Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Result: Failed to validate server certificate for endpoint api.paloaltonetworks.com

L2 Linker

issue1:

I am having issues with getting Panorama and firewalls connected up to datalake. I opened a case and i am told it can't connect to api.paloaltonetworks.com. I have pcap that says otherwise. There is no ssl decryption in between. Its frustrating when you spend serious amount of money on this storage and it doesn't work.

issue2:

I am have a hard time find nice straight forward instructions on how to get panorama managed firewalls along with panorama setup with datalake. The instructions are all over the place. If someone has instructions they followed, preferably including the cert generation from the cloud services that would be really helpful.

 

5 REPLIES 5

Cyber Elite
Cyber Elite

@Johndbabio1,

Are you allowing your firewalls to communicate with ocsp.paloaltonetworks.com and crl.paloaltonetworks.com? The error your getting is simply stating that they can't validate the certificate of api.paloaltonetworks.com, not that it's not able to reach api.paloaltonetworks.com. Take a look at the required communication document and make sure you can actually communicate to all of the required FQDNs and that you're actually allowing all of the necessary traffic to pass. 

What documentation are you attempting to follow? The Getting Started documentation will walk you through how you go about setting this up in a step by step fashion. 

tail follow yes mp-log lcaas_agent.log

2021-06-19 23:16:59,171 lcaas_agent INFO source interface: src route sysd str: cfg.net.s0.srcif
2021-06-19 23:16:59,171 lcaas_agent INFO source interface: src_table: {'refresh': 300}
2021-06-19 23:16:59,171 lcaas_agent INFO Server not passed in. Picking up from cfg.lcaas-orch-server-domain sysd node
2021-06-19 23:16:59,179 lcaas_agent INFO LCaas server port not passed in. Picking up from cfg.lcaas-orch-server-port sysd node
2021-06-19 23:17:59,239 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:19:01,270 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:20:03,296 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:21:05,322 lcaas_agent ERROR Failed to fetch LCaaS server cert - retrying....
2021-06-19 23:22:07,347 lcaas_agent ERROR Failed to fetch LCaaS server cert for validation check after 5 retries
2021-06-19 23:22:07,348 lcaas_agent ERROR Failed to validate server certificate for endpoint api.paloaltonetworks.com

Did you find a solution to this one?

L0 Member

Engineers will find solutions for everything else not the LCaaS errors. i think we must accept that not even the programmers at Palo Alto can fix this.

Why is it difficult for the solution to this problem to be posted?

L2 Linker

I know this is a late reply, but have you checked this doc? The one command: request logging-service-forwarding customerinfo [show|fetch] was pretty helpful - error message showed me I was getting SSL handshake rejected.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMXKCA4

 

 

  • 8547 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!