Checking for Dynamic Updates under the Device tab and clicking the Check Now button displays the following error:
"Failed to check content upgrade info due to generic communication error. Please check network connectivity and try again."
There are several possible causes for this message, and they are usually related to whether the firewall can reach the internet. First verify from the CLI that the firewall can resolve names and that the path to the update server is open:
admin@firewall> ping host www.example.com
PING www.example.com (184.108.40.206) 56(84) bytes of data.
64 bytes from 220.127.116.11: icmp_seq=1 ttl=52 time=107 ms
64 bytes from 18.104.22.168: icmp_seq=2 ttl=52 time=106 ms
64 bytes from 22.214.171.124: icmp_seq=3 ttl=52 time=106 ms
^C
--- www.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 106.349/106.643/107.025/0.388 ms

admin@firewall> traceroute host updates.paloaltonetworks.com
traceroute to 126.96.36.199 (188.8.131.52), 30 hops max, 40 byte packets
 1  10.192.16.1 (10.192.16.1)  0.522 ms  0.507 ms  0.497 ms
 2  1.111-11-1.adsl-static.isp.belgacom.be (184.108.40.206)  32.761 ms  32.753 ms  32.740 ms
 3  2.222-22-2.adsl-static.isp.belgacom.be (220.127.116.11)  81.856 ms * *
 4  * * *
 5  * * *
 6  * * *
 7  prs-bb4-link.telia.net (18.104.22.168)  82.884 ms * *
 8  ash-bb4-link.telia.net (22.214.171.124)  142.306 ms  147.212 ms *
 9  sjo-b21-link.telia.net (126.96.36.199)  226.073 ms  222.208 ms  214.858 ms
10  internap-ic-140172-sjo-b21.c.telia.net (188.8.131.52)  201.253 ms  198.637 ms  219.945 ms
11  184.108.40.206 (220.127.116.11)  225.185 ms  242.096 ms  178.880 ms
12  paloaltonetit-5.border3.sje011.pnap.net (18.104.22.168)  194.397 ms * paloaltonetit-5.border3.sje011.pnap.net (22.214.171.124)  206.609 ms
13  * * *
14  * * *
15  * * *
16  * * *
A PA-500 we manage was configured with a static IP (one of Palo Alto's) and had been doing dynamic updates, then suddenly gave the error, but changing it to the FQDN has helped.
Getting this error message with DNS properly configured and functioning... What are other triggers for this error?
Same problem here. Getting this error message with DNS properly configured and functioning.
The other issue that can cause this error is when the mgmt port does not have internet access or is not able to reach the updates.paloaltonetworks.com address.
Do a traceroute sourced from the mgmt interface to test this from the CLI.
I added an intrazone rule, from the untrust internet interface zone - internet IP, to 126.96.36.199 - 188.8.131.52, app dns, application-default. Then I set the service route for DNS to the interface with the internet access and its associated interface IP. This, plus making sure of the DNS settings in this article, corrected the problem.
I was having the issue and found that the issue was caused by decryption while having the "Verify Update Server Identity" check box checked. I tested disabling this option and then enabling back and bypassing decryption for this traffic and both configurations resolved the issue. Of the two I would recommend disabling decryption for this traffic.
This issue is not only related to DNS; the factor could be anything that is blocking the connections:
1) DNS issue.
2) Routing problem.
3) Traffic blocked by configured firewall rules.
4) URL category block.
5) Decryption bypass issue.
6) SSL interception enabled on the firewall and Riverbed.
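As an added illustration of the causes listed above (not part of the article or of any reply), the following script walks the same stages a firewall must pass to reach updates.paloaltonetworks.com and reports the first one that fails: name resolution, TCP reachability, and a certificate-verified TLS handshake, which is the check that the "Verify Update Server Identity" option performs. Port 443, the resolver/connector/tls_context hooks, and the stage names are assumptions made for this example.

```python
import socket
import ssl

# Update server named in the thread; port 443 is an assumption for this example.
UPDATE_HOST = "updates.paloaltonetworks.com"
UPDATE_PORT = 443


def diagnose_update_path(host=UPDATE_HOST, port=UPDATE_PORT, timeout=5.0,
                         resolver=socket.gethostbyname,
                         connector=socket.create_connection,
                         tls_context=None):
    """Return (stage, detail): stage is "ok" or the first stage that failed.

      "dns"        -> cause 1 in the thread (name resolution)
      "tcp"        -> causes 2-4 (routing, security policy, URL category / service route)
      "tls-verify" -> causes 5-6 (decryption or SSL interception rewriting the cert chain)
      "tls"        -> handshake failed for some other reason
    The resolver/connector/tls_context hooks exist so the logic can be exercised offline.
    """
    try:
        ip = resolver(host)
    except OSError as exc:
        return "dns", str(exc)

    try:
        sock = connector((ip, port), timeout=timeout)
    except OSError as exc:
        return "tcp", "%s:%d %s" % (ip, port, exc)

    ctx = tls_context or ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # Each RDN in the issuer is a tuple of (key, value) pairs; flatten to a dict.
            issuer = dict(item[0] for item in tls.getpeercert()["issuer"])
            # An unexpected issuer (e.g. a corporate CA) is the fingerprint of interception.
            return "ok", issuer.get("organizationName", "<unknown issuer>")
    except ssl.SSLCertVerificationError as exc:
        return "tls-verify", str(exc)
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)
    finally:
        sock.close()


if __name__ == "__main__":
    stage, detail = diagnose_update_path()
    print("stage=%s detail=%s" % (stage, detail))
```

Run it from a host on the same management network to separate a DNS or policy problem from an interception problem before touching the decryption policy.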
Followed everything mentioned by stlnet plus I had to change my management interface's gateway to the LAN network's gateway.
step 7 has a typo, should be 'updates.paloaltonetworks.com' not 'updates.paloaltonetwoprks.com'
Given the large number of other predefined SSL decryption exceptions that come already installed I would suggest that Palo Alto add this one to the predefined list.
Thank you for the heads up on the typo, it has been corrected. Have a great day.
I am facing this issue while checking the software. The firewalls are in active/passive mode; it is working fine on the active but not on the passive. Does that mean the passive can't talk unless it takes over?
Do you have service routes configured?
The passive firewall will normally connect out of the management interface towards the default gateway you configured to get updates. If this is the same gateway as the primary device, updates should work as expected. If you set service routes, however, the dataplane interfaces on the passive device will be down, which means the service routes won't be able to connect out.
The service routes are configured exactly the same on both firewalls and do not make use of the management interfaces but ethernet.
The passive unit does not have active dataplane interfaces, so service routes will not work while the device is in a passive state
To overcome this scenario, the active peer can sync software and content updates (this is a setting in the dynamic updates on the active member: 'sync to peer')
I already chose that option 'sync to HA peer' while downloading software on active device and it successfully did come up as "Transferring a copy of image to HA peer>> Preloading into software manager >> successfully loaded into software manager"
I can't figure out how to verify that on the passive firewall.
> request system software info
Version    Size   Released on           Downloaded
8.1.2      321MB  2018/06/13 05:56:35   yes
8.1.1      321MB  2018/05/01 08:01:27   yes
8.1.0      485MB  2018/03/01 20:11:59   yes
8.0.11-h1  350MB  2018/07/05 22:21:00   no
8.0.10     348MB  2018/05/14 21:53:19   no
Do you mean on the passive firewall? I ran the command above on the passive firewall but it doesn't show.
I downloaded 7.0.19 on the active and chose sync to HA peer, and it did so successfully, but I cannot see it on the passive.
ah yes, that also requires internet access. Try this:
admin@PA-200> request system software install version <- press tab at end of this command
<value> Upgrade to a software package by version
I am not installing yet but trying to download on passive firewall directly from PA server.
I am trying to figure out where the software version went on the passive firewall after it was downloaded on the active firewall and synced to the passive peer.
(passive)> request system software install version
6.1.0    6.1.0
6.1.4    6.1.4
7.0.1    7.0.1
7.0.2    7.0.2
I tried these too, but couldn't see 7.0.19 on passive
> request system software download file <tab>
> request system software download version <tab>
Does that mean that to directly download the software version on the passive firewall, it needs to take over the active role?
If I press Check Now to see the latest version, I get the error "failed to check software info... check network connectivity".
The internet connection is there, but it can't resolve DNS and is not able to ping DNS.
If you do an install on the active unit, you will also be able to sync the install to the peer
A reboot needs to be performed manually (will not be triggered automatically)
There's no need to put the device in the active state for all this to work; there is simply a 'disconnect' due to the passive device using service routes. I'm not entirely sure how to 'see' the image when it is synced over from the peer if the local firewall does not have the capability to refresh the image overview page; it's been many years since I last touched a cluster with the passive device not having internet access, apologies for the confusion.
To directly place the image on the passive you have 2 options that do not require it to be in the active state:
- manual upload (download from the support site through a browser, upload manually)
- disable the service route and connect through a different default gateway via the mgmt interface
You can also still sync the download and install through the active peer.
The passive box also has an internet connection. Sorry if there is any confusion.
I am thinking of downloading it from the PA support site and uploading it on the passive.
The use of a service route makes the internet unusable for the specific feature that is set to the service route when the firewall is in the passive state.
If the management interface has internet access you could disable the service route, or go the manual route.