HA pair, first unit has no issue getting licenses, second one "failed to fetch licenses. failed to get license info."


L1 Bithead

We're trying to bring up these units, two PA-440s.

 

They are in an HA pair, both tied to the same management switch, and both can ping/trace to updates.paloaltonetworks.com as described in this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP1RCAW

 

However, the second unit can't retrieve its licenses (I had to manually upload the files) and can't get content updates (similar error, "Failed to check Content content upgrade info due to Unknown error. Please check network connectivity and try again").

 

I've opened a support ticket but have not yet heard back. Any suggestions?


Accepted Solutions

In case this happens to anyone else, I had to uncheck "Verify Update Server Identity" in device settings, and that magically fixed all the issues.

Cyber Elite

Confirm that the mgmt interface on the secondary FW has its default gateway pointing either downstream to your L3 switch, or to the Primary PANW FW (if this is how your network is configured).

Look at the Traffic Logs on the Primary FW to see if you see the SrcAddress of the mgmt IP of the Secondary FW passing through the Primary FW (because the primary should be seeing all traffic from inside the network, including the mgmt IP of the secondary FW, right?)

From the CLI on the secondary FW, can you "ping host updates.paloaltonetworks.com"?
Confirm DNS is configured correctly.

Please help out other users and “Accept as Solution” if a post helps solve your problem!

I've confirmed the gateway is set correctly, DNS is working, and I can ping/trace updates.paloaltonetworks.com without any issues. 

I see the traffic on my regular firewall as it's going out to the internet to hit updates.paloaltonetworks.com and it's being passed, as well as getting a response from updates.paloaltonetworks.com.

I just still get the error on retrieving licensing, or trying to check dynamic updates, or check software updates.

Cyber Elite

Hello,

Check the logs on the active PAN to see which policy it's hitting when attempting to get updates/licenses. Only a guess, but it's getting blocked or decrypted.

Regards,

There are no logs for the management interface, and like I said above, I can see the traffic leaving our network on our corporate firewall, and see replies. 

