https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/524841#M108567 <P>just to give a baseline - hardware are pa-5220, running 10.1.6-h6, HA (active/passive), device managed by Panorama.</P> <P>&nbsp;</P> <P>Long story short - one of the firewalls got stuck on a reboot cycle where the firewall would reboot every 85 minutes. The data plane would not come up during this time and support processed a RMA.&nbsp;</P> <P>&nbsp;</P> <P>For the fun part:</P> <P>our initial attempt to restore, after upgrading the same software level as working firewall, we used a device state backup, everything sync up properly, when we tried to pass traffic through the new firewall we saw the following strange behavior:</P> <OL> <LI>source zone and destination zone was not showing up in the logs</LI> <LI>some zones were being identified but was incorrect, for instance DMZ, is showing up as Trust</LI> <LI>destination country was reporting incorrectly, for instance traffic for United States is showing up for Uruguay</LI> <LI>traffic seems to be flowing properly even though rules were not being identified in the logs</LI> </OL> <P>2nd restore attempt we used a back from a day before the firewall failed, we had no issues with synching up in this case as well. this gave us a better experience.</P> <OL> <LI>all traffic flows looks good on the log, zones and rules were being identified properly</LI> <LI>destination country looks good as well</LI> <LI>the one problem we noticed was that the IPSEC tunnels would not come up - after troubleshooting with support even a simple command "ping source x.x.x.x host y.y.y.y" where x.x.x.x is one of the firewall interface ip results in "bind: Cannot assign requested address". &nbsp; We checked for "untagged sub interface" like suggested by others but none found.</LI> </OL> <P>Any feedback, suggestions would be appreciated. A TAC support is currently open and waiting feedback as well.</P> <P>&nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> Thu, 22 Dec 2022 07:08:51 GMT RREALICA 2022-12-22T07:08:51Z https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/524841#M108567 <P>just to give a baseline - hardware are pa-5220, running 10.1.6-h6, HA (active/passive), device managed by Panorama.</P> <P>&nbsp;</P> <P>Long story short - one of the firewalls got stuck on a reboot cycle where the firewall would reboot every 85 minutes. The data plane would not come up during this time and support processed a RMA.&nbsp;</P> <P>&nbsp;</P> <P>For the fun part:</P> <P>our initial attempt to restore, after upgrading the same software level as working firewall, we used a device state backup, everything sync up properly, when we tried to pass traffic through the new firewall we saw the following strange behavior:</P> <OL> <LI>source zone and destination zone was not showing up in the logs</LI> <LI>some zones were being identified but was incorrect, for instance DMZ, is showing up as Trust</LI> <LI>destination country was reporting incorrectly, for instance traffic for United States is showing up for Uruguay</LI> <LI>traffic seems to be flowing properly even though rules were not being identified in the logs</LI> </OL> <P>2nd restore attempt we used a back from a day before the firewall failed, we had no issues with synching up in this case as well. this gave us a better experience.</P> <OL> <LI>all traffic flows looks good on the log, zones and rules were being identified properly</LI> <LI>destination country looks good as well</LI> <LI>the one problem we noticed was that the IPSEC tunnels would not come up - after troubleshooting with support even a simple command "ping source x.x.x.x host y.y.y.y" where x.x.x.x is one of the firewall interface ip results in "bind: Cannot assign requested address". &nbsp; We checked for "untagged sub interface" like suggested by others but none found.</LI> </OL> <P>Any feedback, suggestions would be appreciated. A TAC support is currently open and waiting feedback as well.</P> <P>&nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> Thu, 22 Dec 2022 07:08:51 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/524841#M108567 RREALICA 2022-12-22T07:08:51Z https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/525205#M108623 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/87287">@RREALICA</a>&nbsp;,</P> <P>&nbsp;</P> <P>Have you received any feedback from TAC yet?&nbsp;</P> Tue, 27 Dec 2022 16:24:55 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/525205#M108623 JayGolf 2022-12-27T16:24:55Z https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/525382#M108652 <P>Issues has been resolved - that's the good news. We are going to push to get a RCA in this case since the problems encountered does not seem normal.</P> <P>&nbsp;</P> <P>1. To fix the error "<SPAN>bind: Cannot assign requested address"- create a dummy/temporary L3 interface, commit, test and then remove&nbsp;the dummy/temporary L3 interface. &nbsp;No amount of reboots, "commit force" by different levels of TAC did not make a difference. Also TAC mentioned there's a cli command to refresh the interface and zones but we did not try this.</SPAN></P> <P>&nbsp;</P> <P><SPAN>2. Another problem came about where the IPSEC VPNs were not coming - this turns out&nbsp;the ISAKMP process is not properly starting up or not listening for IPSEC traffic. &nbsp;Check for ISAKMP via "show netstat listening yes | match isakmp" to see if the firewall is listening for&nbsp;the traffic - restart of ISAKMP process resolved the issue - a reboot of the firewall also may have been best after fixing the interface related issues.</SPAN></P> <P>&nbsp;</P> <P>Thanks.</P> Wed, 28 Dec 2022 16:57:51 GMT https://live.paloaltonetworks.com/t5/general-topics/problems-after-rma-of-an-active-passive-pair/m-p/525382#M108652 RREALICA 2022-12-28T16:57:51Z