12-21-2022 11:08 PM
just to give a baseline - hardware are pa-5220, running 10.1.6-h6, HA (active/passive), device managed by Panorama.
Long story short - one of the firewalls got stuck on a reboot cycle where the firewall would reboot every 85 minutes. The data plane would not come up during this time and support processed a RMA.
For the fun part:
our initial attempt to restore, after upgrading the same software level as working firewall, we used a device state backup, everything sync up properly, when we tried to pass traffic through the new firewall we saw the following strange behavior:
2nd restore attempt we used a back from a day before the firewall failed, we had no issues with synching up in this case as well. this gave us a better experience.
Any feedback, suggestions would be appreciated. A TAC support is currently open and waiting feedback as well.
12-28-2022 08:57 AM
Issues has been resolved - that's the good news. We are going to push to get a RCA in this case since the problems encountered does not seem normal.
1. To fix the error "bind: Cannot assign requested address"- create a dummy/temporary L3 interface, commit, test and then remove the dummy/temporary L3 interface. No amount of reboots, "commit force" by different levels of TAC did not make a difference. Also TAC mentioned there's a cli command to refresh the interface and zones but we did not try this.
2. Another problem came about where the IPSEC VPNs were not coming - this turns out the ISAKMP process is not properly starting up or not listening for IPSEC traffic. Check for ISAKMP via "show netstat listening yes | match isakmp" to see if the firewall is listening for the traffic - restart of ISAKMP process resolved the issue - a reboot of the firewall also may have been best after fixing the interface related issues.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!