When a data plane (DP) pod is disconnected from the management (MP) pod for more than a minute, the DP strongswan process restarts to reconnect to the MP pod. This results in strongswan exit crash and core file generation. Though this is a harmless response, in the newer PAN-OS versions (10.2.4, 10.1.9, and 11.0.1), the reconnecting mechanism is changed to avoid strongswan exit crash and core file generation.

The CN-Series 10.1.9 firewall is deployed with 125 pods, 250 interfaces template from kubernetes plugin 2.0.2 using the new template K8S-Network-Setup-V1-125 through 10.1.9 panorama. When you downgrade the CN-Series 10.1.9 with 125 pods, 250 interfaces to CN-Series 10.1.8 while keeping K8s Plugin 2.0.2- this will cause an Auto-commit failure on the CN-MGMT pod. This is because CN-Series 10.1.8 template can only support 30 interfaces, while with CN-Series 10.1.9 can support upto 125 pods, 250 interfaces.

Workaround:

1. It is not recommended to install the kubernetes plugin 2.0.2 on Panorama 10.1.8 or earlier version. If you are using Panorama 10.1.8 or earlier version, you must stop using 125 pods, 250 interfaces template.
2. Before downgrading the CN-Series to 10.1.8, perform the following steps from Panorama:
   1. Disassociate the 125 interfaces template from template-stack and then associate the 30 interface Template. Ensure maximum secured application pod count does not exceed 30.
   2. Commit and Push to CN.
   3. Downgrade the CN.

In PAN-OS 10.1.10 and PAN-OS 10.2.4 version, the CN-MGMT pod fails on Kubernetes version 1.25.x.

Workaround: In pan-cn-mgmt.yaml file, go to Containers section, change the command script from:

to: