Failed to check content upgrade info due to generic communication error.

migration · ‎08-29-2010

Recently, I am getting "Failed to check content upgrade info due to generic communication error. Please try again later" error message.

Do you have any idea about the problem? I faced with this problem at two different PoC.

Thanks.

-Ismail

migration · ‎03-10-2011

For all interested parties:

After a support call to Palo Alto, it was determined that a "feature"(not a 'bug") that is "by design" was causing my issues. Palo Alto says it is too costly to fix since there is a reasonable workaround. If enough people complain to their SE, then maybe PA will fix the issue, which is still present in the new OS 4.0.x.

The fix was to add static ARP entries for each firewall's management interface in the layer3 sub-interface of the physical internal interface.

Once the ARP entries went in, my passive firewall was able to reach out to the Internet for PaloAlto updates.

Hope this helps!

Mike

View solution in original post

ggutierrez · ‎08-29-2010

We recently migrated the updates to a CDN. The auth requests still go to updates.paloaltonetworks.com but the downloads are sourced from the following url:

http//:c0002083.cdn1.cloudfiles.rackspacecloud.com

If there is a rule set to allow updates only from our update server then you will need to add the ip from the new url.

migration · ‎08-29-2010

I did not specify any rule about updates. I am using default settings(factory-default settings of PAN 3.1.4)

Is this normal situation?

Thanks.

ggutierrez · ‎08-29-2010

You will need to configre a DNS server on the Device page to access the serrver. Be sure you can ping updates.paloaltonetworks.com

kkotsis · ‎09-01-2010

Hello,

i have the same problem.

I am pinging updates.paloaltonetworks.com but i am getting the same error.

thanks,

Kostas

migration · ‎03-07-2011

Am having same issue here. I am using two PA500's in an HA arrangement. One firewall(active one) can retrieve the updates normally while the second, passive, firewall receives the error.

sandro · ‎03-09-2011

I'm having same problem too.

migration · ‎03-10-2011

For all interested parties:

After a support call to Palo Alto, it was determined that a "feature"(not a 'bug") that is "by design" was causing my issues. Palo Alto says it is too costly to fix since there is a reasonable workaround. If enough people complain to their SE, then maybe PA will fix the issue, which is still present in the new OS 4.0.x.

The fix was to add static ARP entries for each firewall's management interface in the layer3 sub-interface of the physical internal interface.

Once the ARP entries went in, my passive firewall was able to reach out to the Internet for PaloAlto updates.

Hope this helps!

Mike

ldormond · ‎10-10-2011

Hello,

I am facing the same issue.

I have a Active/Passive PA2050 cluster and I get the same errir message on both devices when trying to check for new update content.

I have configured the appliances to only use mgmt interface and both firewalls can ping the update server (so there is no ARP issue) from the mgmt interface but I still get this error.

Any idea?

Regards,

Laurent

lnwh · ‎10-12-2011

The fix was to add static ARP entries for each firewall's management interface in the layer3 sub-interface of the physical internal interface.

Once the ARP entries went in, my passive firewall was able to reach out to the Internet for PaloAlto updates.

Nice fix it works for me.

I can ping update server but can't dowload files but after this fix it is works.

Thanks

Niklas

gswcowboy · ‎10-13-2011

Niklas,

Are you saying it's still not working for you even after executing the suggested workaround?

Thanks,

Renato

lnwh · ‎10-13-2011

I am saying it is working.

//Niklas

gswcowboy · ‎10-13-2011

Thanks for clarifying Niklas!

-Renato

EdwinD · ‎01-26-2012

FWIW, I was running into the same problem however my situation was a little different.

I was assuming that the firewall would make the connection to the Internet through the WWW/WAN interface that is configured the same way my Checkpoint firewalls do. I didn't realize that the management interface would be the one used for checking for updates.

I am in the initial build up of this Palo Alto segment which is to replace my Checkpoints. As such, I have part of my LAN configured on the Palo Alto, but I do not have it plugged into my core LAN.

So I changed my DNS servers to use 8.8.8.8 (Google) versus my Internal DNS, I modified my NTP to check time.apple.com (The time was off by 25 hours) and I changed the default gateway on the management interface to be the private/LAN IP address of the Palo Alto.

It still didn't work. I rebooted, and it started working.

Posted in case it may help someone else.

LCMember380 · ‎02-06-2013

Hi,

I had this issue recently when upgrading a HA pair. The active could reach the updates server fine, but passive failed.

Easiest way around this without messing around with static arp entries is to just refresh and download the software you require on the Active firewall.

When the prompt comes up to sync with HA make sure you check the box and click OK.

Once this is downloaded on the active jump over to the passive firewall >software> hit refresh , it will fail...But notice at the bottom of the software list you will have the latest version of software to install.

it will just say Unknown in the "release date" column and it should have the install button ready for you to upgrade the passive.

Hope that helps.

Owen.

Failed to check content upgrade info due to generic communication error.

Failed to check content upgrade info due to generic communication error.

Show your appreciation!