Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-06-2020 05:22 AM
Greetings:
I am seeing in the System Log the following message "dns-signature cloud service connection refused" Checking the traffic logs the management IP address is not being blocked. Where do I look to resolve this error message? Thank you.
10-06-2020 06:42 AM
This also happens if connection to cloud is refused.
Make sure Firewall management interface has connection to cloud
Try this command
show dns-proxy dns-signature info
Regards
10-06-2020 09:39 AM
MP18:
Here is the results of the command. The firewall has Internet access but for some reason cannot connect to the cloud service?
show dns-proxy dns-signature info
Cloud URL: dns.service.paloaltonetworks.com:443
Last Result: Timeout was reached ( 11 sec ago )
Last Server Address:
Parameter Exchange: Interval 1800 sec
Whitelist Refresh: Interval 86400 sec ( Due 83823 sec )
Request Waiting Transmission: 0
Request Pending Response: 0
Cache Size: 8
ping host dns.service.paloaltonetworks.com
PING dns.service.paloaltonetworks.com (130.211.8.196) 56(84) bytes of data.
^C
--- dns.service.paloaltonetworks.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11013ms
ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=3 ttl=113 time=229 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=4 ttl=113 time=227 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=5 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=8 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=9 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=10 ttl=113 time=228 ms
10-06-2020 11:28 AM
show dns-proxy dns-signature info
Cloud URL: dns.service.paloaltonetworks.com:443
Last Result: Timeout was reached ( 11 sec ago )
Last Server Address:
Parameter Exchange: Interval 1800 sec
Whitelist Refresh: Interval 86400 sec ( Due 83823 sec )
Request Waiting Transmission: 0
Request Pending Response: 0
Cache Size: 8
ping host dns.service.paloaltonetworks.com
PING dns.service.paloaltonetworks.com (130.211.8.196) 56(84) bytes of data.
^C
--- dns.service.paloaltonetworks.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11013ms
ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=3 ttl=113 time=229 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=4 ttl=113 time=227 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=5 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=8 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=9 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=10 ttl=113 time=228 ms
10-06-2020 11:42 AM
MP:
Here is the output of the command. The firewall does have Internet access and can resolve DNS queries.
show dns-proxy dns-signature info
Cloud URL: dns.service.paloaltonetworks.com:443
Last Result: Timeout was reached ( 11 sec ago )
Last Server Address:
Parameter Exchange: Interval 1800 sec
Whitelist Refresh: Interval 86400 sec ( Due 83823 sec )
Request Waiting Transmission: 0
Request Pending Response: 0
Cache Size: 8
ping host dns.service.paloaltonetworks.com
PING dns.service.paloaltonetworks.com (130.211.8.196) 56(84) bytes of data.
^C
--- dns.service.paloaltonetworks.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11013ms
ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=3 ttl=113 time=229 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=4 ttl=113 time=227 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=5 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=8 ttl=113 time=228 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=9 ttl=113 time=231 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=10 ttl=113 time=228 ms
01-04-2021 04:10 AM
I have the identical issue, have you been able to resolve it?
01-04-2021 04:19 AM
I worked with TAC and we were not able to resolve the issue. The firewall is located in China so we believe the issue had to do with "The Firewall of China". The issue since has resolved itself.
01-04-2021 04:41 AM
I'll open a TAC case also since the Timeout enhancement has not helped.
Tnx!
01-25-2021 09:45 PM
It seems you have to enable paloalto-dns-security app.
03-17-2022 08:43 AM
Does anyone have a solution for this? All our firewalls in China are unable to reach "dns.service.paloaltonetworks.com". The result are random DNS requests getting sinkholed and delayed.
show dns-proxy dns-signature info
Cloud URL: dns.service.paloaltonetworks.com:443
Telemetry URL: io.dns.service.paloaltonetworks.com:443
Last Result: Timeout was reached ( 5 sec ago )
03-18-2022 09:54 AM
IF you have checked this url link https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001Uc6CAE
Then still same issue then please open up TAC case.
Regards
05-22-2022 07:05 AM - edited 05-22-2022 07:09 AM
Thanks all, the solution finally was to upgrade to 9.1.11,10.0.7,10.1.1 (PAN-163800). If upgrade is not possible then a workaround is to use an in-country DNS (within China).
06-03-2022 02:11 PM
Looking for resolution for this one and I see no updates for almost 3 months.
My device are not in China and have the same issue.
Any help out there?
09-15-2023 08:37 AM - edited 09-15-2023 08:38 AM
I came across this issue and the mgmt internet was in it's own zone, but the zone had the attached security profiles. The firewall lost it's connection to the update server and all traffic and URLs were unable to be classified with a category. Adding a security rule for that zone and IP with no security policies fix the issue for me.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
