There could be a scenario in which all user credentials, keys, and tokens are correct, and the Zscaler Location and VPN credential objects are also created. However, the Prisma SD-WAN VPNs are not created. This can be due to the pre-built IPsec profiles based on Zscaler’s recommended best practices, which have not been allocated to your Prisma SD-WAN tenant. Another reason could be that the custom IPsec profile name specified in your CloudBlade configuration does not exist (or has a typo in it).

This condition can be validated by selecting the Messages link on the CloudBlade tile and looking for an error message similar to the one below.

To verify that these IPsec profiles exist, in Strata Cloud manager, navigate to ManagePrisma SD-WANResourcesConfiguration ProfilesIPsec, and check if the profiles shown in the example below are displayed. If these two profiles are not present, please contact Palo Alto support OR create your own IPsec profile in that name in your CloudBlade configuration.