Hello everyone, I have an issue while migrating from PA-5020 (HA - 8.1.15-h3) to PA-5220 (HA - 8.1.15-h3) firewalls.

1) Did an .xml running config file export from the 5020 and imported it into the 5220, but got an error message on commit. Involved a PA TAC engineer and SE, who were not able to resolve this issue; they just said it's a PAN-OS bug, upgrade to a higher PAN-OS version, and that they need some time to do research, but we were time sensitive in our environment and some objects are controlled from Panorama.

2) Decided and made a replica of the config from the CLI. On maintenance day, unplugged cables from the 5020 and plugged them into the 5220. Everything worked as expected, but 60% of IPSec VPN tunnels to AWS didn't come up. It took a few minutes for them to come up (some VPN tunnels to AWS came up within 2 minutes, some came up after 20 minutes or so). After trying to disable/enable, refreshing tunnels, checking IKE phase 1 and phase 2 parameters, etc., we still had the same issue. Later we rolled back to the 5020.

Does anyone have the same issue? Are there any suggestions for this? Why do IPSec VPN tunnels to AWS take such a long time or not come up at all? It's only an issue with AWS cloud, not with others, for example Azure.