Panorama push errors None after upgrade


L1 Bithead

We recently had this issue where, after upgrading firewalls to 10.1, Panorama gave an error on push to certain firewalls with the description "none", which wasn't very helpful.  By a further process of elimination we discovered the error occurred only on VM FWs in AWS.  Panorama wouldn't even try to push the device templates or give any meaningful error messages.

It was only when prompted that we checked the plugin versions.  Panorama 10.1.8-h2 after upgrade had vm_series-2.1.6, whereas the firewall image included vm_series-2.1.7!

 

A reminder to all on PAN-OS updates: check not just that your Panorama is on a higher or equal software version, but also the AV/Threat AND plug-in versions!

 

The reason the template push failed specifically to AWS is that we utilize CloudWatch configuration in the template for AWS, whereas other VM series didn't have this configuration in the template.  The error was not shown in Panorama, but basically the template was not compatible with the firewall, as Panorama did not have support for 2.1.7.

 

Other strange issues on upgrade from 9.1.x to 10.1.x:

We also had issues when setting User-ID redistribution agents, and they would not connect to Panorama or some firewalls.  When using the default secure comms certificate, the built-in PAN-OS certificate is used, and if this expires, again no messages are displayed to make this obvious. In our case the scheduled dynamic content update after upgrade hadn't worked, and it required a manual Check Now, download and install of the latest content version to refresh the built-in certificate.  This is not to be confused with other firewall certificates, as there is also the device certificate (used to communicate with Palo Alto Cloud) and the Cortex Data Lake specific certificate (used to communicate with the customer-specific instance), in addition to the user-based certs that can be installed for the Management console or SSL decrypt / client auth.

 

Creating this article to help others searching for quick answers!

See also here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkupCAA
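
Added example, not part of the original post: a pre-push check that compares PAN-OS and plug-in version strings in the formats quoted above and flags firewalls that are ahead of Panorama. The inventory is constructed (device names and firewall versions are assumptions), and collecting the versions from the devices is not shown.

```python
import re

def parse_panos(version):
    """'10.1.8-h2' -> (10, 1, 8, 2); no hotfix suffix counts as hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_plugin(label):
    """'vm_series-2.1.7' -> ('vm_series', (2, 1, 7, 0)); last item is the hotfix."""
    m = re.fullmatch(r"(.+?)-(\d+(?:\.\d+)*)(?:-h(\d+))?", label)
    if not m:
        raise ValueError(f"unrecognised plugin label: {label!r}")
    numbers = [int(p) for p in m.group(2).split(".")]
    return m.group(1), tuple(numbers + [int(m.group(3) or 0)])

def find_mismatches(panorama, firewalls):
    """Return (firewall, kind, firewall_value, panorama_value) for every item
    where the firewall is ahead of the Panorama that manages it."""
    findings = []
    pano_sw = parse_panos(panorama["sw"])
    pano_plugins = {}
    for label in panorama["plugins"]:
        name, ver = parse_plugin(label)
        pano_plugins[name] = (ver, label)
    for fw in firewalls:
        # Numeric comparison: 10.1.10 sorts above 10.1.8, unlike a string compare.
        if parse_panos(fw["sw"]) > pano_sw:
            findings.append((fw["name"], "software", fw["sw"], panorama["sw"]))
        for label in fw["plugins"]:
            name, ver = parse_plugin(label)
            pano_ver, pano_label = pano_plugins.get(name, (None, None))
            if pano_ver is None or ver > pano_ver:
                findings.append((fw["name"], "plugin", label, pano_label))
    return findings

# Constructed inventory: only the Panorama version and the two vm_series
# labels come from the post; device names and firewall versions are made up.
PANORAMA = {"sw": "10.1.8-h2", "plugins": ["vm_series-2.1.6"]}
FIREWALLS = [
    {"name": "aws-vm-fw-01", "sw": "10.1.8", "plugins": ["vm_series-2.1.7"]},
    {"name": "dc-fw-01", "sw": "10.1.8", "plugins": []},
    {"name": "lab-fw-01", "sw": "10.1.10-h1", "plugins": []},
]

if __name__ == "__main__":
    for fw, kind, fw_value, pano_value in find_mismatches(PANORAMA, FIREWALLS):
        print(f"{fw}: {kind} {fw_value} is ahead of Panorama ({pano_value})")
```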

 

2 REPLIES

Community Team Member

Hi @Tom-Lee ,

 

Thanks for sharing this! I will nominate this as an article for more people to see. 

LIVEcommunity team member
Stay Secure,
Jay

L4 Transporter

Just FYI, for anyone who happens to stumble upon this, I upgraded from 10.1.10-h1 to 10.2.7 on an ESX Pano and an HA pair of physical and got the same error.  So in my case it had nothing to do with the vm_series plugin.  They are currently saying that it is a previously unknown bug.
