Cannot download PAN-OS in passive device

L4 Transporter

Hello,

When I try to download PAN-OS software directly to the passive firewall it says “Failed to check upgrade info due to generic communication error. Please check network connectivity and try again”. It is working fine on the active device.

Is it the case that in an active/passive scenario the passive can’t talk unless it takes over? I have checked all the interfaces and connectivity looks fine.

Thanks in advance.

L4 Transporter

Both active / passive units should be able to check and download updates from PAN.

Please check the following:

Is the management port set up on the passive unit? Is DNS configured? Compare the settings.

Log in to the CLI and try pinging your local gateway for the management port, 4.2.2.2, and 8.8.8.8; make sure you have reachability.

Try pinging updates.paloaltonetworks.com; the ping will fail, but you should get the name resolved (check the DNS setting).

Log in to the WebUI, go to Device -> Services -> Update Server, and make sure it points to updates.paloaltonetworks.com.

Make sure your device clock is correct with time zone.

Also, try failing over the firewall and see if it is able to download. That will sound like a configuration issue. (maybe service route, configuration?)

Also, you don't need to go to the passive firewall to download; you can just download on the active firewall and sync to the passive one as well.

L5 Sessionator

Which interface are you using for updates? The management interface, as in the default settings?

If you are using some other interface (through service route configuration), you won't be able to download updates, as that interface is always inactive on the passive cluster member.

Cyber Elite

@Farzana,

As @santonic stated the management interface is going to be your friend here and actually allow this to work as you want. Otherwise you'll never actually have an active route unless you're on the active firewall. 

L4 Transporter

Also check the service routing settings:

Device > Setup > Service > Service Route Configuration.
