Validation error: encryption 'aes-256-gcm' is not an allowed keyword

Created On 07/07/22 10:29 AM - Last Modified 02/21/24 04:00 AM


Symptom


  • IKE encryption aes-256-gcm is added on Panorama.
  • When trying to commit the configuration to a firewall (PAN-OS below 10.0.3), the error message "'aes-256-gcm' is not an allowed keyword" is displayed.
Validation Error:
. network -> ike -> crypto-profiles -> ike-crypto-profiles -> ike-profile -> encryption 'aes-256-gcm' is not an allowed keyword
. network -> ike -> crypto-profiles -> ike-crypto-profiles -> ike-profile -> encryption is invalid
. ERROR: line:32: syntax error [kmp_enc_alg { aes-256-gcm]
. (Module: ikemgr)
. Commit failed

 


Environment


  • Panorama with managed Firewalls
  • Panorama PAN-OS 10.0.3 or above.
  • Firewall PAN-OS version 10.0.2 or below


Cause


Support for the IKE encryption ciphers AES-128-GCM and AES-256-GCM was introduced in PAN-OS 10.0.3.



Resolution


    1. Upgrade the firewall to the latest supported version.
    2. Temporarily remove aes-256-gcm from the IKE crypto profile until the upgrade is scheduled.
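
A pre-commit check for the mismatch described above, as an added example (not Palo Alto Networks code): it scans an exported configuration for IKE crypto profiles that use GCM ciphers and lists the managed firewalls running a release below PAN-OS 10.0.3. The XML element layout is assumed from the path shown in the validation error, and the sample configuration and firewall inventory are constructed.

```python
import re
import xml.etree.ElementTree as ET

GCM_MIN_VERSION = (10, 0, 3)  # first PAN-OS release with IKE GCM support, per this article
GCM_CIPHERS = {"aes-128-gcm", "aes-256-gcm"}

# Constructed sample; element layout assumed from the path in the validation error.
SAMPLE_CONFIG = """
<config><network><ike><crypto-profiles><ike-crypto-profiles>
  <entry name="ike-profile">
    <encryption><member>aes-256-cbc</member><member>aes-256-gcm</member></encryption>
  </entry>
  <entry name="legacy-profile">
    <encryption><member>aes-256-cbc</member></encryption>
  </entry>
</ike-crypto-profiles></crypto-profiles></ike></network></config>
"""
# Constructed inventory: firewall name -> PAN-OS version string.
SAMPLE_FIREWALLS = {"fw-branch-1": "10.0.2", "fw-branch-2": "9.1.13-h3",
                    "fw-hq": "10.0.3", "fw-dc": "10.1.6-h6"}

def parse_version(text):
    """Turn '9.1.13-h3' into (9, 1, 13); the hotfix suffix is ignored for this check."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def gcm_profiles(config_xml):
    """Return {profile name: sorted GCM ciphers} for IKE crypto profiles that use GCM."""
    root = ET.fromstring(config_xml)
    found = {}
    for entry in root.iterfind(".//ike/crypto-profiles/ike-crypto-profiles/entry"):
        ciphers = {m.text.strip() for m in entry.iterfind("encryption/member") if m.text}
        hits = sorted(ciphers & GCM_CIPHERS)
        if hits:
            found[entry.get("name")] = hits
    return found

def commit_blockers(config_xml, firewalls):
    """List (firewall, version, profile, cipher) combinations that would fail validation."""
    profiles = gcm_profiles(config_xml)
    return [(fw, ver, name, cipher)
            for fw, ver in sorted(firewalls.items())
            if parse_version(ver) < GCM_MIN_VERSION
            for name, ciphers in profiles.items()
            for cipher in ciphers]

if __name__ == "__main__":
    for fw, ver, name, cipher in commit_blockers(SAMPLE_CONFIG, SAMPLE_FIREWALLS):
        print(f"{fw} (PAN-OS {ver}): profile '{name}' uses {cipher}; remove it or upgrade first")
```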

