After HA failover IKE SA negotiation fails with "INVALID_SPI" message

Created On 11/29/22 03:49 AM - Last Modified 02/07/25 22:34 PM


Symptom


  • The IKE peer repeatedly sends an INVALID_SPI notification payload.
  • This happens after an HA failover on a Palo Alto Networks firewall.
  • The IKE manager log (less mp-log ikemgr.log) shows the negotiation aborting after the INVALID_SPI payload is received.
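As an added example (not part of the KB article), the following Python script scans IKE manager log lines for the pattern described above: INVALID_SPI notifications from the same peer repeating shortly after a failover event. The sample log lines are constructed to mimic the general shape of ikemgr.log entries, and the regular expressions, the failover marker text and the "sent INVALID_SPI" wording are assumptions; adjust them to the actual format on your release before using this against real logs.

```python
"""Flag IKE peers that keep sending INVALID_SPI after an HA failover.

Added example, not from the KB article. The log lines below are
constructed to resemble ikemgr.log entries, not copied from a real
firewall; the regexes are assumptions to be adapted to the real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of 'less mp-log ikemgr.log' (simplified).
SAMPLE_LOG = """\
2022-11-29 03:40:01 [INFO]: HA: state change to active (failover)
2022-11-29 03:40:05 [PNTF]: 198.51.100.20[500] sent INVALID_SPI notify, spi=0x11111111
2022-11-29 03:40:15 [PNTF]: 198.51.100.20[500] sent INVALID_SPI notify, spi=0x11111111
2022-11-29 03:40:25 [PNTF]: 198.51.100.20[500] sent INVALID_SPI notify, spi=0x11111111
2022-11-29 03:40:26 [PERR]: aborting negotiation with 198.51.100.20[500]
2022-11-29 03:41:00 [PNTF]: 203.0.113.7[500] sent INVALID_SPI notify, spi=0x22222222
2022-11-29 03:55:00 [PNTF]: 203.0.113.7[500] sent INVALID_SPI notify, spi=0x33333333
"""

# Assumed line layout: "<timestamp> [<level>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<lvl>\w+)\]: (?P<msg>.*)$"
)
# Assumed marker for the HA transition to active (failover).
FAILOVER_RE = re.compile(r"HA: state change to active")
# Assumed wording of an INVALID_SPI notification; captures the peer IP.
INVALID_SPI_RE = re.compile(r"(?P<peer>\d+\.\d+\.\d+\.\d+)\[\d+\] sent INVALID_SPI")


def parse_line(line):
    """Return (timestamp, message) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("msg")


def find_stuck_peers(log_text, window=timedelta(minutes=5), threshold=3):
    """Return {peer_ip: count} for peers that sent at least `threshold`
    INVALID_SPI notifications within `window` after the latest failover.

    Notifications seen before any failover, or outside the window, are
    ignored so that an occasional stray INVALID_SPI does not raise an alert.
    """
    failover_at = None
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if FAILOVER_RE.search(msg):
            failover_at = ts
            hits.clear()  # only count notifications after the most recent failover
            continue
        m = INVALID_SPI_RE.search(msg)
        if m and failover_at is not None and ts - failover_at <= window:
            hits[m.group("peer")] += 1
    return {peer: n for peer, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for peer, count in find_stuck_peers(SAMPLE_LOG).items():
        print(f"peer {peer}: {count} INVALID_SPI notifications after failover")
```

On the constructed sample the script reports only 198.51.100.20, which sent three notifications inside the five-minute window; 203.0.113.7 sent one inside the window and one well outside it, so it stays below the threshold. Lowering `threshold` or widening `window` makes the check more sensitive.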


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1.13-h3
  • High Availability (HA) Failover
  • IPsec Tunnels


Cause


  • Software Issue.


Resolution


  1. The issue is resolved under PAN-202247 in PAN-OS 11.0.0, 9.1.16, 10.2.4 and 10.1.9.
  2. Upgrading to one of the above versions will resolve this issue.
Workaround:
  1. Enable tunnel monitoring. If the tunnel has multiple Proxy IDs, set the monitor's peer IP to the peer IP of the last entry in the Proxy ID list. This way PAN-OS detects sooner that the tunnel is down and attempts to negotiate IKE again.


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFNwCAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail