewall.
- Log in to the hub or a branch firewall where the SD-WAN tunnel is down due to Key ID mismatch and select Network > Network Profiles > IKE Gateways.
- Select the IKE gateway of the hub firewall and click Override at the bottom of the screen.
- Copy the Local Identification value from the hub firewall to the Peer Identification value in the branch firewall.
- Copy the Peer Identification value from the hub firewall to the Local Identification value in the branch firewall.
- Click OK and Commit your changes.
This issue is addressed in SD-WAN plugin 2.2.5, 3.0.8, 3.1.3, 3.2.1, 3.2.2, 3.3.0, and 3.3.2.
After this fix, the key ID may change after the Panorama commit. Therefore, you must
commit and push to all the devices in the VPN cluster or clusters.
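The cross-check behind the PLUG-11223 workaround, as an added example that is not Palo Alto Networks code: for every tunnel in a VPN cluster it compares each IKE gateway's Peer Identification with the Local Identification configured on the far end, and derives the branch-side override values from the hub. The record layout, device names, and key ID values are constructed for illustration; fill the records from however you export your IKE gateway settings.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeGateway:
    device: str        # firewall this gateway is configured on
    peer_device: str   # firewall at the other end of the tunnel
    local_id: str      # Local Identification value
    peer_id: str       # Peer Identification value


def find_key_id_mismatches(gateways):
    """Return (device, peer_device, configured_peer_id, remote_local_id) for
    every tunnel end whose Peer Identification differs from the Local
    Identification on the far end (None when the far end has no gateway)."""
    by_pair = {(g.device, g.peer_device): g for g in gateways}
    findings = []
    for (device, peer), gw in sorted(by_pair.items()):
        remote = by_pair.get((peer, device))
        remote_local = remote.local_id if remote else None
        if gw.peer_id != remote_local:
            findings.append((device, peer, gw.peer_id, remote_local))
    return findings


def branch_override(hub_gw):
    """Branch-side values per the workaround steps: hub Local Identification
    becomes branch Peer Identification, hub Peer becomes branch Local."""
    return IkeGateway(device=hub_gw.peer_device, peer_device=hub_gw.device,
                      local_id=hub_gw.peer_id, peer_id=hub_gw.local_id)


# Constructed sample cluster: branch-b still holds a stale peer key ID.
GATEWAYS = [
    IkeGateway("hub-1", "branch-a", local_id="a1f0", peer_id="b2e1"),
    IkeGateway("branch-a", "hub-1", local_id="b2e1", peer_id="a1f0"),
    IkeGateway("hub-1", "branch-b", local_id="c3d2", peer_id="d4c3"),
    IkeGateway("branch-b", "hub-1", local_id="d4c3", peer_id="0000"),
]

if __name__ == "__main__":
    for device, peer, configured, expected in find_key_id_mismatches(GATEWAYS):
        print(f"{device} -> {peer}: Peer Identification {configured!r}, "
              f"far end Local Identification {expected!r}")
```
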
PLUG-10796
On the Panorama management server, a
commit (Commit > Commit to Panorama) hangs at 99% and causes the
commit queue to fill up, preventing any subsequent commits on Panorama.
This issue is addressed in SD-WAN plugin 2.2.2 and 3.0.2.
PLUG-10165
On the Panorama management server, commits
(Commit > Commit to Panorama)
fail if your SD-WAN firewalls associated with the SD-WAN plugin (Panorama > SD-WAN)
configuration are removed from Panorama management (Panorama > Managed Devices > Summary).
Workaround: Remove the SD-WAN configuration after you
remove your SD-WAN firewalls from Panorama management.
- Select Panorama > Plugins and search for sd_wan.
- Remove Config.
- Click OK to confirm removing the SD-WAN configuration from Panorama.
This is addressed in SD-WAN plugin 2.2.2 and 3.0.2.
PLUG-10047
This issue is resolved in SD-WAN version 2.1.2.
You cannot add a branch firewall configured with an MPLS, Satellite,
or Microwave/Radio interface (Network > Network Profiles > SD-WAN Interface
Profile) to a VPN Cluster (Panorama > SD-WAN > VPN
Clusters) if the hub firewall or any branch
firewall in the VPN Cluster is not also configured with at least
one MPLS, Satellite, or Microwave/Radio interface.
For example, you cannot add a branch firewall configured with
MPLS and Wifi interfaces to a VPN Cluster where the firewall members
do not have at least one MPLS interface configured.
PLUG-9421
The Panorama plugin for SD-WAN is unable to recognize
when the master key (Panorama > Master Key and Diagnostics)
is updated on the Panorama management server.
Workaround: Select Commit and Commit
and Push to your managed firewalls leveraging SD-WAN
after updating the master key on Panorama.
This issue is addressed in PAN-OS 10.2.1-h1 and SD-WAN plugin
2.2.1.
PLUG-7598
This is resolved in SD-WAN version 2.1.1.
An SD-WAN Interface Profile (Network > SD-WAN Interface Profile) configured with
a Microwave/Radio Link or Other
Type of Link as the Link Type does not function as a Peer-to-Peer
link.
PLUG-3343
The SD-WAN plugin fails to display any
of the monitoring for a site and cluster with a space in the name.
Workaround: Remove the space from the name and Commit.
PAN-123040
When you try to view network QoS statistics on an SD-WAN
branch or hub, the QoS statistics and the hit count for the QoS
rules don’t display. A workaround exists for this issue. Please
contact Support for information about the workaround.