PA-FW Update getting Fail

cancel
Showing results for 
Search instead for 
Did you mean: 

PA-FW Update getting Fail

Not applicable

Dear Experts,

We have PA-FW getting fail during the Update. Firewall has three zones: Inside,Outside and DMZ.

Management IP address of PA-FW is passing through Inside zone of the PA-FW. Management interface of the FW has the gateway on the core switch and core-switch has the default gateway of the Inside zone interface.

In the traffic logs.. The connections are incomplete.

Please advice how to fix it.

Thank you

5 REPLIES 5

L4 Transporter

Hello

Despite the root cause of your problem You can use alternative way of upgrading from CLI.

Here You have doc's :

Is it possible to upgrade from the command line while using a console session?

https://live.paloaltonetworks.com/docs/DOC-5170

Because you have PAN OS downloaded so the first doc should be enought.

If now - probably You have to open support ticket.

Regards

Slawek

L7 Applicator

Hello Parvez,

Step-1: Could you please apply CLI command > tail follow yes mp-log ms.log ------ while trying to get updates. It should give you more insight about this failure.

Step-2: You may try to do an "nslookup"  for update server.

Step-3: you can check the real time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_MGMT-INTERFACE destination IP_ADD_OF_THE_UPDATE_SERVER' --- collect the session ID from this command


Apply CLI command >show session id xyz. to get detail information i.e NAT rule, C-S and S-C  flow( C-Client, S-server) etc.


Hope this helps.


Thanks

I forget to mention that CLI in thats situation mean CLI by management serial port (RS232)

Below is the output.

admin@PA-(active)> show session all filter source 10.20.65.1

--------------------------------------------------------------------------------

ID Application    State   Type Flag Src[Sport]/Zone/Proto (translated IP[Port])

Vsys Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

116506       undecided ACTIVE  FLOW  NS   10.20.65.1[36490]/Inside/6 (80.50.158.252[62521])

vsys1 199.167.52.13[443]/Internet  (199.167.52.13[443])

admin@PA-(active)> show session id 116506

Session 116506

        c2s flow:

source:      10.20.65.1 [Inside]

dst:         199.167.52.13

proto:       6

sport: 36490 dport:      443

state: INIT type:       FLOW

src user:    e-j\i

dst user:    unknown

        s2c flow:

source:      199.167.52.13 [Internet]

dst:         80.50.158.252

proto:       6

sport:       443 dport:      62521

state: INIT type:       FLOW

src user:    unknown

dst user:    e-j\i

        start time : Wed Jun 11 14:17:58 2014

        timeout : 10 sec

        total byte count(c2s)         : 222

        total byte count(s2c)         : 390

        layer7 packet count(c2s)      : 3

        layer7 packet count(s2c)      : 5

vsys : vsys1

application : incomplete

rule : For PA-Updates

        session to be logged at end   : True

        session in session ager       : False

        session synced from HA peer   : False

        address/port translation      : source + destination

nat-rule : TMG-NAT(vsys1)

        layer7 processing : enabled

        URL filtering enabled         : False

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface : ethernet1/2

        egress interface : ethernet1/1

        session QoS rule : N/A (class 4)

        tracker stage firewall        : Aged out

admin@PA-(active)>

L7 Applicator

Search the logs for the update errors on this list.

Updater Error Codes

Once you identify the error, search that error in the document section here for the remediation steps.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!