PA-500 webserver crash

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-500 webserver crash

Not applicable

Hi,

Can someone please tell me how to troubleshoot extremely slow web reports? Logs are fine, but ACC and Monitoring -> App Scope items just keep loading and loading and loading and im basically locked out of management every time i click on a menu item for 30min atleast.

Error messages:
Server Not Responding
The server is not responding.  Please wait and try your operation again later.
Device:
PA-500 in HA mode
SW version 5.0.2
Thank you
1 accepted solution

Accepted Solutions

Not applicable

Figured it out - i had accidentally misconfigured a policy and firewall mgmt port didnt have access to the internet. Fixed the policy and now everything is working as it should - apparently, if the service routes dont have access to the internet (DNS probably), you will have serious issues when trying to view the ACC tab.

There really should be a warning about misconfigured service routes - frozen device is not cool.

View solution in original post

8 REPLIES 8

L6 Presenter

what's 'show system resources' indicating? are you logging all sec policies and possibly have a deny catch all rule being logged? what is iowait times looking like? provide 'show system files' and 'show system resources' output. also, is this occurring on all browsers? (ie,ff, chrome, etc)    

Hello,

I had a similar issue with 5.0.1.

The CPU average was normal with BUT I received a very high value for the IOWAIT.

I upgraded the PA 500 (in my lab) to 5.0.2 and the problem seems to be gone for the moment...

Regards

HA

Not applicable

Thank you for the responses. Dont know whats wrong with it, tried "request restart software" in the console, which should, atleast in my knowleadge, only restart management plane and not disrupt the network - the entire network died and i ended up pulling the plug and letting HA peer take over the traffic.

Will plug it back in later today and see if it will behave now.

Not applicable

Put the HA peer 1 back into the network and its operating nicely as a passive device.

On the HA peer 2 (currently active) when i try to look at ACC->threat level, the entire device hangs and i have to wait for several timeout errors before i can use the device normally again.

bricked1.jpg

Tried the "show system resources" before and after clicking on a threat level and its so hung that it doesnt even show them.

I have 20 rules and all have logging at session end on. It shows 12h at the top, but since i thought it might be a log issue, i deleted all the logs and noon today - there cant be that many logs to basically brick the device for a while.

I'm using IE 9.

bricked2.jpg


Don't see any anomalies via sys resources output. are you seeing the same unresponsive behavior with other browsers or specifically only with IE9? do you have any core files generated? '>show system files' would provide an indication if there were any generated by the system. That being said, it would behoove us to take a look at your issue with a live debug session. We can take a closer look. Please contact PAN Support or your Authorized Service Center so we can begin investigating this issue.


There cant be any anomalies in the resources output, because thats pre log .... it doesnt show any output from the show system resources command when its hung on the logs (just like in the putty window - it justs waits).

show system files (after several problems)

/var/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jan 18 10:44 crashinfo

/var/cores/crashinfo:
total 0

/opt/dpfs/var/cores/:
total 4.0K
drwxrwxrwx 2 root root 4.0K Jan 18 10:47 crashinfo

/opt/dpfs/var/cores/crashinfo:
total 0

It doesnt also work with chrome - same issues.

bricked4.jpg

How do i get into the "live debug" session with my fw?

Not applicable

Figured it out - i had accidentally misconfigured a policy and firewall mgmt port didnt have access to the internet. Fixed the policy and now everything is working as it should - apparently, if the service routes dont have access to the internet (DNS probably), you will have serious issues when trying to view the ACC tab.

There really should be a warning about misconfigured service routes - frozen device is not cool.

Hello Gert,

Is the cluster of PA 500 stable now ?

I plan to upgrade some cluster in 5.0.2...

Regards,

HA

  • 1 accepted solution
  • 4975 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!