topic Re: Cannot push IKE gateway X variable using template (chicken or the egg) in Panorama Discussions

Cannot push IKE gateway X variable using template (chicken or the egg)

SteveBallantyne — Tue, 15 Aug 2023 20:43:29 GMT

I have run into another 'bug' in 11.0.2 where my Palo Alto (PA-440) is trying to apply a configuration in an impossible order. Or, more likely, this is a Panorama bug of some sort.

Screenshot of gateway configuration:

Error message from the attempted push from Panorama:

network -> ike -> gateway -> vpn-xxx-> local-address -> ip '74.xxx.xxx.xxx' is not a valid reference
network -> ike -> gateway -> vpn-xxx -> local-address -> ip is invalid

The error is followed by a SLEW of other errors occurring in sort of a domino fashion.

The problem appears to be that this is a first time push to this device and the IP is invalid to be used for an IKE gateway, because it is not yet assigned to the interface of the PA-440. I opened a support case (02665364) and spent a few hours with support on the issue. But the best advice that they had was to remove the portion of the configuration that is causing the issue. I deleted the IP-Sec tunnel, and the IKE gateway. Then pushed the changes, and got success (verified that the public IP was applied to ethernet1/8 using the X variable . Then I created the IKE gateway with the same settings, and pushed the changes, and also got success. But ... this doesn't help me when I have 10 more devices that I need to configure, and I want to be able to push a VPN tunnel using Panorama and templates.

This appears to be a bug to me, so I am hoping that this gets picked up by engineering, etc?

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

ozheng — Wed, 16 Aug 2023 03:30:09 GMT

Hello SteveBallantyne,

Have you tried to update the value of the variable?
I think you should put the netmask with the address.
For reference, when you use a variable, you can try to set the value normally and you will see it is populated with /xx.

If the netmask is missing, the firewall will take the value as an address object (I guess) and raise the alert you have.

--> to me seems to be working as expected.

(also in the case note, it seems the interface is not configured completely as well - no ip set on x/x interface.)

Olivier

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

SteveBallantyne — Wed, 16 Aug 2023 12:19:52 GMT

Hello Oliver,

Thank you for the feedback - and these are good thoughts! I actually had tried adding the netmask to the IP. It accepted the value when it was used for the IPv4 address attached to the 1/8 interface - but it rejected that value when used for the IKE gateway.

It seems like the PA-440 is fine with the variable and the way that I used it. But I can't have it defined in an IKE gateway because for some reason it tries to apply that part first. And since it's a first time push, there was a lot that went with that template being applied (such as zones, certificates, etc).

I don't imagine that many people have this problem because it implies that you have at least two or more sites, with nearly the same VPN tunnel at each site. But we have a traditional hub and spoke site, and all of the satellite need the same access. And man, would this make my life easier if I could get this to work. 🙂

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

SteveBallantyne — Wed, 16 Aug 2023 13:01:43 GMT

Here is a random thought ...

I am still new to Panorama and templates. I know that I have device groups, templates, and then template *stacks*. Would there be a way that I could trick the PA-440 into applying the changes in the correct order? In other words - one template to apply the external interface IP address - and then another template lower in the stacking order to apply the IKE policy?

EDIT: I may be onto something as it looks like there is a "move up" and "move down" option on templates, which suggests that these would be applied in a specific order!

I am going to work on configuring this and applying it to a new out-of-the-box PA-440.

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

TomYoung — Wed, 16 Aug 2023 13:02:38 GMT

Hi @SteveBallantyne ,

That is a very interesting idea! I would love to know if it works. Sometimes I have commit failures based upon the order of Panorama commits, and I have learned to work around them.

With regard to your issue, I don't see a problem with 2 pushes from Panorama - one for the interface, and then one for the IPsec. That's a lot better than configuring the 10 NGFWs individually. Thoughts?

Thanks,

Tom

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

ozheng — Wed, 16 Aug 2023 13:48:19 GMT

Hello all,

I can try tomorrow in testbed to see the IKE gateway with the variable set to IP/netmask.

Regarding the order of the template in the stack, I would think the order will only change the actual value pushed to the firewall (template inheritance order), you are not pushing template 1 then template 2 and so on and so on (imagine you're pushing x different templates on a PA-220 ... endless commit).

If you need to set up hub and spoke : sdwan plugin? 🙂

Olivier

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

SteveBallantyne — Wed, 16 Aug 2023 19:58:00 GMT

Actually, doing two templates in a stack actually worked on a new device!

I have two templates in a template stack. The first template is 99 percent of the firewall configuration, which includes the interface and a variable that is assigning that interfaces IPv4 address. Then the second template in the stack applies only the VPN configuration.

There is some redundancy, as *both* templates use the same X variables, which are filled with dummy values (on both templates). Then I am overriding those variables with the actual properties on the device level (Managed Devices > Summary > Variables / Edit) which include that external interfaces public IP address.

The only other caveat is when I pushed the configuration to the device for the first time I had to use this combination of settings in Panorama:

Merge with device candidate config - Un-Checked
Include device and network templates - Checked
Force template values - Checked

I will send a note to the case to check this thread, as this seems like a viable solution to this "chicken or the egg" issue. 🙂

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

TomYoung — Wed, 16 Aug 2023 20:45:07 GMT

Hi @SteveBallantyne ,

That is good news! The 1st template is the one on top of the stack?

Thanks,

Tom

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

SteveBallantyne — Wed, 16 Aug 2023 21:16:17 GMT

You got it, Tom! And so long as I wasn't trying to use the default to "smash" the templates together before-hand, the PA-440 seemed to do just fine with applying one template in-full before moving onto the next.

Support is going to work on a KB for this. 🙂

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

ozheng — Thu, 17 Aug 2023 01:17:40 GMT

Hello SteveBallantyne,

Good to hear it works (so there is no bug :D)

Regarding the KB, I don't have the full picture of the case so I will not comment further.

Just for information, you can check this PANCast Episode about the Templates and Template Stacks

Olivier

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

Leightonlee — Wed, 03 Apr 2024 19:19:46 GMT

I have the same issue with config push. really helpful. I have 6 templets moving up or down dont change anything fyi.

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

SteveBallantyne — Wed, 03 Apr 2024 19:27:30 GMT

Hello Leightonlee, which setting is the Palo Alto getting hung up on? Best bet for a solution is to create a new template that includes only that setting and then rearrange it so that your new template is on the top of the stack (if possible).

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

Leightonlee — Thu, 04 Apr 2024 14:55:45 GMT

Warnings:
Duplicate certificate subject found:

Details:Validation Error:
network -> ike -> gateway

I opened a case if the new device is in the device group and the templates as well both interface config and all why this keep happening?

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

kylebrolafski — Tue, 07 May 2024 22:08:39 GMT

I am also running into this issue right this moment. Much like SteveBallantyne's original post, I have a hub-spoke topology where all satellite offices use the same VPN configuration to phone home. I am getting "network -> ike -> gateway -> Primary-1 -> local-address -> ip 'x.x.x.x' is not a valid reference" no matter what shape or form I build the IP Variable with. I have two templates in my stack, the first configures everything L1, VPN, and Routing, the second configures services (AAA, DNS, NTP, etc) that will phone home across the VPN. Following the guidance in this thread did not change my results in any observable way. If I create the IKE Gateway locally on the Firewall with all the same settings, it accepts just fine.

To my knowledge, the position of the Templates in the Stack only apply to conflict resolution between the templates.

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

TomYoung — Tue, 07 May 2024 22:55:25 GMT

Hi @kylebrolafski ,

I think the issue was that the VPN config was committed before the template variable, and therefore did not exist yet. @SteveBallantyne moved the VPN config to a template lower in the stack which appears to have forced the interface and template variable to commit 1st. He also recommends other commit options in the solution.

Thanks,

Tom

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

Leightonlee — Wed, 08 May 2024 14:13:39 GMT

I resolved this by pushing the devices config first and then the templets.

Re: Cannot push IKE gateway X variable using template (chicken or the egg)

kylebrolafski — Wed, 08 May 2024 20:21:54 GMT

The template which configured my VPN was already at the bottom of the stack. Through the suggestion in this thread, I moved it to the top of the stack. The VPN and the Variable are configured within the same template.

I will attempt to create a local configuration with the same naming on the device to let Panorama overwrite it. The larger, yet unspoken issue I am trying to navigate here is having all of my routing completed in the same Template, due to the way the Stack overrides conflicts between Templates within the Stack. Any changes from a single Template would be lost if another Template modified the same Virtual Router's configuration.