When configuring an IKE gateway in the GUI, the firewall displays the error message "protocol -> ikev2 -> pq-ppk -> negotiation-mode is invalid"

Created On 11/13/24 02:41 AM - Last Modified 07/24/25 07:52 AM


Symptom


When changing an IKE Gateway configuration from the PAN-OS GUI, the error message "protocol -> ikev2 -> pq-ppk -> negotiation-mode is invalid" pops up after clicking "OK".




Environment


  • Palo Alto Firewalls
  • PAN-OS 11.1.0 to 11.1.4-h3
  • IKE Gateway

 



Cause


Software Issue.



Resolution


  1. The issue is resolved under PAN-233727 in PAN-OS 11.1.4-h4.
  2. Upgrading PAN-OS will resolve the issue.
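
To check a fleet against the affected range given under Environment, the following is an added example, not Palo Alto Networks code. It assumes version strings of the form `X.Y.Z` or `X.Y.Z-hN`, treats the stated range as inclusive, and uses a constructed inventory with made-up hostnames.

```python
import re

# Affected range as stated in this article (treated as inclusive: assumption).
AFFECTED_MIN = "11.1.0"
AFFECTED_MAX = "11.1.4-h3"

# Accepts "X.Y.Z" and "X.Y.Z-hN" only (assumed format for this example).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix); a base release has hotfix 0."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        # Any other format is reported rather than guessed at.
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version):
    """True when version lies inside the article's affected range."""
    low = parse_panos_version(AFFECTED_MIN)
    high = parse_panos_version(AFFECTED_MAX)
    return low <= parse_panos_version(version) <= high


def triage(inventory):
    """Map each hostname to 'affected', 'not affected' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "fw-edge-01": "11.1.4-h3",
    "fw-edge-02": "11.1.4-h4",
    "fw-dc-01": "11.1.2",
    "fw-dc-02": "10.2.9-h1",
    "fw-lab-01": "11.1.x",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```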


Additional Information


The following workaround is also available.

  1. IKE Gateway > General tab: temporarily change "Version" from "IKEv1 only mode" or "IKEv2 only mode" to "IKEv2 preferred mode".
  2. Under the Advanced Options tab -> IKEv2, click the checkbox "Enable Post-Quantum Pre-Shared Key(PPK)" and then select Negotiation Mode "Preferred".
  3. Click "Enable Post-Quantum Pre-Shared Key(PPK)" again to disable it.
  4. Go back to the General tab and revert the change made in step 1, changing the version back to "IKEv1 only mode" or "IKEv2 only mode".
  5. Click OK.

