https://live.paloaltonetworks.com/t5/general-topics/issue-using-ztp-and-a-pa-440/m-p/538118#M110513 <P>sorry to hear your ZTP might need manual intervention. I have seen this before on 10.1.3.</P> <P>The fix was to manually set auth key via cli on the FW as the GUI did not accept the auth key from panorama.</P> <P>&nbsp;</P> <P>&nbsp;</P> <OL> <LI><SPAN>generate the auth keys from panorama when adding FW's</SPAN></LI> <LI><SPAN>use the auth keys from Panorama on the firewall CLI -&nbsp; &nbsp;request authkey set &lt;auth key&gt;</SPAN></LI> </OL> <P><SPAN>2nd step is only possible on the firewall CLI is this is a bug on version 10.1.3.</SPAN></P> <P>&nbsp;</P> <P><SPAN>see this knowledge article which you might need to reset communication between FW &lt;&gt; Panorama</SPAN></P> <P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI&amp;lang=en_US%E2%80%A9</A></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 10 Apr 2023 12:28:25 GMT Y-alwaysMe 2023-04-10T12:28:25Z https://live.paloaltonetworks.com/t5/general-topics/issue-using-ztp-and-a-pa-440/m-p/516256#M107199 <P>Hi all,</P> <P>&nbsp;</P> <P><SPAN>We are trying to deploy a PA-440 by ZTP. Everything works fine until the connection to Panorama.</SPAN><BR /><SPAN>PA-440 receives the Panorama IP adresses from the CSP. It autocommits the configuration.</SPAN><BR /><SPAN>After that, the PA-440 is able to connect to Panorama (port TCP 3978) : Handshake TCP is OK, but the connection is closed immediately. Probably because of a problem during the SSL part (certificate issue...).</SPAN></P> <P>&nbsp;</P> <P>We tried in 10.1.3 (the sw version out the box) and in 10.1.6-h6. Panorama is in 10.1.6-h6.<BR /><BR /><SPAN>In the logs (ms.log on PA-440), we can find these messages :</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 COMM: connection established. sock=28 remote ip=10.253.0.106 port=3978 local port=44874</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 cms agent: Pre. send buffer limit=46080. s=28</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 cms agent: Post. send buffer limit=425984. s=28</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 Error: cs_load_certs_ex(cs_common.c:654): keyfile not exists</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:864): cms agent: cs_load_certs_ex failed</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 cmsa: client will use default context</SPAN><BR /><SPAN>2022-09-26 06:00:39.288 -0700 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:960): client will not use SNI</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 COMM: connection established. sock=29 remote ip=10.253.0.107 port=3978 local port=54792</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 cms agent: Pre. send buffer limit=46080. s=29</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 cms agent: Post. send buffer limit=425984. s=29</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 Error: cs_load_certs_ex(cs_common.c:654): keyfile not exists</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:864): cms agent: cs_load_certs_ex failed</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 cmsa: client will use default context</SPAN><BR /><SPAN>2022-09-26 06:00:39.306 -0700 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:960): client will not use SNI</SPAN><BR /><SPAN>2022-09-26 06:00:39.326 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1180): panorama agent: SSL connect error. sock=28 err=1</SPAN><BR /><SPAN>2022-09-26 06:00:39.342 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1180): panorama agent: SSL connect error. sock=29 err=1</SPAN></P> <P>&nbsp;</P> <P><SPAN>Does anyone already have the same issue ? Can someone help me ?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in advance.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Sébastien</SPAN></P> Wed, 28 Sep 2022 16:27:16 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-using-ztp-and-a-pa-440/m-p/516256#M107199 lemoines 2022-09-28T16:27:16Z https://live.paloaltonetworks.com/t5/general-topics/issue-using-ztp-and-a-pa-440/m-p/538118#M110513 <P>sorry to hear your ZTP might need manual intervention. I have seen this before on 10.1.3.</P> <P>The fix was to manually set auth key via cli on the FW as the GUI did not accept the auth key from panorama.</P> <P>&nbsp;</P> <P>&nbsp;</P> <OL> <LI><SPAN>generate the auth keys from panorama when adding FW's</SPAN></LI> <LI><SPAN>use the auth keys from Panorama on the firewall CLI -&nbsp; &nbsp;request authkey set &lt;auth key&gt;</SPAN></LI> </OL> <P><SPAN>2nd step is only possible on the firewall CLI is this is a bug on version 10.1.3.</SPAN></P> <P>&nbsp;</P> <P><SPAN>see this knowledge article which you might need to reset communication between FW &lt;&gt; Panorama</SPAN></P> <P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI&amp;lang=en_US%E2%80%A9" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI&amp;lang=en_US%E2%80%A9</A></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 10 Apr 2023 12:28:25 GMT https://live.paloaltonetworks.com/t5/general-topics/issue-using-ztp-and-a-pa-440/m-p/538118#M110513 Y-alwaysMe 2023-04-10T12:28:25Z