This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Troubleshooting PAN-Agent connectivity

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Troubleshooting PAN-Agent connectivity

helenio.sartori
L3 Networker

‎01-08-2010 05:18 AM

Hello, I have PAN OS 3.0.5 installed on a cluster (active passive)

The passive device seams to have problem to contact PAN

As you can see from ommand below 10.44.36.125 Agent can't be reached (on active is ok)

(active)> show pan-agent statistics
Name             IP Address      Port    Vsys        State             Users  Gr
ps  IPs       Activity Cnts Link Speed
--------------------------------------------------------------------------------
--------------------------------------
svs00013.ac.ti.ch 10.44.36.125    3750    vsys1       connected, ok     4361   5
     2526      60069         fast

(passive)> show pan-agent statistics

Name             IP Address      Port    Vsys        State             Users  Gr

ps  IPs       Activity Cnts Link Speed

--------------------------------------------------------------------------------

--------------------------------------

svs00013.ac.ti.ch     3750    vsys1       trying to connect 0      0

     0         0             fast

As from below we can ping the Agent ...

(passive)> ping host 10.44.36.125

PING 10.44.36.125 (10.44.36.125) 56(84) bytes of data.

64 bytes from 10.44.36.125: icmp_seq=1 ttl=124 time=0.308 ms

64 bytes from 10.44.36.125: icmp_seq=2 ttl=124 time=0.293 ms

If I try to reset the Connection ...

(passive)> debug device-server reset pan-agent all

Server error : Failed to get response from device server. Please try again later

.

How can I trobleshoot the comunication between PAN FW and the Agent to see where the comunication is wrong ?

Labels:
0 Likes Likes
2 REPLIES 2

nrice
L5 Sessionator

‎01-08-2010 10:47 AM

Hi Helenio,

The PAN-agent is only active on the active device in t he HA pair.  It is not active on the passive device.  In the event of a failover, the information is transferred to the newly active device.

Looks like you are familiar with the main troubleshooting comands for the PAN- agent, show pan-agent statistics, show pan-agent user IDs, debug device-server reset pan-agent all.  There are also logs that can be viewed in the PAN-agent iteslf.

0 Likes Likes

helenio.sartori
L3 Networker
In response to nrice

‎01-11-2010 10:53 PM

This sound strange ... how can betransfered Group-user mapping during failover if the active device dies ... this shoul be done before as for TCP sessions. (show pan-agent user on the passive doesn't show any user-group map). This also mean, since the MNGT interface of the passive device is not the same as the active, that a new PAN FW-PAN agent connection as to be establish a new PAN-Agent connectio increasing the failover time ... isn't ? (I'll do a test of failover to see how long this will take) ...

0 Likes Likes
  • 4127 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks