https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198972#M59015 <P>Ok folks</P><P>&nbsp;</P><P>Here's an interesting one for you.</P><P>&nbsp;</P><P>This is to do with connectivity between Panorama and updates.paloaltonetworks.com</P><P>&nbsp;</P><P>We can retrieve licence info and download list of updates available for downloads (SW and Threats), but when clicking on download link the connection fails with standard connectivity to updates.palo error, try again later.</P><P>&nbsp;</P><P>This is long shot, but has anyone seen this before?</P><P>&nbsp;</P><P>PAN-OS 8.0.2 VM base image, intending to upgrade to 8.0.7 if the download worked <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P><P>&nbsp;</P><P>Ajaz Nawaz</P><P>JNCIE-SEC No.254</P><P>CCIE-RS No.15721</P> Tue, 06 Feb 2018 09:41:49 GMT nawaza 2018-02-06T09:41:49Z https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198972#M59015 <P>Ok folks</P><P>&nbsp;</P><P>Here's an interesting one for you.</P><P>&nbsp;</P><P>This is to do with connectivity between Panorama and updates.paloaltonetworks.com</P><P>&nbsp;</P><P>We can retrieve licence info and download list of updates available for downloads (SW and Threats), but when clicking on download link the connection fails with standard connectivity to updates.palo error, try again later.</P><P>&nbsp;</P><P>This is long shot, but has anyone seen this before?</P><P>&nbsp;</P><P>PAN-OS 8.0.2 VM base image, intending to upgrade to 8.0.7 if the download worked <span class="lia-unicode-emoji" title=":confused_face:">😕</span></P><P>&nbsp;</P><P>Ajaz Nawaz</P><P>JNCIE-SEC No.254</P><P>CCIE-RS No.15721</P> Tue, 06 Feb 2018 09:41:49 GMT https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198972#M59015 nawaza 2018-02-06T09:41:49Z https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198986#M59016 <P>Have you tried re-running 'check now' ?</P> <P>&nbsp;</P> <P>Have you followed the connection through a firewall (packetcapture + global counters) to see what may be happiening, have you seen MTU error messages?</P> <P>&nbsp;</P> <P>MTU issues can be fixed by changing the MTU and/or setting TCP MSS rewrites, but you'll want to investigate the connection to see what is actually happening before changing these settings</P> Tue, 06 Feb 2018 10:39:08 GMT https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198986#M59016 reaper 2018-02-06T10:39:08Z https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198994#M59021 <P>hmmm..</P><P>&nbsp;</P><P>So its nothing to do with MTU after all.</P><P>&nbsp;</P><P>Currently investigating but updates.paloaltonetworks.com is resolving to :</P><P>&nbsp;</P><P>a92-122-165-117.deploy.akamaitechnologies.com.https</P><P>&nbsp;</P><P>But... in front of Panorama there is a perimeter SRX fw allowing updates.paloaltonetworks.com ONLY !</P><P>&nbsp;</P><P>admin@asfdsadfasdf&gt; view-pcap mgmt-pcap mgmt.pcap</P><P>17:22:58.515102 IP &lt;ip-addr-removed&gt;.36347 &gt; a92-122-165-117.deploy.akamaitechnologies.com.https: S 1831023988:1831023988(0) win 14600 &lt;mss 1460,sackOK,timestamp 2046968 0,nop,wscale 7&gt;<BR />17:22:59.192528 IP fl-7034162.sc.reg.net.51362 &gt; &lt;ip-addr-removed&gt;.https: P 17867:18679(812) ack 17555 win 256<BR />17:22:59.192544 IP &lt;ip-addr-removed&gt;.https &gt; fl-7034162.sc.reg.net.51362: . ack 18679 win 330</P><P>&nbsp;</P><P>So it seems we need to introduce another policy on SRXs but they are native fw's not next-gen, so dynamic policy is not an option.</P><P>&nbsp;</P><P>Stay tuned !</P><P>&nbsp;</P><P>Ajaz</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Feb 2018 11:36:41 GMT https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/198994#M59021 nawaza 2018-02-06T11:36:41Z https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/199126#M59047 <P>Ok so Palo use CDN (Content Delivery Network e.g Akamai), to deliver dynamic updates and downloads. If your network does not allow for the 'Dynamic' nature of CDN in terms of DNS, then modify your update server from:</P><P>&nbsp;</P><P>updates.paloaltonetworks.com</P><P>&nbsp;</P><P>TO</P><P>&nbsp;</P><P>staticupdates.paloaltonetworks.com</P><P>&nbsp;</P><P>Or.. architect your network to tolerate and act upon dynamic DNS</P><P>&nbsp;</P><P>Also please take look at this for further details:</P><P><A href="https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/content-delivery-network-infrastructure-for-dynamic-updates" target="_blank">https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/content-delivery-network-infrastructure-for-dynamic-updates</A></P><P>&nbsp;</P><P>Hope this helps !</P><P>&nbsp;</P><P>Ajaz</P> Wed, 07 Feb 2018 14:43:39 GMT https://live.paloaltonetworks.com/t5/general-topics/download-pan-os-from-gui-failing-potential-mtu-problem/m-p/199126#M59047 nawaza 2018-02-07T14:43:39Z