10-14-2022 04:56 AM
Going mad here trying to connect a dedicated log collector to a Panorama HA pair.
Followed this procedure
I get as far as step 12, but after the commit it never reports connected and I never get a status.
The log collector is reporting disconnected
admin@Panorama> show panorama-status
Panorama Server 1 : 10.201.24.12
Connected : no
HA state : disconnected
Panorama Server 2 : 10.201.25.12
Connected : no
HA state : disconnected
The log is constantly cycling this
2022-10-14 11:44:47.330 +0000 CMSA: Source bind sock to 10.201.25.13
2022-10-14 11:44:47.330 +0000 COMM: Source bind sock 18 to 10.201.25.13 before connect to remote ip [10.201.25.12] @port 3978
2022-10-14 11:44:47.331 +0000 COMM: connection established. sock=18 remote ip=10.201.25.12 port=3978 local port=45361
2022-10-14 11:44:47.331 +0000 cms agent: Pre. send buffer limit=87040. s=18
2022-10-14 11:44:47.331 +0000 cms agent: Post. send buffer limit=425984. s=18
2022-10-14 11:44:47.331 +0000 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.331 +0000 SC3: CA: 'a83fdd6a-3842-4806-962b-4af693a2744d', CC/CSR: '353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.335 +0000 CMSA: Source bind sock to 10.201.25.13
2022-10-14 11:44:47.335 +0000 COMM: Source bind sock 19 to 10.201.25.13 before connect to remote ip [10.201.24.12] @port 3978
2022-10-14 11:44:47.336 +0000 SC3: context initialized using SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.336 +0000 cmsa: client will use SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.336 +0000 COMM: connection established. sock=19 remote ip=10.201.24.12 port=3978 local port=39935
2022-10-14 11:44:47.336 +0000 cms agent: Pre. send buffer limit=87040. s=19
2022-10-14 11:44:47.336 +0000 cms agent: Post. send buffer limit=425984. s=19
2022-10-14 11:44:47.336 +0000 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.336 +0000 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=18 err=1
2022-10-14 11:44:47.337 +0000 SC3: CA: 'a83fdd6a-3842-4806-962b-4af693a2744d', CC/CSR: '353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.341 +0000 SC3: context initialized using SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.341 +0000 cmsa: client will use SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.342 +0000 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=19 err=1
Repeated the process multiple times, but same failure every time. Both sides are running 10.1.6-h6
10-16-2022 02:42 PM
Hello @alan-griffiths
Thanks for the post.
1.) Could you make sure that the log collector has the same time and time zone as Panorama?
2.) Could you make sure that the log collector has a DNS server set?
3.) Could you make sure that the log collector has the device management license applied?
Kind Regards
Pavel
10-20-2022 08:07 AM
Hi Alan-Griffiths:
Your Panorama HA state displays disconnected, so I think you should recover the HA state, then check the log collector connection status.
10-24-2022 04:28 AM
Hi, sorry for the late reply, I was on leave last week. I have validated 1) and 2), but what is the command to check 3)?
10-24-2022 05:30 AM
Thank you for the reply @alan-griffiths
You can check it from the CLI with: request license info
The license "Device Management License" should be listed under Feature.
Kind Regards
Pavel
10-24-2022 06:52 AM
Confirmed device mgt license is present.
10-24-2022 07:03 PM
Hello @alan-griffiths
Thank you for the reply.
Could you confirm the PAN-OS version of both Panorama and the Log Collector?
Could you confirm that the Log Collector's certificate is not expired? Navigate to: https://<Log Collector IP>:3978
Could you confirm what the logs on the Panorama side say?
Kind Regards
Pavel
10-25-2022 02:37 AM
Both Panorama and LC are running 10.1.6-h6.
Confirmed LC cert is still valid.
Panorama log is filled with these
2022-10-25 09:34:50.101 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:34:52.147 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
139678809425664:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:00.456 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678792640256:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:02.500 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
139678733891328:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:10.811 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678826211072:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:12.847 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:21.164 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678826211072:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:23.202 +0000 Error: sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
10-31-2022 01:54 PM
I opened a support ticket for this exact issue. This KB article solved the issue for me:
I skipped over step 2.2 because there was no managed device to reset.
Good luck.
11-01-2022 03:11 AM
Ah, you're about 6 hours too late. I'd just opened a ticket and got the same info. The Palo documentation is baffling. There are two separate pages detailing how to configure a dedicated log collector. One page includes a step to reset the SC3; the other one doesn't.
This is the page support told me to use https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-log-collection/log-collection-...