topic PANOS 10.2.8 NOT recommended: S2S VPN IKEv1, IKEv2 Prefered does not work anymore in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/580988#M2854 <P>Hi Everybody,</P> <P>&nbsp;</P> <P>We updated from 10.2.7 to 10.2.8 and had a lot of troubles with our Site-2-Site IKEv1, IKEv2 Prefered gateway connections. I'm not sure if the IKE Version is the root problem,&nbsp;but that was the pattern that was visible in the short time for this change.</P> <P>Phase 1 came not up, initiated in both directions.</P> <P>&nbsp;</P> <P>There are the msg in the logs:</P> <P>&nbsp;</P> <P><EM><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Us-2-endpoint: 'IKE phase-1 negotiation is failed as responder, main mode. Failed SA:</SPAN></EM></P> <P><EM>Endpoint-2-us: the logs said always "Connection Timeout".</EM></P> <P>&nbsp;</P> <P>Sophos, FritzBox and Azure were the other endpoints, we were not able to etablish phase 1. After Downgrading to 10.2.7 everything worked, also with 10.2.7-h3 is everything working.</P> <P>&nbsp;</P> <P>We did not seen in the traffic monitor any traffic for the phase1, although we otherwise saw this connection traffic in an intrazone (Untrust-2-Untrust) rule. With PANOS 10.2.7 and H3 it was visible again</P> <P>&nbsp;</P> <P>Also without Zone Protection, the connection came not up, it was like something was blocking the connection, without generating logs.</P> <P>&nbsp;</P> <P>I didn't find something in the release notes that point to this issue. Somebody else with this&nbsp;experience?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Happy firewalling</P> Wed, 20 Mar 2024 06:01:30 GMT FabioHufschmid 2024-03-20T06:01:30Z PANOS 10.2.8 NOT recommended: S2S VPN IKEv1, IKEv2 Prefered does not work anymore https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/580988#M2854 <P>Hi Everybody,</P> <P>&nbsp;</P> <P>We updated from 10.2.7 to 10.2.8 and had a lot of troubles with our Site-2-Site IKEv1, IKEv2 Prefered gateway connections. I'm not sure if the IKE Version is the root problem,&nbsp;but that was the pattern that was visible in the short time for this change.</P> <P>Phase 1 came not up, initiated in both directions.</P> <P>&nbsp;</P> <P>There are the msg in the logs:</P> <P>&nbsp;</P> <P><EM><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak">Us-2-endpoint: 'IKE phase-1 negotiation is failed as responder, main mode. Failed SA:</SPAN></EM></P> <P><EM>Endpoint-2-us: the logs said always "Connection Timeout".</EM></P> <P>&nbsp;</P> <P>Sophos, FritzBox and Azure were the other endpoints, we were not able to etablish phase 1. After Downgrading to 10.2.7 everything worked, also with 10.2.7-h3 is everything working.</P> <P>&nbsp;</P> <P>We did not seen in the traffic monitor any traffic for the phase1, although we otherwise saw this connection traffic in an intrazone (Untrust-2-Untrust) rule. With PANOS 10.2.7 and H3 it was visible again</P> <P>&nbsp;</P> <P>Also without Zone Protection, the connection came not up, it was like something was blocking the connection, without generating logs.</P> <P>&nbsp;</P> <P>I didn't find something in the release notes that point to this issue. Somebody else with this&nbsp;experience?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Happy firewalling</P> Wed, 20 Mar 2024 06:01:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/580988#M2854 FabioHufschmid 2024-03-20T06:01:30Z Re: PANOS 10.2.8 NOT recommended: S2S VPN IKEv1, IKEv2 Prefered does not work anymore https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/583989#M3001 <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">There are two NAT rules (destination-translation) for the Exchange2019 mail server, starting from version 1.2.8 they stopped working.</SPAN></SPAN> <SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">They work for some time, then they are blocked, there is no information in the logs.</SPAN></SPAN></P> <P><SPAN class="jCAhz ChMk0b"><SPAN class="ryNqvb">In version 1.2.9 the same thing.</SPAN></SPAN></P> Wed, 17 Apr 2024 10:03:28 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/583989#M3001 MILAVITSA 2024-04-17T10:03:28Z Re: PANOS 10.2.8 NOT recommended: S2S VPN IKEv1, IKEv2 Prefered does not work anymore https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/584706#M3046 <P>Thanks for providing valuable insight <SPAN><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289740">@FabioHufschmid</a></SPAN> ! If you ever have the time, please open up a support ticket and share details of your findings.&nbsp;</P> Wed, 24 Apr 2024 02:04:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panos-10-2-8-not-recommended-s2s-vpn-ikev1-ikev2-prefered-does/m-p/584706#M3046 JayGolf 2024-04-24T02:04:03Z