Troubleshooting PAN-Agent connectivity

Reply
L3 Networker

Troubleshooting PAN-Agent connectivity

Hello, I have PAN OS 3.0.5 installed on a cluster (active passive)

The passive device seams to have problem to contact PAN

As you can see from ommand below 10.44.36.125 Agent can't be reached (on active is ok)

(active)> show pan-agent statistics
Name             IP Address      Port    Vsys        State             Users  Gr
ps  IPs       Activity Cnts Link Speed
--------------------------------------------------------------------------------
--------------------------------------
svs00013.ac.ti.ch 10.44.36.125    3750    vsys1       connected, ok     4361   5
     2526      60069         fast

(passive)> show pan-agent statistics

Name             IP Address      Port    Vsys        State             Users  Gr

ps  IPs       Activity Cnts Link Speed

--------------------------------------------------------------------------------

--------------------------------------

svs00013.ac.ti.ch     3750    vsys1       trying to connect 0      0

     0         0             fast

As from below we can ping the Agent ...

(passive)> ping host 10.44.36.125

PING 10.44.36.125 (10.44.36.125) 56(84) bytes of data.

64 bytes from 10.44.36.125: icmp_seq=1 ttl=124 time=0.308 ms

64 bytes from 10.44.36.125: icmp_seq=2 ttl=124 time=0.293 ms

If I try to reset the Connection ...

(passive)> debug device-server reset pan-agent all

Server error : Failed to get response from device server. Please try again later

.

How can I trobleshoot the comunication between PAN FW and the Agent to see where the comunication is wrong ?

Highlighted
L5 Sessionator

Re: Troubleshooting PAN-Agent connectivity

Hi Helenio,

The PAN-agent is only active on the active device in t he HA pair.  It is not active on the passive device.  In the event of a failover, the information is transferred to the newly active device.

Looks like you are familiar with the main troubleshooting comands for the PAN- agent, show pan-agent statistics, show pan-agent user IDs, debug device-server reset pan-agent all.  There are also logs that can be viewed in the PAN-agent iteslf.

Highlighted
L3 Networker

Re: Troubleshooting PAN-Agent connectivity

This sound strange ... how can betransfered Group-user mapping during failover if the active device dies ... this shoul be done before as for TCP sessions. (show pan-agent user on the passive doesn't show any user-group map). This also mean, since the MNGT interface of the passive device is not the same as the active, that a new PAN FW-PAN agent connection as to be establish a new PAN-Agent connectio increasing the failover time ... isn't ? (I'll do a test of failover to see how long this will take) ...

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!