02-28-2022 06:44 AM
Hello I have new deployed Panorama and new PA-440 Firewall.
I setup Panorama with all basic settings like IP address/netmask, default GW, DNS, it has license assigned.
Next I generated AuthKey for the firewalls with validity for 10 days and without SN specified.
PA-440 is in remote location and has a basic WAN setup and IPSec VPN to my datacenter where panorama is.
It has a vlan interface setup in my internal zone and set as source for every service.
I am able to ping Panorama from the PA-440 so network over VPN is working.
When I setup Panorama IP with Auth Key on the firewall and add Firewall on panorama by the Serial Number I still see PA-440 in panorama as Disconnected.
I checked the DataCenter firewall where IPSec is terminated and I can''t see in logs any blocked traffic in between these two.
Port 3978 for Panorama is enabled in security rules and I can see some ssl traffic is passing in Datacenter over this port.
Is there something else I forgott to setup or something else I need to check in order to be able to manage this Firewall by Panorama?
05-12-2022 05:18 PM
We recently experienced the same problem and only saw it on devices 10.1 and up. Last week or two we added devices that were 9.1.0-h3 and traffic matched on Panorama / SSL w/application default no problem. This week with 10.1 we had to add a specific match for SSL on service port 3978 to get them to connect.
05-18-2022 01:31 AM
I faced similar issue recently. Backup firewall looked disconnected on Panorama v10.2. And traffic should be flow over active firewall's IPsec. If you see "TCP session closed via injecting RST" on Palo Alto counter, try to change your security rule with any application and tcp/3978 on service and no security profile. I hope it will solve your problem. It was worked for me.
07-29-2022 11:35 AM
I had a similar issue although I am just using the MGMT interface to connect to Panorama. I had the problem on a PA-820 I got as an RMA, and also on Palo VMs. This problem is caused by the new Panorama Device Registration Auth Key. We're running PAN-OS 10.1.
tail follow yes mp-log ms.log on Panorama shows a bunch of SC3 errors like "keyfile not exists", "bad certificate", "Failed to get the current CA name", "Failed to get the Current CC name", "failed to get SNI", "failed to get CCN".
tcpdump filter "port 3978" on the firewall followed by view-pcap mgmt-pcap mgmt.pcap shows the device communicating with Panorama but the device sends a RST.
Our solution was to reset sc3.
We had to do it both on the device and on Panorama to get things to work.
Palo doesn't recommend doing it on Panorama but we couldn't get it working until we did that.
Start by resetting sc3 on the device as shown in the three steps below.
1. On the cli of the firewall
show system info (copy the s/n for step 2)
request sc3 reset (reply y to the prompt)
debug software restart process management-server
(wait for the management-server process to come back up)
2. On Panorama cli:
clear device-status deviceid <device s/n>
3. Reconnect to the firewall cli and do:
request authkey set <authkey>
(the authkey is on Panorama, Panorama tab, on the left pane near the bottom, "Device Registration Auth Key". If no key appears, click Add to create a new one. (I just gave it a name and specfied 1 day lifetime.) Then copy/paste it into the command above.
It may take a minute or so and in some cases these steps may need to be done twice. But, if this does not work you may need to do the "request sc3 reset" and "debug software restart management-server" on Panorama (not recommended). Once the management-server process is back up, log into the Panorama UI, delete any device reg auth key and generate a new one. Then repeat the 3 steps above using the new Device Auth Reg Key.
08-17-2022 05:14 AM
Thanks for your post. I performed this similar fix on a firewall/Panorama and it resolved the issue. I was seeing the SC3 and bad certificate errors as well.
10-06-2022 09:59 PM
did you find a fix for this issue? I am having the same issue
11-10-2022 12:04 PM
Made my day ! One PA-3220 was suddenly unable to connect to our PRA-25 after downgrading it from 10.2.3 to 10.2.2.h2 and this solved it
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!