Error "network -> tunnel -> ipsec constraints failed : Maximum number of tunnels exceeded"
Created On 08/21/21 22:11 PM - Last Modified 07/07/25 21:01 PM
Symptom
Committing the changes fails with the following error:
Validation Error:
network -> tunnel -> ipsec constraints failed : Maximum number of tunnels exceeded
network -> tunnel -> ipsec is invalid
network -> tunnel is invalid
network is invalid
There is a limit on the maximum number of Proxy IDs per Phase 2.
Environment
- PA-3220
- PAN-OS 9.1.x
Cause
This occurred while migrating a configuration.
The validation error 'Maximum number of tunnels exceeded' is due to the Proxy ID configuration for each IPSec VPN tunnel.
Resolution
Check whether the maximum number of IPSec tunnels supported by the platform has been reached, using the following commands:
> show vpn tunnel
> show system state | match general.max-tunnel
If the maximum number of supported IPSec tunnels has been reached, do the following:
- Remove unused tunnels
- Reduce the number of proxy IDs
- Supernet the proxy IDs. For example, instead of using 10.1.0.0/16, 10.2.0.0/16, the range can be supernetted to 10.0.0.0/8 to avoid multiple entries.
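The supernetting step can be checked offline before the configuration is changed. The following Python sketch is an added example, not Palo Alto Networks code; the function names are assumptions, and it looks at one side of the proxy IDs only. It reports which entries merge without widening anything, the tightest single covering prefix, and how many addresses a chosen supernet adds beyond the original entries, since a wider proxy ID matches more traffic than the entries it replaces.

```python
import ipaddress

def common_supernet(nets):
    """Return the smallest single prefix containing every network in nets."""
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate

def extra_addresses(supernet, nets):
    """Count addresses covered by supernet that no original entry covered."""
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return supernet.num_addresses - covered

def plan_proxy_ids(prefixes, chosen=None):
    """Summarise consolidation options for one side of a tunnel's proxy IDs.

    prefixes: the existing proxy ID networks (hypothetical input format).
    chosen:   optional supernet the operator intends to configure instead.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    # Lossless merge: adjacent or overlapping entries only, no extra coverage.
    lossless = list(ipaddress.collapse_addresses(nets))
    tightest = common_supernet(lossless)
    plan = {
        "entries_before": len(nets),
        "lossless": [str(n) for n in lossless],
        "tightest": str(tightest),
        "tightest_extra": extra_addresses(tightest, nets),
    }
    if chosen is not None:
        chosen_net = ipaddress.ip_network(chosen)
        missing = [str(n) for n in lossless if not n.subnet_of(chosen_net)]
        if missing:
            raise ValueError(f"{chosen} does not cover {missing}")
        plan["chosen_extra"] = extra_addresses(chosen_net, nets)
    return plan

if __name__ == "__main__":
    # The article's example: two /16 entries replaced by 10.0.0.0/8.
    print(plan_proxy_ids(["10.1.0.0/16", "10.2.0.0/16"], chosen="10.0.0.0/8"))
    # Constructed sample: adjacent entries that merge with no added coverage.
    print(plan_proxy_ids(["10.2.0.0/16", "10.3.0.0/16"]))
```

Where the extra coverage is not zero, the security policy on the tunnel interface remains the place to restrict traffic to the networks actually intended.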
Additional Information
WHAT IS THE MAXIMUM NUMBER OF IPSEC VPN TUNNELS SUPPORTED ON FIREWALL
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPBgCAO