PAN URL DB not getting update.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN URL DB not getting update.

L3 Networker

Hi Team,

 

I have 3 firewalls in my different loctions, All 2 firewall URL Update version is up to date. Only one firewall is a lower version. 

 

Also, I identified lower version firewall having a different update server when I checked the show url-cloud-info command.

 

lower version update cloud server is: pdx1prod.urlcloud.paloaltonetworks.com

The higher version update cloud server is: serverlist.urlcloud.paloaltonetworks.com.

 

Kindly help me out to resolve this issue.

1 accepted solution

Accepted Solutions

Hi Team,

 

Issue resolved and please find the TAC solution below,


1. The URL-filter elect the cloud server:pdx1prod.urlcloud.paloaltonetworks.com
2. And the response is very slow during
show url-cloud status
test url www.google.com /www.yahoo.com
3. Change the mgmt to 1400 make some improvement during certificate exchange on small ISP path MTU.
Then the cloud server change to serverlist.urlcloud.paloaltonetworks.com
test url and response better now
ISSUS fixed.

 

Thank you all

 

Regards,

Vishnu Ps.

View solution in original post

20 REPLIES 20

Cyber Elite
Cyber Elite

Interesting.  PAN-DB should update every 5 minutes.  Did the issue, 16 hours later, correct itself?

What does Monitor > Logs > System ( subtype eq url-filtering ) show?

Did you mean the "show url-cloud status" command?

Since you see a cloud server, it sounds like the status of the cloud connection is "connected", could you confirm?

If you are connected and still do not have the latest version, you can manually request a download -> https://docs-new.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/troubleshoot-url-filteri... and see what happens.

If you are not connected, go here -> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/troubleshoot-url-filtering/p....

 

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

@VishnuPS 

 

Under Device services what is update server you have configured?

I have this updates.paloaltonetworks.com.

 

PA>show url-cloud status

PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20210823.20055
URL database version - cloud : 20210823.20055 ( last update time 2021/08/22 21:30:20 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

Hi Tom Yong,

 

Yes , it's showing connected only.

 

VishnuPS_0-1629695617192.png

Please find the ss for your reference. 

Hi MP18,

 

I have configured this updates.paloaltonetworks.com.

 

I getting below error in the system logs,

 

( description contains 'CURL ERROR: bind failed with errno 124: Address family not supported by protocol' )
from pohlye to everyone: 4:23 PM
and ( description contains 'CLOUD ELECTION: pdx1prod.urlcloud.paloaltonetworks.com IP: 66.232.32.12 was elected, measured alive test 1466481.' )

Hi , 

 

I getting this error logs from the device server.

 

URLPERF: MP pandb-cache-smart-clear-max-lru = 2500000
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.181 +0530 Cloud Connection Agent is starting...
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.182 +0530 PAN-DB engine is starting...
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.183 +0530 Warning:  pan_log_proxy(pan_priv_log.c:269): Elog being proxied
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.186 +0530 PAN-DB engine started.
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.187 +0530 Warning:  pan_log_proxy(pan_priv_log.c:269): Elog being proxied
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.191 +0530 Warning:  pan_hash_init(pan_hash.c:113): nbuckets 10240 is not power of 2!
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.191 +0530 Warning:  pan_hash_init(pan_hash.c:113): nbuckets 10240 is not power of 2!
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.515 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:34:33   2021-08-22 08:34:33.515 +0530 cfgagent register failed in try 1/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:34:38   2021-08-22 08:34:38.525 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:34:38   2021-08-22 08:34:38.525 +0530 cfgagent register failed in try 2/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:34:43   2021-08-22 08:34:43.535 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:34:43   2021-08-22 08:34:43.535 +0530 cfgagent register failed in try 3/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:34:48   2021-08-22 08:34:48.545 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:34:48   2021-08-22 08:34:48.545 +0530 cfgagent register failed in try 4/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:34:53   2021-08-22 08:34:53.555 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:34:53   2021-08-22 08:34:53.555 +0530 cfgagent register failed in try 5/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:34:58   2021-08-22 08:34:58.575 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:34:58   2021-08-22 08:34:58.575 +0530 cfgagent register failed in try 6/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:03   2021-08-22 08:35:03.595 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:03   2021-08-22 08:35:03.595 +0530 cfgagent register failed in try 7/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:05   2021-08-22 08:35:05.113 +0530 URL filtering vendor(PAN-DB) not changed.
mp        devsrv.log                         2021-08-22 08:35:08   2021-08-22 08:35:08.605 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:08   2021-08-22 08:35:08.605 +0530 cfgagent register failed in try 8/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:13   2021-08-22 08:35:13.305 +0530 path : https://s0000.urlcloud.paloaltonetworks.com/urlcloud_list, path
mp        devsrv.log                         2021-08-22 08:35:13   2021-08-22 08:35:13.615 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:13   2021-08-22 08:35:13.615 +0530 cfgagent register failed in try 9/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:14   2021-08-22 08:35:14.362 +0530 Error:  pan_cloud_agent_secure_conn_pandb_enabled(pan_cloud_agent_connect.c:1140): failed to fetch sysd obj sw.mgmt.runtime.curl-param
mp        devsrv.log                         2021-08-22 08:35:14   2021-08-22 08:35:14.384 +0530 Error:  pan_cloud_agent_secure_conn_pandb_enabled(pan_cloud_agent_connect.c:1140): failed to fetch sysd obj sw.mgmt.runtime.curl-param
mp        devsrv.log                         2021-08-22 08:35:18   2021-08-22 08:35:18.625 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:18   2021-08-22 08:35:18.625 +0530 cfgagent register failed in try 10/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:23   2021-08-22 08:35:23.635 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:23   2021-08-22 08:35:23.635 +0530 cfgagent register failed in try 11/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:28   2021-08-22 08:35:28.645 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:28   2021-08-22 08:35:28.645 +0530 cfgagent register failed in try 12/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:33   2021-08-22 08:35:33.655 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:33   2021-08-22 08:35:33.655 +0530 cfgagent register failed in try 13/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:38   2021-08-22 08:35:38.665 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:38   2021-08-22 08:35:38.665 +0530 cfgagent register failed in try 14/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:43   2021-08-22 08:35:43.675 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:43   2021-08-22 08:35:43.675 +0530 cfgagent register failed in try 15/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:48   2021-08-22 08:35:48.685 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:48   2021-08-22 08:35:48.685 +0530 cfgagent register failed in try 16/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:53   2021-08-22 08:35:53.695 +0530 Error:  pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp        devsrv.log                         2021-08-22 08:35:53   2021-08-22 08:35:53.695 +0530 cfgagent register failed in try 17/25. sleeping for 5 seconds...
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 =======================================
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 Cloud  IP 
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 Source IP 172.16.168.226
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 name lookup time 0.000000 second
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 connect time 0.000000 second
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 ssl connect time 0.000000 second
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 total time 39.969514 second
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 server certificate chain: 0 certinfo(s)
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 curl error: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 =======================================
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 Perform download from cloud with result Couldn't resolve host name.
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.366 +0530 Error:  pan_cloud_agent_download_cloud_list(pan_cloud_agent_connect.c:1747): PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name).
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.366 +0530 Warning:  pan_cloud_agent_get_curl_connection(pan_cloud_agent_connect.c:2685): cannot elect a cloud
mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.368 +0530 Warning:  pan_log_proxy(pan_priv_log.c:269): Elog being proxied

 

@VishnuPS 

 

Which version of PAN OS you are using?

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

This line (6th from bottom) looks like your issue.

 

mp        devsrv.log                         2021-08-22 08:35:55   2021-08-22 08:35:55.365 +0530 curl error: Could not resolve host: s0000.urlcloud.paloaltonetworks.com

Can you run the command "ping host s0000.urlcloud.paloaltonetworks.com"?  This will test DNS.  The source address used will be your management interface.  Could you also run the command "debug dataplane internal vif route 250" to verify that you do not have any service routes installed?  The output should be blank.  If not, please post.

Help the community: Like helpful comments and mark solutions.

9.1.8 Panos

sure, I will test and let you know the updates.

Hi @VishnuPS ,

- What PAN-OS version are you running?

- Does all three firewalls are in the same region or different? (EMEA, APAC, etc)

- What is the output from ">test url google.com"?

 

The output from your previous screenshot and the output of the command I suggest above should confirm that your firewall is able to communicate with PAN-DB cloud to check URL categorization and everything is working normally.

 

The PAN-DB version is version of a "cache file" that firewall will try to update every 5min. This cache file contain top xxxx urls for the region that your firewalls is. That way firewall will check the local cache instead of checking with the cloud, for URL/domain that is very popilar. Palo Alto networks periodicaly updates this cache file, but if your firewall is not updating this file, this doesn't mean you are not connected to PAN-DB.

Hi Astarzhiev,

 

- What PAN-OS version are you running?  

 

9.1.8

 

- Does all three firewalls are in the same region or different? (EMEA, APAC, etc)

Yes

 

- What is the output from ">test url google.com"?

Let me check and let you know.

 

Thanks for the update.

Cyber Elite
Cyber Elite

Hi @VishnuPS,

 

Did you see my last post?  I think those commands will give us more insight to the issue.

 

Thanks!

Help the community: Like helpful comments and mark solutions.

Yes Tom, I will run and let you know the updates. Thank you.

VishnuPS_1-1629792686305.png

 

Test url google.com still fails.

  • 1 accepted solution
  • 37247 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!