Tunnels to hub are down after replacing faulty SDWAN spoke firewall with a new firewall
Created On 01/31/23 14:23 PM - Last Modified 01/17/25 22:24 PM
Symptom
- Tunnels to the hub are down after replacing a faulty SD-WAN spoke firewall with a new one.
- System logs (show log system) report an authentication-failed message as the reason the tunnels to the hub are down:
"IKE protocol notification message received: received notify type: AUTHENTICATION FAILED."
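The following is an added example, not part of this article or of any Palo Alto Networks tooling. It scans system-log lines for the IKE AUTHENTICATION FAILED notification quoted above and reports which IKE gateways are repeatedly affected, which is the pattern to expect on the hub when a replaced spoke presents a key the hub does not yet have. The log layout (timestamp, severity, subtype, object, description) is a constructed simplification, not the exact `show log system` column format, so adjust the line regex to the real output before use.

```python
"""Scan firewall system-log lines for IKE AUTHENTICATION FAILED notifications
and report which IKE gateways are affected.

Added example. The log line layout below is a constructed, simplified
approximation of `show log system` output (date, time, severity, subtype,
object, description), not a verbatim PAN-OS format."""
import re
from collections import Counter

# The exact notification text quoted in the article's Symptom section.
AUTH_FAILED_RE = re.compile(
    r"IKE protocol notification message received: received notify type: "
    r"AUTHENTICATION FAILED",
    re.IGNORECASE,
)

# Constructed sample lines. The 5th column ("object") is the IKE gateway name.
SAMPLE_LOG = """\
2023/01/31 14:20:01 info vpn ike-spoke-branch01 IKE phase-1 negotiation is started as initiator, main mode.
2023/01/31 14:20:02 high vpn ike-spoke-branch01 IKE protocol notification message received: received notify type: AUTHENTICATION FAILED.
2023/01/31 14:20:12 high vpn ike-spoke-branch01 IKE protocol notification message received: received notify type: AUTHENTICATION FAILED.
2023/01/31 14:20:15 info vpn ike-spoke-branch02 IKE phase-1 negotiation is succeeded as initiator, main mode.
2023/01/31 14:20:22 high vpn ike-spoke-branch01 IKE protocol notification message received: received notify type: AUTHENTICATION FAILED.
2023/01/31 14:20:30 info general - Config push from Panorama completed.
"""

# Assumed column layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<sev>\S+) (?P<subtype>\S+) "
    r"(?P<obj>\S+) (?P<desc>.*)$"
)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def auth_failures_by_gateway(log_text):
    """Count AUTHENTICATION FAILED notifications per IKE gateway (vpn subtype only)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["subtype"] == "vpn" and AUTH_FAILED_RE.search(rec["desc"]):
            counts[rec["obj"]] += 1
    return counts


def suspect_gateways(log_text, threshold=2):
    """Gateways with repeated authentication failures: candidates for the
    stale-key condition (spoke replaced, hub not updated with the new key)."""
    counts = auth_failures_by_gateway(log_text)
    return sorted(gw for gw, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for gw in suspect_gateways(SAMPLE_LOG):
        print(f"{gw}: repeated IKE AUTHENTICATION FAILED; "
              "verify the hub received the spoke's updated key (push the template to the hub)")
```

A single failure can be transient, so the threshold defaults to two; a gateway that keeps failing authentication after a spoke swap is the one to check against the hub's pushed configuration.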
Environment
- Panorama managed Firewalls
- Supported PAN-OS
- SD-WAN hub and spoke setup
- Spoke Firewall replaced
Cause
- During replacement, the serial number of the firewall is replaced on Panorama and the configuration is pushed to the new firewall.
- The hub does not receive any information about this change of serial number.
- Because of the serial number change, the "key" presented by the replacement spoke firewall is different from the original key stored on the hub firewall, so IKE authentication fails.
Resolution
- When pushing the configuration to the replacement spoke firewall, push the template to the hub firewalls as well.
- This ensures the hub firewalls replace the original keys with the new keys for the spoke firewall.
- Once the configuration is pushed to the hub firewalls, the keys are the same on both hub and spoke firewalls and the tunnels come up without any issues.