Cannot download PAN-OS in passive device


L4 Transporter

Hello,

 

When I try to download PAN-OS software directly to the passive firewall it says “Failed to check upgrade info due to generic communication error. Please check network connectivity and try again”. It is working fine on the active device.

 

Is it the case in an active/passive scenario that the passive can’t talk unless it takes over? I have checked all the interfaces and connectivity looks fine.

 

Thanks in advance.

4 REPLIES 4

L4 Transporter

Both active / passive units should be able to check and download updates from PAN.

 

Please check the following:

 

Is the management port set up on the passive unit? DNS configured? Compare the settings.

 

Log in to the CLI and try pinging your local gateway for the management port, 4.2.2.2, 8.8.8.8; make sure you have reachability.

 

Try pinging updates.paloaltonetworks.com; the ping will fail, but you should get a name resolved (check the DNS setting).

 

Log in to the WebUI, go to device -> services -> update server, and make sure it is pointing to updates.paloaltonetworks.com.

 

Make sure your device clock is correct with time zone.

 

Also, try failing over the firewall, and see if it is able to download. That will sound like a configuration issue. (maybe service route, configuration?)

 

Also, you don't need to go to the passive firewall to download; you can just download on the active firewall and sync to the passive one as well.

 

 

L6 Presenter

Which interface are you using for updates? Management interface as it is default settings?

If you are using some other interface (through service route configuration) you won't be able to download updates, as that interface is always inactive on the passive cluster member.

@Farzana,

As @santonic stated the management interface is going to be your friend here and actually allow this to work as you want. Otherwise you'll never actually have an active route unless you're on the active firewall. 

Also check the service routing settings

 

Device > Setup > Service > Service Route Configuration.

 

 
