Palo Alto Updates Issue on Multi VSYS system

L2 Linker


Hi All,

Hoping an answer can be provided for this multi-vsys Palo Alto I am deploying.

I enabled the operational status of one of the virtual firewalls I am providing, making it fully internet facing with GlobalProtect operating on the outside interface. This is operating without issue.

When I enabled this VSYS to an operational status I had to make changes to the inside routing to get all the BGP sessions established - it was left in a test state by a predecessor - but this is all working well.

What seems to have happened is the software and dynamic updates have stopped updating. I have checked from CLI and from the MGT interface I have internet connectivity and it is routing via the working VSYS without issue. I have also confirmed that from CLI I can see the MGT interface from the internal and it routes as expected.

I can see the traffic going out to the internet but the update times out and the log shows as application incomplete.

I have tried to set the update to use the VSYS outside address as the update path through the Service Route Configuration but this produces the same result. In the Service Route Configuration I have the option of Palo Alto Network Services (no Palo Alto Updates option) which I used.

Any ideas? The rule and NAT are there and being used, routing seems to be correct. Things like NTP and DNS are not reporting an issue.

Regards

Adrian

Community Manager

Re: Palo Alto Updates Issue on Multi VSYS system

Do you have "Verify Update Server Identity" enabled and are you doing ssldecrypt?

You could try replacing the updates server with staticupdates.paloaltonetworks.com in case you're having issues connecting to the cloud instance.


Reaper out
L2 Linker

Re: Palo Alto Updates Issue on Multi VSYS system

I have "Verify Update Server Identity" and am currently not doing ssldecrypt.

Strangely, staticupdates.paloaltonetworks.com works. Any idea why the original would stop after making the new Vsys live? It originally went through a test Vsys and route before I made the change but this was 2 weeks ago.

Regards

Adrian

Community Manager

Re: Palo Alto Updates Issue on Multi VSYS system

The original update server is cloud-based, so the IP tends to skip around.

There may be a routing/peering issue with the IP you're trying to reach via your new route.


Reaper out
L2 Linker

Re: Palo Alto Updates Issue on Multi VSYS system

Thanks. I have escalated to our support people. All internet traffic works except to these particular cloud servers. Hopefully they can help.

Regards

Adrian
