Firewall unable to connect to Panorama with "Cert verify failed" error


Created On 05/12/20 06:37 AM - Last Modified 05/14/20 22:27 PM


Symptom


Firewall unable to connect to Panorama with the following error and log events:

Firewall
  • Firewall system log does not show the "Connected to Panorama Server" event
  • The "Cert verify failed: error: 9" message is reported in the firewall ms.log about every 10 seconds

* /var/log/pan/ms.log

1970-05-10 18:33:53.347 -0700 Error:  valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:33:53.348 -0700 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!

1970-05-10 18:34:03.548 -0700 Error:  valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:34:03.548 -0700 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!

Panorama
  • Panorama system log and reportd.log show the firewall connecting to Panorama and then disconnecting shortly afterwards; the same sequence of events repeats every few minutes

* show_log_system.txt

2020/05/11 18:33:50 2020/05/11 18:33:50 info     tls            panoram 0  0007HQTACLAB000 Client authentication successful 
PAN-OS ver: 8.1.10 Panorama ver:9.0.7 Client IP: 10.46.32.122 Server IP: 10.46.55.60 Client CN: 0006C105644
2020/05/11 18:33:50 2020/05/11 18:33:50 info     general        general 0  0007HQTACLAB000 0006C105644 connected
2020/05/11 18:35:01 2020/05/11 18:35:01 info     general        general 0  0007HQTACLAB000 0006C105644 disconnected
2020/05/11 18:35:01 2020/05/11 18:35:01 info     tls            tls-ses 0  0007HQTACLAB000 Device 0006C105644 disconnected from the server
 
* /var/log/pan/reportd.log

2020-05-11 18:33:50.275 -0700 Handling device conn update [new connection] for 0006C105644
2020-05-11 18:33:50.275 -0700 connection to 0006C105644 is now ready
...
2020-05-11 18:35:01.660 -0700 connmgr: received disconnect cb from ms for 0006C105644(1000693)
2020-05-11 18:35:01.660 -0700 connmgr: connection entry removed. devid=0006C105644 sock=4294967295 result=0
2020-05-11 18:35:01.660 -0700 Handling device conn update [disconnection] for 0006C105644
2020-05-11 18:35:01.660 -0700 connection to 0006C105644 is now removed
2020-05-11 18:35:01.660 -0700 Error:  reportd_connection_removal_callback(util.c:2960): connection to 0006C105644 is now removed
2020-05-11 18:35:01.660 -0700 connmgr: connection entry removed. devid=0006C105644 (1000693)


Environment


  • PAN-OS 7.1 and above.
  • Palo Alto Firewall 
  • Panorama


Cause


  • The firewall's system time (date and year) is inaccurate, with a large skew relative to Panorama's system time; the Panorama certificate's validity period therefore lies in the firewall's future and the firewall rejects it as "not yet valid".
  • This problem is commonly seen on a brand-new firewall or a replacement (RMA) firewall whose system time has never been set (configured).
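As an added example (not from the article or from Palo Alto Networks), the following Python script parses ms.log lines of the form shown above, picks out the "Cert verify failed" events, measures how often they repeat, and compares the firewall timestamp against the Panorama-side timestamp from show_log_system.txt to quantify the skew. The sample lines are constructed from the article's excerpts; the function names, the assumed -0700 offset for the Panorama log (which carries no UTC offset), and the treatment of OpenSSL verify code 10 (certificate has expired) as the mirror case of code 9 are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the article's ms.log excerpt (firewall clock stuck in 1970).
MS_LOG_SAMPLE = """\
1970-05-10 18:33:53.347 -0700 Error:  valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:33:53.348 -0700 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!
1970-05-10 18:34:03.548 -0700 Error:  valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 9 (certificate is not yet valid)
1970-05-10 18:34:03.548 -0700 Error:  pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:936): cms sent untrusted cert!!
"""

# Constructed Panorama-side timestamp taken from the article's show_log_system.txt
# excerpt; that log carries no UTC offset, so the firewall's -0700 is assumed here.
PANORAMA_TIMESTAMP = "2020/05/11 18:33:50 -0700"

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) "
    r"(?P<level>\w+):\s+(?P<msg>.*)$"
)
CERT_ERR_RE = re.compile(r"Cert verify failed: error: (?P<code>\d+)")

# OpenSSL X509 verify result codes whose usual root cause is a wrong clock.
# The article shows only code 9; code 10 (expired) is the mirror case and is
# included on the assumption that the firewall reports OpenSSL codes unchanged.
CLOCK_RELATED_CODES = {
    9: "certificate is not yet valid",
    10: "certificate has expired",
}


def parse_ms_log(text):
    """Return (timestamp, error_code) for each 'Cert verify failed' line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        err = CERT_ERR_RE.search(m["msg"])
        if not err:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
        events.append((ts, int(err["code"])))
    return events


def cert_time_check(not_before, not_after, clock):
    """Mirror the validity-period test a TLS verifier performs.

    Returns (True, None) when the clock lies inside the period, otherwise
    (False, openssl_code) so callers can match it against CLOCK_RELATED_CODES.
    """
    if clock < not_before:
        return False, 9
    if clock > not_after:
        return False, 10
    return True, None


def diagnose(ms_log_text, panorama_timestamp):
    """Summarise the clock-skew signature: how often the verify error repeats
    and how far the firewall clock is from Panorama's."""
    events = parse_ms_log(ms_log_text)
    clock_errors = [(ts, code) for ts, code in events if code in CLOCK_RELATED_CODES]
    if not clock_errors:
        return {"clock_related": False, "failures": len(events)}

    panorama_now = datetime.strptime(panorama_timestamp, "%Y/%m/%d %H:%M:%S %z")
    firewall_now = clock_errors[-1][0]
    skew = panorama_now - firewall_now

    intervals = [
        (b - a).total_seconds()
        for (a, _), (b, _) in zip(clock_errors, clock_errors[1:])
    ]
    return {
        "clock_related": True,
        "failures": len(clock_errors),
        "codes": sorted({code for _, code in clock_errors}),
        "repeat_seconds": round(sum(intervals) / len(intervals), 1) if intervals else None,
        "skew_days": skew.days,
        # A skew beyond a year is far outside anything NTP will slew; it is the
        # "clock never set" case the article describes, so set the clock by hand first.
        "needs_manual_clock_set": abs(skew) > timedelta(days=365),
    }


if __name__ == "__main__":
    print(diagnose(MS_LOG_SAMPLE, PANORAMA_TIMESTAMP))
```

On the article's data the script reports two code-9 failures about 10 seconds apart and a skew of roughly fifty years, which is why a manual `set clock` is needed before NTP can take over.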


Resolution


Set the firewall system date to match Panorama's time (or the firewall's local time) using one of the following methods:

1. Set the system time manually
Device > Setup > Management > General Settings > Time Zone; Date; Time

or through the firewall command line
PA-xxxx> set clock date YYYY/MM/DD time hh:mm:ss

2. Configure synchronisation with an NTP server
Device > Setup > Services > NTP Server Address


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g0000008U1i&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail