I have an HA pair (active/passive) of PA3250s (no Panorama) and just recently upgraded to PanOS 10.0.6 from 9.1.9. I configured the device telemetry and downloaded the new certificates for both firewalls. Telemetry is working great on my primary firewall, however, the secondary is failing every time with the error code "CDL Receiver Key Empty". I have opened a support case but have not had much luck. We verified the location is set to "Americas" instead of "americas" and all of the other settings seem to match the working firewall. Has anyone else seen this before? I've attached a screenshot and the text from the email that is generated below.
receive_time: 2021/08/18 08:52:02
time_generated: 2021/08/18 08:52:02
opaque: Failed to send: file 'PA_016301001973_dt_10.0.6_20210817_1607_4-hr-interval_HOUR.tgz'.
I had the same issue on my passive firewall, active firewall does not have issues. Come to find out I had SSL Decryption policies that was preventing the traffic since the CA that Palo Alto is using for 'apitrusted.paloaltonetworks.com' is not a trusted CA (weird). I wasn't decrypting the traffic, just validating certificates. I downloaded the CA cert and imported and marked as "trusted ca". Things seem to be working now.
show log decryption dst in 188.8.131.52
2021/10/28 04:44:20 ssl Trust 48978 [INTERNAL-IP]
[RULE-NAME] allow Untrust 443 184.108.40.206
TLS1.2 ECDHE AES_256_GCM SHA384 No Decrypt
apitrusted.paloaltonetworks.com Palo Alto Networks Inc.-SJC-Ser
Untrusted issuer CA
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!