Support Center > Search Results > SecureKnowledge Details
R77.30 vSEC Gateway for ACI managed by R80 vSEC Controller Known Limitations Technical Level

This article lists all of the R77.30 vSEC Gateway for ACI managed by R80 vSEC Controller specific known limitations.

This is a live document that may be updated without special notice. We recommend registering to our weekly updates in order to stay up to date. To register go to UserCenter > ASSETS / INFO > My Subscriptions.


Important notes:


Table of Contents

  • General Limitations
  • vSEC Gateway for ACI Limitations
    • Service Insertion
    • IPS blade
    • Identity Awareness blade
  • Security Management Server Limitations
  • vSEC Controller Limitations
  • Cisco APIC Limitations


ID Symptoms
General Limitations

vSEC objects (Data Center Servers and Data Center Objects) are not supported in:

  • NAT policy

(vSEC objects are based on Identity Awareness Access Roles, which are not supported in NAT rules)

- L4-L7 Device deployment with Device Type set as VIRTUAL is certified only on VMware infrastructure.
vSEC Gateway for ACI Limitations
Service Insertion

When using vSEC Controller for ACI, the Default GW for servers needs to be defined as a BD Subnet in order for IP entries of silent endpoints not to be aged out by the fabric.

In this scenario, the VS connectors can be configured as:

  • L2-adjacent ('General') - GoTo deployments can define a dummy IP address as Default GW for the subnet.
    In this case, a VRF split is necessary in order to prevent firewall bypass.
  • L3-adjacent
- A single logical device mapped to a VSX Gateway can be used to deploy either all-routed (GoTo), or all-bridged (GoThrough) Virtual Systems.
- Portgroup VLAN trunking is not supported by ACI for virtual devices.
- Up to 10 vNICs are supported per virtual device deployed on VMware ESXi.
- Removed Virtual Systems do not retain manual configuration that was defined after the provisioning process.
- Dynamic routing configuration via Device Package is not supported.
Dynamic routing requires manual configuration in Gaia Clish.
- Virtual System configured in bridged (GoThrough) mode can only be connected to two Bridge Domains (BD).
To deploy additional Virtual Systems, specify a different Instance Name in the L4-L7 Device Parameters.
- IPv6 is not supported.
- APIC VLAN pools must be in the range 2-4094.
- Communication is required between APIC and the Check Point vSEC Controller in order to allow provisioning process.
- In Cisco ACI, traffic leaving the firewall service is implicitly allowed to pass to any other EPG that is deployed on the firewall (according to the routing table), which may not have a corresponding contract rule in the fabric.
The security policy installed on the Virtual System must deny connectivity not defined by an ACI contract.
- Only Firewall software blade and Identity Awareness software blade are activated automatically on a Virtual System.
After the provisioning process, the administrator can activate additional software blades.

Automatically deleting a Virtual System, on which other software blades than Firewall and Identity Awareness are enabled, is not supported.

Workaround: Manually disable the other software blades in SmartConsole prior to removal of the Virtual System.

A change in one of the following device parameters configuration on the APIC will trigger re-deployment of the Virtual System:

  • Instance-Name
  • Security-Policy-Name
  • Security-Domain
This will cause downtime for any traffic passing through this Virtual System.

Name length for Virtual System is limited to 100 characters.

The following name combination should not exceed 100 characters:

  • On non Multi-Domain Security Management Server:
    <VSX name>--<Instance-Name>--<Security-Policy-Name>
  • On Multi-Domain Security Management Server:
    <VSX name>--<Instance-Name>--<Security-Policy-Name>--<Security-Domain>

Naming conventions: The names of the following elements should not contain "--" (two consecutive dashes):

  • VSX object on vSEC Controller
  • "Security Policy Name" in L4-L7 service parameters on the APIC
  • "Instance Name" in L4-L7 service parameters on the APIC
02007159 Naming conventions: "Instance Name" field should not contain underscore ("_") character.

Naming conventions: The following device parameters fields should start with a letter, and end with a letter or a digit:

  • Instance-Name
  • Security-Policy-Name
  • Security-Domain
02007325 Interfaces created by service graph provisioning process are always internal.
The Virtual System has ability to configure Anti-Spoofing based on the routing entries.
If needed, user should configure routing entries based on his traffic.
02007288 Health and Counters (statistics) are not calculated for the L4-L7 Logical Device and for the Deployed Devices.
Device health should be monitored using Check Point vSEC Controller.
02007163 A Bridge Domain (BD) can be connected only to one Virtual System on a given Logical Device.
02137612 VSX Gateway must be installed with a security policy as part of device preparation process.
IPS blade
- In order to use the IPS blade, you must enable the "Perform IPS inspection on all traffic" option in VSX Gateway object.
This is required because all the interfaces created by the provisioning process are defined as "internal".
  1. In SmartConsole, go to Objects menu - click on Object Explorer
  2. Locate and right-click on the VSX Gateway object - select Edit...
  3. Go to IPS pane
  4. In the Protection Scope section, select "Perform IPS inspection on all traffic" and confirm
  5. Click on OK to close the VSX Gateway properties
  6. Close/minimize the Object Explorer
  7. Install policy on this VSX Gateway
Identity Awareness blade
- Identity Awareness blade cannot be enabled on Virtual System in Bridge mode (this was disabled by design due to the requirement of having an interface with IP address, to which the identities would be sent).
Security Management Server / Multi-Domain Security Management Server Limitations
- Provisioning process will fail, if the Virtual System properties are being edited in another administrative session.
- In Multi-Domain Security Management Server environment, VSX object name must be unique across all Domain Management Servers.
- In Multi-Domain Security Management Server environment, MDS and Domain Server should have the same status (Active, Backup).
The administrator should make sure that the Active Domain Servers, which are managed by the Cisco APIC, are always located on the Active MDS machine.
vSEC Controller Limitations
Refer to R80 SEC Controller Known Limitations
Cisco APIC Limitations

Deployed Graph: VRF change - correct indication is not sent to Cisco ACI device.

  • Scenario 1: There is a deployed Graph, and administrator changes the VRF of one of the Bridge Domains (BDs) - no indication is sent to Cisco ACI device by the Cisco APIC.
  • Scenario 2: There is a deployed Graph, and administrator changes the VRF of both Bridge Domains (BDs) - new deployed notification is received, but the Cisco ACI device that was already deployed with the old VRF, is not removed in the Cisco APIC.

Both scenarios are known issues by Cisco.

Workaround: Remove the Deployed Devices that are related to Cisco ACI device before changing the VRF.
This solution is about products that are no longer supported and it will not be updated

Give us Feedback
Please rate this document