New VM asks for password using SSH


L1 Bithead

I've installed a new firewall using Bundle 1, I get this error with a new VM

 

One of them worked correctly, but after I killed it, I started to get these issues. Any idea what can be wrong?

The PEM key is the proper one, created when I launched the machine

 

This seems to happen after I killed the first "bundle 1 machine" and it said trial expired. I re-subscribed (hourly rate) but I still can't get to the machines

 

➜  Downloads ssh -i paloalto.pem admin@REDACTEDIP -v
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/xxx/.ssh/config
debug1: /Users/xxx/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug1: Connecting to REDACTEDIP [REDACTEDIP] port 22.
debug1: Connection established.
debug1: identity file paloalto.pem type -1
debug1: identity file paloalto.pem-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_12.1
debug1: match: OpenSSH_12.1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to REDACTEDIP:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: ecdh-sha2-nistp256
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: umac-64-etm@openssh.com compression: none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:+qi4tx18hKBnH3R12SYeAF2XtsL1df+A+3EHsabgYi0
debug1: Host 'REDACTEDIP' is known and matches the RSA host key.
debug1: Found key in /Users/xxx/.ssh/known_hosts:40
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: Will attempt key: paloalto.pem  explicit
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: paloalto.pem
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Password: 

 

 


Accepted Solutions

L4 Transporter

In all honesty, wait longer and reconnect your SSH session. You will get the password prompt during the firewall start-up, which could take 10-15 minutes. Once you log in with the pem file you should set a password and commit.

 

configure

set mgt-config users admin password

commit


L1 Bithead

Running into this same issue. We've let it sit for days, re-spun it up with a different AMI (10.1.3, and 10.1.6), and still the same issue. It worked once, and now will not again. 

 

L1 Bithead

Any ideas?

L1 Bithead

We are having a similar issue: with or without management swap at instance launch state, the firewall is still asking for a password. Launched almost 10 firewalls (BYOL, bundle2) and same behavior. Tried to change the pem key as well, no luck. This is really frustrating; I have launched a couple of Palo Alto firewalls in the past but never experienced anything like this. Has anyone found the solution?

 

L1 Bithead

@RPendela 

 

Our issue turned out to be that you cannot turn off the EC2 instance metadata, or force HTTPS tokens on the EC2 instance metadata endpoint. This is because the Palo uses this endpoint to grab the public key to add to the user at launch. They should code the bootstrap process to use the IMDBS tokens.
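
A check for the condition described in the reply above, as an added example that is not part of the original thread: it reads `aws ec2 describe-instances` JSON and flags instances whose metadata settings would stop a launch-time key fetch that does not send session tokens. The sample document, instance IDs, key name and the function name `imds_findings` are constructed for illustration.

```python
import json

# Constructed sample shaped like `aws ec2 describe-instances` output.
# Instance IDs and the key name are placeholders, not values from the thread.
SAMPLE = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-example-ok", "KeyName": "paloalto",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-example-tokens", "KeyName": "paloalto",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
    {"InstanceId": "i-example-off",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"}},
]}]})


def imds_findings(describe_instances_json):
    """Map instance ID -> reasons a token-less metadata key fetch would fail."""
    findings = {}
    doc = json.loads(describe_instances_json)
    for reservation in doc.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions")
            reasons = []
            if not opts:
                # Nothing reported: do not guess a default, surface it instead.
                reasons.append("metadata options not reported")
            else:
                if opts.get("HttpEndpoint") != "enabled":
                    reasons.append("metadata endpoint disabled")
                if opts.get("HttpTokens") == "required":
                    reasons.append("session tokens required (IMDSv2 only)")
            if not inst.get("KeyName"):
                # No key pair at launch means there is no public key to fetch.
                reasons.append("no key pair attached at launch")
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


if __name__ == "__main__":
    for instance_id, reasons in imds_findings(SAMPLE).items():
        print(f"{instance_id}: {'; '.join(reasons)}")
```

Setting `HttpTokens` back to `optional` re-enables IMDSv1 on that instance, so limit the change to the firewall instance itself rather than applying it fleet-wide.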

Cyber Elite

Hi @RPendela ,

 

What does the prompt say?

 

Thanks,

 

Tom
