I just encountered what I think is a bug and will report it through the PAN-OS folks. We were setting up a connection for the NGFW to the Cortex Data Lake. It wouldn't get the CDL cert. We flipped the HA pair and went through the same process and it worked. After looking through the Device/Setup configs, the ONLY difference was that the one that just worked had 0.pool.ntp.org set in its secondary NTP server setting. We added 0.pool.ntp.org as a secondary, then it grabbed. So then we just took pool.ntp.org right out of both configs and moved 0.pool.ntp.org to the primary. Again, no issues. I think it might be in how we are grabbing those IPs when they resolve, or it's taking too long for the main pool to grab the IPs it wants to provide. Earlier above, there was a comment about using a stable time server; by changing out pool.ntp.org for basically any legit time server, you were probably resolved. If you have any problems with NTP, the first thing I would check would be that you aren't using the generic pool.ntp.org.