
Multiple IKE crypto profiles on individual interfaces for multiple IPSEC tunnels


L0 Member

Hi,

 

In 2021 we ran into the issue where it seemed that, between PAN-OS 8.1.x and 9.0.x/9.1.x, Palo began, either via a feature or an introduced bug, enforcing the scenario in the subject line and began dropping tunnels after upgrading, causing issues with HA pairs.

 

Define IKE Crypto Profiles (paloaltonetworks.com)

 

At the time Palo identified the above documentation which appeared to not be enforced until a certain checkpoint in firmware versions.

 

We've performed an upgrade today on a Palo unit which had the above-mentioned scenario and after moving to N-1 in the 9.1.x family, we did not identify the same issue occurring. I've been digging through the release notes to try and find where this scenario may have been referenced for enforcement or a fix; however, I have not been able to confirm a specific scenario beyond:

PAN-OS 9.1.11 Addressed Issues (paloaltonetworks.com)

PAN-116515 but I believe this may be a slightly different scenario.


Just checking to see if there has been any confirmation that this bug or feature has been resolved/reverted in a recent firmware release? Hoping this may be the case as we can get along with upgrading some environments which have been holding off due to issues getting moving on migrating tunnels or modifying IKE crypto profiles to match on partner sides.

1 REPLY

Community Team Member

Hi @Z33Z,

 

Interesting. Did you get confirmation that the behavior you saw was an actual bug?

Without that information it's going to be difficult to confirm if a certain behavior has been 'fixed' since then.

If you have a case# from back then I would reach out to support and get a confirmation on bug/fix.

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP