duplicate ipsec tunnels


L1 Bithead

Hello Community,

 

I have a weird issue: we upgraded a cluster to 10.1.5-h1 from a 9.1 version. After the upgrade, in the GUI I see all the IPsec tunnels duplicated. For example, I had an IPsec tunnel called vpn_consult; after the upgrade I had 2 IPsec tunnels called vpn_consult. All the tunnels are working, and in the merge-running-config.xml I see all the tunnels OK, so there are no double entries in the config XML.

 

Has anyone seen this problem?

26 REPLIES

Cyber Elite

See if resetting your gui helps:

 

https://<your firewall>/debug

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

How do I reset the GUI, just by entering that URL?

L3 Networker

Yeah I get this too. It is a graphic issue only as the duplicates do not appear in the CLI, and are true duplicates which is not possible under config validation.

I manage multiple different customer environments and it seems to happen on upgrade to 10.0 or 10.1 (I have not tested 10.2). It has happened consistently on every upgrade I've done. All of these are Panorama managed and the tunnels show one Panorama inherited tunnel (correct) and a duplicate copy of the same as firewall local (incorrect).

 

If anyone finds a way to fix it, please let us know, as it is annoying and confusing to customers.

Forgot to mention that it also appears in Panorama. The template shows a single copy of the VPN, however the Template stack shows 2 copies of all tunnels (all of them coming from the same Template which only has a single copy).

Weird bug.

L1 Bithead

I found this on a Reddit forum; it looks like someone encountered the same, but I couldn't find this PAN-191466 code to confirm it.

"This problem is being caused by a recently discovered issue called PAN-191466. From what I read in our internal database of Panorama issues, this problem started in Panorama 10.1.5 and has not been resolved yet. There were no workarounds listed, but I would assume that going to 10.1.4 or earlier would fix the issue, but I cannot verify this. The future Release Notes will announce when this issue is resolved. Below is some information on this issue."

* The Panorama override option is not available in the template stack to modify the IPSec tunnel settings after the Panorama 10.1.5 upgrade.

* Duplicate IPSec tunnel objects get created on Firewall/Panorama (Template-stack) WebUI after the Panorama 10.1.5 upgrade.

We faced the same issue after upgrading from 10.0.7 to 10.1.5-h1.

 

Any recommendation to fix this yet..?

It looks like it will be fixed in 10.1.6, but there is still no confirmation, and the error code has not been made public by Palo Alto. At least they should publish the bug.

L0 Member

Hello, has anyone had the opportunity to test the 10.1.6 and check if it was fixed there?

 

I can confirm the duplicate tunnels & no override available is fixed in 10.1.6

L1 Bithead

10.1.6 resolved this for me as well.

L0 Member

Can anyone share the bug ID for duplicate IPsec tunnels showing on Palo Alto/Panorama in version 10.1.5?

 

L0 Member

This has been fixed in PAN-OS 10.1.8.

L0 Member

I have firewalls running 10.2.0 and Panorama running 10.2.3. I am still seeing this problem - no duplicate tunnels on Panorama but every tunnel duplicated on the firewall.

Cyber Elite

Preferred version for 10.2.x branch is 10.2.3-h2

It does not have duplicate tunnels there.

10.2.0 is old and has CVEs fixed in later releases.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011