05-22-2022 08:15 PM - edited 05-22-2022 08:15 PM
We're trying to bring up these units, two PA-440s.
They are in an HA pair, both tied to the same management switch, and both can ping/trace to updates.paloaltonetworks.com as described in this article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP1RCAW
However, the second unit can't retrieve its licenses (I had to manually upload the files) and can't get content updates (similar error, "Failed to check Content content upgrade info due to Unknown error. Please check network connectivity and try again").
I've opened a support ticket but have not yet heard back. Any suggestions?
05-23-2022 09:33 AM
Confirm that the mgmt interface on the secondary FW has its default gateway pointing either downstream to your L3 switch, or to the Primary PANW FW (if this is how your network is configured).
Look at the Traffic Logs on the Primary FW to see if you see the SrcAddress of the mgmt IP Secondary FW passing through the Primary FW (because the primary should be seeing all traffic from inside the network, including the mgmt IP of the secondary FW, right?)
From the CLI on the secondary FW, can you "ping host updates.paloaltonetworks.com"?
Confirm DNS is configured correctly.
05-23-2022 09:35 AM - edited 05-23-2022 09:37 AM
I've confirmed the gateway is set correctly, DNS is working, and I can ping/trace updates.paloaltonetworks.com without any issues.
I see the traffic on my regular firewall as it's going out to the internet to hit updates.paloaltonetworks.com and it's being passed, as well as getting a response from updates.paloaltonetworks.com.
I just still get the error on retrieving licensing, or trying to check dynamic updates, or check software updates.
05-23-2022 02:45 PM
Hello,
Check the logs on the active PAN to see which policy it's hitting when attempting to get updates/licenses. Only a guess, but it's getting blocked or decrypted.
Regards,
05-23-2022 02:46 PM
There are no logs for the management interface, and like I said above, I can see the traffic leaving our network on our corporate firewall, and see replies.
05-27-2022 01:14 PM
In case this happens to anyone else, I had to uncheck "Verify Update Server Identity" in Device settings, and that somehow magically fixed all the issues.
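
A successful ping or trace only shows the update server is reachable; "Verify Update Server Identity" depends on the TLS certificate chain the management path actually presents. The sketch below is an added example, not part of the original thread or any Palo Alto tooling: it summarizes `openssl s_client` output so you can see whether the chain validates and who issued the certificate before turning verification off. It assumes a host with OpenSSL on the same management subnet (whose trust store may differ from the firewall's), and the sample output and CA name in it are constructed.

```python
import re
import subprocess

HOST = "updates.paloaltonetworks.com"  # update server named in the thread

# Constructed sample of `openssl s_client` output as it might look when a
# device on the path re-signs the connection; the CA name is made up.
SAMPLE_INTERCEPTED = """\
depth=1 O = Example Corp, CN = Example Inspection CA
verify error:num=19:self-signed certificate in certificate chain
---
Server certificate
subject=CN = updates.paloaltonetworks.com
issuer=O = Example Corp, CN = Example Inspection CA
---
Verify return code: 19 (self-signed certificate in certificate chain)
"""


def fetch_handshake(host=HOST, port=443, timeout=15):
    """Attempt a TLS handshake from this host and return openssl's text output."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host]
    proc = subprocess.run(cmd, input="", capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout + proc.stderr


def summarize(output):
    """Pull the chain-validation result and issuer out of s_client output."""
    code = re.search(r"Verify return code: (\d+) \((.*?)\)", output)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    return {
        # No "Verify return code" line means TLS never completed
        # (blocked, reset, or not speaking TLS on that port).
        "handshake_seen": code is not None,
        # Code 0 means the chain validated against this host's CA store.
        "chain_ok": bool(code) and code.group(1) == "0",
        "verify_reason": code.group(2) if code else "no TLS handshake completed",
        # An unexpected issuer points at TLS inspection on the path.
        "issuer": issuer.group(1).strip() if issuer else None,
    }


if __name__ == "__main__":
    print(summarize(fetch_handshake()))
```

If `chain_ok` is false or the issuer is an internal CA, the usual remedy is to exempt the management traffic from decryption upstream and leave the verification setting enabled.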