Palo Alto Networks Knowledgebase: Dynamic Updates Display Error after Clicking on Check Now Button

Dynamic Updates Display Error after Clicking on Check Now Button

39114
Created On 02/07/19 23:33 PM - Last Updated 02/07/19 23:34 PM
Device Management Initial Configuration Installation QoS Zone and DoS Protection
Symptom
After checking Dynamic Update under Device tab after clicking on the Check Now button displays the following error:

"Failed to check content upgrade info due to generic communication error. Please check network connectivity and try again."

dnsserver.PNG


Cause
There can be several reasons that cause this message to appear and they are usually related to how the firewall is able to reach out to the internet.

Resolution
  1. Verify the firewall has DNS servers configured to be able to resolve updates.paloaltonetworks.com:
    From the WebGUI: Go to Device > Setup > Services:
    DNS server.png
 
  1. Ensure the firewall has an appropriate Default Gateway and interface speed and duplex are set to match the switch it is connected to:
Management interface.png
 
  1. Make sure the firewall is able to resolve FQDNs:
admin@firewall>ping host www.example.com
PING www.example.com (93.184.216.34) 56(84) bytes of data.
64 bytes from 93.184.216.34: icmp_seq=1 ttl=52 time=107 ms
64 bytes from 93.184.216.34: icmp_seq=2 ttl=52 time=106 ms
64 bytes from 93.184.216.34: icmp_seq=3 ttl=52 time=106 ms
^C
--- www.example.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 106.349/106.643/107.025/0.388 ms
  1. Traceroute out to updates.paloaltonetworks.com verify the correct path is taken (the final host will not reply)
admin@firewall> traceroute host updates.paloaltonetworks.com
traceroute to 199.167.52.141 (199.167.52.141), 30 hops max, 40 byte packets
 1  10.192.16.1 (10.192.16.1)  0.522 ms  0.507 ms  0.497 ms
 2  1.111-11-1.adsl-static.isp.belgacom.be (1.11.111.1)  32.761 ms  32.753 ms  32.740 ms
 3  2.222-22-2.adsl-static.isp.belgacom.be (2.22.222.2)  81.856 ms * *
 4  * * *
 5  * * *
 6  * * *
 7  prs-bb4-link.telia.net (213.155.136.222)  82.884 ms * *
 8  ash-bb4-link.telia.net (62.115.122.159)  142.306 ms  147.212 ms *
 9  sjo-b21-link.telia.net (80.91.248.188)  226.073 ms  222.208 ms  214.858 ms
10  internap-ic-140172-sjo-b21.c.telia.net (213.248.81.134)  201.253 ms  198.637 ms  219.945 ms
11  66.151.144.15 (66.151.144.15)  225.185 ms  242.096 ms  178.880 ms
12  paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  194.397 ms * paloaltonetit-5.border3.sje011.pnap.net (66.151.155.74)  206.609 ms
13  * * *
14  * * *
15  * * *
16  * * *
 
  1. Verify Service Routes are set as expected, some services may need to be redirected over a dataplane interface in case the management network is isolated, use Default or Custom settings:
 service route configuration.png
 
  1. Make sure the firewall is allowed to make outbound connections through the security policy: 
Note: There is no URL filtering or file blocking profile
 
 firewall policy policy.png
  1. If ssl decryption is used, "Verify Update Server Identity" may need to be disabled if updates.paloaltonetworks.com is not excluded from decryption:
    Verify Server Identity.png


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkuCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments