06-10-2014 03:10 AM
Dear Experts,
We have a PA-FW that is failing during the update. The firewall has three zones: Inside, Outside and DMZ.
The management IP address of the PA-FW passes through the Inside zone of the PA-FW. The management interface of the FW has its gateway on the core switch, and the core switch has the default gateway of the Inside zone interface.
In the traffic logs, the connections are incomplete.
Please advise how to fix it.
Thank you
06-10-2014 07:50 AM
Hello
Regardless of the root cause of your problem, you can use an alternative way of upgrading, from the CLI.
Here are the docs:
Is it possible to upgrade from the command line while using a console session?
https://live.paloaltonetworks.com/docs/DOC-5170
Because you have PAN-OS downloaded, the first doc should be enough.
If not, you will probably have to open a support ticket.
Regards
Slawek
06-10-2014 08:43 AM
Hello Parvez,
Step-1: Could you please run the CLI command > tail follow yes mp-log ms.log while trying to get updates? It should give you more insight into this failure.
Step-2: You may try to do an "nslookup" for the update server.
Step-3: You can check the real-time session in the CLI by using 'show session all filter source IP_ADD_OF_THE_MGMT-INTERFACE destination IP_ADD_OF_THE_UPDATE_SERVER' and collect the session ID from this command.
Apply the CLI command > show session id xyz to get detailed information, i.e. NAT rule, C-S and S-C flow (C-client, S-server), etc.
Hope this helps.
Thanks
06-10-2014 12:06 PM
I forgot to mention that CLI in that situation means CLI via the management serial port (RS232).
06-11-2014 05:54 AM
Below is the output.
admin@PA-(active)> show session all filter source 10.20.65.1
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
116506 undecided ACTIVE FLOW NS 10.20.65.1[36490]/Inside/6 (80.50.158.252[62521])
vsys1 199.167.52.13[443]/Internet (199.167.52.13[443])
admin@PA-(active)> show session id 116506
Session 116506
c2s flow:
source: 10.20.65.1 [Inside]
dst: 199.167.52.13
proto: 6
sport: 36490 dport: 443
state: INIT type: FLOW
src user: e-j\i
dst user: unknown
s2c flow:
source: 199.167.52.13 [Internet]
dst: 80.50.158.252
proto: 6
sport: 443 dport: 62521
state: INIT type: FLOW
src user: unknown
dst user: e-j\i
start time : Wed Jun 11 14:17:58 2014
timeout : 10 sec
total byte count(c2s) : 222
total byte count(s2c) : 390
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 5
vsys : vsys1
application : incomplete
rule : For PA-Updates
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
address/port translation : source + destination
nat-rule : TMG-NAT(vsys1)
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/2
egress interface : ethernet1/1
session QoS rule : N/A (class 4)
tracker stage firewall : Aged out
admin@PA-(active)>
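A small parser for the show session id output above, added here as an example and not part of the original thread or of any Palo Alto Networks tooling. It pulls out the fields worth comparing when a session shows application incomplete: flow states, per-direction packet and byte counts, the NAT rule, and the translated address the replies are sent to. The function names and result keys are this example's own, and the sample text is constructed from lines of the posted output.

```python
import re

# Constructed sample: selected lines from the "show session id" output posted above.
SAMPLE = """\
c2s flow:
source: 10.20.65.1 [Inside]
dst: 199.167.52.13
state: INIT type: FLOW
s2c flow:
source: 199.167.52.13 [Internet]
dst: 80.50.158.252
state: INIT type: FLOW
total byte count(c2s) : 222
total byte count(s2c) : 390
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 5
application : incomplete
address/port translation : source + destination
nat-rule : TMG-NAT(vsys1)
"""

def parse_session(text):
    """Return {'c2s': {...}, 's2c': {...}, 'global': {...}} from session detail text."""
    out = {"c2s": {}, "s2c": {}, "global": {}}
    flow = None
    for line in text.splitlines():
        head = re.match(r"\s*(c2s|s2c) flow:", line)
        glob = re.match(r"\s*(.+?)\s+:\s+(.*\S)\s*$", line)
        if head:
            flow = head.group(1)
        elif glob:                      # "key : value" lines describe the whole session
            out["global"][glob.group(1)] = glob.group(2)
        elif flow:                      # "key: value" pairs, possibly two per line
            out[flow].update(re.findall(r"(\w+):\s+(\S+)", line))
    return out

def triage(sess):
    """Summarise the fields that matter when a session shows as 'incomplete'."""
    g = sess["global"]
    pkts = {d: int(g[f"layer7 packet count({d})"]) for d in ("c2s", "s2c")}
    byts = {d: int(g[f"total byte count({d})"]) for d in ("c2s", "s2c")}
    return {
        "incomplete": g.get("application") == "incomplete",
        "both_flows_init": all(sess[d].get("state") == "INIT" for d in ("c2s", "s2c")),
        "replies_seen": pkts["s2c"] > 0,   # server-side packets did reach the firewall
        "avg_bytes": {d: byts[d] // pkts[d] if pkts[d] else 0 for d in pkts},
        "nat": (g.get("address/port translation"), g.get("nat-rule")),
        # Address the replies are sent to; the inside host must be reachable behind it.
        "reply_dst": sess["s2c"].get("dst"),
    }
```

On the posted session this reports replies arriving at the firewall, both flows still in INIT, and an average of under 80 bytes per packet in each direction, which is consistent with a connection that never got as far as application data.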
06-22-2014 07:29 AM
Search the logs for the update errors on this list.
Once you identify the error, search that error in the document section here for the remediation steps.