No management access https since upgrading to 6.0.1

Not applicable

I have upgraded several devices from 5.0.8, but of course the last one has to give me grief. Since upgrading from 5.0.8 to 6.0.1, I can no longer ssh or https to the management port (or any other interface on the firewall). The only way I can get on the box is to ssh to a router that is directly connected, then ssh from there to the firewall (PA3020). Once I got on there I did restart it again for good measure but nothing changed. Verified there is no asymmetric routing issue and verified with "show deviceconfig system service" that https is not disabled. I also changed http to not disabled and I can't access it even through http, so it's not protocol specific or certificate related etc. Nothing else has changed, just a routine upgrade like every other site, but I'm getting stumped for ideas. I spent 2+ hours on the phone with TAC and got nowhere, now waiting for the next tier... so thought I would throw it out there to the community in case someone has come across this scenario.

Not applicable

I tried to revert back to 5.0.8 and the problem persisted. I then took down our MPLS and failed over to a secondary connection, same problem. Luckily I managed to be put in contact with Patrick at Palo Alto who was working night shift and this guy was brilliant! He identified a bug in 6.0.1 that only applies to the 3000 series PANs. The fix should be out in 6.0.2 or 6.0.3, but if anyone else runs into this, the command you need to run (which is not in your config) is:

debug dataplane fpga set sw_aho yes

This command does not survive a reboot, so when we upgraded to 6.0.1 and rebooted, we had to enter that command again. I'm back up and running and thanks to Patrick I won't be pulling an all-nighter. BIG GOLD STAR!

L1 Bithead

I reset my PA-200 to factory default and I lost access through https. How do I re-enable it from the CLI?

L6 Presenter

L1 Bithead

Yeah, and I can ping it. ssh is listening but https doesn't seem to be. How do I confirm it's listening on the device itself?

L6 Presenter

I think this should help:

> show config running | match disable

or configure

# show deviceconfig system service

service {
disable-telnet yes;
disable-http yes;
disable-https no;
disable-ssh no;
disable-snmp no;
disable-icmp no;
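
A small check for output in the format shown above, added here as an example and not part of the original posts: it parses the `disable-<service> yes|no;` lines (where `no` means the service is enabled) and reports whether HTTPS and SSH are enabled and whether cleartext HTTP or telnet have been left on. The function names and the sample text are constructed for illustration, and a service with no line in the output is treated as not confirmed enabled (an assumption).

```python
import re

# Constructed sample: the block as posted above, closing brace missing.
SAMPLE = """\
service {
disable-telnet yes;
disable-http yes;
disable-https no;
disable-ssh no;
disable-snmp no;
disable-icmp no;
"""

CLEARTEXT = {"telnet", "http"}  # management protocols without encryption
REQUIRED = {"https", "ssh"}     # the services the thread is trying to reach

# Matches 'disable-<svc> yes;' or 'disable-<svc> no;' and ignores braces.
_LINE = re.compile(r"^\s*disable-([a-z0-9-]+)\s+(yes|no)\s*;?\s*$", re.I)


def parse_services(text):
    """Return {service: enabled} from 'disable-<svc> yes|no;' lines."""
    state = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            # Double negative: 'disable-x no' means the service is ENABLED.
            state[m.group(1).lower()] = m.group(2).lower() == "no"
    return state


def review(text):
    """Return (required_not_enabled, cleartext_enabled) as sorted lists."""
    state = parse_services(text)
    # Assumption: a service absent from the output counts as not enabled.
    missing = sorted(s for s in REQUIRED if not state.get(s, False))
    exposed = sorted(s for s in CLEARTEXT if state.get(s, False))
    return missing, exposed


if __name__ == "__main__":
    missing, exposed = review(SAMPLE)
    print("required but not enabled:", missing or "none")
    print("cleartext enabled:", exposed or "none")
```

A clean result only rules out the service settings; in the first post https was not disabled and the firewall was still unreachable. The second list catches the case from that post where http was switched on for testing and should be disabled again afterwards.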

L1 Bithead

Thanks man, I will try it tomorrow.
