topic Re: Cannot connect Log Collector to Panorama in Panorama Discussions

Cannot connect Log Collector to Panorama

alan-griffiths — Fri, 14 Oct 2022 11:56:30 GMT

Going mad here trying to connect a dedicated log collector to a Panorama HA pair.

Followed this procedure

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-virtual-appliance/set-up-the-panorama-virtual-appliance-as-a-log-collector

I get a far as step 12, but after the commit it never reports connected and I never get a status.

The log collector is reporting disconnected

admin@Panorama> show panorama-status Panorama Server 1 : 10.201.24.12 Connected : no HA state : disconnected Panorama Server 2 : 10.201.25.12 Connected : no HA state : disconnected

The log is constantly cycling this

2022-10-14 11:44:47.330 +0000 CMSA: Source bind sock to 10.201.25.13 2022-10-14 11:44:47.330 +0000 COMM: Source bind sock 18 to 10.201.25.13 before connect to remote ip [10.201.25.12] @port 3978 2022-10-14 11:44:47.331 +0000 COMM: connection established. sock=18 remote ip=10.201.25.12 port=3978 local port=45361 2022-10-14 11:44:47.331 +0000 cms agent: Pre. send buffer limit=87040. s=18 2022-10-14 11:44:47.331 +0000 cms agent: Post. send buffer limit=425984. s=18 2022-10-14 11:44:47.331 +0000 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090' 2022-10-14 11:44:47.331 +0000 SC3: CA: 'a83fdd6a-3842-4806-962b-4af693a2744d', CC/CSR: '353cea78-6757-45ac-9073-8fa13c4e2090' 2022-10-14 11:44:47.335 +0000 CMSA: Source bind sock to 10.201.25.13 2022-10-14 11:44:47.335 +0000 COMM: Source bind sock 19 to 10.201.25.13 before connect to remote ip [10.201.24.12] @port 3978 2022-10-14 11:44:47.336 +0000 SC3: context initialized using SNI: a83fdd6a-3842-4806-962b-4af693a2744d 2022-10-14 11:44:47.336 +0000 cmsa: client will use SNI: a83fdd6a-3842-4806-962b-4af693a2744d 2022-10-14 11:44:47.336 +0000 COMM: connection established. sock=19 remote ip=10.201.24.12 port=3978 local port=39935 2022-10-14 11:44:47.336 +0000 cms agent: Pre. send buffer limit=87040. s=19 2022-10-14 11:44:47.336 +0000 cms agent: Post. send buffer limit=425984. s=19 2022-10-14 11:44:47.336 +0000 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090' 2022-10-14 11:44:47.336 +0000 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=18 err=1 2022-10-14 11:44:47.337 +0000 SC3: CA: 'a83fdd6a-3842-4806-962b-4af693a2744d', CC/CSR: '353cea78-6757-45ac-9073-8fa13c4e2090' 2022-10-14 11:44:47.341 +0000 SC3: context initialized using SNI: a83fdd6a-3842-4806-962b-4af693a2744d 2022-10-14 11:44:47.341 +0000 cmsa: client will use SNI: a83fdd6a-3842-4806-962b-4af693a2744d 2022-10-14 11:44:47.342 +0000 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=19 err=1

Repeated the process multiple times, but same failure every time. Both sides are running 10.1.6-h6

Re: Cannot connect Log Collector to Panorama

PavelK — Sun, 16 Oct 2022 21:42:57 GMT

Hello @alan-griffiths

thanks for the post.

1.) Could you make sure that log collector has the same time and time zone as Panorama?

2.) Could you make sure that log collector has set DNS server?

3.) Could you make sure that log collector has device management license applied?

Kind Regards

Pavel

Re: Cannot connect Log Collector to Panorama

Felixcao — Thu, 20 Oct 2022 15:07:12 GMT

hi Alan-Griffiths：

your panorama ha state display disconnected，so i think you should recovery ha state then check log collector connect stats.

Re: Cannot connect Log Collector to Panorama

alan-griffiths — Mon, 24 Oct 2022 11:28:00 GMT

Hi, sorry for late reply, was on leave last week. I have validated 1) and 2), but what is the command to check 3)?

Re: Cannot connect Log Collector to Panorama

PavelK — Mon, 24 Oct 2022 12:30:32 GMT

Thank you for reply @alan-griffiths

you can check it from cli by: request license info

This license: "Device Management License" should be listed under Feature.

Kind Regards

Pavel

Re: Cannot connect Log Collector to Panorama

alan-griffiths — Mon, 24 Oct 2022 13:52:17 GMT

Confirmed device mgt license is present.

Re: Cannot connect Log Collector to Panorama

PavelK — Tue, 25 Oct 2022 02:03:28 GMT

Hello @alan-griffiths

thank you for reply.

Could you confirm the PAN-OS version of both Panorama as well as Log Collector?

Could you confirm that Log Collector's certificate is not expired? Navigate to: https://<Log Collector IP>:3978

Could you confirm what logs on Panorama side says?

Kind Regards

Pavel

Re: Cannot connect Log Collector to Panorama

alan-griffiths — Tue, 25 Oct 2022 09:37:18 GMT

Both Panorama and LC are running 10.1.6-h6.

Confirmed LC cert is still valid.

Panorama log is filled with these

2022-10-25 09:34:50.101 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'. 139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:34:52.147 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'. 139678809425664:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:35:00.456 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'. 139678792640256:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:35:02.500 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'. 139678733891328:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:35:10.811 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'. 139678826211072:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:35:12.847 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'. 139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:35:21.164 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'. 139678826211072:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181: 2022-10-25 09:35:23.202 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.

Re: Cannot connect Log Collector to Panorama

nvieira — Mon, 31 Oct 2022 20:54:23 GMT

I opened a support ticket for this exact issue. This KB article solved the issue for me:

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/troubleshooting/recover-managed-device-connectivity-to-panorama

I skipped over step 2.2 because there was no managed device to reset.

Good luck.

Re: Cannot connect Log Collector to Panorama

alan-griffiths — Tue, 01 Nov 2022 10:11:11 GMT

Ah, you're about 6 hours too late. I'd just opened a ticket and got the same info. The Palo documentation is baffling. There are two separate pages detailing how to configure dedicated log collector. One page includes a step to reset the sc3 the other one doesn't.

This is the page support told me to use https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-log-collection/log-collection-deployments/deploy-panorama-with-dedicated-log-collectors