updates.paloaltonetworks.com connectivity

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

updates.paloaltonetworks.com connectivity

L1 Bithead

hi all,

we have been trying to test our networks connectivity

to updates.paloaltonetworks.com and have been unsuccessful.

we tried ping to updates but it fails and also traceroute it also fails.

and when we tried from different networks all the coonectivity

tests to updates.paloaltonetworks.com failed also.

is your updates down?

because we can seem to still be able to connect to https://updates.paloaltonetworks.com via web browser, it just asks us for username and password

can anybody clarify what is happening with pan updates site?

1 accepted solution

Accepted Solutions

Below the tail of a successful update check, maybe that gives you an comparison to your and a hint what might be wrong on your box.

admin@PA4020> tail follow yes mp-log ms.log

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 3215 (3.1K) [text/xml]

Saving to: `/tmp/.avinfo.xml.tmp'

     0K                                                      100% 21.2M=0s

2013-01-10 08:00:00 (21.2 MB/s) - `/tmp/.avinfo.xml.tmp' saved [3215/3215]

Jan 10 08:03:14 Getting authorization info for user admin succeeded.

NO_MATCHES

NO_MATCHES

--2013-01-10 08:04:06--  https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.

WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 4149 (4.1K) [text/xml]

Saving to: `/tmp/.contentinfo.xml.tmp'

     0K                                                      100% 78.8K=0.05s

2013-01-10 08:04:50 (78.8 KB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]

NO_MATCHES

NO_MATCHES

--2013-01-10 08:04:51--  https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForVirusUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.

WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 3215 (3.1K) [text/xml]

Saving to: `/tmp/.avinfo.xml.tmp'

     0K                                                      100% 19.6M=0s

2013-01-10 08:04:58 (19.6 MB/s) - `/tmp/.avinfo.xml.tmp' saved [3215/3215]

View solution in original post

12 REPLIES 12

L0 Member

updates.paloaltonetworks.com works for me

A good starting point for troubleshooting is usually connectivity test, name resolution, service routes.

If you are using 4.x you are lucky. You can do a quick connectivity test via telnet.

The following output confirms that you are able to connect from your mgmt interface to updates.paloaltonetworks.com

telnet port 443 host updates.paloaltonetworks.com

Trying 199.167.52.13...

Connected to updates.paloaltonetworks.com.

Escape character is '^]'.

On 5.x telnet is disabled and there is no connectivity test available via cli.

You can try a ping host

ping host updates.paloaltonetworks.com

PING updates.paloaltonetworks.com (199.167.52.13) 56(84) bytes of data.

^C

--- updates.paloaltonetworks.com ping statistics ---

4 packets transmitted, 0 received, 100% packet loss, time 3011ms

This above proves that name resolution is working, unfortunately Palo Alto doesn't allow to ping their update server.

If you trigger the updates via 'check now' in the GUI, you can check the ms.log with less 'mp-log ms.log' and should see something like that towards the end

--2013-01-05 07:30:03--  https://updates.paloaltonetworks.com/Updates/UpdateService2.asmx/CheckForVirusUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443...connected.

HTTP request sent, awaiting response... 200 OK

Length: 3215 (3.1K) [text/xml]

Saving to: `/tmp/.avinfo.xml.tmp'

     0K                                                      100% 8.62M=0s

2013-01-05 07:30:25 (8.62 MB/s) - `/tmp/.avinfo.xml.tmp' saved [3215/3215]

Jan 05 07:30:26 No new Antivirus updates available for download

Hope that helps.

L5 Sessionator

Hi,

Couple of months back there was a change made to the update server and an annoucement was sent out which states the following

Reminder: Palo Alto Networks Update Server Change Notification on 10/5/12


Created by panagent Sep 27, 2012

Palo Alto Networks is rolling out a CDN-based update infrastructure. As a result, content updates throughout the world will be delivered from the closest server to the device.

If you have firewall rules that restrict the hosts that your devices can reach, you will need to adjust your firewall policy as follows. The current static IP address, 67.192.236.252 will be retired on October 5, 2012 and updates.paloaltonetworks.comwill begin to leverage our CDN infrastructure. A new static host is now available at staticupdates.paloaltonetworks.com with an IP address of 199.167.52.15. You will need to adjust your firewall rule to reflect the new IP address or hostname and you will need to change the update server address that is configured on the device to staticupdates.paloaltonetworks.com. Refer to Palo Alto Networks Devices Require FQDN For Update Server.  This change can be made anytime prior to October 5 to achieve no interruption of update services.

It is recommended that users who do not have requirements to restrict the hosts your devices can reach, leave the update server configuration as updates.paloaltonetworks.com. If no change is made to the configuration, devices will begin to take advantage of the new CDN infrastructure on October 5, 2012.



Have you made the change according to the above mentioned announcement. If it is not the above issue then please check your traffic logs if it is blocking anything while you are trying to do the update.


Hope this helps.

Thank you

Numan

I am having the same problems with the updates failing. I have gone into the cli interface and verified telnet connectivity to both the updates.paloaltonetworks.com and the staticupdates.paloaltonetworks.com as well as name resolution.  I have also tried changing the update server to both names mentioned above, ip addresses, etc. and I still get the messages "Failed to check Antivirus content upgrade info due to generic communication error" "Failed to check Content content upgrade info due to generic communication error" "Connection to Update server closed: staticupdates.paloaltonetworks.com"   Any other suggestions would be appreciated.  I am on version 4.1 and yes my licensing is current and there are no licensing errors.

L4 Transporter

Hello,

I have many PA firewall installed on customer site.

One of them report the same error message : "Failed to check Antivirus content upgrade info due to generic communication error"

DNS check is ok (updates.paloaltonetworks.com)

Cluster (PA500) is  running 4.1.8h1.

Regards,

HA

Hi Paula,

Telnet on you Palo Alto appliance uses the management interface as the source of the connection.

If you can successful connect to updates.paloaltonetworks.com and staticupdates.paloaltonetworks.com on port 443, it will show the 'connected to <hostname>'.

That confirms that there is no connectivity issue between the management interface and the update server.

You mentioned that your licensing is up to date as well, which pretty much leaves to my knowledge only the 'service routes' as a possible issue.

Check that Device > Setup > Services > Service Route Configuration uses 'use default' as the source for Palo Alto Updates.

Other than that I suggest to open a ticket with support.

Thanks

Ulli

Screen Shot 2013-01-10 at 07.54.55 .png

Below the tail of a successful update check, maybe that gives you an comparison to your and a hint what might be wrong on your box.

admin@PA4020> tail follow yes mp-log ms.log

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 3215 (3.1K) [text/xml]

Saving to: `/tmp/.avinfo.xml.tmp'

     0K                                                      100% 21.2M=0s

2013-01-10 08:00:00 (21.2 MB/s) - `/tmp/.avinfo.xml.tmp' saved [3215/3215]

Jan 10 08:03:14 Getting authorization info for user admin succeeded.

NO_MATCHES

NO_MATCHES

--2013-01-10 08:04:06--  https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.

WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 4149 (4.1K) [text/xml]

Saving to: `/tmp/.contentinfo.xml.tmp'

     0K                                                      100% 78.8K=0.05s

2013-01-10 08:04:50 (78.8 KB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]

NO_MATCHES

NO_MATCHES

--2013-01-10 08:04:51--  https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForVirusUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.

WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 3215 (3.1K) [text/xml]

Saving to: `/tmp/.avinfo.xml.tmp'

     0K                                                      100% 19.6M=0s

2013-01-10 08:04:58 (19.6 MB/s) - `/tmp/.avinfo.xml.tmp' saved [3215/3215]

L2 Linker

I am having the same problem (PA-500),

CLI output

xxxxx@PA-500> tail follow yes mp-log ms.log

Jan 11 10:37:40 client dagger reported op command was SUCCESSFUL

NO_MATCHES

NO_MATCHES

--2013-01-11 10:37:42--  https://updates.paloaltonetworks.com/Updates/UpdateService2.asmx/CheckForSignatureUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.

Unable to establish SSL connection.

I don't know what happened but updates are running again. I did no changes in configuration...

L4 Transporter

The last 4 days my scheduled updates have failed.  I just manually updated through the GUI and it downloaded and installed fine?

L1 Bithead

I'm also getting the same message. I logged into the GUI and the antivirus signature was the lastest version. I check for antivirus updates every hour so it maybe failing once in a while but this never happened until about 2-3 weeks ago.

I resolved the problem by updating the firmware.  It was the last thing I tried and I have not had any problems with the scheduled updates since the upgrade.

Also, make sure DNS if configured so the firewall can resolve updates.paloaltonetworks.com.

 

 

  • 1 accepted solution
  • 28563 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!