No management access https since upgrading to 6.0.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

No management access https since upgrading to 6.0.1

Not applicable

I have upgraded several devices from 5.0.8, but of course the last one has to give me grief. Since upgrading from 5.0.8 to 6.0.1, I can no longer ssh or https to the management port (or any other interface on the firewall). The only way I can get on the box is to ssh to a router that is directly connected, then ssh from there to the firewall (PA3020). Once I got on there I did restart it again for good measure but nothing changed. Verified there is no asymmetric routing issue and verified "show deviceconfig system service" that https is not disabled. I also changed http to not disabled and I can't access it even through http so it's not protocol specific or certificate related etc....Nothing else has changed, just a routine upgrade like every other site, but I'm getting stumped for ideas. I spend 2+ hours on the phone with TAC and got nowhere, now waiting for the next tier....so thought I would throw it out there to the community in case someone has come across this scenario.

6 REPLIES 6

Not applicable

I tried to revert back to 5.0.8 and the problem persisted. I then took down our MPLS and failed over to a secondary connection, same problem. Luckily I managed to be put in contact with Patrick at Palo Alto who was working night shift and this guy was brilliant! He identified a bug in 6.0.1 that only applies to the 3000 series PAN's. The fix should be out in 6.0.2 or 6.0.3 but if anyone else runs into this, the command you need to run (which is not in your config) is:

debug dataplane fpga set sw_aho yes

This command does not survive a reboot so when we upgraded to 6.0.1 and rebooted, we had to enter that command again. I'm back up and running and thankfully to Patrick I won't be pulling an all nighter. BIG GOLD STAR!

L1 Bithead

I reset my PA-200 to factory default and i lost access through https, how do i re-enable it from the CLI

yeah and i can ping it, ssh is listenning but https doesnt seem to, how do i confirm it's listening on the device it's self ?

l think this should help:

 

> show config running | match disable

 

or configure

 

# show deviceconfig system service

 

service {
disable-telnet yes;
disable-http yes;
disable-https no;
disable-ssh no;
disable-snmp no;
disable-icmp no;

Thanks man, I will try it tomorrow

  • 7106 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!