EDL Fetch task fails to get Queued in Active/Passive pair
Created On 06/12/19 21:52 PM - Last Modified 03/31/22 19:12 PM
Symptom
- The issue occurs after an FQDN Refresh: the error "update error code -1" appears in the ms-logs files, and the system log shows entries like the following.
2019/03/26 10:10:29 medium general general 0 EDL(PPTR_EDL_Suspicious_Emails) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/26 10:10:29 medium general general 0 EDL(PPTR_EDL_LEGACY) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/26 10:10:29 medium general general 0 EDL(PPTR_EDL_LS_ISAO) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/26 10:10:29 medium general general 0 EDL(PPTR_EDL_TAP) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/26 10:04:20 medium general general 0 FW has lost connection to panorama, no log will be forwarded
2019/03/26 10:04:04 info general general 0 FqdnRefresh job enqueued. Enqueue time=2019/03/26 10:04:04. JobId=303579. . Type: Full
2019/03/29 17:03:53 info general general 0 EDL(PPTR_EDL_TAP) No changes to list file
2019/03/29 17:03:53 medium general general 0 EDL(PPTR_EDL_TAP) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/29 17:03:53 info general general 0 EDL(PPTR_EDL_Suspicious_Emails) No changes to list file
2019/03/29 17:03:53 medium general general 0 EDL(PPTR_EDL_Suspicious_Emails) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
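To check an exported system log for this pattern, the following added example (not from the original article or from Palo Alto Networks) groups EDL fetch timeouts under the FqdnRefresh job that preceded them. The function names and the 10-minute correlation window are assumptions; the line layout and sample entries are taken from the log lines above.

```python
import re
from datetime import datetime, timedelta

# Layout as in the entries above: date time severity type subtype id message
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \w+ \w+ \w+ \d+ (.*)$")
EDL_TIMEOUT_RE = re.compile(r"^EDL\(([^)]+)\) Unable to fetch external dynamic list\. Timeout was reached\.")
FQDN_JOB_RE = re.compile(r"^FqdnRefresh job enqueued\..*JobId=(\d+)")
WINDOW = timedelta(minutes=10)  # assumption: tune to your refresh interval

SAMPLE = """\
2019/03/26 10:10:29 medium general general 0 EDL(PPTR_EDL_Suspicious_Emails) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/26 10:10:29 medium general general 0 EDL(PPTR_EDL_TAP) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
2019/03/26 10:04:20 medium general general 0 FW has lost connection to panorama, no log will be forwarded
2019/03/26 10:04:04 info general general 0 FqdnRefresh job enqueued. Enqueue time=2019/03/26 10:04:04. JobId=303579. . Type: Full
2019/03/29 17:03:53 info general general 0 EDL(PPTR_EDL_TAP) No changes to list file
2019/03/29 17:03:53 medium general general 0 EDL(PPTR_EDL_TAP) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.
""".splitlines()


def parse(lines):
    """Yield (timestamp, message) for each well-formed log line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)


def edl_timeouts_after_fqdn_refresh(lines, window=WINDOW):
    """Return ({JobId: EDL names that timed out within `window` after it}, other timed-out EDLs)."""
    events = list(parse(lines))  # logs are often newest-first, so collect jobs before matching
    jobs = []
    for ts, msg in events:
        job = FQDN_JOB_RE.match(msg)
        if job:
            jobs.append((ts, job.group(1)))
    jobs.sort()
    correlated, uncorrelated = {}, set()
    for ts, msg in events:
        edl = EDL_TIMEOUT_RE.match(msg)
        if not edl:
            continue
        prior = [jid for jts, jid in jobs if timedelta(0) <= ts - jts <= window]
        if prior:  # attribute the timeout to the most recent preceding job
            correlated.setdefault(prior[-1], set()).add(edl.group(1))
        else:
            uncorrelated.add(edl.group(1))
    return correlated, uncorrelated


if __name__ == "__main__":
    print(edl_timeouts_after_fqdn_refresh(SAMPLE))
```

Timeouts that land in the second set have no FqdnRefresh job in the supplied log within the window, so they need a separate look (for example, plain reachability of the EDL source).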
Environment
- 2 Palo Alto Networks Firewalls
- Active/Passive
- EDL configured
- Passive firewall has the following configured:
  - Direct Internet Access
  - Sync To Peer
Cause
Dynamic updates don't always show as synchronized, which may be causing the multiple queued jobs issue, where the jobs cannot be canceled. Having the firewall perform both tasks, "Download and Install" and "sync-to-peer", on the passive member causes it to queue too many tasks.
Resolution
To prevent this issue from occurring again, if both firewalls have "Direct Internet Access", we recommend unchecking "Sync-To-Peer".