Importing firewall configuration into Panorama 10.1 results in issues with private key/PSK encryption/decryption
Created On 04/28/22 03:06 AM - Last Modified 12/07/22 02:22 AM
Symptom
- After importing a firewall into Panorama 10.1, IPsec tunnels are down
- In ikemgr.log and the system logs, auth key failures are observed
Environment
- Firewall managed by Panorama
- PAN-OS 10.1.x
Cause
When a firewall configuration is imported into Panorama and no master key is provided during the import, the configuration is not decrypted correctly using the current/default master key.
Resolution
Upgrade to PAN-OS 10.2.1 or 10.1.6
Workaround 1
Configure a master key on the firewall and provide it when importing the configuration into Panorama.
Workaround 2
Set a new pre-shared key in Panorama, then push the changes to the firewall.
Workaround 3
Import the backup saved configuration and commit the changes.
Additional Information
PAN-188009