Cannot connect Log Collector to Panorama


L2 Linker

Going mad here trying to connect a dedicated log collector to a Panorama HA pair.

Followed this procedure

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/set-up-the-panorama-v...

 

I get as far as step 12, but after the commit it never reports connected and I never get a status.

The log collector is reporting disconnected

admin@Panorama> show panorama-status

Panorama Server 1 : 10.201.24.12
    Connected     : no
    HA state      : disconnected

Panorama Server 2 : 10.201.25.12
    Connected     : no
    HA state      : disconnected

The log is constantly cycling this

2022-10-14 11:44:47.330 +0000 CMSA: Source bind sock to 10.201.25.13
2022-10-14 11:44:47.330 +0000 COMM: Source bind sock 18 to 10.201.25.13 before connect to remote ip [10.201.25.12] @port 3978
2022-10-14 11:44:47.331 +0000 COMM: connection established. sock=18 remote ip=10.201.25.12 port=3978 local port=45361
2022-10-14 11:44:47.331 +0000 cms agent: Pre. send buffer limit=87040. s=18
2022-10-14 11:44:47.331 +0000 cms agent: Post. send buffer limit=425984. s=18
2022-10-14 11:44:47.331 +0000 Warning:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.331 +0000 SC3: CA: 'a83fdd6a-3842-4806-962b-4af693a2744d', CC/CSR: '353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.335 +0000 CMSA: Source bind sock to 10.201.25.13
2022-10-14 11:44:47.335 +0000 COMM: Source bind sock 19 to 10.201.25.13 before connect to remote ip [10.201.24.12] @port 3978
2022-10-14 11:44:47.336 +0000 SC3: context initialized using SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.336 +0000 cmsa: client will use SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.336 +0000 COMM: connection established. sock=19 remote ip=10.201.24.12 port=3978 local port=39935
2022-10-14 11:44:47.336 +0000 cms agent: Pre. send buffer limit=87040. s=19
2022-10-14 11:44:47.336 +0000 cms agent: Post. send buffer limit=425984. s=19
2022-10-14 11:44:47.336 +0000 Warning:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.336 +0000 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=18 err=1
2022-10-14 11:44:47.337 +0000 SC3: CA: 'a83fdd6a-3842-4806-962b-4af693a2744d', CC/CSR: '353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.341 +0000 SC3: context initialized using SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.341 +0000 cmsa: client will use SNI: a83fdd6a-3842-4806-962b-4af693a2744d
2022-10-14 11:44:47.342 +0000 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=19 err=1

Repeated the process multiple times, but same failure every time. Both sides are running 10.1.6-h6


Cyber Elite

Hello @alan-griffiths

 

Thanks for the post.

 

1.) Could you make sure that log collector has the same time and time zone as Panorama?

2.) Could you make sure that log collector has set DNS server?

3.) Could you make sure that log collector has device management license applied?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L3 Networker

Hi Alan-Griffiths

Your Panorama HA state displays disconnected, so I think you should recover the HA state and then check the log collector connection status.

Hi, sorry for the late reply, I was on leave last week. I have validated 1) and 2), but what is the command to check 3)?

Cyber Elite

Thank you for the reply @alan-griffiths

 

You can check it from the CLI with: request license info

This license: "Device Management License" should be listed under Feature.

 

Kind Regards

Pavel


Confirmed device mgt license is present.

Cyber Elite

Hello @alan-griffiths

 

Thank you for the reply.

 

Could you confirm the PAN-OS version of both Panorama as well as Log Collector?

Could you confirm that Log Collector's certificate is not expired? Navigate to: https://<Log Collector IP>:3978

Could you confirm what the logs on the Panorama side say?

 

Kind Regards

Pavel


Both Panorama and LC are running 10.1.6-h6.

Confirmed LC cert is still valid.

Panorama log is filled with these

2022-10-25 09:34:50.101 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:34:52.147 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
139678809425664:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:00.456 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678792640256:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:02.500 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
139678733891328:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:10.811 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678826211072:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:12.847 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:21.164 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678826211072:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:35:23.202 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.

I opened a support ticket for this exact issue. This KB article solved the issue for me:

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/troubleshooting/recover-managed-devic...

I skipped over step 2.2 because there was no managed device to reset.

Good luck.

Ah, you're about 6 hours too late. I'd just opened a ticket and got the same info. The Palo documentation is baffling. There are two separate pages detailing how to configure a dedicated log collector. One page includes a step to reset the sc3, the other one doesn't.

 

This is the page support told me to use https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-log-collection/log-collection-...
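
Added example, not part of any post in this thread and not Palo Alto Networks code: a short Python correlation of the two logs quoted above. It shows that the collector reaches both Panorama peers over TCP on port 3978 and that the TLS handshake then fails because Panorama logs the collector's SNI as unknown. The regexes are assumptions derived only from the log lines posted here, and the function names are hypothetical.

```python
import re

# Lines copied from the two logs posted in this thread (trimmed selection).
COLLECTOR_LOG = """\
2022-10-14 11:44:47.331 +0000 COMM: connection established. sock=18 remote ip=10.201.25.12 port=3978 local port=45361
2022-10-14 11:44:47.331 +0000 Warning:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:905): SC3A: client will use sni:'a83fdd6a-3842-4806-962b-4af693a2744d' and ccn:'353cea78-6757-45ac-9073-8fa13c4e2090'
2022-10-14 11:44:47.336 +0000 COMM: connection established. sock=19 remote ip=10.201.24.12 port=3978 local port=39935
2022-10-14 11:44:47.336 +0000 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=18 err=1
2022-10-14 11:44:47.342 +0000 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1208): panorama agent: SSL connect error. sock=19 err=1
"""
PANORAMA_LOG = """\
2022-10-25 09:34:50.101 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'ae25c29c-0b84-4ff3-8b7e-5a2877411c8a'.
139678775854848:error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext:s3_srvr.c:1181:
2022-10-25 09:34:52.147 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
2022-10-25 09:35:02.500 +0000 Error:  sni_ssl_servername_cb(src_cms/cms_server.c:654): Unknown SNI: 'a83fdd6a-3842-4806-962b-4af693a2744d'.
"""

ESTABLISHED = re.compile(r"connection established\. sock=(\d+) remote ip=(\S+) port=(\d+)")
CLIENT_SNI = re.compile(r"client will use sni:'([0-9a-f-]+)'", re.I)
TLS_FAIL = re.compile(r"SSL connect error\. sock=(\d+) err=(\d+)")
UNKNOWN_SNI = re.compile(r"Unknown SNI: '([0-9a-f-]+)'")

def collector_view(log):
    """Return (SNIs the collector offers, peers where TCP connected but TLS failed)."""
    snis, sock_peer, failed = set(), {}, set()
    for line in log.splitlines():
        if m := ESTABLISHED.search(line):
            sock_peer[m.group(1)] = f"{m.group(2)}:{m.group(3)}"  # sock ids get reused; keep latest
        elif m := CLIENT_SNI.search(line):
            snis.add(m.group(1).lower())
        elif m := TLS_FAIL.search(line):
            failed.add(sock_peer.get(m.group(1), f"sock {m.group(1)} (peer not seen)"))
    return snis, failed

def diagnose(collector_log, panorama_log):
    """Correlate both sides: is the SNI the collector sends one that Panorama rejects?"""
    snis, failed = collector_view(collector_log)
    rejected = set(UNKNOWN_SNI.findall(panorama_log))
    return {
        "tcp_ok_tls_failed": sorted(failed),
        "collector_sni_rejected": sorted(snis & rejected),
        "other_rejected_sni": sorted(rejected - snis),
    }

if __name__ == "__main__":
    print(diagnose(COLLECTOR_LOG, PANORAMA_LOG))
```

When `collector_sni_rejected` is non-empty and both peers appear in `tcp_ok_tls_failed`, the failure is in the collector's secure-channel identity rather than in reachability, which is consistent with the sc3 reset step mentioned in the thread.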

 
