Issue with connecting Expedition to Panorama - Error35

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Issue with connecting Expedition to Panorama - Error35

L1 Bithead

Hi

 

Expedition Version: 1.2.38

 

I am trying to connect an expedition to Panorama 10.1.6h3 (VMware)

 

When I try to add an API key using username/password I get "Error Code 35: The connection with the device cannot be established. Please, report Error Code for improvement"

 

I generated an API key for the panorama so I tried that method by adding API key on expedition. 

 

As I found that error 35 relates to SSL Communication I checked that area. The Panorama has an SSL/TLS profile on it's management interface with a cert from their own trusted root CA.   I loaded the root CA for the certificate into the Ubuntu CA certificate store as presumed the issue was the expedition could not communicate on SSL with the panorama until it had the root CA to trust the certificate on it's management interface.  The CA cert is present and active on Ubuntu as a trusted CA cert. However I still am receiving the same error   Error 35 when I add API via username/password option and when I have API key added and try to retrieve contents it does not download.   With either method I see logs on the panorama on 443 indicating session end reason of  tcp-rst-from-client

 

So it looks like there still an issue with establishing an SSL session to allow retrieval of contents etc

 

Does anyone have any ideas how I might try to resolve this?

3 REPLIES 3

L6 Presenter

@Liam_Wynne could you please review /home/userSpace/devices/debug.txt , it might give more detail root cause on why the connection is not working. 

Thanks Lychiang - I checked this log and it confirmed issue was SSL negotiation.

@Liam_Wynne In Expedition to avoid SSL Certificates errors we are trusting all source, so it should not be a certificate error. “Curl error code 35” is happening when the SSL handshake is failing, something is blocking the SSL connection between Expedition and the Panorama.


You could test the connection by executing directly the call using the Expedition CLI:

curl --insecure https://PANORAMA_IP:PANORAMA_PORT/api?type=keygen -d user=PANORAMA_USER -d password=PANORAMA_PWD



For example:

curl --insecure https://10.11.29.168:443/api?type=keygen -d user=admin -d password=paloalto  

 

This command should return API key as result. 

 

Please execute the above command and see if you are getting any errors, also please validate that there’s nothing between Expedition and Panorama that could be blocking the traffic.

  • 1812 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!