Device Disconnected from Panorama

s.williams1
L4 Transporter


I added the device to Panorama yesterday and everything was fine. Logs were shipping to Panorama from the device as expected, and at about 9:50 PM I see a stop in the logs, so I assume the device became disconnected at that point. From the device I can ping the Panorama, so connectivity is there. No changes were made last night.

 

What else can I check?

kiwi
Community Team Member

Hi @s.williams1,

 

There are a couple of checks you could perform.

 

I'd start by verifying that the device & Panorama have connectivity, i.e.:

 

On Device

admin@PA-4050> show panorama-status
Panorama Server 1 : 10.30.1.134
State : Unknown

 

Verify logrcvr status on the device:

admin@PA-4050> show system software status | match logrcvr
Process  logrcvr              running  (pid: 1606)

Restart may be required if not running. 

 

On the device, verify logs are being actively written to the appliance, forwarding, etc.:

admin@PA-4050> debug log-receiver statistics

Logging statistics
------------------------------ -----------
Log incoming rate:             30/sec
Log written rate:              30/sec
Corrupted packets:             0
Corrupted URL packets:         0
Logs discarded (queue full):   0
Traffic logs written:          7071520
URL logs written:              725
Anti-virus logs written:       0
Spyware logs written:          0
Attack logs written:           0
Vulnerability logs written:    0
Fileext logs written:          2993
URL cache age out count:       440
URL cache full count:          0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count:  0
Log Forward in queue count:    0
Log Forward count:             7070916
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0

 

On Panorama (verify if devices are connected):

admin@Panorama> show devices connected
Serial               Hostname        IP              Connected
--------------------------------------------------------------------------
0001A100236          PA-4050         10.30.14.80     yes

 

Verify logging status on Panorama (last log forwarded from device, etc.):

admin@Panorama> show logging-status device <device_serial_number>
      Type              Last Log rcvd      Last SeqNo. rcvd       Last Log generated
    config        2017/04/03 18:02:01                   145      2017/01/19 16:12:17
    system        2017/03/30 11:18:01                 15835      2017/01/19 16:13:49
    threat
   traffic
  hipmatch

 

If there is a gap in logging (logs not forwarding to Panorama) & connectivity to/from devices does not appear to be an issue, etc., you could issue the following commands in sequence on Panorama via CLI to restart the log-forwarding process:

 

  1. request log-fwd-ctrl device <serial number> action stop
  2. request log-fwd-ctrl device <serial number> action live (let this run for about 1 minute or so & verify logging-status)
    Note: Think of "action live" as a function similar to UDP syslog/best-effort. In this mode, there will be no sanity checks/lost log checks, etc. Logging is literally "live" with no buffering.
  3. Finally, issue the following command: request log-fwd-ctrl device <serial number> action start
    Note: Action Start (default behavior) is buffered log forwarding. Reasoning behind the buffering is for Panorama to perform various checks (lost log checks, etc.), from last acked, etc.

 

Afterwards, issue the following command from CLI on Panorama as well as verify via the WebUI/Monitor tab:

admin@Panorama> show logging-status device <device_serial_number>
      Type            Last Log rcvd    Last SeqNo. rcvd       Last Log generated
    config      2017/04/19 20:02:01                 235      2017/04/19 20:00:17
    system      2017/04/19 12:18:01               19935      2017/04/19 12:08:49
    threat
   traffic
  hipmatch

 

Hope this helps,

-Kiwi.
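
Added example, not part of kiwi's reply and not Palo Alto Networks tooling: a small Python parser for the `show logging-status device` output shown above that marks each log type as never received, stale, or current, so a forwarding gap can be caught by a scheduled check rather than by eye. The function names, the sample text (constructed from the first output in this thread), the reference time and the one-hour threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the first `show logging-status` output above.
SAMPLE = """\
      Type              Last Log rcvd      Last SeqNo. rcvd       Last Log generated
    config        2017/04/03 18:02:01                   145      2017/01/19 16:12:17
    system        2017/03/30 11:18:01                 15835      2017/01/19 16:13:49
    threat
   traffic
  hipmatch
"""

FMT = "%Y/%m/%d %H:%M:%S"
TS = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
# A row is a log type, optionally followed by: rcvd timestamp, seqno, generated timestamp.
# The header line does not match because "Last Log rcvd" is not a timestamp.
ROW = re.compile(rf"^\s*(\w+)(?:\s+{TS}\s+(\d+)\s+{TS})?\s*$")

def parse_logging_status(text):
    """Return {log_type: None | (last_rcvd, seqno, last_generated)}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank line or prompt
        log_type, rcvd, seqno, generated = m.groups()
        if rcvd is None:
            rows[log_type] = None  # Panorama has no record for this type
        else:
            rows[log_type] = (datetime.strptime(rcvd, FMT), int(seqno),
                              datetime.strptime(generated, FMT))
    return rows

def find_gaps(rows, now, max_age):
    """Classify each log type as 'never', 'stale' or 'ok' relative to `now`."""
    status = {}
    for log_type, row in rows.items():
        if row is None:
            status[log_type] = "never"
        elif now - row[0] > max_age:
            status[log_type] = "stale"
        else:
            status[log_type] = "ok"
    return status

if __name__ == "__main__":
    now = datetime(2017, 4, 3, 18, 30, 0)  # assumed time of the check
    for log_type, state in find_gaps(parse_logging_status(SAMPLE), now,
                                     timedelta(hours=1)).items():
        print(f"{log_type:10} {state}")
```

Whether an empty row is a problem depends on the device: a type such as hipmatch can be legitimately empty, while an empty traffic row on a firewall that is passing traffic is the gap to investigate.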

s.williams1
L4 Transporter

All checks out. The device shows disconnected so it doesn't show IP in many outputs. The logs are running good on the local device, just not connected to Panorama so therefore not forwarding.

 

From device I can ping Panorama, and Panorama I can ping device, no firewalls are in between. 

 

Silly question, but can a device that is currently not on support be managed in the Panorama?

 

The only thing I see in the logs is the Panorama going out to updates.paloaltonetworks.com and doing some kind of deployment job update license task?
