FW's Not connected to M100, SSL failed to connect to panorama

L1 Bithead

We are on a test network with one Panorama M100 and two PA-5020s that are at 6.1.7 (there are reasons). They have not been modified lately but are showing disconnected after an attempted push. They show In Sync for Shared Policy and Out of Sync for Templates. Last commit status is Not Connected.

They were/are not an HA pair.

When I have tried tcpdump from the CLI on each of the devices I never see traffic. tcpdump was used with no filters.

I've been reading through the community posts and have checked the following:

 

  • Check IP connectivity between the devices.
    Good

  • Make sure port 3978 is open and available from the device to Panorama.
    Not sure how to check from within the PA's, but we didn't change anything

  • Make sure that a self-signed certificate has been generated on Panorama.
    Did not exist. Would an expired cert still show in the certificates listing? Could it have worked without one? I have now tried creating self-signed certs, but the FW's still show the following in the System Log:

    "Failed to establish SSL connection to Panorama
    Server: Port: 3978 Retry: 2204000"

  • Confirm the serial number configured in Panorama (case sensitive).
    Correct

  • If a permitted IP list is configured for the management interface, make sure that Panorama IP is allowed in the list. By default, it will allow all IPs if a list is not specified.
    Correct

  • Make sure Panorama is on a version greater than or equal to that of the managed devices. Panorama can manage devices running supported PAN-OS versions of the same or a lower release.
    Verified all are at 6.1.7

  • Check MTU settings on the managed device, as the value may need to be reduced. If a device on the path is fragmenting packets, communication from Managed Device to Panorama will not succeed.
    1500 all around, no network changes

  • Verify that there is not a large time difference between the clock (Date/Time) on Panorama and the clock (Date/Time) on the managed device.
    Verified, all are at the same time.


The cert instructions don't really show what we have in 6.1.7; they all seem to be for version 7 now. I may very well not have done the correct option on the certs. I have created a self-signed cert on the Panorama and imported it to the firewalls, and created certs on the FW's and imported them onto the Panorama.
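As an added example for this thread (not part of the original post and not Palo Alto Networks code), the script below turns the checklist above into small, testable functions and parses the System Log message quoted in the post. The function names, the constructed sample log lines, the 300-second clock-skew tolerance and the `probe_panorama()` approach (plain TCP connect plus an unverified TLS handshake from an admin host) are assumptions of this example, not documented product behaviour.

```python
"""
Triage helper for the firewall-to-Panorama management channel (TCP 3978).
Added example, not Palo Alto Networks code: it encodes the thread's checklist
as testable functions and parses the System Log message quoted there.
"""
import ipaddress
import re
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Matches the System Log text quoted in the post; the Server field may be
# empty, exactly as it appears there.
SSL_FAIL_RE = re.compile(
    r"Failed to establish SSL connection to Panorama\s+"
    r"Server:\s*(?P<server>\S*?)\s*Port:\s*(?P<port>\d+)\s+Retry:\s*(?P<retry>\d+)"
)


@dataclass
class SslFailure:
    server: str   # empty string when the log line carries no server address
    port: int
    retry: int


def parse_ssl_failure(line: str) -> Optional[SslFailure]:
    """Return the structured failure if `line` is the Panorama SSL error, else None."""
    m = SSL_FAIL_RE.search(" ".join(line.split()))  # collapse line breaks/spacing
    if not m:
        return None
    return SslFailure(m["server"], int(m["port"]), int(m["retry"]))


def version_tuple(v: str) -> tuple:
    """'6.1.7' -> (6, 1, 7); a hotfix suffix such as '-h3' is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def version_ok(panorama: str, device: str) -> bool:
    """Panorama must run the same or a newer release than the managed device."""
    return version_tuple(panorama) >= version_tuple(device)


def panorama_allowed(permitted_ips: list, panorama_ip: str) -> bool:
    """An empty permitted-IP list means 'allow all'; otherwise Panorama must be listed."""
    if not permitted_ips:
        return True
    addr = ipaddress.ip_address(panorama_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in permitted_ips)


def clock_skew_ok(fw_time: datetime, panorama_time: datetime, max_seconds: int = 300) -> bool:
    """Assumed tolerance (not a documented limit): flag clocks > max_seconds apart."""
    return abs((fw_time - panorama_time).total_seconds()) <= max_seconds


def evaluate_checklist(facts: dict) -> list:
    """Return the names of checklist items that fail for the given facts."""
    failed = []
    if not facts.get("ip_reachable", False):
        failed.append("ip_connectivity")
    if not facts.get("serial_matches", False):
        failed.append("serial_number")
    if not facts.get("panorama_cert_present", False):
        failed.append("panorama_certificate")
    if not version_ok(facts["panorama_version"], facts["device_version"]):
        failed.append("version")
    if not panorama_allowed(facts.get("permitted_ips", []), facts["panorama_ip"]):
        failed.append("permitted_ip_list")
    if facts.get("device_mtu", 1500) > facts.get("path_mtu", 1500):
        failed.append("mtu")
    if not clock_skew_ok(facts["fw_time"], facts["panorama_time"]):
        failed.append("clock")
    return failed


def probe_panorama(host: str, port: int = 3978, timeout: float = 5.0) -> dict:
    """Live check from an admin host: does TCP 3978 answer and complete a TLS handshake?
    Verification is disabled on purpose: the channel uses device-specific certificates
    and the goal is only to see whether the port answers, not to trust the peer."""
    result = {"tcp": False, "tls": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                result["protocol"] = tls.version()
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed sample, reproducing the message quoted in the post.
    sample = "Failed to establish SSL connection to Panorama\nServer: Port: 3978 Retry: 2204000"
    print(parse_ssl_failure(sample))
```

Feeding the poster's own answers into `evaluate_checklist()` (connectivity good, serial correct, no permitted-IP list, everyone on 6.1.7, MTU 1500, clocks in sync, no Panorama certificate) leaves only `panorama_certificate` failing, which is why the certificate item is the one to keep digging into before running the live probe against the real Panorama address.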

Accepted Solutions

L1 Bithead

OK, it has been fixed. The problem appears to have been the reach-back to Palo Alto to verify the new threat license that was needed (the old one had expired). The new license was installed, but we still had no connectivity between the Panorama and the FW's. It was noticed by another team trying to help me that our App + Threat version was pretty old, and the fix to bypass the online requirement was pushed through Apps. Updated the Apps and we are now connected again.

