FWs not sending logs to Panorama, logs show constant disconnect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

FWs not sending logs to Panorama, logs show constant disconnect

L4 Transporter

Woes with RMA M-100 continue.  Sometime yesterday logs stopped showing up on our m-100 and no idea why.   It was working after we restored the configuration but stopped yesterday.  I can push policies to the FWs and as far as they can tell they are forwarding logs to Panorama but I simply don't see them there.  I cannot manage the firewalls from the PAN itself but they show as 'connected.'  It seems to be a registration or handshake issue between the panorama and all my firewalls.

 

We have a case open with support and of course they got no idea why its happening.  I swear PA support is the absolute worst and although they make a good product it completely blows when it doesn't work because its almost impossible to find out on your own or with their support why its not working right.  

 

Has anyone seen this problem before?   If so what was the fix? 

1 accepted solution

Accepted Solutions

Welp PA support managed to figure this out.  The issue was when we RMA'd the m-100 and imported the configuration the serial number for the log-collector changed and therefore it stopped showing the logs eventhough the FWs were sending them.  What is odd is the 'log-collector' is the PANORAMA itself and we had to re-import the configuration to get back to square 1.  It took PA 3 weeks to figure this out and I caution anyone who has a Panorama to tread lightly if and when it dies and you have to RMA it.  

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Well now... support are humans as well, and do not think it is fair to say they are the worst.

I can tell you that I personally had seen/occured worst support from other vendors as compared to PANW.

 

Anyways... can you confirm that you have seen/viewed this topic:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFCCA0

 

It talks about when the FW and Panorama lose their sequence numbers.  This has personally happened to me, when I corrupted my virtual Panorama and just installed a new one.  The sequence numbers were not the same, and the FWs would not forward correctly.

 

Good luck and let me know... keep me the loop, as the Live website here has other commands for how to force the resynch, but do not know if this is your issue.  Take it troubleshooting step at a time.

 

 

Help the community: Like helpful comments and mark solutions

I saw that article along with every other PAN tech document regarding this and none of it fixed our issue. Going on 2 weeks with no resolution from PAN support and having it escalated.  I know they are human but we aren't paying a grip for these as well as support to not get resolutions to our problems.  We are going on a month of issues with our M-100 and still aren't where we were prior to having these issues.  I don't anyone that would be ok with this, would you? 

Welp PA support managed to figure this out.  The issue was when we RMA'd the m-100 and imported the configuration the serial number for the log-collector changed and therefore it stopped showing the logs eventhough the FWs were sending them.  What is odd is the 'log-collector' is the PANORAMA itself and we had to re-import the configuration to get back to square 1.  It took PA 3 weeks to figure this out and I caution anyone who has a Panorama to tread lightly if and when it dies and you have to RMA it.  

Not sure if they've earned the "worst" title yet, but Palo TAC is pretty bad on average.  Of course they have qualified techs, but it's pretty hit or miss across products/features. 

  • 1 accepted solution
  • 6273 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!