IPsec tunnel objects 'tunnel-name' not present in panorama's template-stack 'Service_Conn_Template_Stack'
1311
Created On 10/11/24 16:48 PM - Last Modified 12/12/25 03:20 AM
Symptom
When the same IPSEC tunnel name has been configured for both Remote Networks (RN) and Service Connections (SC), and we attempt to fix this by renaming one of the tunnels, the Commit and Push fails after modifying either one, the Remote Networks (RN) or the Service Connection (SC) IPSEC tunnel name.
Service Connection:
Remote Networks:
The following error message is received:
Operation Commit and Push Status Completed Result Failed Details ipsec tunnel objects 'Company_RN-Tunnel2' not present in panorama's template-stack 'Service_Conn_Template_Stack'. Failed plugin validation Warnings
Environment
- Prisma Access
- PANOS-10.2.8-hx
Cause
- This issue occurs when the same IPSEC tunnel name has been configured for both Remote Networks (RN) and Service Connections (SC).
Resolution
- Begin by modifying the tunnel name. e.g from *Company_Tunnel2* to *Company_RN-Tunnel2* for the Remote Networks (RN) tunnel.
- Try to commit, then observe and confirm that the commit fails with the following error:
'Service_Conn_Template_Stack' is not present in the config for the service connection.
- After modifying the tunnel name for the RN template stack, this unintentionally alters the tunnel name under the SC IPsec tunnel.
Cloud Services > Configuration > Service Connection for the IPsec tunnel.
- Revert the secondary IPsec tunnel name in the Service Connection back to *Company_Tunnel2* and initiate a commit and push.
- The commit should now succeed.
Additional Information
- Having both Remote Networks (RN) and Service Connections (SC) with the same name is a valid Palo Alto (PA) setup. However, this configuration will only negatively impact the alerting in Insights in this case.