I had a similar issue although I am just using the MGMT interface to connect to Panorama. I had the problem on a PA-820 I got as an RMA, and also on Palo VMs. This problem is caused by the new Panorama Device Registration Auth Key. We're running PAN-OS 10.1.
tail follow yes mp-log ms.log on Panorama shows a bunch of SC3 errors like "keyfile not exists", "bad certificate", "Failed to get the current CA name", "Failed to get the Current CC name", "failed to get SNI", "failed to get CCN".
tcpdump filter "port 3978" on the firewall followed by view-pcap mgmt-pcap mgmt.pcap shows the device communicating with Panorama but the device sends a RST.
Our solution was to reset sc3.
We had to do it both on the device and on Panorama to get things to work.
Palo doesn't recommend doing it on Panorama but we couldn't get it working until we did that.
Start by resetting sc3 on the device as shown in the three steps below.
1. On the cli of the firewall:
show system info (copy the s/n for step 2)
request sc3 reset (reply y to the prompt)
debug software restart process management-server (wait for the management-server process to come back up)
2. On Panorama cli: clear device-status deviceid <device s/n>
3. Reconnect to the firewall cli and do: request authkey set <authkey> (the authkey is on Panorama, Panorama tab, on the left pane near the bottom, "Device Registration Auth Key"). If no key appears, click Add to create a new one. (I just gave it a name and specified a 1 day lifetime.) Then copy/paste it into the command above.
It may take a minute or so and in some cases these steps may need to be done twice. But, if this does not work you may need to do the "request sc3 reset" and "debug software restart management-server" on Panorama (not recommended). Once the management-server process is back up, log into the Panorama UI, delete any device reg auth key and generate a new one. Then repeat the 3 steps above using the new Device Auth Reg Key.
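A small triage helper, added here as an example and not part of the original post: it scans ms.log text for the SC3 error strings quoted above and flags the pattern the post associates with a stale Device Registration Auth Key. The log line format, the sample excerpt and the "keyfile missing plus at least two identity failures" threshold are all my assumptions, not Palo Alto's.

```python
from collections import Counter

# SC3 error substrings the post reports seeing in ms.log on Panorama when the
# device-registration handshake fails. Matched case-insensitively.
SC3_ERRORS = [
    "keyfile not exists",
    "bad certificate",
    "failed to get the current ca name",
    "failed to get the current cc name",
    "failed to get sni",
    "failed to get ccn",
]

# Constructed sample ms.log excerpt; the line layout is assumed, not copied from a device.
SAMPLE_MS_LOG = """\
2023-03-01 10:15:02.101 -0800 Info: ms_device_status: device 012345678901 state change
2023-03-01 10:15:02.204 -0800 Error: sc3_ssl_ctx: keyfile not exists
2023-03-01 10:15:02.205 -0800 Error: sc3_handshake: bad certificate
2023-03-01 10:15:02.206 -0800 Error: sc3_handshake: Failed to get the current CA name
2023-03-01 10:15:02.207 -0800 Error: sc3_handshake: failed to get SNI
2023-03-01 10:15:03.010 -0800 Info: cfg commit finished
2023-03-01 10:15:07.311 -0800 Error: sc3_ssl_ctx: keyfile not exists
2023-03-01 10:15:07.312 -0800 Error: sc3_handshake: failed to get CCN
"""


def count_sc3_errors(log_text):
    """Return a Counter of how often each known SC3 error string appears in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        lowered = line.lower()
        for err in SC3_ERRORS:
            if err in lowered:
                counts[err] += 1
    return counts


def looks_like_authkey_problem(log_text, min_identity_failures=2):
    """Heuristic (assumed threshold): a missing keyfile together with at least
    min_identity_failures TLS/identity errors matches the auth-key failure pattern."""
    counts = count_sc3_errors(log_text)
    missing_key = counts["keyfile not exists"] >= 1
    identity_failures = sum(v for k, v in counts.items() if k != "keyfile not exists")
    return missing_key and identity_failures >= min_identity_failures


if __name__ == "__main__":
    for err, n in sorted(count_sc3_errors(SAMPLE_MS_LOG).items()):
        print(f"{n:3d}  {err}")
    print("auth-key problem suspected:", looks_like_authkey_problem(SAMPLE_MS_LOG))
```

Feed it the output of tail follow yes mp-log ms.log (or a saved copy) to see whether the error cluster is present before going through the sc3 reset steps.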