- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
I’ve recently ran into an issue where I’m using IKEv2 preferred and the two firewalls are using different versions of PAN-OS. It will fail with “invalid sig.”. If both firewalls are the same PAN-OS version (this has been happening on 9.1.11-9.1-13h3… I don’t have any other versions to test), it works fine. But since I can’t update all firewalls at the same time, there are periods of time where they are different versions and that results in the tunnel dropping.
Additionally, as I’m using IKEv2 preferred, I assumed that when IKEv2 failed, it would use IKEv1 but that doesn’t seem to be the case.
Are both of these expected behaviors? There must be something I am missing.
I don't know the exact detail of the implementstion of "IKEv2 preferred" but I only had issues with this in the past. I recommend you to use IKEv2 only. Once the tunnel is successfully connected it will not suddenly fail to establish and then do a fallback to IKEv1. If it really fails in such a situation, then it probably is because of an (unlikely) MITM attack.
I could set it to IKEv2 only but the same problem arises; as soon as the the two firewalls are on different versions of PAN-OS, IKEv2 fails. I would have thought that would be the use case for IKEv2 preferred but it doesn’t seem it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!