This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Panorama & "Managed Devices" unable to connect

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama & "Managed Devices" unable to connect

aayoung
L1 Bithead

‎08-27-2018 07:15 AM

I believe I have set up the Panorama and Firewalls correctly as per a few different KB articles I've read. I've check connectivity between the MGT interfaces, made sure that the attempts weren't being denied due to the fact that "permitted IP's" were configured. I even checked out a TCP dump of the connection on TCP 3978, and see ack's going out to the firewalls, however any return traffic just comes back stating a window size of 0. Any advice?

 

P.S.

I've checked the MTU and have no SSL-Certificates setup.

0 Likes Likes
2 REPLIES 2

gwesson
L7 Applicator

‎08-27-2018 10:57 AM

Window size of zero may not be an issue if the connection hasn't opened yet.

 

The firewalls themselves make the connection to Panorama, so you can grab a tcpdump on the firewall's management interface using Panorama's IP as the filter:

 

tcpdump filter "host 192.0.2.1" snaplen 0

 

Once that's completed, you can transfer it via SCP or TFTP if you want to take a further look. Check to see that there's an established connection. If not, there should be some frames that lead you to the root cause.

 

One note: if the firewall's management interface is subject to security policy because it traverses the firewall, you'll need a security rule (and possibly source-NAT) to ensure it's allowed and can route.

aayoung
L1 Bithead
In response to gwesson

‎08-28-2018 06:50 AM

Thanks, sorry got caught up yesterday. I'm stumped, the TCP connection will get all the way to FIN and then I'll see a retransmission. Followed by another 3-way handshake and more of the same. I think I'm just going to forgo using the MGT ports and connect them via in-band L3 ports. Thanks for trying to help.

0 Likes Likes
  • 2518 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks