Push to devices failed reason SSL handshake fail

Hello Team,

Recently we have been unable to push config changes to devices from Panorama (version 10.1.6-h6); it fails with this error message: Panorama connectivity check failed. SSL handshake failed, reverting configuration

 

Any suggestion?

Regards.


Hi @Jbergill1 ,

Recent Panorama OS versions have a feature which tells the firewall to check connectivity with Panorama immediately after the config push is completed. The purpose of this check is to verify that your last commit is not causing any issues with communication between the firewall and Panorama, which would make your firewall unmanageable (and probably unreachable).

If the check is successful - the firewall can connect to Panorama, and the config is considered completely installed.

If the check fails - the firewall cannot reach Panorama, and the firewall will automatically start reverting your last push.

Unfortunately the error message in the commit is very generic - it just tells you that the firewall cannot establish an HTTPS connection with Panorama, but the real reason could be anything; it really depends on what configuration you are trying to push and what the difference is between the new and the currently running config.

In a nutshell, your last commit breaks the communication between the firewall and Panorama. You need to figure out what it is and fix it before pushing to the device.

I recently experienced something similar - I modified one rule on a remote firewall from using any service to application-default. PAN firewalls have an App-ID for traffic to Panorama - the app is called "panorama", but it depends on ssl (because the real traffic is HTTPS based). The problem is that this traffic uses a specific port, which is not the default for ssl, so my rule was no longer matching. For that reason, when pushing the config to the FW, it immediately started blocking the traffic from the FW to Panorama.

So my advice is:

- Check your traffic/unified logs and see if you have any blocked traffic from the FW mgmt to the Panorama IP.

- Review your config push: are you changing anything related to the Panorama config? Panorama IP, FW mgmt, SSL certificates.
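As an added example (not code from the thread or from Palo Alto Networks), the following Python scan performs the first of the two checks above over a few constructed traffic-log lines: it pulls out every session from the firewall's management IP to Panorama, counts the ones that were denied, and records the rule and the App-ID the firewall had assigned when it dropped them. The IP addresses, TCP 3978 as the firewall-to-Panorama management port, the simplified column order and the sample log lines are all assumptions made for this example.

```python
"""Scan a traffic-log export for dropped firewall-to-Panorama sessions.

Added example for this thread, not code from the poster or from Palo Alto
Networks. Everything below is constructed for illustration: the IP
addresses, the simplified comma-separated column order (a real PAN-OS CSV
export has many more columns), and the sample log lines themselves.
"""
import csv
import io

FW_MGMT_IP = "10.0.0.5"     # assumed firewall management-interface IP
PANORAMA_IP = "10.0.0.10"   # assumed Panorama IP
PANORAMA_PORT = 3978        # TCP port the firewall uses to reach Panorama

# Simplified column order assumed for this example.
FIELDS = ["receive_time", "src", "dst", "dport", "app", "action", "rule",
          "session_end_reason"]

# Constructed sample: two allowed Panorama sessions, one unrelated client
# flow, and two Panorama sessions denied by the rule after it was switched
# to application-default (App-ID only got as far as "ssl" on tcp/3978,
# which is the symptom the post above describes).
SAMPLE_LOG = """\
2024/05/01 10:00:01,10.0.0.5,10.0.0.10,3978,panorama,allow,mgmt-to-panorama,tcp-fin
2024/05/01 10:00:05,10.0.0.7,10.0.0.10,443,web-browsing,allow,lan-out,tcp-fin
2024/05/01 10:01:10,10.0.0.5,10.0.0.10,3978,ssl,deny,mgmt-to-panorama,policy-deny
2024/05/01 10:01:12,10.0.0.5,10.0.0.10,3978,ssl,deny,mgmt-to-panorama,policy-deny
2024/05/01 10:02:00,10.0.0.5,10.0.0.10,3978,panorama,allow,mgmt-to-panorama,tcp-fin
"""


def parse_traffic_log(text):
    """Parse the simplified CSV export into a list of dicts (dport as int)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["dport"] = int(row["dport"])
        rows.append(row)
    return rows


def panorama_sessions(rows, fw_ip=FW_MGMT_IP, panorama_ip=PANORAMA_IP):
    """Sessions from the firewall's mgmt IP to Panorama, whatever the verdict."""
    return [r for r in rows if r["src"] == fw_ip and r["dst"] == panorama_ip]


def blocked_panorama_sessions(rows, fw_ip=FW_MGMT_IP, panorama_ip=PANORAMA_IP):
    """The check from the post: any non-allowed FW-mgmt -> Panorama session."""
    return [r for r in panorama_sessions(rows, fw_ip, panorama_ip)
            if r["action"] != "allow"]


def summarize(rows, fw_ip=FW_MGMT_IP, panorama_ip=PANORAMA_IP):
    """Condense the findings into what you would bring to the rule review:
    how many sessions were dropped, which rule dropped them, which App-ID the
    firewall had assigned at the time, and whether the pattern matches the
    application-default case from the post ("ssl" rather than "panorama" on
    the Panorama management port)."""
    blocked = blocked_panorama_sessions(rows, fw_ip, panorama_ip)
    return {
        "denied_count": len(blocked),
        "denied_rules": sorted({r["rule"] for r in blocked}),
        "denied_apps": sorted({r["app"] for r in blocked}),
        "denied_ports": sorted({r["dport"] for r in blocked}),
        "app_default_suspect": any(
            r["app"] == "ssl" and r["dport"] == PANORAMA_PORT for r in blocked),
    }


if __name__ == "__main__":
    summary = summarize(parse_traffic_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Point the constants at your own management and Panorama addresses and feed it a CSV export filtered to the same column order. A result of zero denied sessions, as the original poster reports below, only rules out a policy drop; the next step is then a packet capture on the management interface to see whether the TLS handshake itself completes.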

Thanks for your answer.

 

Regarding your advice: there was no denied traffic between the FW and Panorama, and there was no configuration change to justify it. Investigating the issue, the key was the secure connection between Panorama and the FW; in fact the error was visible in the traffic capture as a TLS handshake issue. Enabling and configuring secure communication between the FW and Panorama has solved the problem.

 

Palo Alto support can't explain to me how it was working before without that configuration.

 

Thanks and regards.

I still remember the issue when people upgraded their GlobalProtect app and firewall and saw the error "Could not verify the server certificate of the gateway": https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004O5iCAE

 

That issue was caused by the newer versions having stronger security checks, so this could be the same case.


Followed this doc and the issue was resolved: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlJpCAI

However, this might not be a scalable solution if you have to do this for a large number of managed firewalls via Panorama. Expecting a better and easier resolution in the future.
