https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258561#M73320 <P>the original update server is cloud-based so the IP tends to skip around</P> <P>there may be a routing/peering issue with the ip you're trying to reach via your new route</P> Wed, 24 Apr 2019 11:56:57 GMT reaper 2019-04-24T11:56:57Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258510#M73308 <P>Hi All,</P><P>&nbsp;</P><P>Hoping an answer can be provided to this multi vsys Palo Alto I am deploying.</P><P>&nbsp;</P><P>I enabled the operational status of one of the virtual firewalls I am providing making it fully internet facing with Globalprotect operating on the outside interface. This is operating without issue.</P><P>&nbsp;</P><P>When I enabled this VSYS to an operational status I had to make changes to the inside routing to get all the BGP sessions established - it was left in a test state by a predecessor - but this is all working well.</P><P>&nbsp;</P><P>What seems to have happened is the software and dynamic updates have stopped updating. I have checked from CLI and from the MGT interface I have internet connectivity and it is routing via the working VSYS without issue. I have also confirmed that from CLI I can see the MGT interface from the internal and it routes as expected.</P><P>&nbsp;</P><P>I can see the traffic going out to internet but the update times out and the log shows as application incomplete.</P><P>&nbsp;</P><P>I have tried to set the update to use the VSYS outside address as the update path through the Service Route Configuration but this produces the same result. In the Service Route Configuration I have the option of Palo Alto Network Services (no Palo Alto Updates option) which I used.</P><P>&nbsp;</P><P>Any ideas? The rule and NAT are there and being used, routing seems to be correct. Things like NTP and DNS are not reporting an issue.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Wed, 24 Apr 2019 08:51:08 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258510#M73308 a.jones 2019-04-24T08:51:08Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258518#M73315 <P>Do you have "Verify Update Server Identity" enabled and are you doing ssldecrypt?</P> <P>&nbsp;</P> <P>you could try replacing the updates server with <A href="https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fstaticupdates.paloaltonetworks.com%2F&amp;data=02%7C01%7Cfarzana.mustafa%40arrow.com%7C8b9c9d3efc994bd5dedb08d62fbbdc4e%7C0beb0c359cbb4feb99e5589e415c7944%7C1%7C0%7C636748881236125237&amp;sdata=vu4nqjde8WDG4YhCiyigezaV9tqLrAjZObz6TaZzWr4%3D&amp;reserved=0" target="_blank" rel="nofollow noopener noreferrer">staticupdates.paloaltonetworks.com</A> in case you're having issues connecting to the cloud instance</P> Wed, 24 Apr 2019 10:10:33 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258518#M73315 reaper 2019-04-24T10:10:33Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258520#M73317 <P>I have verify Update Server Identity and currently not doing ssldecrypt.</P><P>&nbsp;</P><P>Strangely, staticupdates.paloaltonetworks.com works. Any idea why the original would stop after making the new Vsys live? It originally went through a test Vsys and route before I made the change but this was 2 weeks ago.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Wed, 24 Apr 2019 10:19:46 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258520#M73317 a.jones 2019-04-24T10:19:46Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258561#M73320 <P>the original update server is cloud-based so the IP tends to skip around</P> <P>there may be a routing/peering issue with the ip you're trying to reach via your new route</P> Wed, 24 Apr 2019 11:56:57 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258561#M73320 reaper 2019-04-24T11:56:57Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258623#M73334 <P>Thanks. I have escalated to our support people. All internet traffic works except to these particluar cloud servers. Hopefully they can help.</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Adrian</P> Wed, 24 Apr 2019 14:29:22 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-updates-issue-on-multi-vsys-system/m-p/258623#M73334 a.jones 2019-04-24T14:29:22Z