The following restrictions are stated about importing PAC credentials:
Thank you very much, Sheraz, for your qualified response. Now the real case that made me start this topic. We're using an HA setup of two ASA firewalls in multi-context mode. In this particular case the primary unit hosts all active contexts. An OS upgrade has been performed on this HA ASA solution. After the OS upgrade the PAC credentials were no longer present at all... neither on the active nor on the standby context. Do you have any explanation why this could happen? The upgrade was done from 9.6(4) to 9.8(4).
What more I can tell you is that the backup unit was upgraded and reloaded first. This would mean that during the whole time of the backup unit's upgrade/reload the primary was active, and I assume the PAC credentials were in place.
I would assume that during the reload of the upgraded primary unit, the PAC credentials *potentially* could not be used by the already upgraded secondary unit due to a theoretical stateful failover incompatibility between the OS versions, but based on the "owner" status of the PAC credentials held by the active context on the primary unit, I would assume they would be taken by the active context from the internal keystore and used as before the upgrade. And therefore TrustSec security groups should be enumerated without issues.
My only understanding is that there's a bug or whatever incompatibility in using the keystore (structure change?) which breaks the possibility of taking the stored PAC credentials...
or anything else?
One more hypothetical question: in case an administrator mistakenly imports the same PAC file (i.e. credentials created for a specific device) to two different firewalls - could this be a reason for PAC credential expiration on both ASA firewalls?