topic Re: Issue with connecting Expedition to Panorama - Error35 in Expedition Discussions

Issue with connecting Expedition to Panorama - Error35

Liam_Wynne — Fri, 23 Sep 2022 09:48:23 GMT

Expedition Version: 1.2.38

I am trying to connect an expedition to Panorama 10.1.6h3 (VMware)

When I try to add an API key using username/password I get "Error Code 35: The connection with the device cannot be established. Please, report Error Code for improvement"

I generated an API key for the panorama so I tried that method by adding API key on expedition.

As I found that error 35 relates to SSL Communication I checked that area. The Panorama has an SSL/TLS profile on it's management interface with a cert from their own trusted root CA. I loaded the root CA for the certificate into the Ubuntu CA certificate store as presumed the issue was the expedition could not communicate on SSL with the panorama until it had the root CA to trust the certificate on it's management interface. The CA cert is present and active on Ubuntu as a trusted CA cert. However I still am receiving the same error Error 35 when I add API via username/password option and when I have API key added and try to retrieve contents it does not download. With either method I see logs on the panorama on 443 indicating session end reason of tcp-rst-from-client

So it looks like there still an issue with establishing an SSL session to allow retrieval of contents etc

Does anyone have any ideas how I might try to resolve this?

Re: Issue with connecting Expedition to Panorama - Error35

lychiang — Fri, 23 Sep 2022 15:16:00 GMT

@Liam_Wynne could you please review /home/userSpace/devices/debug.txt , it might give more detail root cause on why the connection is not working.

Re: Issue with connecting Expedition to Panorama - Error35

Liam_Wynne — Mon, 26 Sep 2022 11:53:37 GMT

Thanks Lychiang - I checked this log and it confirmed issue was SSL negotiation.

Re: Issue with connecting Expedition to Panorama - Error35

lychiang — Mon, 26 Sep 2022 18:25:10 GMT

@Liam_Wynne In Expedition to avoid SSL Certificates errors we are trusting all source, so it should not be a certificate error. “Curl error code 35” is happening when the SSL handshake is failing, something is blocking the SSL connection between Expedition and the Panorama.

You could test the connection by executing directly the call using the Expedition CLI:

curl --insecure https://PANORAMA_IP:PANORAMA_PORT/api?type=keygen -d user=PANORAMA_USER -d password=PANORAMA_PWD

For example:

curl --insecure https://10.11.29.168:443/api?type=keygen -d user=admin -d password=paloalto

This command should return API key as result.

Please execute the above command and see if you are getting any errors, also please validate that there’s nothing between Expedition and Panorama that could be blocking the traffic.