PANOS 10.2.8 NOT recommended: S2S VPN IKEv1, IKEv2 Preferred does not work anymore


L0 Member

Hi Everybody,

We updated from 10.2.7 to 10.2.8 and had a lot of trouble with our Site-2-Site IKEv1, IKEv2 Preferred gateway connections. I'm not sure if the IKE version is the root problem, but that was the pattern that was visible in the short time for this change.

Phase 1 did not come up, initiated in both directions.

These are the messages in the logs:

Us-2-endpoint: 'IKE phase-1 negotiation is failed as responder, main mode. Failed SA:

Endpoint-2-us: the logs always said "Connection Timeout".

Sophos, FritzBox and Azure were the other endpoints; we were not able to establish phase 1. After downgrading to 10.2.7 everything worked; with 10.2.7-h3 everything is working as well.

We did not see any traffic for phase 1 in the traffic monitor, although we otherwise saw this connection traffic in an intrazone (Untrust-2-Untrust) rule. With PANOS 10.2.7 and H3 it was visible again.

Also without Zone Protection, the connection did not come up; it was like something was blocking the connection, without generating logs.

I didn't find anything in the release notes that points to this issue. Has anybody else had this experience?

Happy firewalling

2 REPLIES

L0 Member

There are two NAT rules (destination-translation) for the Exchange2019 mail server; starting from version 1.2.8 they stopped working. They work for some time, then they are blocked; there is no information in the logs.

In version 1.2.9 the same thing.

Community Team Member

Thanks for providing valuable insight @FabioHufschmid! If you ever have the time, please open up a support ticket and share details of your findings.

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !
