PAN-DB download: Failed.

Showing results for 
Search instead for 
Did you mean: 

PAN-DB download: Failed.

L4 Transporter


I get this error message from the passive Firewall in HA Mode. I verify in "Service options" that the "management interface" is in use. From CLI I can reach ""

ES2PA5050FW02(passive)> ping host

PING ( 56(84) bytes of data.

64 bytes from ( icmp_seq=1 ttl=37 time=185 ms

64 bytes from ( icmp_seq=2 ttl=37 time=185 ms

And license is ok too.

ES2PA5050FW02(passive)> show url-cloud status

PAN-DB URL Filtering

License :                          valid                                  

Cloud connection :                 not connected                          

URL database version - device :    2015.05.13.402                         

URL protocol version - device :    pan/0.0.2                             

Could some one help?

Gonzalo Arroyo


L3 Networker

Hi Gonzalo,

I would suggest you run a tcpdump to verify TCP connectivity between firewall and server.

Example: >  tcpdump filter "src or dst"

Once you've initiated the tcpdump initiate traffic with the server

Example you can try redownloading pan-db url

To view pcaps run >  view-pcap mgmt.-pcap mgmt.pcap or > view-pcap no-dns-lookup yes mgmt.-pcap mgmt.pcap

Use the following doc to assist you in running tcpdump and also will show how to export the pcaps

How To Packet Capture (tcpdump) On Management Interface

L7 Applicator

Also confirm that the security policies permit the download as outlined here.

PAN-DB Error: URL Database Download Failed

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Hi both

I checked there is no problem with the security policies, they allow the connection for pan-db-cloud.

I'm not sure what to filter in packet-capture. Whay stage do I need to select? receive, drop, firewall, transmit?

best regards

Gonzalo Arroyo


You can use the management IP address as a source for the packet capture, if you use the default service route settings. also, you can check the logs in mp-log devsrv.log


I checked the log you said and this is the results.

@ES2PA5050FW02(passive)> tail mp-log devsrv.log

parent allocator usage

parent allocator usage

malloc current usage 155117720 max. usage 383293567

alloc 90340 times, free 90251 times, small alloc 0, small free 0, big alloc 90340, big free 90251

alloc usage 155117720 max. usage 383293567

sz alloc usage 101643616 max. usage 356468761

sz alloc usage 77298553 max. usage 351025693

sz alloc usage 69193386 max. usage 347983010

usage 451408 max. allowed 52428800

2015-05-19 14:30:15.945 +0200 Update URL was completed for passive peer.


For packet capturing I'm using the management ip but I still has doubts. What stage do I need to select? receive, drop, firewall, transmit?

Best regards


From the logs it looks like it was completed sucessfully

2015-05-19 14:30:15.945 +0200 Update URL was completed for passive peer.

For the packet capture, becauee you are using the default service route using the mgmt interface, then you need to do this fro cli, please check this document for more details:

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!