Configuring IPv4 and IPv6 IP pool addresses in the GlobalProtect Gateway causes all IPv6 return traffic to be dropped by the 7K Firewall.

Created On 07/17/25 18:19 PM - Last Modified 10/27/25 16:50 PM


Symptom


  • Configuring IPv4 and IPv6 IP pool addresses in the GlobalProtect Gateway causes all IPv6 return traffic to be dropped by the 7K Firewall.
  • The global counters show the drop counter "flow_tunnel_encap_err: Packet dropped: tunnel encapsulation error".
  • Flow basic shows the return traffic being dropped by the Firewall with the error "tunnel resolution failure":
    == 2025-05-19 14:06:49.798 -0500 ==
    Packet received at fastpath stage, tag 3592010, type ATOMIC
    Packet info: len 98 port 536 interface 1026 vsys 1
    wqe index 2096921 packet 0x0x8000000f7ddcf0e6, HA: 0, IC: 0
    Packet decoded dump:
    L2: 8c:60:4f:e9:0c:42->b4:0c:25:e0:40:11, VLAN 1505 (0x8100 0x05e1), type 0x86dd
    IP6: 2607:f8b0:4009:818:0:0:0:200e->2607:f388:101e:82:0:0:0:100
     version 6, traffic class 0x00, flow label 0x00
     payload length 40, next header 58, hop limit 116
    L4 binary dump: 16 bytes
    00000000: 81 00 21 a6 00 01 00 3b 61 62 63 64 65 66 67 68 ..!....; abcdefgh
    Flow fastpath, session 3592010 s2c (set work 0x8000000f765fba00 exclude_video 0 from sp 0x80000005138d16
    Forwarding lookup, ingress interface 1026
    L3 mode, router 2
    Route found, interface tunnel.4, zone 42, nexthop 2607:f388:101e:82:0:0:0:100
    Packet enters tunnel encap stage, tunnel interface null
    Resolving tunnel 2
    Packet dropped, tunnel resolution failure<<<<<<<
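
As an added example (not from the original article or from Palo Alto Networks), this Python script scans saved flow basic output for the signature shown above: an IPv6 packet routed to a tunnel interface and then dropped with tunnel resolution failure. It assumes records are delimited by `== timestamp ==` lines as in the capture above; the function names and the second sample record are constructed for illustration.

```python
import re

# Sample input: the first record is trimmed from the flow basic output above;
# the second record is constructed for contrast (a packet that is not dropped).
SAMPLE = """\
== 2025-05-19 14:06:49.798 -0500 ==
Packet received at fastpath stage, tag 3592010, type ATOMIC
IP6: 2607:f8b0:4009:818:0:0:0:200e->2607:f388:101e:82:0:0:0:100
Route found, interface tunnel.4, zone 42, nexthop 2607:f388:101e:82:0:0:0:100
Packet enters tunnel encap stage, tunnel interface null
Packet dropped, tunnel resolution failure
== 2025-05-19 14:06:50.101 -0500 ==
Packet received at fastpath stage, tag 3592011, type ATOMIC
IP6: 2001:db8:0:0:0:0:0:1->2001:db8:0:0:0:0:0:2
Route found, interface ethernet1/1, zone 3, nexthop 2001:db8:0:0:0:0:0:2
"""

RECORD_START = re.compile(r"^\s*==\s*(.+?)\s*==\s*$")
IP6_LINE = re.compile(r"^\s*IP6:\s*(\S+)->(\S+)")
ROUTE_LINE = re.compile(r"Route found, interface (\S+?),")
DROP_TEXT = "Packet dropped, tunnel resolution failure"

def split_records(text):
    """Yield (timestamp, lines) for each '== timestamp ==' delimited packet record."""
    stamp, lines = None, []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            if stamp is not None:
                yield stamp, lines
            stamp, lines = m.group(1), []
        elif stamp is not None:
            lines.append(line)
    if stamp is not None:
        yield stamp, lines

def find_ipv6_tunnel_drops(text):
    """Return one dict per IPv6 packet dropped with tunnel resolution failure."""
    hits = []
    for stamp, lines in split_records(text):
        body = "\n".join(lines)
        ip6 = next((m for m in map(IP6_LINE.match, lines) if m), None)
        if ip6 is None or DROP_TEXT not in body:
            continue  # not IPv6, or not this drop reason
        route = ROUTE_LINE.search(body)
        hits.append({"time": stamp, "src": ip6.group(1), "dst": ip6.group(2),
                     "egress": route.group(1) if route else None,
                     "null_tunnel": "tunnel interface null" in body})
    return hits
```

Calling `find_ipv6_tunnel_drops()` on the text of a saved flow basic capture returns the timestamp, addresses and egress tunnel interface of each affected packet, which helps confirm that the drops match this issue before planning the upgrade or workaround.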

     



Environment


  • Palo Alto PA 7000 Firewall
  • Supported PAN-OS
  • GlobalProtect.
  • IP pool configured with IPv4 and IPv6 range.


Cause


Software Issue.



Resolution


  1. The issue is fixed under PAN-292228.
  2. Upgrading to a fixed version of PAN-OS will resolve the issue.
  3. The following versions have the fix:
    1. 12.1.2, 12.2.0, 11.1.11, 11.2.10, 11.2.11, 11.1.14, 10.2.20, 11.1.6-h17, 11.1.10-h4.
  4. Workaround: Keeping only the IPv6 address range in the IP pool will allow IPv6 traffic to work.

