Jmora, thanks for the reply. TBH I forgot about this thread. I should have followed up. When 8.1.13 became generally recommended, we upgraded our remote PA220s to that version, leaving our central PA5220s on 8.1.10 as we couldn't get an upgrade window for them at that time. Upgrading just the PA220s to 8.1.13 fixed the issue. Although I have no official TAC confirmation or bug ID, based on my experience it appears the issue was fixed sometime between 8.1.10 and 8.1.13. I'd assume it will not be a concern for anyone using 8.1.13 and newer. Thanks
Just wanted to add to this discussion in the hopes that it may help others. Recently upgraded my central PA cluster from 8.1.6 to 8.1.10. We have about a dozen remote sites with PA devices still on 8.1.6 (planned to phase their PAN-OS upgrades in throughout the year). They connect back to the central PA cluster. They all use site-to-site IPSec VPNs, with IKEv2 protocol, certificate-based authentication, with certificates using RSA SHA256 as the hashing algorithm w/ cert key as RSA 2048 (I make note of both here because I get them mixed up in my head). This setup has been working as far back as 7.1.x days. A few days ago, after upgrading our central PA cluster from 8.1.6 to 8.1.10, all of the site-to-site tunnels to my remote devices went down. Contacted PAN TAC and was told that using IKEv2, and certificate-based VPN authentication with certificates using RSA SHA256 was no longer a "supported behavior" in 8.1.10. Their suggestion was to 1. roll back OS on central PA cluster, 2. change to IKEv2 with pre-shared keys, 3. change to IKEv1 using our current cert auth config, or 4. re-generate and re-import all our VPN certificates using RSA SHA128. I didn't like any of those options, but I decided to try switching to IKEv1 as it seemed like the easiest change. This solved all our issues, and the VPN tunnels came back. The downside was I had to go onsite to several of the remote locations to make the change, since they were cut off. As a side note, I've now switched those remote locations to the "IKEv2 preferred" setting under IKE Gateway. That will allow them to try to fall back to IKEv1 if the peer is not supporting IKEv2 (assuming IKEv1 is configured and profiles are matching on both central and remote sides). I believe having this enabled before would have saved me from making trips to the remote locations to manually switch them to IKEv1. I still would have had to change the central PA cluster to IKEv1, but that is always reachable via OoB Mgmt.
The last communication I got back from PAN TAC was that their previous statement was incorrect, and certificates using RSA SHA256 should be supported in 8.1.10. They asked me to test upgrading one of the remote PAs from 8.1.6 to 8.1.10 to match the central PA cluster. I did, and then set my IKE gateways on each device back to using IKEv2. To my surprise everything worked again using IKEv2 with both PAs running 8.1.10. I've never had an issue with our PA remotes running a few versions behind our central PA cluster. In summary, it's my opinion that something must have changed with 8.1.10 in regard to IKE and cert-based VPN auth. Whatever changed seems to now require both sides to be running 8.1.10 (if you have a PA-to-PA site-to-site VPN), when using IKEv2, with cert-based auth on certs using RSA SHA256 (I can only speak to certs using RSA SHA256, SHA1 may not be affected).
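The post above mixes up two separate certificate properties (the signature hash, "RSA SHA256", and the key size, "RSA 2048"), and the TAC suggestion to regenerate certificates hinges on exactly that distinction. The script below is an added example, not code from the thread or from Palo Alto Networks: it reports both properties for a certificate file so they can be inventoried on every gateway before a PAN-OS upgrade. It assumes the `openssl` CLI is installed and builds a constructed self-signed sample (RSA 2048 key, SHA-256 signature, like the poster's setup); for a real check, point `cert_summary` at the exported VPN certificate instead.

```shell
#!/bin/sh
# Added example (not from the thread): report the signature hash algorithm and
# RSA key size of a certificate used for IKE certificate-based authentication.
# Assumes the openssl CLI is available. The certificate created here is a
# constructed sample; replace it with the exported gateway certificate in use.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: RSA 2048 key, certificate signed with SHA-256
# (the combination the post describes as "RSA SHA256" with "cert key as RSA 2048").
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 \
        -subj "/CN=remote-site.example" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
    printf '%s\n' "$WORKDIR/cert.pem"
}

# Signature hash algorithm of the certificate, e.g. sha256WithRSAEncryption.
# This is the property the post calls "RSA SHA256" (SHA-1 would show as
# sha1WithRSAEncryption). The line appears twice in -text output; take the first.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Public key size in bits, e.g. 2048. This is the separate property the post
# calls "cert key as RSA 2048"; it is unrelated to the signature hash.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# One-line summary per certificate, suitable for collecting from every gateway.
cert_summary() {
    printf '%s sig=%s key=%s bits\n' "$1" "$(cert_sig_alg "$1")" "$(cert_key_bits "$1")"
}

CERT="$(make_sample_cert)"
cert_summary "$CERT"
```

Run it on the certificate exported from each IKE gateway (central and remote) and compare the two columns: only `sig=` reflects the hash algorithm the post is concerned with, while `key=` is the RSA modulus size and does not change if the certificate is re-signed with a different hash.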