Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
05-14-2015 05:06 AM
Hello
I get this error message from the passive Firewall in HA Mode. I verify in "Service options" that the "management interface" is in use. From CLI I can reach "s0000.urlcloud.paloaltonetworks.com"
ES2PA5050FW02(passive)> ping host s0000.urlcloud.paloaltonetworks.com
PING s0000.urlcloud.paloaltonetworks.com (50.18.116.114) 56(84) bytes of data.
64 bytes from s0204.urlcloud.paloaltonetworks.com (50.18.116.114): icmp_seq=1 ttl=37 time=185 ms
64 bytes from s0204.urlcloud.paloaltonetworks.com (50.18.116.114): icmp_seq=2 ttl=37 time=185 ms
And license is ok too.
ES2PA5050FW02(passive)> show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2015.05.13.402
URL protocol version - device : pan/0.0.2
Could some one help?
Gonzalo Arroyo
05-14-2015 06:27 AM
Hi Gonzalo,
I would suggest you run a tcpdump to verify TCP connectivity between firewall and server.
Example: > tcpdump filter "src 50.18.116.114 or dst 50.18.116.114"
Once you've initiated the tcpdump initiate traffic with the server
Example you can try redownloading pan-db url
To view pcaps run > view-pcap mgmt.-pcap mgmt.pcap or > view-pcap no-dns-lookup yes mgmt.-pcap mgmt.pcap
Use the following doc to assist you in running tcpdump and also will show how to export the pcaps
05-14-2015 07:01 AM
Also confirm that the security policies permit the download as outlined here.
PAN-DB Error: URL Database Download Failed
05-18-2015 08:11 AM
Hi both
I checked there is no problem with the security policies, they allow the connection for pan-db-cloud.
I'm not sure what to filter in packet-capture. Whay stage do I need to select? receive, drop, firewall, transmit?
best regards
Gonzalo Arroyo
05-18-2015 08:29 AM
Gonzalo
You can use the management IP address as a source for the packet capture, if you use the default service route settings. also, you can check the logs in mp-log devsrv.log
Amjad
05-19-2015 06:17 AM
I checked the log you said and this is the results.
@ES2PA5050FW02(passive)> tail mp-log devsrv.log
parent allocator usage
parent allocator usage
malloc current usage 155117720 max. usage 383293567
alloc 90340 times, free 90251 times, small alloc 0, small free 0, big alloc 90340, big free 90251
alloc usage 155117720 max. usage 383293567
sz alloc usage 101643616 max. usage 356468761
sz alloc usage 77298553 max. usage 351025693
sz alloc usage 69193386 max. usage 347983010
usage 451408 max. allowed 52428800
2015-05-19 14:30:15.945 +0200 Update URL was completed for passive peer.
acuntia@ES2PA5050FW02(passive)>
For packet capturing I'm using the management ip but I still has doubts. What stage do I need to select? receive, drop, firewall, transmit?
Best regards
Gonzalo
05-19-2015 07:09 AM
From the logs it looks like it was completed sucessfully
2015-05-19 14:30:15.945 +0200 Update URL was completed for passive peer.
For the packet capture, becauee you are using the default service route using the mgmt interface, then you need to do this fro cli, please check this document for more details:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
