08-22-2016 06:03 AM
Hi guys,
I have a big problem.
My PA failed in the refresh FQDN task and now the PA can't resolve FQDN objects.
My DNS settings are good and there are no drops between the PA and the DNS server.
Any advice?
Thank you!
08-22-2016 06:10 AM
Hi Erez,
To start, you may want to check if the firewall is receiving a response for the DNS queries by taking a pcap.
Check if the DNS service route is via MGT or data interface and take tcpdump (MGT) or DP capture (Monitor > packet capture)
Check the service route for DNS :
Thanks,
Sandeep.
08-22-2016 06:23 AM
Thank you,
The DNS service route is via MGT.
I did a tcpdump from the DNS server (tcpdump filter "src net dns server")
and then forced a refresh of the FQDNs.
This is the result:
8517 packets received by filter
0 packets dropped by kernel
This is OK, no?
08-22-2016 06:26 AM
Hi Erez,
You need to open the pcap (SCP/TFTP to a computer to view using Wireshark) and check if the DNS req. and response are seen with the DNS response having the answer to FQDN(s) configured.
Sandeep.
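The check described in the reply above (every configured FQDN has a query and a matching response that carries an answer) can be scripted once the DNS payloads are exported from the capture. This is an added example, not part of the original thread; it works on raw DNS message bytes (the UDP payload), and the function names, host names and sample messages are constructed for illustration.

```python
import struct

def build_msg(txid, name, response=False, rcode=0, addrs=()):
    # Constructed-sample helper: one A-record question, optional A answers.
    flags = (0x8180 | rcode) if response else 0x0100
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip in addrs:  # answer name is a compression pointer to offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

def parse_msg(data):
    # Header plus first question name (assumed uncompressed, as is usual).
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    labels, pos = [], 12
    while data[pos]:
        labels.append(data[pos + 1:pos + 1 + data[pos]].decode())
        pos += 1 + data[pos]
    return {"id": txid, "response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "name": ".".join(labels).lower(), "answers": ancount}

def check_fqdns(payloads, fqdns):
    # Pair queries and responses by transaction ID and name, per FQDN.
    status = {f.lower(): "no query seen" for f in fqdns}
    pending = {}
    for raw in payloads:
        m = parse_msg(raw)
        name = m["name"]
        if name not in status or status[name] == "resolved":
            continue
        if not m["response"]:
            pending[m["id"]] = name
            status[name] = "query sent, no response"
        elif pending.pop(m["id"], None) == name:
            if m["rcode"] != 0:
                status[name] = f"response rcode={m['rcode']}"
            elif m["answers"] == 0:
                status[name] = "response with no answer records"
            else:
                status[name] = "resolved"
    return status

# Constructed capture: one resolved name, one unanswered, one NXDOMAIN.
SAMPLE = [build_msg(1, "app.example.com"),
          build_msg(1, "app.example.com", True, 0, ["192.0.2.10"]),
          build_msg(2, "db.example.com"),
          build_msg(3, "old.example.com"),
          build_msg(3, "old.example.com", True, 3)]
FQDNS = ["app.example.com", "db.example.com", "old.example.com", "missing.example.com"]
```

A packet count like "8517 packets received by filter" says nothing about these states; only the per-name result separates a missing response from an NXDOMAIN or an empty answer.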
08-22-2016 07:24 AM
Hi,
Could you post output of this command:
>tail lines 100 mp-log ms.log
Thx
Myky
08-22-2016 10:23 PM
Here it is:
2016-08-23 08:10:21.222 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.uuid
2016-08-23 08:10:21.222 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.cpuid
2016-08-23 08:10:22.232 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:10:24.323 +0300 No new WF-Private updates available for download
2016-08-23 08:10:35.242 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:10:48.252 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:01.262 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:14.272 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:27.282 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:40.292 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:11:49.893 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:11:50.574 +0300 client useridd reported op command was SUCCESSFUL
2016-08-23 08:11:53.302 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=32
2016-08-23 08:11:55.997 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:12:06.312 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:19.322 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:32.332 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:45.342 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:12:58.352 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:11.362 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=32
2016-08-23 08:13:24.372 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:37.382 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:46.173 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:13:50.392 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:13:52.277 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:13:58.379 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:03.402 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:04.480 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:10.583 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:16.411 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:16.686 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:22.791 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:28.894 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:29.421 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=32
2016-08-23 08:14:35.003 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:41.105 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:42.431 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:47.205 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:53.309 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:14:55.441 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:14:59.410 +0300 Error: __retry_wf_report_fetch(pan_cfg_cms_handler.c:1826): Failed to fetch report from wildfire server 10.24.15.34, initiating retries
2016-08-23 08:15:00.334 +0300 Checking to purge appstatdb logtype
2016-08-23 08:15:08.451 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
2016-08-23 08:15:21.222 +0300 pan_dynupdsch_local_refresh(pan_cfg_dynupdsch.c:1793): scheduled-update: "_SystemWildfireUpdate_" refreshing of WildFire
2016-08-23 08:15:21.223 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.uuid
2016-08-23 08:15:21.223 +0300 Error: pan_mgmt_get_sysd_string(pan_cfg_status_handler.c:367): failed to fetch cfg.platform.cpuid
NO_MATCHES
2016-08-23 08:15:21.461 +0300 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:571): COMM: cannot connect. remote ip=10.24.15.35 port=3978 err=No route to host(113) sock=29
NO_MATCHES
--2016-08-23 08:15:21-- https://updates.paloaltonetworks.com/Updates/UpdateService2.asmx/CheckForWildfireUpdate
Resolving updates.paloaltonetworks.com... 199.167.52.141
Connecting to updates.paloaltonetworks.com|199.167.52.141|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1606 (1.6K) [text/xml]
Saving to: `/tmp/.wildfireinfo.xml.71763.tmp'
10.24.15.35 is our Panorama machine but we are not using the machine.
08-23-2016 12:06 AM - edited 08-23-2016 01:35 PM
Hi,
Just confirm you can ping your DNS servers from the Palo through the CLI. Take a few FQDNs and try to see if you are getting a resolution, not from the Palo device, just use a different PC.
What PAN-OS are you running? After 6.1.x you can change refresh time to 600 seconds instead of 1800.
If the device fails to get FQDN info during a refresh period, the firewall will not retry immediately. The firewall will wait for the new refresh period time.
> configure
# set deviceconfig system fqdn-refresh-time <600-14399>
# commit
More info here:
For the errors in your logs, check this article:
Thx,
Myky