Firewall unable to connect to Panorama with "Cert verify failed" error
24896
Created On 05/12/20 06:37 AM - Last Modified 05/14/20 22:27 PM
Symptom
The firewall is unable to connect to Panorama and shows the following error and log events:
Firewall
- The firewall system log does not show a "Connected to Panorama Server" event
- A "Cert verify failed: error: 9" message is reported in the firewall ms.log about every 10 seconds
* var/log/pan/ms.log
1970-05-10 18:33:53.347 -0700 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:33:53.348 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!
1970-05-10 18:34:03.548 -0700 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:34:03.548 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!
Panorama
- The Panorama system log and reportd.log show the firewall connecting to Panorama briefly and then disconnecting; a similar sequence of events repeats every few minutes
* show_log_system.txt
2020/05/11 18:33:50 2020/05/11 18:33:50 info tls panoram 0 0007HQTACLAB000 Client authentication successful
PAN-OS ver: 8.1.10 Panorama ver:9.0.7 Client IP: 10.46.32.122 Server IP: 10.46.55.60 Client CN: 0006C105644
2020/05/11 18:33:50 2020/05/11 18:33:50 info general general 0 0007HQTACLAB000 0006C105644 connected
2020/05/11 18:35:01 2020/05/11 18:35:01 info general general 0 0007HQTACLAB000 0006C105644 disconnected
2020/05/11 18:35:01 2020/05/11 18:35:01 info tls tls-ses 0 0007HQTACLAB000 Device 0006C105644 disconnected from the server
* var/log/pan/reportd.log
2020-05-11 18:33:50.275 -0700 Handling device conn update [new connection] for 0006C105644
2020-05-11 18:33:50.275 -0700 connection to 0006C105644 is now ready
...
2020-05-11 18:35:01.660 -0700 connmgr: received disconnect cb from ms for 0006C105644(1000693)
2020-05-11 18:35:01.660 -0700 connmgr: connection entry removed. devid=0006C105644 sock=4294967295 result=0
2020-05-11 18:35:01.660 -0700 Handling device conn update [disconnection] for 0006C105644
2020-05-11 18:35:01.660 -0700 connection to 0006C105644 is now removed
2020-05-11 18:35:01.660 -0700 Error: reportd_connection_removal_callback(util.c:2960): connection to 0006C105644 is now removed
2020-05-11 18:35:01.660 -0700 connmgr: connection entry removed. devid=0006C105644 (1000693)
Environment
- PAN-OS 7.1 and above.
- Palo Alto Firewall
- Panorama
Cause
- The firewall system time (date and year) is inaccurate, with a large time skew relative to the Panorama system time; the firewall therefore rejects the certificate presented by Panorama as "not yet valid".
- This problem is commonly observed on a brand new firewall or a replacement (RMA) firewall whose system time has never been set (configured).
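As an added illustration (not part of the original article), the following Python script correlates the firewall ms.log "error: 9" lines with the Panorama system-log "connected" event to measure the clock skew described in the Cause section. The sample log lines are constructed from the entries quoted above, and the Panorama UTC offset is an assumed -0700 because the Panorama system log carries no zone field (reportd.log shows -0700).

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the ms.log and Panorama system-log
# entries quoted in this article (not captured from a live device).
MS_LOG = """\
1970-05-10 18:33:53.347 -0700 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:33:53.348 -0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!
"""
PANORAMA_SYSLOG = """\
2020/05/11 18:33:50 2020/05/11 18:33:50 info general general 0 0007HQTACLAB000 0006C105644 connected
"""

MS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4}) .*"
                   r"Cert verify failed: error: (\d+)")
PANO_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .* (\S+) connected$")

def parse_cert_failures(ms_text):
    """(firewall timestamp, verify error code) for each 'Cert verify failed' line."""
    hits = []
    for m in filter(None, map(MS_RE.match, ms_text.splitlines())):
        ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S %z")
        hits.append((ts, int(m.group(3))))
    return hits

def parse_connected(pano_text, utc_offset="-0700"):
    """(Panorama timestamp, device serial) for each '<serial> connected' line.
    The system log has no zone field; utc_offset is an assumption (reportd.log shows -0700)."""
    hits = []
    for m in filter(None, map(PANO_RE.match, pano_text.splitlines())):
        ts = datetime.strptime(f"{m.group(1)} {utc_offset}", "%Y/%m/%d %H:%M:%S %z")
        hits.append((ts, m.group(2)))
    return hits

def diagnose(ms_text, pano_text, max_skew=timedelta(minutes=5)):
    """Correlate the first error-9 failure with the first Panorama 'connected' event.
    Returns None when either log lacks the event; otherwise a small verdict dict."""
    fails = [f for f in parse_cert_failures(ms_text) if f[1] == 9]
    conns = parse_connected(pano_text)
    if not fails or not conns:
        return None
    fw_time, pano_time, serial = fails[0][0], conns[0][0], conns[0][1]
    skew = pano_time - fw_time  # positive when the firewall clock is behind Panorama
    return {"serial": serial, "skew": skew,
            "clock_skew_likely": abs(skew) > max_skew,
            # a clock behind the issuer's is what makes a cert "not yet valid"
            "firewall_behind": skew > max_skew}
```

With the sample lines the verdict reports a skew of roughly fifty years, matching the 1970 firewall timestamps against the 2020 Panorama timestamps in the article.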
Resolution
Set the firewall system date and time to match the Panorama time or the firewall's local time using one of the following methods:
1. Set the system time manually
Device > Setup > Management > General Settings > Time Zone; Date; Time
or from the firewall command line:
PA-xxxx> set clock date YYYY/MM/DD time hh:mm:ss
2. Configure the firewall to synchronize with an NTP server
Device > Setup > Services > NTP Server Address