01-24-2017 01:44 AM
Hi all!
I have this problem: when i check new software updates, clicking "check now" button, this error appears: "Failed to check upgrade info due to generic communication error. Please check network connectivity and try again."
Doing a traceroute we see that after the 17th hops the trace stops, all the ping are unsuccesful
17 * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74) 163.015 ms *
18 * * *
19 * * *
[...]
30 * * *
DNS resolves name correctly (traceroute to updates.paloaltonetworks.com (199.167.52.141)), and as you can see the packet go on Internet.
Can someone please help me? Anyone saw this problem?
Regards,
Daniele Cantarelli
01-24-2017 01:49 AM - edited 01-24-2017 06:13 AM
Hi,
How do you get to the updates.paloaltonetworks.com using mgmt interface or outside (Internet facing interface).
Below KB on how to change service route option fro the device to use a different source ip while "talking" to the external recourses
P.S ping and traceroute are disabled on the server, so don't worry
01-24-2017 01:49 AM - edited 01-24-2017 06:13 AM
Hi,
How do you get to the updates.paloaltonetworks.com using mgmt interface or outside (Internet facing interface).
Below KB on how to change service route option fro the device to use a different source ip while "talking" to the external recourses
P.S ping and traceroute are disabled on the server, so don't worry
01-24-2017 02:04 AM
Hi,
This issue started after the last update of PanOS, it could be possible that the update changed some parameters?
Regards,
Daniele Cantarelli
01-24-2017 02:08 AM - edited 01-24-2017 06:13 AM
Hi,
I don't think so. If it was working fine before please try to use"check now" for few times. l do have these messages from time to time in our lab device.
Thx,
Myky
01-25-2017 06:01 AM
Hi Myky,
it's several days this error occours, and we continue to click on "check now" but nothing change.
Could it be a bug of PanOS? The version is 7.1.7.
Regards,
Daniele Cantarelli
01-25-2017 06:06 AM
Hi,
Do you get dynamic updates downloaded successfully (e.g AV, WildFire or threat prevention)?
Thx,
Myky
01-25-2017 07:04 AM
do you see "check now" at the log with the external interface and did you configure NAT as well?
not the external interface - then change the service route
no NAT and private IP - then used NAT with Public IP
still not working - please show the log entry and rule
01-25-2017 09:26 AM
Hello,
If your not blocking any of the update traffic, have you cheked to see if the licenses are still valid? Perhaps perform a refresh on them.
Device->Licenses-> Retrieve licenses from server
Also make sure you are not SSL decrypting that traffic.
Happened to me when we renewed support.
Regards,
01-26-2017 02:29 AM
hi Myky,
i have the same problem with dynamic updates.
Regards,
Daniele
01-26-2017 02:35 AM
Hi,
Ok as people already mentioned here:
1) check the licenses
2) change the service route to use your external IP to talk to the updates servers
Thx,
Myky
01-26-2017 06:02 AM
@DKanta, to add to this the majority of the time the only thing that you will have to do is retrieve the licenses from the server to get it to function again if it was working previously. I'm not sure why they occasionally drop off but that will usually fix it perfectly fine. If it was working previously there should be no need to change your routing unless you have made other changes to your management port.
01-26-2017 07:12 AM
Hi @BPry,
i tried to retrieve the license (Device->Licences->Retrieve License keys from License server), but this don't work, after some seconds appear the popup: "Failed to install licenses. Failed to get license info. Please try again later."
It seems that all the Palo Alto servers are unreachable.
Regards,
Daniele
01-26-2017 07:16 AM
@DKanta interesting. That definitely does sound like an actual service route issue; are you seeing the issue after updating to 7.1.7 as well?
01-26-2017 07:22 AM
Hi @BPry,
yes, because the PA was updated with online method, not downloading the image and uploading on the PA.
So do you suggest me to change the service route configuration?
Regards,
Daniele
01-26-2017 07:27 AM
@DKanta, at that point I would but it would be nice to get TAC involved if this is a wide-spread issue so that they can address and fix it going forward.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
