https://live.paloaltonetworks.com/t5/general-topics/multiple-ike-crypto-profiles-on-individual-interfaces-for/m-p/474192#M103353 <P>Hi,</P><P>&nbsp;</P><P>In 2021 we ran into the issue where it seemed between PA-OS 8.1.x and 9.0.x/9.1.x Palo began either via a feature or bug introduced began enforcing the scenario in the subject line and began dropping tunnels after upgrading and causing issues with HA pairs.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/vpns/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ike-crypto-profiles.html" target="_blank" rel="noopener">Define IKE Crypto Profiles (paloaltonetworks.com)</A></P><P>&nbsp;</P><P>At the time Palo identified the above documentation which appeared to not be enforced until a certain checkpoint in firmware versions.</P><P>&nbsp;</P><P>We've performed an upgrade today on a Palo unit which had the above mentioned scenario and after moving to N-1 in the 9.1.x family, we did not identify the same issue occurring. I've been digging through the release notes to try and find where this scenario may have been referenced for enforcement or a fix, however have not been able to confirm a specific scenario beyond:</P><P><A title="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-11-addressed-issues.html" href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-11-addressed-issues.html" target="_blank" rel="noopener noreferrer">PAN-OS 9.1.11 Addressed Issues (paloaltonetworks.com)</A></P><P>PAN-116515 but I believe this may be a slightly different scenario.</P><P><BR />Just checking to see if there have been any confirmation that this bug or feature has been resolved/reverted in a recent firmware release? Hoping this may be the case as we can get along with upgrading some environments which have been holding off due to issues getting moving on migrating tunnels or modifying IKE crypto profiles to match on partner sides.&nbsp;</P> Fri, 18 Mar 2022 02:12:49 GMT Z33Z 2022-03-18T02:12:49Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ike-crypto-profiles-on-individual-interfaces-for/m-p/474192#M103353 <P>Hi,</P><P>&nbsp;</P><P>In 2021 we ran into the issue where it seemed between PA-OS 8.1.x and 9.0.x/9.1.x Palo began either via a feature or bug introduced began enforcing the scenario in the subject line and began dropping tunnels after upgrading and causing issues with HA pairs.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/vpns/set-up-site-to-site-vpn/define-cryptographic-profiles/define-ike-crypto-profiles.html" target="_blank" rel="noopener">Define IKE Crypto Profiles (paloaltonetworks.com)</A></P><P>&nbsp;</P><P>At the time Palo identified the above documentation which appeared to not be enforced until a certain checkpoint in firmware versions.</P><P>&nbsp;</P><P>We've performed an upgrade today on a Palo unit which had the above mentioned scenario and after moving to N-1 in the 9.1.x family, we did not identify the same issue occurring. I've been digging through the release notes to try and find where this scenario may have been referenced for enforcement or a fix, however have not been able to confirm a specific scenario beyond:</P><P><A title="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-11-addressed-issues.html" href="https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-addressed-issues/pan-os-9-1-11-addressed-issues.html" target="_blank" rel="noopener noreferrer">PAN-OS 9.1.11 Addressed Issues (paloaltonetworks.com)</A></P><P>PAN-116515 but I believe this may be a slightly different scenario.</P><P><BR />Just checking to see if there have been any confirmation that this bug or feature has been resolved/reverted in a recent firmware release? Hoping this may be the case as we can get along with upgrading some environments which have been holding off due to issues getting moving on migrating tunnels or modifying IKE crypto profiles to match on partner sides.&nbsp;</P> Fri, 18 Mar 2022 02:12:49 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ike-crypto-profiles-on-individual-interfaces-for/m-p/474192#M103353 Z33Z 2022-03-18T02:12:49Z https://live.paloaltonetworks.com/t5/general-topics/multiple-ike-crypto-profiles-on-individual-interfaces-for/m-p/475438#M103458 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/210564">@Z33Z</a> ,</P> <P>&nbsp;</P> <P>Interesting.&nbsp; Did you get confirmation that the behavior you saw was an actual bug ?</P> <P>Without that information it's going to be difficult to confirm if a certain behavior has been 'fixed' since then.</P> <P>If you have a case# from back then I would reach out to support and get a confirmation on bug/fix.</P> <P>&nbsp;</P> <P>Cheers,</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Thu, 24 Mar 2022 08:28:55 GMT https://live.paloaltonetworks.com/t5/general-topics/multiple-ike-crypto-profiles-on-individual-interfaces-for/m-p/475438#M103458 kiwi 2022-03-24T08:28:55Z