Firewall shows disconnected from Panorama after upgrade to 10.1.5-h1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Firewall shows disconnected from Panorama after upgrade to 10.1.5-h1

L2 Linker

Just upgraded one of my standby firewalls from 10.1.5 to 10.1.5-h1 for the OpenSSL vulnerability and after the install and reboot it shows disconnected in Panorama (also confirmed via the cli show panorama-status).  My Panorama has already been running 10.1.5-h1 for the last week or so with no issues.   I have opened a P1 support case but haven't heard anything yet and imagine it will be hours or days so hoping someone here has run into this?  

1 accepted solution

Accepted Solutions

L7 Applicator

Try this:

  1. Generate a new auth key on panorama
  2. Enter this command on the firewall "request sc3 reset"
  3. Restart the management server process with "debug software restart process management-server"
  4. Log in to the firewall again and enter "request authkey set " followed by the auth key you generated on panorama
  5. Enter config mode on the firewall and do a commit force

View solution in original post

6 REPLIES 6

L7 Applicator

Try this:

  1. Generate a new auth key on panorama
  2. Enter this command on the firewall "request sc3 reset"
  3. Restart the management server process with "debug software restart process management-server"
  4. Log in to the firewall again and enter "request authkey set " followed by the auth key you generated on panorama
  5. Enter config mode on the firewall and do a commit force

L2 Linker

You are amazing!  Thank you so much.  Support had absolutely no clue how to fix this!

Huge thank you mate! Had the same problem after upgrading to 10.1.5-h2 from 10.0.8. Been fighting for hours with it before I was about to go to TAC but your fix worked perfectly. 

Do you have to generate a new auth key on panorama for each FW? This process does not work if the FW Device Groups and Templates is control by PAN.

L0 Member

CHECK if Palo-HA pair are no longer connected because of an empty “auth-key”?

Panorama → Managed Devices → Summary

<<Check Certification Column (Should have “pre-defined”) >>

 

 

(1) –GENERATE-- OR --COPY-- <panorama-auth-key>

Panorama → Device Registration Auth Key

 

 

(2) Use Tools and SSH into Firewall :

(a) Start Stopwatch OR Use “paping” tool

https-tcp-ping “paping -p 443 <ip-address-of firewall>

(c) SSH into Firewall2 : (putty, openssh)

(I) type command “request sc3 reset” (this resets it and gets ready for new auth-code)

(II) type command “debug software restart process management-server

 

<< MGT WEB GUI & YOUR SSH connection will be KILLED >>

<< Wait 5 -10 Minutes OR watch paping tool >>

 

(d) SSH BACK into Firewall :

(I) type command “request authkey set <auth-code-from-step(1)>

(II) Goto Config Mode type command “configure

 

<< Wait 2-3 Min for services to be ready for commit >>

 

(III) type command “commit forced

 

<< Check Output for Errors, Once Done Then >>

 

(IV) type “exit” press <enter>

(V) type “exit” press <enter>

 

<< Redo Step (2) with the second firewall in the HA Pair >>

 

 

(3) Re-Sync Firewall Data after Panorama shows “connected” in

Panorama → Managed Devices → Summary

(a) Push a config ONLY TO SPECIFIC firewalls to re-synced:

(I) Click → Commit → Push to Devices

(II) Click → Edit Selections

(III) Once on scope selection menu UN-CHECK all other Firewalls

(IV) Click “OK”

 

L0 Member

I have the same problem after upgrading the firewall from 10.1.12 to 10.2.8. I try the procedures above, but no effect , the firewall still show as disconnected from panorama (v. 10.1.9. 

  • 1 accepted solution
  • 10392 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!