https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/515893#M1672 <P>Downgrade device to 10.0.6 both is work for me. Thank</P> Sun, 25 Sep 2022 06:08:41 GMT TPumtes 2022-09-25T06:08:41Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/430558#M1313 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fwlogs.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35981iE75BCB9AA8AD68CD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="fwlogs.png" alt="fwlogs.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="panlogs.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35980i0BFCDE99E7657A6F/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="panlogs.png" alt="panlogs.png" /></span></P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="broke.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/35979iC5119958C41B7784/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="broke.png" alt="broke.png" /></span></P><P> </P><P>Hello,</P><P>&nbsp;</P><P>We are trying to set up a new deployment in AWS consisting of two firewalls managed by a Panorama server.&nbsp;</P><P>&nbsp;</P><P>For starters, we deployed one firewall and one Panorama instance. They are in the same VPC, different subnets. Security groups currently allow all TCP to/from the Panorama server and the firewall.</P><P>&nbsp;</P><P>Both Panorama and the firewall have been licensed successfully and have a device certificate retrieved after generating an OTP.</P><P>&nbsp;</P><P>They are both on version 10.0.7.</P><P>&nbsp;</P><P>The both have the predefined certificates specified under the secure communication settings</P><P>&nbsp;</P><P>So....after specifying the Panorama IP on the firewall, and attempting to add the firewall to Panorama, we see it still has a status of disconnected.</P><P>&nbsp;</P><P>Looking in the system logs on the firewall shows a bunch of entries that basically follow the pattern "connected to Panorama Server", followed immediately by "Disconnected from Panorama Server"</P><P>&nbsp;</P><P>On the Panorama server, the pattern is "'Client authentication successful PAN-OS ver: 10.0.7 Panorama ver:10.0.7 Client IP: x.x.x.x Server IP: y.y.y.y Client CN: xxxxxxxxx", followed by "added bootstrapped device xxxxxxx to candidate configuration", followed by "xxxxxx connected", followed by "Device xxxxx disconnected from the server" all in rapid succession. That last event has "tls-session-disconnected" which makes me think maybe this is cert based (?)</P><P>&nbsp;</P><P>Does anyone know what may cause this behavior? We are brand new to palo, so thinking it may very well be a layer 8 thing, just stumped as to what.</P><P>&nbsp;</P><P>Thanks for the help!</P><P>&nbsp;</P><P>UPDATE: Looks like maybe this is a bug with 10.0.7///downgraded to 10.0.6 and it's connected now.</P><P>&nbsp;</P><P>UPDATE 2: This looks to maybe be a code bug...I downgraded both panorama and the FW to 10.0.6. and everything started to work.</P> Wed, 01 Sep 2021 15:10:10 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/430558#M1313 JakeKremer 2021-09-01T15:10:10Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/436589#M1344 <P>Downgrade of devices only worked for me, Panorama is still at 10.0.7 and it works now.</P> Sat, 25 Sep 2021 18:27:44 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/436589#M1344 DIRTT 2021-09-25T18:27:44Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/515893#M1672 <P>Downgrade device to 10.0.6 both is work for me. Thank</P> Sun, 25 Sep 2022 06:08:41 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/cannot-connect-vm-series-firewall-to-panorama-in-aws/m-p/515893#M1672 TPumtes 2022-09-25T06:08:41Z