M-100 Not Connecting to Panorama, Error Message on the M-100: "error while loading serial number"
Panorama cannot connect to the M-100 hardware.
The mp-log ms.log file on the M-100 shows the following:
unable to load number from /opt/pancfg/mgmt/cms/ssl/internal/serial
error while loading serial number
18016:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
Mar 06 16:07:29 Error: regenerate_panorama_ca_signed_cert(pan_system_settings.c:6696): cert generation failed: Failed to generate self signed certificate and key
Mar 06 16:07:29 Error: pan_system_setting_change_cms_cert_settings(pan_system_settings.c:6787): Failed to generate Panorama certificate. Devices may not be able to connect.
Mar 06 16:07:29 db quota for traffic set to 12938 MB
Verify by using the following indicators:
- Unable to connect to port 3978 from Panorama
- Netstat output does not reflect anything listening on 3978 on the member
- Ping works successfully
- On both boxes, the CN of the cert in local.cert is the management IP address of the secondary Panorama server, so both members have the same local.cert.
- Run the CLI command > show panorama-certificates on both members; the secondary unit (Passive) has no certs at all
-rw-r--r-- 1 root root 5.8K Jan 30 14:00 client.pem
-rw-r--r-- 1 root root 5.8K Feb 14 15:16 client_001901000475.pem
-rw-r--r-- 1 root root 5.8K Feb 14 12:40 client_002201000535.pem
-rw-r--r-- 1 root root 5.8K Feb 14 12:40 client_002201000536.pem
-rw-r--r-- 1 root root 5.8K Jan 30 14:00 client_009201000401.pem
-rw-r--r-- 1 root root 5.8K Jan 30 14:00 server.pem
The secondary unit needs to have the server.pem file in order to start the services to listen for Panorama.
The file system is preventing the serial number from being read correctly. Because of this, port 3978 is not listening for Panorama.
In order to restore functionality to the device, perform a factory reset on the hardware.
For additional information on a hardware factory reset, reference the following document: How to Factory Reset a Palo Alto Networks Device
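An offline check for the indicators listed above, added here as an example and not Palo Alto Networks code: it scans ms.log lines for the error signatures shown on this page and checks netstat-style output for a listener on port 3978. The function names and the netstat column layout (Linux `netstat -an`) are assumptions, and the netstat sample is constructed.

```python
import re

# Signatures copied from the ms.log excerpt on this page.
SIGNATURES = {
    "serial_unreadable": re.compile(r"unable to load number from (\S+)"),
    "asn1_short_line": re.compile(r"a2i_ASN1_INTEGER:short line"),
    "cert_generation_failed": re.compile(r"regenerate_panorama_ca_signed_cert\(.*?\): cert generation failed"),
    "panorama_cert_failed": re.compile(r"Failed to generate Panorama certificate"),
}
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) ")

def triage_ms_log(lines):
    """Map each matched signature to a list of (line_no, timestamp or None)."""
    hits = {}
    for no, line in enumerate(lines, 1):
        ts = TIMESTAMP.match(line)
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits.setdefault(name, []).append((no, ts.group(1) if ts else None))
    return hits

def listening_on(netstat_lines, port=3978):
    """True if a TCP LISTEN socket is bound to `port` (assumed `netstat -an` columns)."""
    for line in netstat_lines:
        f = line.split()  # proto, recv-q, send-q, local, foreign, state
        if (len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN"
                and f[3].rsplit(":", 1)[-1] == str(port)):
            return True
    return False

def matches_serial_failure(log_lines, netstat_lines):
    """All of: serial unreadable, certificate generation failed, nothing on 3978."""
    hits = triage_ms_log(log_lines)
    cert_failed = "cert_generation_failed" in hits or "panorama_cert_failed" in hits
    return "serial_unreadable" in hits and cert_failed and not listening_on(netstat_lines)

# ms.log lines as shown on this page.
MS_LOG = [
    "unable to load number from /opt/pancfg/mgmt/cms/ssl/internal/serial",
    "error while loading serial number",
    "18016:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:",
    "Mar 06 16:07:29 Error: regenerate_panorama_ca_signed_cert(pan_system_settings.c:6696): cert generation failed: Failed to generate self signed certificate and key",
    "Mar 06 16:07:29 Error: pan_system_setting_change_cms_cert_settings(pan_system_settings.c:6787): Failed to generate Panorama certificate. Devices may not be able to connect.",
]
# Constructed netstat sample (not from the page): nothing listening on 3978.
NETSTAT = [
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN",
]
```

`matches_serial_failure(MS_LOG, NETSTAT)` returns `True` only when the serial read error and the certificate generation failure both appear in the log and no listener exists on 3978; a connection problem with a listener present points to a different cause.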