Hi,

In 2021 we ran into the issue where it seemed that, between PAN-OS 8.1.x and 9.0.x/9.1.x, Palo began, either via a feature or a bug that was introduced, enforcing the scenario in the subject line, dropping tunnels after upgrading and causing issues with HA pairs.

Define IKE Crypto Profiles (paloaltonetworks.com)

At the time, Palo identified the above documentation, which appeared not to be enforced until a certain checkpoint in firmware versions.

We've performed an upgrade today on a Palo unit which had the above-mentioned scenario, and after moving to N-1 in the 9.1.x family, we did not identify the same issue occurring. I've been digging through the release notes to try to find where this scenario may have been referenced for enforcement or a fix; however, I have not been able to confirm a specific scenario beyond:

PAN-OS 9.1.11 Addressed Issues (paloaltonetworks.com) PAN-116515

but I believe this may be a slightly different scenario.

Just checking to see if there has been any confirmation that this bug or feature has been resolved/reverted in a recent firmware release? Hoping this may be the case, as we can get along with upgrading some environments which have been holding off due to issues getting moving on migrating tunnels or modifying IKE crypto profiles to match on partner sides.