Telemetry error - CDL Receiver Key Empty

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Telemetry error - CDL Receiver Key Empty

L4 Transporter

Hi All,

 

We have a client who all of a sudden started to receive the following telemetry error -  'CDL Receiver Key Empty' on PA-440. No changes have been made. Currently running PAN OS 10.1.2. They are not using CDL and are just sending Telemetry data to PA with a certificate. This looks like it may be a an issue on the PA backend.

 

Can anyone clarify? @BPry ?

 

BenPrice_0-1641256179346.png

 

Thanks in advance.

 

 

 

 

 

1 accepted solution

Accepted Solutions

L4 Transporter

@BPry 

Firewall did not receive the signed URL key required back from PAN servers to upload telemetry data (based on the telemetry logs), which looks to have caused the error. Also, the firewall failed to fetch the device certificate correctly upon 3 month renewal. Rebooted firewall and waited 24 hours and the firewall was then able to retrieve the certificate and telemetry data began to flow successfully again.

 
Looked to have been an issue with the Palo Alto back end as no changes were made on the firewall except a reboot, but am not quite sure.

View solution in original post

13 REPLIES 13

Cyber Elite
Cyber Elite

@Ben-Price,

That error has never been incredibly well defined. I've seen it caused by backend licensing issues that needed support to fix the licensing on their end, and I've seen it being caused by blocking licensing traffic from the firewall. I'd start with basic troubleshooting to kick things off (has the device been restarted, verify via logs the traffic is being allowed, etc) and go from there. 

L4 Transporter

@BPry 

Firewall did not receive the signed URL key required back from PAN servers to upload telemetry data (based on the telemetry logs), which looks to have caused the error. Also, the firewall failed to fetch the device certificate correctly upon 3 month renewal. Rebooted firewall and waited 24 hours and the firewall was then able to retrieve the certificate and telemetry data began to flow successfully again.

 
Looked to have been an issue with the Palo Alto back end as no changes were made on the firewall except a reboot, but am not quite sure.

L4 Transporter

paragkarki143_0-1644452168893.jpeg

@BPry I conducted the reboot and telemetry started up again however it has since stopped again.

Any help would be much appreciated. Thank you in advance.

 

PrasKtmBoy

Cyber Elite
Cyber Elite

@Pras,

You'd probably want to report it to TAC to help investigate why you keep running into issues and bring up that it's failed multiple times requiring a restart. A simple restart will likely fix it again, but there could be a communication issue due to your configuration or it could simply be a bug within PAN-OS 10.1 that you're running into.

If you haven't already, I would install 10.1.4 to ensure you're at least running the latest release. I don't see anything in the release notes to actually address an issue that would point towards your issue. 

L1 Bithead

I had the same issue when I installed 10.2.0.  Reboot didn't fix it, and installing 10.2.0-h1 didn't fix it either.  Just installed 10.2.1 and after a couple hours it finally started working.  Fingers crossed it is now resolved.

L2 Linker

I have this same issue on 10.1.6-H6 and thus far a reboot has not fixed it.  Shows my device cert is good and CDL is showing current logs.  But AIOps stopped getting telemetry data about a week ago.

 

Jason_Lieberman_0-1665974182695.png

 

I also see

 

Jason_Lieberman_1-1665974317382.png

 

PCNSE, PCNSC, CyberForce

I'm experiencing the same issue you are (with the exception that my device cert is valid) with my firewalls that are running 10.1.6-h6 (2x 220s and a VM), but not on those running 10.1.4 (2x 820s). I just enabled aiops today. 

L3 Networker

My PA-3430 devices running 10.2.3-h2 had this issue.  Device certificate was a week away from expiring but still causing the CDL error apparently.

request certificate fetch

Fixed the issue.

L0 Member

When I try to place a TAC case, it is redirecting me to the live community. How do I submit a ticket?

L3 Networker

There is a very unfriendly feature of the case opening tool where it does this for certain categories, basically telling you in an insulting and passive aggressive manner that your need is too petty to concern regular support staff.  (Isn't it nice how you can spend a ton of time typing up your situation into the case notes and then on submit BAM it redirects you do the forum and throws out all your typing?)

 

Choosing a "better fitting" category / issue type / whatever may allow you to open the ticket.

L3 Networker

This is now listed as a known issue in the release notes of 10.2.4.

======================

PAN-208325

The following NextGen firewalls and Panorama management server models are unable to automatically renew the device certificate (
Device
Setup
Management
or
Panorama
Setup
Management
).
  • M-300 and M-700
  • PA-410 Firewall
  • PA-440, PA-450, and PA-460 Firewalls
  • PA-3400 Series
  • PA-5410, PA-5420, and PA-5430 Firewalls
  • PA-5450 Firewall
Workaround:
Log in to the firewall CLI or Panorama CLI and fetch the device certificate.
admin>
request certificate fetch
 
======================

L1 Bithead

We were finally able to get telemetry sent to AIOps by permitting google-base as per this article.

  • 1 accepted solution
  • 19117 Views
  • 13 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!