04-10-2014 07:35 PM
I have upgraded several devices from 5.0.8, but of course the last one has to give me grief. Since upgrading from 5.0.8 to 6.0.1, I can no longer ssh or https to the management port (or any other interface on the firewall). The only way I can get on the box is to ssh to a router that is directly connected, then ssh from there to the firewall (PA3020). Once I got on there I did restart it again for good measure but nothing changed. Verified there is no asymmetric routing issue and verified with "show deviceconfig system service" that https is not disabled. I also changed http to not disabled and I can't access it even through http, so it's not protocol specific or certificate related etc. Nothing else has changed, just a routine upgrade like every other site, but I'm getting stumped for ideas. I spent 2+ hours on the phone with TAC and got nowhere, now waiting for the next tier, so I thought I would throw it out there to the community in case someone has come across this scenario.
04-10-2014 10:26 PM
I tried to revert back to 5.0.8 and the problem persisted. I then took down our MPLS and failed over to a secondary connection, same problem. Luckily I managed to be put in contact with Patrick at Palo Alto who was working night shift and this guy was brilliant! He identified a bug in 6.0.1 that only applies to the 3000 series PANs. The fix should be out in 6.0.2 or 6.0.3 but if anyone else runs into this, the command you need to run (which is not in your config) is:
debug dataplane fpga set sw_aho yes
This command does not survive a reboot, so when we upgraded to 6.0.1 and rebooted, we had to enter that command again. I'm back up and running and thanks to Patrick I won't be pulling an all-nighter. BIG GOLD STAR!
03-09-2017 08:03 AM
Do you have a mgmt access or console to the device?
03-09-2017 08:29 AM
Yeah, and I can ping it. SSH is listening but HTTPS doesn't seem to be. How do I confirm it's listening on the device itself?
03-09-2017 08:38 AM - edited 03-09-2017 09:02 AM
I think this should help:
> show config running | match disable
# show deviceconfig system service
03-09-2017 09:17 AM
Thanks man, I will try it tomorrow