Disconnected from Log collector Server

Reply
L4 Transporter

Disconnected from Log collector Server

 

Tonight we got email alerts that our firewalls are disonncted from the log collecors-M500

 

Below is ms log from the PA

 

2019-04-05 01:38:55.024 -0600 MS: disconnected from log-collector. waitcount=1
2019-04-05 01:38:55.024 -0600 lcs agent: channel teardown (to 10.7.1.139) complete.
2019-04-05 01:38:55.035 -0600 Error: pan_conn_ext_send_base(cs_conn.c:2601): connmgr: send failure. no conn entry: devid=log-collector
2019-04-05 01:38:55.035 -0600 Error: pan_cfg_log_buffer_nsend(pan_cfg_log_buffer.c:172): Failed to send the logrec to log collector
2019-04-05 01:38:55.035 -0600 Error: pan_log_buffer_cursor_next(pan_cfg_log_buffer.c:1538): logbuffer: failed to send 10 'system' logs to cms
2019-04-05 01:39:00.025 -0600 COMM: connection established. sock=50 remote ip=10.7.1.139 port=3978 local port=47854
2019-04-05 01:39:00.025 -0600 lcs agent: Pre. send buffer limit=22600. s=50
2019-04-05 01:39:00.025 -0600 lcs agent: Post. send buffer limit=1048576. s=50
2019-04-05 01:39:02.057 -0600 lcs agent: ssl channel established. sock=50 ssl=0x121a3400
2019-04-05 01:39:02.058 -0600 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:372): failed to fetch cfg.saas.custid
2019-04-05 01:39:02.059 -0600 Error: pan_get_current_gp_datafile_release_date(pan_cfg_utils.c:5526): Failed to parse file /opt/pancfg/mgmt/global-protect/av-data/av_data_file.dat
2019-04-05 01:39:02.179 -0600 lcs agent: registration request sent. len=29215 sock=50
2019-04-05 01:39:02.260 -0600 connmgr: connection entry added: devid=log-collector sock=50, clientid=0
2019-04-05 01:39:02.261 -0600 connected to Log Collector 007307001117 (key log-collector)
2019-04-05 01:39:02.278 -0600 received a log-fwd-ctrl(start-from-lastack) message from panorama
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[0] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[1] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[2] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[3] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[4] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[5] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[6] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[7] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[8] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[9] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[10] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[11] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[12] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[13] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[14] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[15] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[16] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[17] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[18] LastAck
2019-04-05 01:39:02.278 -0600 Logbuffer: start_from[19] LastAck
2019-04-05 01:39:02.484 -0600 Error: pan_log_query_expr_get_time_envelope(pan_logdb.c:2598): failed to determine time envelope
2019-04-05 01:39:02.484 -0600 latest logid for hipmatch: 0, recvtime: 0
2019-04-05 01:39:02.484 -0600 Error: pan_log_query_expr_get_time_envelope(pan_logdb.c:2598): failed to determine time envelope
2019-04-05 01:39:21.651 -0600 latest logid for userid: 0, recvtime: 0
2019-04-05 01:39:21.652 -0600 Error: pan_log_query_expr_get_time_envelope(pan_logdb.c:2598): failed to determine time envelope
2019-04-05 01:39:21.652 -0600 latest logid for gtp: 0, recvtime: 0
2019-04-05 01:39:21.653 -0600 Error: pan_log_query_expr_get_time_envelope(pan_logdb.c:2598): failed to determine time envelope
2019-04-05 01:39:21.653 -0600 latest logid for auth: 0, recvtime: 0
2019-04-05 01:40:07.274 -0600 Error: pan_conn_entry_write_lock_timeout(cs_conn.c:4227): connmgr: get wr lock timeout. result=110
2019-04-05 01:40:42.276 -0600 Error: pan_conn_entry_write_lock_timeout(cs_conn.c:4227): connmgr: get wr lock timeout. result=110
2019-04-05 01:41:17.282 -0600 Error: pan_conn_entry_write_lock_timeout(cs_conn.c:4227): connmgr: get wr lock timeout. result=110
2019-04-05 01:41:52.285 -0600 Error: pan_conn_entry_write_lock_timeout(cs_conn.c:4227): connmgr: get wr lock timeout. result=110
2019-04-05 01:42:22.024 -0600 Error: csSendWithTimeoutChunk(cs_comm_utils.c:443): COMMS: sock=50. SSL write error fatal. code=5 error=Broken pipe(32) retrycount=0 len=8052 remain=8052 sent=-1
2019-04-05 01:42:22.024 -0600 Error: cs_msg_tcp_send_ex(cs_transport.c:165): COMM: failed to send payload. result=0 len=8052 ctype=3 dtype=1 mtype=0 sock=50 ssl=0x121a3400
2019-04-05 01:42:22.024 -0600 Device lcs agent log-collector disconnected
2019-04-05 01:42:22.024 -0600 connmgr: shutdown channel. sock=50 ssl=0x121a3400
2019-04-05 01:42:22.024 -0600 connmgr: connection entry not removed for pending refcount. devid=log-collector cesock=50 sockfd=4294967295 refcount=1
2019-04-05 01:42:22.024 -0600 Error: pan_cfg_log_buffer_nsend(pan_cfg_log_buffer.c:172): Failed to send the logrec to log collector
2019-04-05 01:42:22.024 -0600 Error: pan_log_buffer_cursor_next(pan_cfg_log_buffer.c:1538): logbuffer: failed to send 10 'traffic' logs to cms
2019-04-05 01:42:22.024 -0600 COMMS: ssl write - shutdown exit. sock=50 err=0 sslerr=1 errnum=336396495(protocol is shutdown)
2019-04-05 01:42:22.024 -0600 Error: cs_msg_tcp_send_ex(cs_transport.c:154): COMM: failed to send header. result=0 len=12 ctype=3 dtype=7 mtype=0 sock=50 ssl=0x121a3400
2019-04-05 01:42:22.024 -0600 Error: pan_lcsa_tcp_channel_loop(src_panos/lcs_agent.c:2678): lcs agent: failed send probe. tcp send failure. sock=50 ssl=0x121a3400
2019-04-05 01:42:22.024 -0600 connmgr: connection entry removed. devid=log-collector sock=50 result=0
2019-04-05 01:42:22.024 -0600 connmgr: unlock - remove conn entry. devid=log-collector sock=50 result=0
2019-04-05 01:42:22.024 -0600 lcs agent: peer watch. sock=50 curtime=25052064 recvtime=25051889 proctime=25051889 sendtime=25052064 errcount=1
2019-04-05 01:42:22.024 -0600 COMMS: ssl read - zero byte. sock=50 err=0 sslerr=6 errnum=0((null))
2019-04-05 01:42:22.024 -0600 Error: cs_recv_tcp_data(cs_comm_utils.c:641): COMMS: could not read header. sock=50 ssl=0x121a3400 len=-1 hdrlen=0

L7 Applicator

Re: Disconnected from Log collector Server

@MP18,

Based off the logs it looks like the connection to 10.7.1.139 is spotty and the firewall can't form a good connection to the log collector. Is this working now or has it stayed disconnected? 

L4 Transporter

Re: Disconnected from Log collector Server

now all the firewalls are connected to log collector.

this happended few times tonight.

 

is this physical connection issue or some bug?

L4 Transporter

Re: Disconnected from Log collector Server

i checked the network each device and interface between PA and log collectores no issues.

L4 Transporter

Re: Disconnected from Log collector Server

Seems we are only using management interface of m500.

How can i use other interfaces of m500 to collect logs from the firewalls?

 

 

L7 Applicator

Re: Disconnected from Log collector Server

@MP18,

Best practice on this would to actually seperate out interfaces for log collection, and a seperate one for collector group comms. Depending on how many devices you have communicating to the M500 you actually might benefit from having multiple interfaces configured from log collection, not just a single interface. 

 

Documentation on the Log Collector interface settings can be found starting HERE in the documentation. 

L4 Transporter

Re: Disconnected from Log collector Server

Will do this now going forward.

Thanks for confirming that.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!