You may encounter a pre-shared key mismatch error in an SD-WAN cluster after a commit and
push operation from the Panorama. When this error occurs, you may view entries similar
to the following in the ikemgr.log file:
Additionally, you can view the following error description in the tunnel responder (hub
firewall) system logs:
We recommend that you examine the IKE and system logs of the tunnel peer that acts as the responder while troubleshooting the pre-shared key mismatch error, because the tunnel or gateway marked as passive won't provide relevant troubleshooting logs.
The pre-shared key mismatch error occurs between the SD-WAN tunnel peers in any of the following cases:

(Versions earlier than SD-WAN plugin 2.2.6 and 3.0.7) When the name of an SD-WAN cluster is changed, a new pre-shared key is generated along with the tunnel IP addresses. If you commit and push the changes to only one or some of the cluster devices, the new key is applied only to those devices; the remaining devices in the SD-WAN cluster keep the old key.

(SD-WAN plugin 2.2.6 and later releases, SD-WAN plugin 3.0.7 and later releases) You can't rename the SD-WAN cluster, so there is no longer any relationship between the pre-shared key and the cluster name.

(Versions earlier than SD-WAN plugin 2.2.3, 3.0.4, and 3.1.0) After a Panorama failover, if you commit and push the configuration changes to selected firewalls rather than to all the firewalls in an SD-WAN cluster, a pre-shared key mismatch results, because the pre-shared key isn't synchronized between Panorama and the firewalls.

(All SD-WAN plugin versions) If the IKE key is refreshed (Panorama > SD-WAN > VPN Clusters) for the SD-WAN plugin, a new pre-shared key is generated. If a commit-push isn't sent to all members of the cluster after the key refresh, the keys mismatch, which in turn takes down the tunnels between the affected tunnel peers.
The IKE key specifies the pre-shared key that is used for authentication. Refresh the IKE key only when it is needed, because refreshing it updates all the SD-WAN tunnels in the VPN cluster and requires a simultaneous configuration push to all branch and hub devices. The IKE key and the KeyID are different attributes altogether.
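Every case above comes down to the same condition: some cluster members hold the key Panorama currently holds and some hold an older one, and every tunnel whose two endpoints disagree fails IKE authentication. The following added example (not code from Palo Alto Networks or the SD-WAN plugin) audits that condition for a hub-and-spoke cluster. The device names, the sample key values and the idea of collecting each member's configured pre-shared key into a dictionary are all constructed for this illustration; in practice the values would be read from each firewall's configuration over its management path. Keys are compared by SHA-256 fingerprint so the secret itself never appears in a report.

```python
"""Audit pre-shared key consistency across an SD-WAN VPN cluster.

Added example; the device names and key values are constructed, and
the per-device key dictionary stands in for whatever collection method
you use. Only key fingerprints are kept or reported, never the key.
"""
import hashlib
from dataclasses import dataclass, field


def fingerprint(psk: str) -> str:
    """Return a short SHA-256 fingerprint of a pre-shared key."""
    return hashlib.sha256(psk.encode("utf-8")).hexdigest()[:16]


@dataclass
class ClusterAudit:
    """Result of comparing every cluster member's key against Panorama's."""
    panorama_fp: str                              # fingerprint Panorama currently holds
    members: dict = field(default_factory=dict)   # device name -> fingerprint

    @property
    def consistent(self) -> bool:
        """True only when every member holds exactly the key Panorama holds."""
        return all(fp == self.panorama_fp for fp in self.members.values())

    def stale_members(self) -> list:
        """Devices still carrying a different key: these need a commit-push."""
        return sorted(d for d, fp in self.members.items() if fp != self.panorama_fp)

    def key_groups(self) -> dict:
        """fingerprint -> sorted device names, so a mixed key set is visible at a glance."""
        groups = {}
        for device, fp in self.members.items():
            groups.setdefault(fp, []).append(device)
        return {fp: sorted(devs) for fp, devs in groups.items()}

    def mismatched_tunnels(self, hub: str) -> list:
        """Hub-to-branch tunnels whose endpoints hold different keys.

        IKE authentication on each of these tunnels fails until both
        sides hold the same key again.
        """
        hub_fp = self.members[hub]
        return sorted(
            (hub, dev) for dev, fp in self.members.items()
            if dev != hub and fp != hub_fp
        )


def audit_cluster(panorama_psk: str, device_psks: dict) -> ClusterAudit:
    """Fingerprint Panorama's key and each device's key, then build the audit."""
    return ClusterAudit(
        panorama_fp=fingerprint(panorama_psk),
        members={dev: fingerprint(psk) for dev, psk in device_psks.items()},
    )


# Constructed scenario: Panorama refreshed the IKE key, but the commit-push
# reached only the hub and branch-1; branch-2 and branch-3 still hold the old key.
OLD_KEY = "example-old-psk-do-not-use"
NEW_KEY = "example-new-psk-do-not-use"
SAMPLE_DEVICES = {
    "hub-fw": NEW_KEY,
    "branch-1": NEW_KEY,
    "branch-2": OLD_KEY,
    "branch-3": OLD_KEY,
}


def run_sample() -> ClusterAudit:
    """Run the audit on the constructed scenario and print a short report."""
    audit = audit_cluster(NEW_KEY, SAMPLE_DEVICES)
    print("cluster consistent:", audit.consistent)
    print("members needing commit-push:", audit.stale_members())
    for fp, devs in audit.key_groups().items():
        print(f"  key {fp}: {', '.join(devs)}")
    print("tunnels that will fail IKE authentication:", audit.mismatched_tunnels("hub-fw"))
    return audit


if __name__ == "__main__":
    run_sample()
```

In the constructed scenario the report lists branch-2 and branch-3 as needing a commit-push and shows the hub-to-branch-2 and hub-to-branch-3 tunnels as the ones that will fail, which matches the first remediation step below: push the same key to every member of the VPN cluster rather than to a subset.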
Perform the following if you encounter a pre-shared key mismatch error:

If the SD-WAN devices have out-of-band access directly to Panorama outside of the SD-WAN tunnels, execute a commit and push to all the devices in the VPN cluster. This ensures that all devices in the VPN cluster are configured with the same pre-shared key.

Otherwise, override the IKE gateway for the specific tunnel peer between the target devices by manually entering a temporary pre-shared key that matches on both sides. To override the gateway:

1. Log in to the managed device.
2. Navigate to Network > Network Profiles > IKE Gateways.
3. Override the gateway and manually enter the temporary pre-shared key that matches on both sides.
4. Commit the changes locally.

Once the tunnel recovers, revert the changes without committing them locally:

1. Navigate to the same gateway (Network > Network Profiles > IKE Gateways) and revert the override.
2. Enable Merge with Device Candidate Config in the Push Selection Scope, then commit and push from Panorama.