Dynamic Updates Display Error after Clicking on Check Now Button


Symptom

After going to Dynamic Updates under the Device tab and clicking the Check Now button, the following error is displayed:

"Failed to check content upgrade info due to generic communication error. Please check network connectivity and try again."


Cause

There can be several reasons for this message to appear; they are usually related to how the firewall reaches the internet.

 

Resolution

 

  1. Verify the firewall has DNS servers configured so that it can resolve updates.paloaltonetworks.com:
     From the WebGUI, go to Device > Setup > Services (screenshot: DNS servers).
  2. Ensure the firewall has an appropriate default gateway, and that the management interface speed and duplex match the switch it is connected to (screenshot: Management interface properties).
  3. Make sure the firewall is able to resolve FQDNs:
     admin@firewall> ping host www.example.com
     PING www.example.com (93.184.216.34) 56(84) bytes of data.
     64 bytes from 93.184.216.34: icmp_seq=1 ttl=52 time=107 ms
     64 bytes from 93.184.216.34: icmp_seq=2 ttl=52 time=106 ms
     64 bytes from 93.184.216.34: icmp_seq=3 ttl=52 time=106 ms
     ^C
     --- www.example.com ping statistics ---
     3 packets transmitted, 3 received, 0% packet loss, time 2002ms
     rtt min/avg/max/mdev = 106.349/106.643/107.025/0.388 ms
  4. Traceroute to updates.paloaltonetworks.com and verify that the correct path is taken (the final host will not reply):
     admin@firewall> traceroute host updates.paloaltonetworks.com
     traceroute to 199.167.52.141 (199.167.52.141), 30 hops max, 40 byte packets
     1  10.192.16.1 (10.192.16.1)  0.522 ms  0.507 ms  0.497 ms
     2  1.111-11-1.adsl-static.isp.belgacom.be (1.11.111.1)  32.761 ms  32.753 ms  32.740 ms
     3  2.222-22-2.adsl-static.isp.belgacom.be (2.22.222.2)  81.856 ms * *
     4  * * *
     5  * * *
     6  * * *
     7  prs-bb4-link.telia.net (213.155.136.222)  82.884 ms * *
     8  ash-bb4-link.telia.net (62.115.122.159)  142.306 ms  147.212 ms *
     9  sjo-b21-link.telia.net (80.91.248.188)  226.073 ms  222.208 ms  214.858 ms
     10  internap-ic-140172-sjo-b21.c.telia.net (213.248.81.134)  201.253 ms  198.637 ms  219.945 ms
     11  66.151.144.15 (66.151.144.15)  225.185 ms  242.096 ms  178.880 ms
     12  paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  194.397 ms * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  206.609 ms
     13  * * *
     14  * * *
     15  * * *
     16  * * *
  5. Verify that Service Routes are set as expected; some services may need to be redirected over a dataplane interface if the management network is isolated (screenshot: Use Default or Custom settings).
  6. Make sure the security policy allows the firewall to make outbound connections (screenshot: firewall policy; note that there is no URL filtering or file blocking profile on the rule).
  7. If SSL decryption is used, "Verify Update Server Identity" may need to be disabled if updates.paloaltonetworks.com is not excluded from decryption (screenshot: Verify Update Server Identity).
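The checklist above leans on two CLI transcripts (step 3's ping and step 4's traceroute) that an engineer usually reads by eye. As an added example (not part of the original article, and not Palo Alto Networks code), the Python below parses those two outputs and turns them into the same findings the steps ask you to make: did the name resolve, did anything answer, and where along the path did replies stop. The sample outputs are constructed from the transcripts shown in this article, the step numbers in the findings refer to the list above, and the function and field names are this example's own.

```python
"""Triage helpers for the 'generic communication error' checklist.

Paste the output of `ping host ...` and `traceroute host ...` from the
firewall CLI into the two strings below (or read them from files) and
call triage().  The samples are constructed from the article's transcripts.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_PING = """\
PING www.example.com (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34: icmp_seq=1 ttl=52 time=107 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=52 time=106 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=52 time=106 ms
--- www.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 106.349/106.643/107.025/0.388 ms
"""

SAMPLE_TRACEROUTE = """\
traceroute to 199.167.52.141 (199.167.52.141), 30 hops max, 40 byte packets
 1  10.192.16.1 (10.192.16.1)  0.522 ms  0.507 ms  0.497 ms
 2  1.111-11-1.adsl-static.isp.belgacom.be (1.11.111.1)  32.761 ms  32.753 ms  32.740 ms
 3  2.222-22-2.adsl-static.isp.belgacom.be (2.22.222.2)  81.856 ms * *
 4  * * *
 5  * * *
 6  * * *
 7  prs-bb4-link.telia.net (213.155.136.222)  82.884 ms * *
 8  ash-bb4-link.telia.net (62.115.122.159)  142.306 ms  147.212 ms *
 9  sjo-b21-link.telia.net (80.91.248.188)  226.073 ms  222.208 ms  214.858 ms
10  internap-ic-140172-sjo-b21.c.telia.net (213.248.81.134)  201.253 ms  198.637 ms  219.945 ms
11  66.151.144.15 (66.151.144.15)  225.185 ms  242.096 ms  178.880 ms
12  paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  194.397 ms * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  206.609 ms
13  * * *
14  * * *
15  * * *
16  * * *
"""

_PING_HDR = re.compile(r"^PING (\S+) \(([\d.]+)\)", re.M)
_PING_STATS = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")
_TR_HDR = re.compile(r"^traceroute to (\S+) \(([\d.]+)\)", re.M)
_TR_HOP = re.compile(r"^[ \t]*(\d+)[ \t]+(.*)$", re.M)   # one line per hop
_HOST_IP = re.compile(r"(\S+) \(([\d.]+)\)")              # "name (ip)" of the responder
_RTT = re.compile(r"([\d.]+) ms")


@dataclass
class Hop:
    number: int
    ip: Optional[str]            # None when every probe timed out ("* * *")
    rtts_ms: list = field(default_factory=list)


def parse_ping(text: str) -> dict:
    """Return whether the name resolved, the resolved IP and the loss percentage.
    A missing 'PING name (ip)' header is treated as a failed resolution
    (assumption: the CLI prints that header only once the name resolved)."""
    hdr = _PING_HDR.search(text)
    if hdr is None:
        return {"resolved": False, "ip": None, "sent": 0, "received": 0, "loss_pct": 100}
    stats = _PING_STATS.search(text)
    sent, recv, loss = (int(x) for x in stats.groups()) if stats else (0, 0, 100)
    return {"resolved": True, "ip": hdr.group(2), "sent": sent, "received": recv, "loss_pct": loss}


def parse_traceroute(text: str):
    """Return (destination_ip, [Hop, ...]) from a traceroute transcript."""
    hdr = _TR_HDR.search(text)
    dest_ip = hdr.group(2) if hdr else None
    hops = []
    for num, rest in _TR_HOP.findall(text):
        m = _HOST_IP.search(rest)          # first responder named on the line
        hops.append(Hop(int(num), m.group(2) if m else None,
                        [float(r) for r in _RTT.findall(rest)]))
    return dest_ip, hops


def last_responding_hop(hops):
    """The highest-numbered hop that answered at least one probe."""
    answered = [h for h in hops if h.ip is not None]
    return answered[-1] if answered else None


def triage(ping_text: str, tr_text: str) -> list:
    """Map the two transcripts onto the checklist steps."""
    findings = []
    p = parse_ping(ping_text)
    if not p["resolved"]:
        findings.append("name did not resolve: check DNS servers (step 1) and the DNS service route (step 5)")
    elif p["loss_pct"] == 100:
        findings.append("name resolved but nothing answered: check default gateway and policy (steps 2, 6)")
    else:
        findings.append(f"DNS and basic reachability OK ({p['received']}/{p['sent']} replies from {p['ip']})")

    dest_ip, hops = parse_traceroute(tr_text)
    last = last_responding_hop(hops)
    if last is None:
        findings.append("no hop answered: first-hop gateway unreachable (step 2)")
    elif last.ip == dest_ip:
        findings.append(f"destination {dest_ip} reached at hop {last.number}")
    else:
        findings.append(f"path leaves the network; last reply from {last.ip} at hop {last.number}; "
                        "silence from the update server itself is expected (step 4)")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_PING, SAMPLE_TRACEROUTE):
        print("-", line)
```

On the article's sample the second finding reports the last reply at hop 12 rather than a failure, which is the distinction step 4 makes: a path that reaches the update server's provider and then goes quiet is normal, whereas no reply at all past the first hop points back at the default gateway or the service route.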

 

Comments

A PA-500 we manage was configured with a static IP that was Palo Alto and had been doing dynamic updates then suddenly gave the error, but changing it to the FQDN has helped.

Getting this error message with DNS properly configured and functioning...  What are other triggers for this error?

Same problem here. Getting this error message with DNS properly configured and functioning.

The other issue that can cause this error is when the mgmt port does not have internet access or is not able to reach the updates.paloaltonetworks.com address.

 

Do a trace route source from the mgmt interface to test this from the cli.

I added an intrazone rule, from the untrust internet interface zone - internet IP, to 8.8.8.8 - 4.2.2.2, app dns, app defaults. Then set the service route for DNS to the interface with the internet access, and associated interface IP. This, plus making sure of the DNS settings in this article, corrected the problem.

I was having the issue and found that the issue was caused by decryption while having the "Verify Update Server Identity" check box checked. I tested disabling this option and then enabling back and bypassing decryption for this traffic and both configurations resolved the issue. Of the two I would recommend disabling decryption for this traffic. 

 


This issue is not only related to DNS, the factor could be anything which is blocking the connections.

1) DNS Issue.

2) Routing problem.

3) Traffic block due to configured firewall rules.

4) URL category block.

5) Decryption bypass issue.

6) SSL Interception enabled on the firewall and riverbed.

Followed everything mentioned by stlnet plus I had to change my management interface's gateway to the LAN network's gateway. 

 


step 7 has a typo, should be 'updates.paloaltonetworks.com' not 'updates.paloaltonetwoprks.com' 

 

Given the large number of other predefined SSL decryption exceptions that come already installed I would suggest that Palo Alto add this one to the predefined list.

Thank you for the heads up on the typo, it has been corrected.  Have a great day.

Hi

I am facing this issue while checking the software. The firewalls are in active/passive mode; it is working fine on Active but not on Passive. Does that mean the passive can't talk unless it takes over?

hi @R_Sharma

Do you have service routes configured?

 

The passive firewall will normally connect out of the management interface towards the default gateway you configured to get updates. If this is the same gateway as the primary device, updates should work as expected. If you set service routes, however, the dataplane interfaces on the passive device will be down, which means the service routes won't be able to connect out.

The service routes are configured exactly the same on both firewalls and do not make use of management interfaces but ethernet.

 

Regards

hi @R_Sharma

The passive unit does not have active dataplane interfaces, so service routes will not work while the device is in a passive state

 

To overcome this scenario, the active peer can sync software and content updates (this is a setting in the dynamic updates on the active member: 'sync to peer')

 


I already chose that option 'sync to HA peer' while downloading software on active device and it successfully did come up as  "Transferring a copy of image to HA peer>> Preloading into software manager >> successfully loaded into software manager"

I can't figure out how to verify that on the passive firewall.

 

Regards

 

hi @R_Sharma

> request system software info

Version               Size          Released on Downloaded
-------------------------------------------------------------------------
8.1.2                321MB 2018/06/13  05:56:35        yes
8.1.1                321MB 2018/05/01  08:01:27        yes
8.1.0                485MB 2018/03/01  20:11:59        yes
8.0.11-h1            350MB 2018/07/05  22:21:00         no
8.0.10               348MB 2018/05/14  21:53:19         no


Hi @reaper

 

Do you mean on the passive firewall? I ran the command above on the passive firewall but it doesn't show.

I downloaded 7.0.19 on active and chose sync to HA peer and it did so successfully, but I cannot see it on passive.

ah yes,  that also requires internet access. Try this:

 

admin@PA-200> request system software install version  <- press tab at end of this command
  8.1.0    8.1.0
  8.1.1    8.1.1
  8.1.2    8.1.2
  <value>  Upgrade to a software package by version

Hi

I am not installing yet but trying to download on passive firewall directly from PA server.

I am figuring out where did the software version  go on passive firewall which was downloaded on active firewall and sync'ed to peer passive?

 

(passive)> request system software install version
  6.1.0    6.1.0
  6.1.4    6.1.4
  7.0.1    7.0.1
  7.0.2    7.0.2
 
Hi @reaper

I tried these too, but couldn't see 7.0.19 on passive

 

> request system software download  file <tab>

> request system software download version <tab>

 

Does that mean that to directly download the software version on the passive firewall, it needs to take over the active role?

If I press check now to see the latest version, I get the error "failed to check software info......check network connectivity..."

Internet connection is there but it can't resolve DNS and is not able to ping DNS.

 

If you do an install on the active unit, you will also be able to sync the install to the peer

A reboot needs to be performed manually (will not be triggered automatically)

 

There's no need to put the device in active state for all this to work; there is simply a 'disconnect' due to the passive device using service routes. I'm not entirely sure how to 'see' the image when it is synced over from the peer if the local firewall does not have the capability to refresh the image overview page. It's been many years since I last touched a cluster with the passive device not having internet access, apologies for the confusion.

 

to directly place the image on the passive you have 2 options that do not require it to be in active state:

-manual upload (download from support site through a browser, upload manually)

-disable service route and connect through a different default gateway via mgmt interface

 

you can also still sync the download and install through the active peer

 

 

Hi @reaper

 

The passive box also has an internet connection. Sorry if there is any confusion.

I am thinking to download it from PA support site and upload it on passive .

 

hi @R_Sharma

 

The use of a service route makes the internet unusable for the specific feature that is set to the service route when the firewall is in passive state.

If the management interface has internet access you could disable the service route, or go the manual route.