The earliest recollection of this bug is traced back to PAN-OS 12.1.3 - May 13, 2026. This bug is fixed in PAN-OS versions 12.1.6. Fixed an issue on PAN-OS 12.1 releases where intermittent traffic drops occurred over IPSec VPN tunnels to third-party firewalls during the IPSec rekey due to the firewall failing to inform the peer to delete the old SA after moving to the new one. On firewalls running PAN-OS 12.1, IPsec VPN tunnels to third-party peer devices may experience intermittent traffic loss during rekey operations. When a new Security Association (SA) forms before the old SA expires, traffic may stop flowing until the older SA naturally expires or you manually clear it. During this time, the output of show vpn ipsec-sa may show two SAs for the same proxy ID. This issue primarily affects tunnels to third-party peer devices and does not occur with Palo Alto Networks to Palo Alto Networks tunnels. Workaround: Manually clear the affected Security Association using the command clear vpn ipsec-sa tunnel to restore connectivity. For more information: https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/pan-os-12-1-3-known-and-addressed-issues/pan-os-12-1-3-known-issues https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/pan-os-12-1-5-known-and-addressed-issues/pan-os-12-1-5-known-issues https://docs.paloaltonetworks.com/ngfw/release-notes/12-1/pan-os-12-1-6-known-and-addressed-issues/pan-os-12-1-6-addressed-issues