dns-signature cloud service connection refused.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

dns-signature cloud service connection refused.

L1 Bithead

Greetings:

I am seeing in the System Log the following message "dns-signature cloud service connection refused"  Checking the traffic logs the management IP address is not being blocked.  Where do I look to resolve this error message?   Thank you.

15 REPLIES 15

Cyber Elite
Cyber Elite

@Steve_Dussault 

This also happens if connection to cloud is refused.

Make sure Firewall management interface has connection to cloud 

Try this command

 

show dns-proxy dns-signature info

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

MP18:

Here is the results of the command.  The firewall has Internet access but for some reason cannot connect to the cloud service?

 

 show dns-proxy dns-signature info

Cloud URL: dns.service.paloaltonetworks.com:443

Last Result: Timeout was reached ( 11 sec ago )

Last Server Address:

Parameter Exchange: Interval 1800 sec

Whitelist Refresh: Interval 86400 sec ( Due 83823 sec )

Request Waiting Transmission: 0

Request Pending Response: 0

Cache Size: 8


 ping host dns.service.paloaltonetworks.com
PING dns.service.paloaltonetworks.com (130.211.8.196) 56(84) bytes of data.
^C
--- dns.service.paloaltonetworks.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11013ms

 

ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=3 ttl=113 time=229 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=4 ttl=113 time=227 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=5 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=8 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=9 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=10 ttl=113 time=228 ms

show dns-proxy dns-signature info

Cloud URL: dns.service.paloaltonetworks.com:443

Last Result: Timeout was reached ( 11 sec ago )

Last Server Address:

Parameter Exchange: Interval 1800 sec

Whitelist Refresh: Interval 86400 sec ( Due 83823 sec )

Request Waiting Transmission: 0

Request Pending Response: 0

Cache Size: 8


 ping host dns.service.paloaltonetworks.com
PING dns.service.paloaltonetworks.com (130.211.8.196) 56(84) bytes of data.
^C
--- dns.service.paloaltonetworks.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11013ms

 

ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=3 ttl=113 time=229 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=4 ttl=113 time=227 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=5 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=8 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=9 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=10 ttl=113 time=228 ms

 

 

L1 Bithead

MP:

 

Here is the output of the command.  The firewall does have Internet access and can resolve DNS queries.

 

show dns-proxy dns-signature info

Cloud URL: dns.service.paloaltonetworks.com:443

Last Result: Timeout was reached ( 11 sec ago )

Last Server Address:

Parameter Exchange: Interval 1800 sec

Whitelist Refresh: Interval 86400 sec ( Due 83823 sec )

Request Waiting Transmission: 0

Request Pending Response: 0

Cache Size: 8


 ping host dns.service.paloaltonetworks.com
PING dns.service.paloaltonetworks.com (130.211.8.196) 56(84) bytes of data.
^C
--- dns.service.paloaltonetworks.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11013ms

 

ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=3 ttl=113 time=229 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=4 ttl=113 time=227 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=5 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=8 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=9 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=10 ttl=113 time=228 ms

 

 

I have the identical issue, have you been able to resolve it?

I worked with TAC and we were not able to resolve the issue.  The firewall is located in China so we believe the issue had to do with "The Firewall of China".  The issue since has resolved itself.

I'll open a TAC case also since the Timeout enhancement has not helped.

Tnx!

L1 Bithead

It seems you have to enable paloalto-dns-security app.

Does anyone have a solution for this? All our firewalls in China are unable to reach "dns.service.paloaltonetworks.com". The result are random DNS requests getting sinkholed and delayed.

 

show dns-proxy dns-signature info

Cloud URL: dns.service.paloaltonetworks.com:443

Telemetry URL: io.dns.service.paloaltonetworks.com:443

Last Result: Timeout was reached ( 5 sec ago )

 

Hi Cmuchong,

 

Have you tried what @KoShy said? Allowing the paloalto-dns-security app.

This has helped me.

 

Br,

@cmuchong 

 

IF you have checked this url link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uc6CAE

 

Then still same issue then please open up TAC case.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Thanks all, the solution finally was to upgrade to  9.1.11,10.0.7,10.1.1 (PAN-163800). If upgrade is not possible then a workaround is to use an in-country DNS (within China). 

L1 Bithead

Looking for resolution for this one and I see no updates for almost 3 months.  

 

My device are not in China and have the same issue.

 

Any help out there?

L0 Member

I came across this issue and the mgmt internet was in it's own zone, but the zone had the attached security profiles. The firewall lost it's connection to the update server and all traffic and URLs were unable to be classified with a category. Adding a security rule for that zone and IP with no security policies fix the issue for me.

  • 14926 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!