When terminating IPSec VPN tunnels on a Palo Alto Networks firewall, consider that:
The terminating interface must be associated with the same zone as the external port where the tunnel packets enter the firewall. If the tunnel terminates on an aggregate Ethernet interface, that aggregate interface must also be bound to the external interface (where the tunnel packets enter the firewall).
The external interface is the one on which the original packet (the IKE packet) entered the firewall.