https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577253#M2651 <P>Hi,</P> <P>&nbsp;</P> <P>I have the following issue I am running panorama 10.2.7h3 my new device P440 is also running 10.2.7h3.</P> <P>When I want to onboard the device into panorama it is not working.</P> <P>I am onboarding the device with Authenticatio keys.</P> <P>Following the below procedure.</P> <P><A href="https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device" target="_blank">Add a Firewall as a Managed Device (paloaltonetworks.com)</A></P> <P>I have also reset the secure communication on the PA440&nbsp; and tried removing adding the serials from panorama.</P> <P>The connection doesn't come up.</P> <P>In the ms.log file i am getting the following.</P> <P>Seems to be related to SSL.</P> <P>2024-02-14 15:49:05.844 +0100 COMM: connection established. sock=24 remote ip=10.255.125.50 port=3978 local port=54018<BR />2024-02-14 15:49:05.844 +0100 cms agent: Pre. send buffer limit=46080. s=24<BR />2024-02-14 15:49:05.844 +0100 cms agent: Post. send buffer limit=425984. s=24<BR />2024-02-14 15:49:05.844 +0100 Error: cs_load_certs_ex(cs_common.c:544): keyfile not exists<BR />2024-02-14 15:49:05.844 +0100 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1340): cms agent: cs_load_certs_ex failed2024-02-14 15:49:05.845 +0100 cmsa: client will use default context<BR />2024-02-14 15:49:05.846 +0100 Error: _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5<BR />2024-02-14 15:49:05.846 +0100 Error: sc3_ca_exists(sc3_certs.c:229): SC3: Failed to get the current CA name.<BR />2024-02-14 15:49:05.846 +0100 Warning: sc3_init_sc3(sc3_utils.c:360): SC3: Failed to get the Current CC name<BR />2024-02-14 15:49:05.846 +0100 SC3: CA: '', CC/CSR: 'd41d48e6-c7da-4a61-8307-79ce0cc33ff7'<BR />2024-02-14 15:49:05.846 +0100 Error: _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5<BR />2024-02-14 15:49:05.846 +0100 Warning: sc3_get_current_sc3(sc3_utils.c:184): SC3: failed to get SNI<BR />2024-02-14 15:49:05.846 +0100 Warning: sc3_get_current_sc3(sc3_utils.c:187): SC3: failed to get CCN<BR />2024-02-14 15:49:05.847 +0100 Warning: sc3_init_sctx(sc3_ctx.c:302): SC3: not set, skip cert loading<BR />2024-02-14 15:49:05.847 +0100 SC3A: using SNI (from AK): 4591c212-e525-4d70-92fb-4f5243dff4af<BR />2024-02-14 15:49:05.847 +0100 SC3A: using sc3 ctx with no cert<BR />2024-02-14 15:49:05.901 +0100 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1719): panorama agent: SSL connect error. sock=24 err=5</P> <P>&nbsp;</P> <P>Am i missing something?&nbsp;</P> <P>taking a pcap also show that panoram is just resetting the connection.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_0-1707923254038.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57627iC1F2A46ED602CCE6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_0-1707923254038.png" alt="zGomez_0-1707923254038.png" /></span></P> <P>Any help on this would be appreciated.<BR /><BR /></P> Wed, 14 Feb 2024 15:08:30 GMT zGomez 2024-02-14T15:08:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577253#M2651 <P>Hi,</P> <P>&nbsp;</P> <P>I have the following issue I am running panorama 10.2.7h3 my new device P440 is also running 10.2.7h3.</P> <P>When I want to onboard the device into panorama it is not working.</P> <P>I am onboarding the device with Authenticatio keys.</P> <P>Following the below procedure.</P> <P><A href="https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device" target="_blank">Add a Firewall as a Managed Device (paloaltonetworks.com)</A></P> <P>I have also reset the secure communication on the PA440&nbsp; and tried removing adding the serials from panorama.</P> <P>The connection doesn't come up.</P> <P>In the ms.log file i am getting the following.</P> <P>Seems to be related to SSL.</P> <P>2024-02-14 15:49:05.844 +0100 COMM: connection established. sock=24 remote ip=10.255.125.50 port=3978 local port=54018<BR />2024-02-14 15:49:05.844 +0100 cms agent: Pre. send buffer limit=46080. s=24<BR />2024-02-14 15:49:05.844 +0100 cms agent: Post. send buffer limit=425984. s=24<BR />2024-02-14 15:49:05.844 +0100 Error: cs_load_certs_ex(cs_common.c:544): keyfile not exists<BR />2024-02-14 15:49:05.844 +0100 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1340): cms agent: cs_load_certs_ex failed2024-02-14 15:49:05.845 +0100 cmsa: client will use default context<BR />2024-02-14 15:49:05.846 +0100 Error: _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5<BR />2024-02-14 15:49:05.846 +0100 Error: sc3_ca_exists(sc3_certs.c:229): SC3: Failed to get the current CA name.<BR />2024-02-14 15:49:05.846 +0100 Warning: sc3_init_sc3(sc3_utils.c:360): SC3: Failed to get the Current CC name<BR />2024-02-14 15:49:05.846 +0100 SC3: CA: '', CC/CSR: 'd41d48e6-c7da-4a61-8307-79ce0cc33ff7'<BR />2024-02-14 15:49:05.846 +0100 Error: _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5<BR />2024-02-14 15:49:05.846 +0100 Warning: sc3_get_current_sc3(sc3_utils.c:184): SC3: failed to get SNI<BR />2024-02-14 15:49:05.846 +0100 Warning: sc3_get_current_sc3(sc3_utils.c:187): SC3: failed to get CCN<BR />2024-02-14 15:49:05.847 +0100 Warning: sc3_init_sctx(sc3_ctx.c:302): SC3: not set, skip cert loading<BR />2024-02-14 15:49:05.847 +0100 SC3A: using SNI (from AK): 4591c212-e525-4d70-92fb-4f5243dff4af<BR />2024-02-14 15:49:05.847 +0100 SC3A: using sc3 ctx with no cert<BR />2024-02-14 15:49:05.901 +0100 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1719): panorama agent: SSL connect error. sock=24 err=5</P> <P>&nbsp;</P> <P>Am i missing something?&nbsp;</P> <P>taking a pcap also show that panoram is just resetting the connection.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="zGomez_0-1707923254038.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57627iC1F2A46ED602CCE6/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="zGomez_0-1707923254038.png" alt="zGomez_0-1707923254038.png" /></span></P> <P>Any help on this would be appreciated.<BR /><BR /></P> Wed, 14 Feb 2024 15:08:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577253#M2651 zGomez 2024-02-14T15:08:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577274#M2656 <P>I am having this same problem with 10.2.6 on both Panorama and FW 3220. I just spent two days with support and they are escalating.</P> <P>&nbsp;</P> <P>I even changed my MGMT Interface MTU as recommended by this article even though I am not seeing large packets.<BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkjSCAQ&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkjSCAQ&amp;lang=en_US%E2%80%A9</A></P> Wed, 14 Feb 2024 20:58:34 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577274#M2656 StanleyWilson 2024-02-14T20:58:34Z https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577297#M2657 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211799">@zGomez</a>&nbsp;</P> <P>&nbsp;</P> <P>it looks like you might be hitting an issue in this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkjSCAQ" target="_self"> Managed Firewalls showing disconnected from the Panorama even though network connectivity is good</A>. Could you check whether following this KB resolves the issue?</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Thu, 15 Feb 2024 04:50:22 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577297#M2657 PavelK 2024-02-15T04:50:22Z https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577623#M2672 <P>Hi Pavel,</P> <P>&nbsp;</P> <P>I have followed the above article but this did not solve my problem(first thing i tried actually).&nbsp; It turned out that I needed to allow SSL on the policy as an application, it was no longer recognized as panorama on the first connection.<BR /><BR /></P> <P>I really have no idea why this is and what has changed.&nbsp; Since the panorama app id allow implicitly ssl on the first connection. (connection to panorma was passing multiple firewalls )<BR /><BR /></P> <P>But is solved my panorama connection by allowing ssl in the policy.</P> Mon, 19 Feb 2024 07:25:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/577623#M2672 zGomez 2024-02-19T07:25:14Z https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/579826#M2797 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/211799">@zGomez</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>I see. You might have been hitting an issue described in this KB: <A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kI94CAE" target="_self">Why is traffic on port 3978 Identified as SSL application instead of Panorama application?</A>.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Fri, 08 Mar 2024 22:19:45 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/connection-to-panorama-for-new-deployment-failing/m-p/579826#M2797 PavelK 2024-03-08T22:19:45Z