duplicate ipsec tunnels

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

duplicate ipsec tunnels

L1 Bithead

Hello Comunity,

 

I have a weird issue, we upgrade a cluster to 10.1.5-h1 from a 9.1 version, after the upgrade on the gui i see all the ipsec tunnels duplicated for example i had an ipsec tunnel called vpn_consult, after the upgrade i had 2 ipsec tunnels called vpn_consult, all the tunnels are working, and in the merge-running-config.xml, i see all the tunnels ok, so, no double entries on the config xml.

 

someone have see this problem?

26 REPLIES 26

L0 Member

Thanks Raido, 10.2.3-h2 fixed it.

L0 Member

I went from 9.1.13 to 10.1.8. i did see this weird behavior when my firewalls were on 10.0.11 along the upgrade path. No actions taken. just upgrade.

RSS

L0 Member

I have the exact same issue.

2 VPN tunnels are pushed from panorama. But the managed firewalls show 4 tunnels -- 2 from panorama and 2 on local firewalls.

However, no VPN configuration can be on the firewalls. And these 4 tunnels are replicated.

Why do you keep firewall operating system on old version and don't upgrade to preferred version?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Raido,

We can't use PAN-OS v10.2 yet.

Which V10.1 version has the fix as well?

Cyber Elite
Cyber Elite

10.1.9 was just released so it is under monitoring.

10.1.8-h2 is preferred.

 

Raido_Rattameister_0-1675798409646.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Did you find a fix for this?

 

Running PANOS 10.0.11, but don't want to upgrade to 10.1 as authentication changes

Cyber Elite
Cyber Elite

What are you challenges with 10.1 that stop from upgrade?

10.0 is end of life and won't get any updates.

 

Raido_Rattameister_0-1678908156271.png

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

There are changes to the default behavior between 10.0.x and 10.1 so upgrading one satelliate to 10.1.x isnt an option without changes to the whole estate

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-release-notes/changes-to-default-behavior/chang...

Cyber Elite
Cyber Elite

Whoever is running "whole estate" is doing bad job of keeping it on end of life 10.0

Whole environment should be upgraded in this case to be secure.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Majority of the estate is running 9.1.x which is still in support. Some 850s deployed with 10.0.11

 

The jump to 10.1.x would cause an issue.

 

Thanks for looking

Cyber Elite
Cyber Elite

Now this makes sense.

I guess you are stuck until estate migrates over.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 11230 Views
  • 26 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!