IKEv2 Tunnel mode and Transport mode fails with the reason with TS_UNACCETABLE in system logs

• Palo Alto Networks Firewall is configured as initiator.
• Phase 1 IKEv2 Negotiations fails.
• TS_UNACCEPTABLE message is recorded in the system log (show log system).
• ikemgr.log (less mp-log ikemgr.log) in dump mode display TS construct TS 0.0.0.0 -> 255.255.255.255  followed by TS_UNACCEPTABLE.

-0200  [PNTF]: {    5:     }: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey; gateway .........
-0200  [DEBG]: {    5:    5}: construct TS_r 0.0.0.0 -> 255.255.255.255 ======> check
....(Output Omitted)............
-0200  [PWRN]: {    5:     }: XX.XX.XX.XX[500] - YY.YY.YY.YY[500]:0x564eaf366fd0 received notify type TS_UNACCEPTABLE 

• Palo Alto Networks Firewalls (including Prisma Access)
• Supported PAN-OS
• IPSec tunnel with a third party device

• PAN FW sends "0.0.0.0 - 255.255.255.255" for both "Traffic Selector - Initiator" and "Traffic Selector - Responder" which may be rejected by the other end device.
• Due to this, IKEv2 child SA in may fail between a PA-Firewalls as an initiator and another vendor's device as a responder with a reason TS_UNACCEPTABLE.
• Traffic selectors CANNOT be changed because in IPsec transport mode, proxy IDs cannot be configured.

1. Check the box "Enable Passive Mode" in the Advanced Options of the corresponding IKE gateway.
2. This will avoid the issue by making the PAN FW always a responder.