Dynamic updates failing since the 18th....

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dynamic updates failing since the 18th....

L4 Transporter

Some of our PA's are failing to get updates with a "generic communication failure"

 

They go out the same rule on one PA.

 

The DR site seems to be ok.

 

DNS and trace route seem fine...

 

Rob

 

14 REPLIES 14

L7 Applicator

Hmmm this was posted earlier this month, here was the resolution, HTH.

 

But I found the issue: Some of the update traffic is now classified as "ssl" and not "paloalto-updates". When you try multiple times, it eventually contacts a download server which is classified as "paloalto-updates". With "ssl" added to the rule, it works now instantly and every time. Thanks for your help.

Hello,

We also had ours do the same thing. My guess is that it was an issue on PAN's side. However today all of mine are getting updates. Maybe check the traffic logs to see if they are getting blocked on your side? By default they will check from the management port.

 

Regards,

It's working now.

 

Pulling from "199.167.52.141"

 

It was failing on "34.84.96.34"

 

Prior to the issue it seemed to be trying both,

During the issue just trying 34.84....

Now just using 199.167....

 

 

So I guess they have a broken repository.

 

 

 

 

So, to hopefully conclude this..

 

After going back to support a few times, they have finally said that "Senior Resource" has said they are migrating to Google Cloud. And had received reports that users could not connect. etc..

 

My summary. Failed service migration by PA, nothing to do with our hardware, configuration or internet.

 

Cheers

 

Rob

I'm having a somewhat similar issue, but this has to do with the schedule itself. For instance, I have App & Threat set to download and install every hour. The schedule runs, and returns (in System Log) "Auto update agent found no new Content updates".

 

However, if I manually refresh the new updates will appear. On the next schedule the download start and install. I tried this on 2 PA-220's: same schedule and I manually refreshed one of them. And sure enough, the one that I did not manually refresh stayed put on the old content.

 

This is driving me mad

We encounter the same in a global PA deployment.

Automatic content updates dont work anymore, triggering it manually on the device works fine.

However, automatic antivirus updates still work fine.

 

Sounds like the exact same issue. Do you have Panorama in your environment? We encounter the same issue on Panorama app/threat.

 

On a few firewalls that have not yet been connected to Panorama, it seems like the content works as well. We did have an issue with it not updating in december, but disabling the schedules (content & av), commiting, enabling the schedules and commiting seemed to resolve the issue.

Yes, Panorama itself has the same issue with content updates. Download and install schedules are pushed from Panorama to devices via template setting.

I am guessing it's somewhat geographical [I am in the UK], and the GOOGLE CDN address I WAS getting would not be the same as say the one for the US. Which may account for it not affecting a wider audience.

 

Rob

L3 Networker

Wow, we just noticed this the other day. Since the 12/17 our updates have been failing. Do it manually and it worked fine. I opened a case but they said to restart the management plane.

I've restarted a few of the firewalls and also upgrading them to 9.0.4 without any improvement. So I guess restarting the Management plane won't do much good.

Seems like our firewalls are acting normally now when it comes to content updates. How about you guys?

I don't think we have seen and issue since late December.

 

Rob

 

 

Me too. We had 16 out of 18 firewalls not updating, but they all grabbed the last update without a problem.

  • 9881 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!