Check software update failed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Check software update failed

L3 Networker

Hi all!

 

I have this problem: when i check new software updates, clicking "check now" button, this error appears: "Failed to check upgrade info due to generic communication error. Please check network connectivity and try again."

 

Doing a traceroute we see that after the 17th hops the trace stops, all the ping are unsuccesful

17  * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  163.015 ms *

18  * * *
19  * * *

[...]

30  * * *

 

DNS resolves name correctly (traceroute to updates.paloaltonetworks.com (199.167.52.141)), and as you can see the packet go on Internet.

Can someone please help me? Anyone saw this problem?

 

Regards,

Daniele Cantarelli

1 accepted solution

Accepted Solutions

L6 Presenter

Hi,

 

How do you get to the updates.paloaltonetworks.com using mgmt interface or outside (Internet facing interface). 

 

Below KB on how to change service route option fro the device to use a different source ip while "talking" to the external recourses

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-a-Service-Route-for-Services-to-...

 

P.S ping and traceroute are disabled on the server, so don't worry 

View solution in original post

16 REPLIES 16

L6 Presenter

Hi,

 

How do you get to the updates.paloaltonetworks.com using mgmt interface or outside (Internet facing interface). 

 

Below KB on how to change service route option fro the device to use a different source ip while "talking" to the external recourses

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/Setting-a-Service-Route-for-Services-to-...

 

P.S ping and traceroute are disabled on the server, so don't worry 

Hi,

This issue started after the last update of PanOS, it could be possible that the update changed some parameters?

 

Regards,

Daniele Cantarelli

Hi,

 

I don't think so. If it was working fine before please try to use"check now" for few times. l do have these messages from time to time in our lab device.

 

Thx,

Myky

Hi Myky,

 

it's several days this error occours, and we continue to click on "check now" but nothing change.

Could it be a bug of PanOS? The version is 7.1.7.

 

Regards,

Daniele Cantarelli

Hi,

 

Do you get dynamic updates downloaded successfully (e.g AV, WildFire or threat prevention)? 

 

Thx,

Myky

L4 Transporter

do you see "check now"  at the log with the external interface and did you configure NAT as well?

not the external interface - then change the service route

no NAT and private IP - then used NAT with Public IP

still not working - please show the log entry and rule

Cyber Elite
Cyber Elite

Hello,

If your not blocking any of the update traffic, have you cheked to see if the licenses are still valid? Perhaps perform a refresh on them.

 

Device->Licenses-> Retrieve licenses from server

 

Also make sure you are not SSL decrypting that traffic.

 

Happened to me when we renewed support.

 

Regards,

 

hi Myky,

 

i have the same problem with dynamic updates.

 

Regards,

Daniele

Hi,

 

Ok as people already mentioned here:

 

1) check the licenses 

2) change the service route to use your external IP to talk to the updates servers

 

service routes.PNG

Thx,

Myky

@DKanta, to add to this the majority of the time the only thing that you will have to do is retrieve the licenses from the server to get it to function again if it was working previously. I'm not sure why they occasionally drop off but that will usually fix it perfectly fine. If it was working previously there should be no need to change your routing unless you have made other changes to your management port. 

Hi @BPry,

 

i tried to retrieve the license (Device->Licences->Retrieve License keys from License server), but this don't work, after some seconds appear the popup: "Failed to install licenses. Failed to get license info. Please try again later."

 

It seems that all the Palo Alto servers are unreachable.

 

Regards,

Daniele

@DKanta interesting. That definitely does sound like an actual service route issue; are you seeing the issue after updating to 7.1.7 as well? 

Hi @BPry,

 

yes, because the PA was updated with online method, not downloading the image and uploading on the PA.

 

So do you suggest me to change the service route configuration?

 

Regards,

Daniele

@DKanta, at that point I would but it would be nice to get TAC involved if this is a wide-spread issue so that they can address and fix it going forward. 

  • 1 accepted solution
  • 19921 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!