This article provides brief troubleshooting steps that can be performed when connectivity between Panorama and a managed firewall is not working.
Environment
Panorama managed Palo Alto Firewalls
PAN-OS 8.1 and above.
Procedure
Here are some brief steps that can be followed when Panorama is unable to connect to a managed Firewall.
Check IP connectivity between the devices (ping / traceroute).
Make sure TCP port 3978 is open and reachable from the managed device to Panorama (check with netstat or a packet capture). On the CLI:
> show netstat all yes numeric yes programs yes | match 3978
Make sure that a certificate has been generated or installed on Panorama.
Confirm the serial number configured in Panorama (case sensitive).
If a permitted IP list is configured for the management interface, make sure that Panorama IP is allowed in the list. By default, it will allow all IPs if a list is not specified.
Make sure Panorama is on a version greater than or equal to that of the managed devices: Panorama can manage devices running supported PAN-OS versions of the same or a lower release. Inspect ms.log or configd.log for "Unsupported version" messages, e.g.:
<lcs-reg-response status="error" code="unsupported-version"><msg>Unsupported version. Connection rejected.</msg></lcs-reg-response>
Check the MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from the managed device to Panorama will not succeed. Check the MTU settings on intermediate routers as well.
Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.
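Three of the checks above (the "Unsupported version" message in ms.log/configd.log, the Panorama-version-must-be-equal-or-higher rule, and the clock comparison) can be scripted against exported logs and device data. The example below is added here and is not Palo Alto Networks code; the log excerpt is constructed, the log-line prefix format and the version-tuple comparison are assumptions, and the clock threshold is left for the operator to decide.

```python
import re
from datetime import datetime

# Matches the registration-rejection element the article cites from ms.log / configd.log.
LCS_RE = re.compile(
    r'<lcs-reg-response status="(?P<status>[^"]+)" code="(?P<code>[^"]+)">'
    r'\s*<msg>(?P<msg>.*?)</msg>\s*</lcs-reg-response>'
)

# Constructed sample excerpt (not a real capture); the timestamp/level prefix is assumed.
SAMPLE_LOG = """\
2024-01-01 10:00:01 debug: sending lcs-reg-request serial=PLACEHOLDER-SERIAL
2024-01-01 10:00:02 error: <lcs-reg-response status="error" code="unsupported-version"><msg>Unsupported version. Connection rejected.</msg></lcs-reg-response>
2024-01-01 10:00:05 info: keepalive ok
"""


def find_registration_errors(log_text):
    """Return (code, msg) for every non-success lcs-reg-response found in the log text."""
    return [(m.group("code"), m.group("msg"))
            for m in LCS_RE.finditer(log_text)
            if m.group("status") != "success"]


def parse_panos_version(ver):
    """Turn a version such as '10.1.6-h3' into a comparable tuple (10, 1, 6).

    The hotfix suffix is ignored; only the base release is compared (assumption).
    """
    base = ver.split("-")[0]
    return tuple(int(part) for part in base.split("."))


def panorama_can_manage(panorama_ver, device_ver):
    """Apply the article's rule: Panorama must run a release >= the managed device's."""
    return parse_panos_version(panorama_ver) >= parse_panos_version(device_ver)


def clock_skew_seconds(panorama_time, device_time):
    """Absolute clock difference in seconds between two ISO 8601 timestamps.

    Both inputs must carry a UTC offset (e.g. '2024-01-01T10:00:00+00:00') so that
    devices in different time zones are compared correctly.
    """
    t_pan = datetime.fromisoformat(panorama_time)
    t_dev = datetime.fromisoformat(device_time)
    return abs((t_pan - t_dev).total_seconds())
```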