Incorrect object displayed on PA-5220 during Tunnel negotiation.

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Incorrect object displayed on PA-5220 during Tunnel negotiation.

L0 Member

This is a slightly confusing issue that I am facing so please bare with me with regards to the explanation.


We have a PA-5220 configured with multiple IPSec Tunnels connecting to community sites, the community sites have either a PA-220 or PA-440 on the other end. Recently when setting up a new IPSec Tunnel (Southmead_Health) we noticed one of the community sites go down (BEH_Lorry). When checking the monitor it appears that the negotiation process is displaying the Southmead_Health object for the ike start and then the BEH_Lorry for all further steps as below:


The BEH_Lorry Tunnel completes and comes up as expected but we are really confused as to why the process is picking up the wrong object during the tunnel negotiation. Any advice on what to look at would be appreciated. We have 20+ tunnels configured and have never come across something like this before.





Cyber Elite
Cyber Elite

do all remote sites have a static IP/unique IP and are they configured as such (static remote IP)

if you're using 'dynamic' this could be the cause of this issue, you can remediate this by setting peer identification in the tunnel configuration so the dynamic peers identify themselves with a unique attribute (fqdn, email,....) 


Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!