https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/485115#M104493 <P>Hi Pavel,</P><P>We are not using a SSL decryption at all, and we use URL filtering but a very specific rules that are not about traffic from FW to terminal server.</P><P>Also we are using default service routing (so using management interface)</P> Thu, 05 May 2022 08:09:02 GMT MMerlier 2022-05-05T08:09:02Z https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/484804#M104457 <P>Hello,&nbsp;</P><P>&nbsp;</P><P>I've been trying to add a new TS agent on my firewalls. As there is no redistribution for user-{ip+port} mapping, I want to map the TS agent to 2 FWs. Backend FW is connected correctly, Frontend FW is in error.</P><P>I can capture the following between FW and TS agent :</P><P>- FW to TS : SYN</P><P>- TS to FW : SYN/ACK&nbsp;</P><P>- FW to TS : ACK</P><P>- FW to TS : RST</P><P>&nbsp;</P><P>I've got the following error:</P><P>show user ts-agent state</P><P>not-conn:idle(Error: Failed to Connect to 1.1.1.1(source: 2.2.2.2), SSL error: error:00000000:lib(0):func(0):reason(0)(5) )</P><P>&nbsp;</P><P>Also on TS agent side I've got the following error:</P><P>05/04/22 12:33:57[Info 1571]: Client thread 2 with IP 2.2.2.2 is started.<BR />05/04/22 12:33:57[Error 1946]: SSL 2 accept error: 5-10054!<BR />05/04/22 12:33:57[Info 1659]: Connection 2.2.2.2/39560 closed.</P><P>&nbsp;</P><P>The thing is that there is no certificate configured for any user ID agent.</P><P>I tried to restart user-id process on the FW with no success.</P><P>&nbsp;</P><P>Does someone have an idea ?</P><P>&nbsp;</P> Wed, 04 May 2022 12:25:05 GMT https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/484804#M104457 MMerlier 2022-05-04T12:25:05Z https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/484868#M104462 <P>Thank you for the post&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/96479">@MMerlier</a></P><P>&nbsp;</P><P>is there any URL Filtering / SSL inspection between Firewall and TS Agent? There might be an issue similar what is described in this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKSCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKSCA0</A></P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Wed, 04 May 2022 13:32:11 GMT https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/484868#M104462 PavelK 2022-05-04T13:32:11Z https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/485115#M104493 <P>Hi Pavel,</P><P>We are not using a SSL decryption at all, and we use URL filtering but a very specific rules that are not about traffic from FW to terminal server.</P><P>Also we are using default service routing (so using management interface)</P> Thu, 05 May 2022 08:09:02 GMT https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/485115#M104493 MMerlier 2022-05-05T08:09:02Z https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/534341#M109973 <P>Did you ever get to the root cause of this? I am having the same issue which just started today and no recent changes. Getting the same error with firewalls sending their user id data to panorama.&nbsp;</P> Tue, 14 Mar 2023 11:50:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/534341#M109973 MikeGeo 2023-03-14T11:50:04Z https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/584149#M116704 <P>Did you manage to find a solution on this issue?&nbsp;&nbsp;</P> Thu, 18 Apr 2024 05:17:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ts-agent-ssl-error/m-p/584149#M116704 rcandeloza 2024-04-18T05:17:20Z