Download PAN-OS from GUI failing, potential MTU Problem ...

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Download PAN-OS from GUI failing, potential MTU Problem ...

L2 Linker

Ok folks

 

Here's an interesting one for you.

 

This is to do with connectivity between Panorama and updates.paloaltonetworks.com

 

We can retrieve licence info and download list of updates available for downloads (SW and Threats), but when clicking on download link the connection fails with standard connectivity to updates.palo error, try again later.

 

This is long shot, but has anyone seen this before?

 

PAN-OS 8.0.2 VM base image, intending to upgrade to 8.0.7 if the download worked 😕

 

Ajaz Nawaz

JNCIE-SEC No.254

CCIE-RS No.15721

1 accepted solution

Accepted Solutions

Ok so Palo use CDN (Content Delivery Network e.g Akamai), to deliver dynamic updates and downloads. If your network does not allow for the 'Dynamic' nature of CDN in terms of DNS, then modify your update server from:

 

updates.paloaltonetworks.com

 

TO

 

staticupdates.paloaltonetworks.com

 

Or.. architect your network to tolerate and act upon dynamic DNS

 

Also please take look at this for further details:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/content-delivery-n...

 

Hope this helps !

 

Ajaz

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Have you tried re-running 'check now' ?

 

Have you followed the connection through a firewall (packetcapture + global counters) to see what may be happiening, have you seen MTU error messages?

 

MTU issues can be fixed by changing the MTU and/or setting TCP MSS rewrites, but you'll want to investigate the connection to see what is actually happening before changing these settings

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

hmmm..

 

So its nothing to do with MTU after all.

 

Currently investigating but updates.paloaltonetworks.com is resolving to :

 

a92-122-165-117.deploy.akamaitechnologies.com.https

 

But... in front of Panorama there is a perimeter SRX fw allowing updates.paloaltonetworks.com ONLY !

 

admin@asfdsadfasdf> view-pcap mgmt-pcap mgmt.pcap

17:22:58.515102 IP <ip-addr-removed>.36347 > a92-122-165-117.deploy.akamaitechnologies.com.https: S 1831023988:1831023988(0) win 14600 <mss 1460,sackOK,timestamp 2046968 0,nop,wscale 7>
17:22:59.192528 IP fl-7034162.sc.reg.net.51362 > <ip-addr-removed>.https: P 17867:18679(812) ack 17555 win 256
17:22:59.192544 IP <ip-addr-removed>.https > fl-7034162.sc.reg.net.51362: . ack 18679 win 330

 

So it seems we need to introduce another policy on SRXs but they are native fw's not next-gen, so dynamic policy is not an option.

 

Stay tuned !

 

Ajaz

 

 

 

Ok so Palo use CDN (Content Delivery Network e.g Akamai), to deliver dynamic updates and downloads. If your network does not allow for the 'Dynamic' nature of CDN in terms of DNS, then modify your update server from:

 

updates.paloaltonetworks.com

 

TO

 

staticupdates.paloaltonetworks.com

 

Or.. architect your network to tolerate and act upon dynamic DNS

 

Also please take look at this for further details:

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/content-delivery-n...

 

Hope this helps !

 

Ajaz

  • 1 accepted solution
  • 2985 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!