selector tunnel_out src is ambiguous, using the first one of the expanded addresses

Created On 07/24/19 15:01 PM - Last Modified 06/09/20 20:50 PM


Question


The following message was seen in the logs after configuring an IKEv2 tunnel on the Palo Alto Firewall:
'selector VPN-to-SDRS-DR(GW-to-SDRS-DR)_out src is ambiguous, using the first one of the expanded addresses'

What does this message mean?



Environment


  • Palo Alto Firewall.
  • PAN-OS 7.1.22.
  • IPsec IKEv2 tunnel.


Answer


This is just an IKEv2 warning that no traffic selector is configured, so the firewall takes all defaults.
The PANW firewall uses default proxy IDs when none are configured:

Default:
Local Proxy id = '0.0.0.0/0'
Remote Proxy id = '0.0.0.0/0'

Even when no traffic selector is configured, the PANW firewall still performs the check and reports the selector as ambiguous, because the defaults effectively specify that any traffic goes into the tunnel.
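
An added example, not part of the original article and not Palo Alto Networks code: a Python script that scans exported log lines for this warning and lists the tunnels running on the default 0.0.0.0/0 proxy IDs. The sample lines, their timestamp prefix, and the reading of the selector name as tunnel(gateway)_direction are assumptions made for illustration.

```python
import re
from collections import Counter

# Message text as quoted in the article; the selector name is the token
# between "selector " and the field name ("src" in the article).
WARNING = re.compile(
    r"selector (?P<selector>\S+) (?P<field>\w+) is ambiguous, "
    r"using the first one of the expanded addresses"
)
# Assumption: selector names look like tunnel(gateway)_direction, as in
# VPN-to-SDRS-DR(GW-to-SDRS-DR)_out; the parenthesised part is optional.
NAME = re.compile(
    r"^(?P<tunnel>[^()]+?)(?:\((?P<gateway>[^()]*)\))?_(?P<direction>[A-Za-z]+)$"
)
# Defaults the article states for an unconfigured proxy ID.
DEFAULT_PROXY_ID = {"local": "0.0.0.0/0", "remote": "0.0.0.0/0"}

# Constructed sample input; the prefix before the message is made up.
SAMPLE_LOG = [
    "2019-07-24 15:01:10 selector VPN-to-SDRS-DR(GW-to-SDRS-DR)_out src is "
    "ambiguous, using the first one of the expanded addresses",
    "2019-07-24 15:01:12 unrelated constructed log line",
    "2019-07-24 15:06:10 selector VPN-to-SDRS-DR(GW-to-SDRS-DR)_out src is "
    "ambiguous, using the first one of the expanded addresses",
    "2019-07-24 15:07:44 selector tunnel_out src is ambiguous, using the "
    "first one of the expanded addresses",
]


def tunnels_on_default_selectors(lines):
    """Map each tunnel that logged the warning to its gateway, hit count
    and the default proxy IDs it is therefore using."""
    hits, gateways = Counter(), {}
    for line in lines:
        m = WARNING.search(line)
        if not m:
            continue
        n = NAME.match(m.group("selector"))
        # Fall back to the raw selector name if it does not fit the assumed shape.
        tunnel = n.group("tunnel") if n else m.group("selector")
        gateways[tunnel] = n.group("gateway") if n else None
        hits[tunnel] += 1
    return {t: {"gateway": gateways[t], "hits": c,
                "proxy_id": dict(DEFAULT_PROXY_ID)} for t, c in hits.items()}


if __name__ == "__main__":
    for name, info in tunnels_on_default_selectors(SAMPLE_LOG).items():
        print(name, info)
```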


 

