02-14-2024 07:08 AM
Hi,
I have the following issue. I am running Panorama 10.2.7h3, and my new device, a PA440, is also running 10.2.7h3.
When I want to onboard the device into Panorama, it is not working.
I am onboarding the device with authentication keys.
Following the below procedure.
Add a Firewall as a Managed Device (paloaltonetworks.com)
I have also reset the secure communication on the PA440 and tried removing and adding the serials from Panorama.
The connection doesn't come up.
In the ms.log file I am getting the following.
Seems to be related to SSL.
2024-02-14 15:49:05.844 +0100 COMM: connection established. sock=24 remote ip=10.255.125.50 port=3978 local port=54018
2024-02-14 15:49:05.844 +0100 cms agent: Pre. send buffer limit=46080. s=24
2024-02-14 15:49:05.844 +0100 cms agent: Post. send buffer limit=425984. s=24
2024-02-14 15:49:05.844 +0100 Error: cs_load_certs_ex(cs_common.c:544): keyfile not exists
2024-02-14 15:49:05.844 +0100 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1340): cms agent: cs_load_certs_ex failed
2024-02-14 15:49:05.845 +0100 cmsa: client will use default context
2024-02-14 15:49:05.846 +0100 Error: _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5
2024-02-14 15:49:05.846 +0100 Error: sc3_ca_exists(sc3_certs.c:229): SC3: Failed to get the current CA name.
2024-02-14 15:49:05.846 +0100 Warning: sc3_init_sc3(sc3_utils.c:360): SC3: Failed to get the Current CC name
2024-02-14 15:49:05.846 +0100 SC3: CA: '', CC/CSR: 'd41d48e6-c7da-4a61-8307-79ce0cc33ff7'
2024-02-14 15:49:05.846 +0100 Error: _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5
2024-02-14 15:49:05.846 +0100 Warning: sc3_get_current_sc3(sc3_utils.c:184): SC3: failed to get SNI
2024-02-14 15:49:05.846 +0100 Warning: sc3_get_current_sc3(sc3_utils.c:187): SC3: failed to get CCN
2024-02-14 15:49:05.847 +0100 Warning: sc3_init_sctx(sc3_ctx.c:302): SC3: not set, skip cert loading
2024-02-14 15:49:05.847 +0100 SC3A: using SNI (from AK): 4591c212-e525-4d70-92fb-4f5243dff4af
2024-02-14 15:49:05.847 +0100 SC3A: using sc3 ctx with no cert
2024-02-14 15:49:05.901 +0100 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1719): panorama agent: SSL connect error. sock=24 err=5
Am I missing something?
Taking a pcap also shows that Panorama is just resetting the connection.
Any help on this would be appreciated.