just to give a baseline - hardware are pa-5220, running 10.1.6-h6, HA (active/passive), device managed by Panorama.
Long story short - one of the firewalls got stuck on a reboot cycle where the firewall would reboot every 85 minutes. The data plane would not come up during this time and support processed a RMA.
For the fun part:
our initial attempt to restore, after upgrading the same software level as working firewall, we used a device state backup, everything sync up properly, when we tried to pass traffic through the new firewall we saw the following strange behavior:
source zone and destination zone was not showing up in the logs
some zones were being identified but was incorrect, for instance DMZ, is showing up as Trust
destination country was reporting incorrectly, for instance traffic for United States is showing up for Uruguay
traffic seems to be flowing properly even though rules were not being identified in the logs
2nd restore attempt we used a back from a day before the firewall failed, we had no issues with synching up in this case as well. this gave us a better experience.
all traffic flows looks good on the log, zones and rules were being identified properly
destination country looks good as well
the one problem we noticed was that the IPSEC tunnels would not come up - after troubleshooting with support even a simple command "ping source x.x.x.x host y.y.y.y" where x.x.x.x is one of the firewall interface ip results in "bind: Cannot assign requested address". We checked for "untagged sub interface" like suggested by others but none found.
Any feedback, suggestions would be appreciated. A TAC support is currently open and waiting feedback as well.
... View more