Trouble with Expedition Import Config and API Key Generation


L1 Bithead

Hello all,
I am running into an issue with importing configs where it just seems to sit and never progress. I am importing a config from a Palo on the same network, so it's not being blocked by the firewall. I show allows in the logs when I checked anyways.

So I exported the config, added the device on Expedition, and tried to upload the XML file, and it just sits there. I have let it sit for about an hour and nothing.

I also have an issue with generating the API key. It just loads a blank remote exception page. I have deleted and re-added devices and XML roles/accounts on the firewall, and am able to generate a key via CLI, but trying to set up the link on Expedition just fails.

Any suggestions would be appreciated. Thanks.

6 REPLIES

L6 Presenter

Hi @CoryGearhart, a few things to check:

1. Make sure your Expedition is running the latest version, v1.2.50.

2. Make sure the account you use to generate the API key has read permission on the API; use the local account in the firewall.

3. Check if the management interface of the firewall has any ACL that permits only specific IPs; if it does, you will need to add the Expedition IP to the allowed list.

4. Review the /home/userSpace/devices/debug.txt on Expedition for error messages.

L1 Bithead

@lychiang 
Expedition is on v 1.2.51
I made a role labeled XMLAdmin, with all settings under XML API set to enable, then I made a user account and specified that role:

CoryGearhart_0-1676064619360.png

CoryGearhart_1-1676064661769.png

 

 

When I ran the curl command on the CLI on Expedition itself, the key is generated. So that part seems to be working as intended. I copy the key from there and try adding it under Expedition and get the blank exception page.

I am not very well versed in Linux, so any tips on how to review that would be appreciated.

 

L1 Bithead

Bumping this to see if anyone has any suggestions.

L1 Bithead

Here's what the debug.txt file states:

* Trying 10.40.100.220:443...
* TCP_NODELAY set
* Connected to 10.40.100.220 (10.40.100.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=CA; L=Santa Clara; O=Palo Alto Networks; CN=013201027270; emailAddress=support@paloaltonetworks.com
* start date: Jul 26 08:03:24 2022 GMT
* expire date: Jul 27 08:03:24 2023 GMT
* issuer: C=US; ST=CA; L=Santa Clara; O=Palo Alto Networks; CN=013201027270; emailAddress=support@paloaltonetworks.com
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /api?type=keygen&user=XMLAdmin&password=xxxxxxxxx HTTP/1.1
Host: 10.40.100.220
Accept: */*

* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 13 Feb 2023 13:29:28 GMT
< Content-Type: application/xml; charset=UTF-8
< Content-Length: 200
< Connection: keep-alive
< X-FRAME-OPTIONS: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
< Strict-Transport-Security: max-age=31536000
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Set-Cookie: PHPSESSID=d98c61162ab831ffca9e33d7b48945c4; path=/; secure; HttpOnly
< Allow: GET, HEAD, POST, PUT, DELETE, OPTIONS
<
* Connection #0 to host 10.40.100.220 left intact
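
The following Python is an added example, not part of the thread and not Expedition's own code. It triages a curl verbose trace shaped like the debug.txt above: it reports the TLS verify result and HTTP status, and masks credential, key and session-cookie values before the trace is shared. The sample trace is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the curl verbose trace in the post above;
# the address, user and password are placeholders, not values from the thread.
SAMPLE = """\
* Connected to 192.0.2.10 (192.0.2.10) port 443 (#0)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /api?type=keygen&user=apiuser&password=EXAMPLE-ONLY HTTP/1.1
< HTTP/1.1 200 OK
< Content-Type: application/xml; charset=UTF-8
< Set-Cookie: PHPSESSID=0000example0000; path=/; secure; HttpOnly
"""

SECRET = re.compile(r"((?:password|key|PHPSESSID)=)[^&;\s]+", re.I)

def redact(trace):
    """Mask credential, API-key and session-cookie values before sharing."""
    return SECRET.sub(r"\1<redacted>", trace)

def summarize(trace):
    """Extract the facts useful for keygen triage from a curl -v trace."""
    s = {"connected": False, "tls": None, "verify": None, "status": None,
         "secret_in_url": False, "findings": []}
    for line in (l.strip() for l in trace.splitlines()):
        if line.startswith("* Connected to"):
            s["connected"] = True
        elif m := re.match(r"\* SSL connection using (\S+)", line):
            s["tls"] = m.group(1)
        elif "SSL certificate verify ok" in line:
            s["verify"] = 0
        elif m := re.match(r"\* SSL certificate verify result: .*\((\d+)\)", line):
            s["verify"] = int(m.group(1))
        elif re.match(r"> (GET|POST) ", line) and SECRET.search(line):
            s["secret_in_url"] = True
        elif m := re.match(r"< HTTP/\S+ (\d{3})", line):
            s["status"] = int(m.group(1))
    if s["verify"]:
        s["findings"].append(f"TLS peer not verified (code {s['verify']}); curl continued anyway")
    if s["secret_in_url"]:
        s["findings"].append("credentials in URL query string; redact before posting")
    if s["status"] == 200:
        s["findings"].append("firewall answered HTTP 200; the request is reaching the API")
    return s

if __name__ == "__main__":
    print(redact(SAMPLE))
    for f in summarize(SAMPLE)["findings"]:
        print("-", f)
```
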

Are you able to generate the API key from the Expedition GUI as shown in the screenshot? That's the first step that needs to be working. If it's not working, I will try the troubleshooting steps below:

1. Ping from the Expedition CLI to the Panorama, and

2. Ping from the Panorama CLI to Expedition.

3. When you enter the login credential in the Expedition GUI and click Add, check the Panorama system log or authentication log to see if there is a connection attempt from the Expedition IP.

 

Screen Shot 2023-02-13 at 10.56.38 AM.png

Thanks for the suggestions. Here is what i show:

CoryGearhart_0-1676378509654.png

So I see successes from the Expedition GUI to the firewall. 

CoryGearhart_1-1676378537345.png

I get the above when generating the key. This is why this has me stumped. Everything points to the fact that this should be working.


