08-22-2021 04:21 AM
Hi Team,
I have 3 firewalls in my different locations. On 2 firewalls the URL update version is up to date; only one firewall is on a lower version.
Also, I identified that the lower-version firewall has a different update server when I checked the show url-cloud-info command.
The lower version update cloud server is: pdx1prod.urlcloud.paloaltonetworks.com
The higher version update cloud server is: serverlist.urlcloud.paloaltonetworks.com.
Kindly help me out to resolve this issue.
08-27-2021 09:19 PM
Hi Team,
Issue resolved and please find the TAC solution below,
1. The URL filter elected the cloud server: pdx1prod.urlcloud.paloaltonetworks.com
2. And the response is very slow during:
show url-cloud status
test url www.google.com /www.yahoo.com
3. Changing the mgmt to 1400 made some improvement during certificate exchange on the small ISP path MTU.
Then the cloud server changed to serverlist.urlcloud.paloaltonetworks.com
test url and the response are better now.
Issue fixed.
Thank you all
Regards,
Vishnu Ps.
08-22-2021 08:28 PM
Interesting. PAN-DB should update every 5 minutes. Did the issue, 16 hours later, correct itself?
What does Monitor > Logs > System ( subtype eq url-filtering ) show?
Did you mean the "show url-cloud status" command?
Since you see a cloud server, it sounds like the status of the cloud connection is "connected", could you confirm?
If you are connected and still do not have the latest version, you can manually request a download -> https://docs-new.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/troubleshoot-url-filteri... and see what happens.
If you are not connected, go here -> https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/troubleshoot-url-filtering/p....
08-22-2021 08:38 PM - edited 08-22-2021 08:38 PM
Under Device services, what is the update server you have configured?
I have this updates.paloaltonetworks.com.
PA>show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20210823.20055
URL database version - cloud : 20210823.20055 ( last update time 2021/08/22 21:30:20 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
Regards
08-22-2021 10:14 PM
Hi Tom Yong,
Yes, it's showing connected only.
Please find the ss for your reference.
08-22-2021 10:16 PM
Hi MP18,
I have configured this updates.paloaltonetworks.com.
I am getting the below error in the system logs,
( description contains 'CURL ERROR: bind failed with errno 124: Address family not supported by protocol' )
and ( description contains 'CLOUD ELECTION: pdx1prod.urlcloud.paloaltonetworks.com IP: 66.232.32.12 was elected, measured alive test 1466481.' )
08-23-2021 04:14 AM
Hi,
I am getting these error logs from the device server.
URLPERF: MP pandb-cache-smart-clear-max-lru = 2500000
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.181 +0530 Cloud Connection Agent is starting...
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.182 +0530 PAN-DB engine is starting...
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.183 +0530 Warning: pan_log_proxy(pan_priv_log.c:269): Elog being proxied
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.186 +0530 PAN-DB engine started.
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.187 +0530 Warning: pan_log_proxy(pan_priv_log.c:269): Elog being proxied
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.191 +0530 Warning: pan_hash_init(pan_hash.c:113): nbuckets 10240 is not power of 2!
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.191 +0530 Warning: pan_hash_init(pan_hash.c:113): nbuckets 10240 is not power of 2!
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.515 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:34:33 2021-08-22 08:34:33.515 +0530 cfgagent register failed in try 1/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:34:38 2021-08-22 08:34:38.525 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:34:38 2021-08-22 08:34:38.525 +0530 cfgagent register failed in try 2/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:34:43 2021-08-22 08:34:43.535 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:34:43 2021-08-22 08:34:43.535 +0530 cfgagent register failed in try 3/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:34:48 2021-08-22 08:34:48.545 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:34:48 2021-08-22 08:34:48.545 +0530 cfgagent register failed in try 4/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:34:53 2021-08-22 08:34:53.555 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:34:53 2021-08-22 08:34:53.555 +0530 cfgagent register failed in try 5/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:34:58 2021-08-22 08:34:58.575 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:34:58 2021-08-22 08:34:58.575 +0530 cfgagent register failed in try 6/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:03 2021-08-22 08:35:03.595 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:03 2021-08-22 08:35:03.595 +0530 cfgagent register failed in try 7/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:05 2021-08-22 08:35:05.113 +0530 URL filtering vendor(PAN-DB) not changed.
mp devsrv.log 2021-08-22 08:35:08 2021-08-22 08:35:08.605 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:08 2021-08-22 08:35:08.605 +0530 cfgagent register failed in try 8/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:13 2021-08-22 08:35:13.305 +0530 path : https://s0000.urlcloud.paloaltonetworks.com/urlcloud_list, path
mp devsrv.log 2021-08-22 08:35:13 2021-08-22 08:35:13.615 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:13 2021-08-22 08:35:13.615 +0530 cfgagent register failed in try 9/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:14 2021-08-22 08:35:14.362 +0530 Error: pan_cloud_agent_secure_conn_pandb_enabled(pan_cloud_agent_connect.c:1140): failed to fetch sysd obj sw.mgmt.runtime.curl-param
mp devsrv.log 2021-08-22 08:35:14 2021-08-22 08:35:14.384 +0530 Error: pan_cloud_agent_secure_conn_pandb_enabled(pan_cloud_agent_connect.c:1140): failed to fetch sysd obj sw.mgmt.runtime.curl-param
mp devsrv.log 2021-08-22 08:35:18 2021-08-22 08:35:18.625 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:18 2021-08-22 08:35:18.625 +0530 cfgagent register failed in try 10/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:23 2021-08-22 08:35:23.635 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:23 2021-08-22 08:35:23.635 +0530 cfgagent register failed in try 11/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:28 2021-08-22 08:35:28.645 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:28 2021-08-22 08:35:28.645 +0530 cfgagent register failed in try 12/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:33 2021-08-22 08:35:33.655 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:33 2021-08-22 08:35:33.655 +0530 cfgagent register failed in try 13/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:38 2021-08-22 08:35:38.665 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:38 2021-08-22 08:35:38.665 +0530 cfgagent register failed in try 14/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:43 2021-08-22 08:35:43.675 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:43 2021-08-22 08:35:43.675 +0530 cfgagent register failed in try 15/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:48 2021-08-22 08:35:48.685 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:48 2021-08-22 08:35:48.685 +0530 cfgagent register failed in try 16/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:53 2021-08-22 08:35:53.695 +0530 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:168): sync modify <sw.mgmt.runtime.clients.device.register> failed: NO_MATCHES
mp devsrv.log 2021-08-22 08:35:53 2021-08-22 08:35:53.695 +0530 cfgagent register failed in try 17/25. sleeping for 5 seconds...
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 =======================================
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 Cloud IP
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 Source IP 172.16.168.226
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 name lookup time 0.000000 second
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 connect time 0.000000 second
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 ssl connect time 0.000000 second
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 total time 39.969514 second
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 server certificate chain: 0 certinfo(s)
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 curl error: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 =======================================
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 Perform download from cloud with result Couldn't resolve host name.
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.366 +0530 Error: pan_cloud_agent_download_cloud_list(pan_cloud_agent_connect.c:1747): PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name).
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.366 +0530 Warning: pan_cloud_agent_get_curl_connection(pan_cloud_agent_connect.c:2685): cannot elect a cloud
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.368 +0530 Warning: pan_log_proxy(pan_priv_log.c:269): Elog being proxied
08-23-2021 05:08 AM
Which version of PAN-OS are you using?
Regards
08-23-2021 05:09 AM
This line (6th from bottom) looks like your issue.
mp devsrv.log 2021-08-22 08:35:55 2021-08-22 08:35:55.365 +0530 curl error: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
Can you run the command "ping host s0000.urlcloud.paloaltonetworks.com"? This will test DNS. The source address used will be your management interface. Could you also run the command "debug dataplane internal vif route 250" to verify that you do not have any service routes installed? The output should be blank. If not, please post.
08-23-2021 05:12 AM
Sure, I will test and let you know the updates.
08-23-2021 05:27 AM
Hi @VishnuPS ,
- What PAN-OS version are you running?
- Are all three firewalls in the same region or different? (EMEA, APAC, etc.)
- What is the output from ">test url google.com"?
The output from your previous screenshot and the output of the command I suggest above should confirm that your firewall is able to communicate with PAN-DB cloud to check URL categorization and everything is working normally.
The PAN-DB version is the version of a "cache file" that the firewall will try to update every 5 min. This cache file contains the top xxxx URLs for the region that your firewall is in. That way the firewall will check the local cache instead of checking with the cloud for URLs/domains that are very popular. Palo Alto Networks periodically updates this cache file, but if your firewall is not updating this file, this doesn't mean you are not connected to PAN-DB.
08-23-2021 05:37 AM
Hi Astarzhiev,
- What PAN-OS version are you running?
9.1.8
- Are all three firewalls in the same region or different? (EMEA, APAC, etc.)
Yes
- What is the output from ">test url google.com"?
Let me check and let you know.
Thanks for the update.
08-23-2021 06:19 AM
Hi @VishnuPS,
Did you see my last post? I think those commands will give us more insight to the issue.
Thanks!
08-23-2021 09:19 AM
Yes Tom, I will run and let you know the updates. Thank you.
08-24-2021 01:11 AM
Test url google.com still fails.
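The comparison this thread does by hand (three firewalls, one with an older URL database and a different cloud server) can be scripted against saved "show url-cloud status" output. This is an added example, not code from any poster or from Palo Alto Networks; the field names follow the output posted above, while the firewall names and the lagging version for fw3 are constructed.

```python
import re
from collections import Counter

# Constructed sample outputs of "show url-cloud status". FW_A follows the
# field layout posted in this thread; FW_B's lagging version is invented.
FW_A = """\
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 20210823.20055
URL database version - cloud : 20210823.20055 ( last update time 2021/08/22 21:30:20 )
URL database status : good
"""
FW_B = FW_A.replace("serverlist.", "pdx1prod.").replace(
    "device : 20210823.20055", "device : 20210820.20031")
FLEET = {"fw1": FW_A, "fw2": FW_A, "fw3": FW_B}  # hypothetical firewall names

def parse_status(text):
    """Turn 'key : value' lines into a dict; split on the first ' : ' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def version(value):
    """Extract (YYYYMMDD, build) from a version field, ignoring the timestamp."""
    m = re.match(r"(\d{8})\.(\d+)", value or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(fleet):
    """Return {firewall: [findings]} for every firewall with a finding."""
    parsed = {name: parse_status(out) for name, out in fleet.items()}
    servers = Counter(p.get("Current cloud server") for p in parsed.values())
    common = servers.most_common(1)[0][0]  # server used by most firewalls
    report = {}
    for name, p in parsed.items():
        findings = []
        if p.get("Cloud connection") != "connected":
            findings.append("cloud not connected")
        dev = version(p.get("URL database version - device"))
        cloud = version(p.get("URL database version - cloud"))
        if dev is None or cloud is None or dev < cloud:
            findings.append("device URL database behind cloud")
        if p.get("Current cloud server") != common:
            findings.append("cloud server differs from fleet")
        if findings:
            report[name] = findings
    return report
```

Calling audit(FLEET) reports only fw3, with the version lag and the cloud-server difference as separate findings, since a stale cache file and a broken cloud connection are different conditions.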