M-100 Not Connecting to Panorama, Error Message on the M-100: "error while loading serial number"

Created On 09/26/18 19:16 PM - Last Modified 07/19/22 23:12 PM




Issue

Panorama cannot connect to the M-100 hardware.

The mp-log ms.log file on the M-100 shows the following:

unable to load number from /opt/pancfg/mgmt/cms/ssl/internal/serial

error while loading serial number

18016:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:

Mar 06 16:07:29 Error: regenerate_panorama_ca_signed_cert(pan_system_settings.c:6696): cert generation failed: Failed to generate self signed certificate and key

Mar 06 16:07:29 Error: pan_system_setting_change_cms_cert_settings(pan_system_settings.c:6787): Failed to generate Panorama certificate. Devices may not be able to connect.

Mar 06 16:07:29 db quota for traffic set to 12938 MB
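The following is an added example, not part of the original article or any Palo Alto Networks tooling: a small Python triage routine that checks ms.log text for the error chain shown above. It assumes the log text is already available as a string; the names `split_entries` and `triage` are hypothetical, and the sample input is the excerpt from this article.

```python
import re

# Signatures taken from the ms.log excerpt in this article, in log order.
SIGNATURES = [
    ("serial_unreadable", re.compile(r"unable to load number from (\S+)")),
    ("serial_load_error", re.compile(r"error while loading serial number")),
    ("asn1_parse_error", re.compile(r"a2i_ASN1_INTEGER:([^:]+):")),
    ("cert_generation_failed", re.compile(r"regenerate_panorama_ca_signed_cert\(.*?\): cert generation failed")),
    ("panorama_cert_missing", re.compile(r"Failed to generate Panorama certificate")),
]

# Entries start with a "Mon DD HH:MM:SS" stamp; split where one is fused mid-line.
FUSED = re.compile(r"(?<=\S)(?=[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} )")

# Sample input: the excerpt from this article, including its run-together last line.
SAMPLE_MS_LOG = """\
unable to load number from /opt/pancfg/mgmt/cms/ssl/internal/serial
error while loading serial number
18016:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Mar 06 16:07:29 Error: regenerate_panorama_ca_signed_cert(pan_system_settings.c:6696): cert generation failed: Failed to generate self signed certificate and key
Mar 06 16:07:29 Error: pan_system_setting_change_cms_cert_settings(pan_system_settings.c:6787): Failed to generate Panorama certificate. Devices may not be able to connect.Mar 06 16:07:29 db quota for traffic set to 12938 MB
"""

def split_entries(text):
    """Return one string per log entry, skipping blanks and un-fusing joined entries."""
    entries = []
    for line in text.splitlines():
        entries.extend(p.strip() for p in FUSED.split(line) if p.strip())
    return entries

def triage(text):
    """Record the first hit for each signature and report whether the full chain is present."""
    found = {}
    for entry in split_entries(text):
        for name, pattern in SIGNATURES:
            m = pattern.search(entry)
            if m and name not in found:
                # Keep the captured detail (file path, ASN.1 reason) when the pattern has one.
                found[name] = m.group(1) if m.groups() else entry
    return {"found": found,
            "matches_article": all(name in found for name, _ in SIGNATURES)}

if __name__ == "__main__":
    print(triage(SAMPLE_MS_LOG))
```

A result with `matches_article` set to true means every signature from this article's excerpt appears in the log; a partial match lists only the stages that were found.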

Details

Verify by using the following indicators:

  • Unable to connect to port 3978 from Panorama
  • Netstat output does not reflect anything listening on 3978 on the member
  • Ping works successfully
  • On both boxes, the CN of local.cert is the management IP address of the secondary Panorama server, so both members have the same local.cert.
  • Running the CLI command > show panorama-certificates on both members shows that the secondary (passive) unit has no certificates at all


Primary member:

-rw-r--r-- 1 root root 5.8K Jan 30 14:00 client.pem

-rw-r--r-- 1 root root 5.8K Feb 14 15:16 client_001901000475.pem

-rw-r--r-- 1 root root 5.8K Feb 14 12:40 client_002201000535.pem

-rw-r--r-- 1 root root 5.8K Feb 14 12:40 client_002201000536.pem

-rw-r--r-- 1 root root 5.8K Jan 30 14:00 client_009201000401.pem

-rw-r--r-- 1 root root 5.8K Jan 30 14:00 server.pem

Secondary member:

<nothing listed>

The secondary unit needs to have the server.pem file in order to start the services to listen for Panorama.

Cause

The file system is preventing the serial number from being read correctly. Because of this, nothing is listening on port 3978 for Panorama.

Resolution

In order to restore functionality to the device, perform a factory reset on the hardware.

For additional information on a hardware factory reset, reference the following document: How to Factory Reset a Palo Alto Networks Device

owner: jdeliio


