Failed to check content upgrade info due to generic communication error.

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L6 Presenter

Niklas,

Are you saying it's still not working for you even after executing the suggested workaround?

Thanks,

Renato

Highlighted
Not applicable

I am saying it is working.

//Niklas

Highlighted
L6 Presenter

Thanks for clarifying Niklas!

-Renato

Highlighted
L3 Networker

FWIW, I was running into the same problem however my situation was a little different.

I was assuming that the firewall would make the connection to the Internet through the WWW/WAN interface that is configured the same way my Checkpoint firewalls do.   I didn't realize that the management interface would be the one used for checking for updates.

I am in the initial build up of this Palo Alto segment which is to replace my Checkpoints.   As such, I have part of my LAN configured on the Palo Alto, but I do not have it plugged into my core LAN. 

So I changed my DNS servers to use 8.8.8.8 (Google) versus my Internal DNS, I modified my NTP to check time.apple.com (The time was off by 25 hours) and I changed the default gateway on the management interface to be the private/LAN IP address of the Palo Alto.

It still didn't work.   I rebooted, and it started working.

Posted in case it may help someone else.

Highlighted
L0 Member

Hi,

I had this issue recently when upgrading a HA pair. The active could reach the updates server fine, but passive failed.

Easiest way around this without messing around with static arp entries is to just refresh and download the software you require on the Active firewall.

When the prompt comes up to sync with HA make sure you check the box and click OK.

Once this is downloaded on the active jump over to the passive firewall >software> hit refresh , it will fail...But notice at the bottom of the software list you will have the latest version of software to install.

it will just say Unknown in the "release date" column :smileywink: and it should have the install button ready for you to upgrade the passive.

Hope that helps.

Owen.

Highlighted
L3 Networker

While performing a sync to peer when performing a software or dynamic update does work around the issue of a passive device in a HA pair not being able to get the updates, it is not best practice and it can expose you to split brains when your HA pair is under heavy loads. Configuring static ARPs on the internal L3 interfaces allows both PAN devices to access PANs update servers without increasing the risks of split brains.

Highlighted
L2 Linker

Hello,

 

I have the same issue, with an HA. Currently Active can update its content updates, but Passive can't update them. I have a question, about your workaround. 

 

When you said "configure the ARP entries", do your refer to add the MAC address, of each MGT interface, in all Layer 3 interfaces that I have configured?

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!