unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

SubaMuthuram — Fri, 08 Oct 2021 08:17:29 GMT

Hi Team,

I am unable to add my gateway to Panorama, It is showing system logs TSL-SESSION-DISCONNECTED in panorama,

It is connecting and disconnecting every minute. When I supply command show devices in panorama, The predefined certificates not taking, The certificate CN name showing empty.

Please help me.

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

PavelK — Mon, 11 Oct 2021 21:58:28 GMT

Thank you for posting the issue @SubaMuthuram

Would it be possible to take packet capture from management interface to get more visibility into TLS Handshake? You can use filter: tcpdump filter "port 3978" (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS)

On Panorama side, the output from: "show devices all" should for functional registration with predefined certificate return:

Certificate Status:
Certificate subject Name: <Firewall Serial Number>
Certificate expiry at: <Predefined Certificate Expiration Day>
Connected at: <Last Connected Time>
Custom certificate Used: no

Could you please confirm what are you seeing on your side?

Thank you and Regards

Pavel Kucera

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

SubaMuthuram — Tue, 12 Oct 2021 01:27:42 GMT

@PavelK , thanks for the deatails, The Frewall model is PA-220-ZTP, Is there any diffrent procedur add ZTP firewalls to Panorama.

The predefined certificate status is not showing in Panorama, Also in the firewall show panorama-certificate comment showing empty.

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

PavelK — Tue, 12 Oct 2021 02:06:17 GMT

Thank you for quick reply @SubaMuthuram

I see. For ZTP, there is different procedure: https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/set-up-zero-touch-provisioning/add-ztp-firewalls-to-panorama/add-a-ztp-firewall-to-panorama.html#id182211ac-a31c-4122-a11f-19450ec9ca4e Have you followed this manual?

Kind Regards

Pavel

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

AkashThangavel — Wed, 13 Sep 2023 05:56:19 GMT

Hi PavelK,

Connection is not established between the Panorama and PA-445 device.

admin@Panorama> tcpdump filter "port 3978"
Press Ctrl-C to stop capturing

dropped privs to tcpdump
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C171 packets captured
173 packets received by filter
0 packets dropped by kernel
admin@Panorama> view-pcap mgmt-pcap mgmt.pcap
reading from file /opt/pan/.debug/mgmtpcap/mgmt.pcap, link-type EN10MB (Ethernet)
11:13:50.460705 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [P.], seq 2147872072:2147872113, ack 1423784632, win 1424, options [nop,nop,TS val 816080192 ecr 1424438131], length 41
11:13:50.461558 IP 192.168.0.209.pan-panorama > 192.168.0.234.35266: Flags [P.], seq 1:42, ack 41, win 2561, options [nop,nop,TS val 1424444132 ecr 816080192], length 41
11:13:50.462033 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [.], ack 42, win 1424, options [nop,nop,TS val 816080193 ecr 1424444132], length 0
11:13:50.736827 IP 192.168.0.234.35402 > 192.168.0.209.pan-panorama: Flags [P.], seq 1434786217:1434786286, ack 3262034349, win 387, options [nop,nop,TS val 816080468 ecr 1424438407], length 69
11:13:50.737330 IP 192.168.0.209.pan-panorama > 192.168.0.234.35402: Flags [P.], seq 1:70, ack 69, win 252, options [nop,nop,TS val 1424444407 ecr 816080468], length 69
11:13:50.737790 IP 192.168.0.234.35402 > 192.168.0.209.pan-panorama: Flags [.], ack 70, win 387, options [nop,nop,TS val 816080469 ecr 1424444407], length 0
11:13:50.863234 IP 192.168.0.235.54942 > 192.168.0.209.pan-panorama: Flags [P.], seq 309000155:309000189, ack 2612794819, win 410, options [nop,nop,TS val 1522304549 ecr 3195316293], length 34
11:13:50.863830 IP 192.168.0.209.pan-panorama > 192.168.0.235.54942: Flags [P.], seq 1:35, ack 34, win 243, options [nop,nop,TS val 3195322293 ecr 1522304549], length 34
11:13:50.864256 IP 192.168.0.235.54942 > 192.168.0.209.pan-panorama: Flags [.], ack 35, win 410, options [nop,nop,TS val 1522304550 ecr 3195322293], length 0
11:13:56.460708 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [P.], seq 41:82, ack 42, win 1424, options [nop,nop,TS val 816086192 ecr 1424444132], length 41
11:13:56.461296 IP 192.168.0.209.pan-panorama > 192.168.0.234.35266: Flags [P.], seq 42:83, ack 82, win 2561, options [nop,nop,TS val 1424450131 ecr 816086192], length 41
11:13:56.461770 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [.], ack 83, win 1424, options [nop,nop,TS val 816086193 ecr 1424450131], length 0
11:13:56.736761 IP 192.168.0.234.35402 > 192.168.0.209.pan-panorama: Flags [P.], seq 69:138, ack 70, win 387, options [nop,nop,TS val 816086468 ecr 1424444407], length 69
11:13:56.737334 IP 192.168.0.209.pan-panorama > 192.168.0.234.35402: Flags [P.], seq 70:139, ack 138, win 252, options [nop,nop,TS val 1424450407 ecr 816086468], length 69
11:13:56.737795 IP 192.168.0.234.35402 > 192.168.0.209.pan-panorama: Flags [.], ack 139, win 387, options [nop,nop,TS val 816086469 ecr 1424450407], length 0
11:13:56.863315 IP 192.168.0.235.54942 > 192.168.0.209.pan-panorama: Flags [P.], seq 34:68, ack 35, win 410, options [nop,nop,TS val 1522310549 ecr 3195322293], length 34
11:13:56.863799 IP 192.168.0.209.pan-panorama > 192.168.0.235.54942: Flags [P.], seq 35:69, ack 68, win 243, options [nop,nop,TS val 3195328293 ecr 1522310549], length 34
11:13:56.864331 IP 192.168.0.235.54942 > 192.168.0.209.pan-panorama: Flags [.], ack 69, win 410, options [nop,nop,TS val 1522310550 ecr 3195328293], length 0
11:14:02.460794 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [P.], seq 82:123, ack 83, win 1424, options [nop,nop,TS val 816092192 ecr 1424450131], length 41
11:14:02.461931 IP 192.168.0.209.pan-panorama > 192.168.0.234.35266: Flags [P.], seq 83:124, ack 123, win 2561, options [nop,nop,TS val 1424456132 ecr 816092192], length 41
11:14:02.462591 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [.], ack 124, win 1424, options [nop,nop,TS val 816092194 ecr 1424456132], length 0
11:14:02.736781 IP 192.168.0.234.35402 > 192.168.0.209.pan-panorama: Flags [P.], seq 138:207, ack 139, win 387, options [nop,nop,TS val 816092468 ecr 1424450407], length 69
11:14:02.737180 IP 192.168.0.209.pan-panorama > 192.168.0.234.35402: Flags [P.], seq 139:208, ack 207, win 252, options [nop,nop,TS val 1424456407 ecr 816092468], length 69
11:14:02.737602 IP 192.168.0.234.35402 > 192.168.0.209.pan-panorama: Flags [.], ack 208, win 387, options [nop,nop,TS val 816092469 ecr 1424456407], length 0
11:14:02.863588 IP 192.168.0.235.54942 > 192.168.0.209.pan-panorama: Flags [P.], seq 68:102, ack 69, win 410, options [nop,nop,TS val 1522316549 ecr 3195328293], length 34
11:14:02.864166 IP 192.168.0.209.pan-panorama > 192.168.0.235.54942: Flags [P.], seq 69:103, ack 102, win 243, options [nop,nop,TS val 3195334293 ecr 1522316549], length 34
11:14:02.864638 IP 192.168.0.235.54942 > 192.168.0.209.pan-panorama: Flags [.], ack 103, win 410, options [nop,nop,TS val 1522316551 ecr 3195334293], length 0
11:14:08.460730 IP 192.168.0.234.35266 > 192.168.0.209.pan-panorama: Flags [P.], seq 123:164, ack 124, win 1424, options [nop,nop,TS val 816098192 ecr 1424456132], length 41

regards,

Akash Thangavel

Network Security Engineer

topic Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED" in Panorama Discussions

unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"

Re: unable to connect to Panorama error "TSL-SESSION-DISCONNECTED"