Firewall is unable to connect to Panorama with "Error: cs_load

Firewall is unable to connect to Panorama with "Error: cs_load_certs" in ms.log

19513

Created On 02/18/20 07:34 AM - Last Modified 07/31/24 18:52 PM

M-100 Appliance

M-200 Appliance

M-500 Appliance

M-600 Appliance

Device Management

8.1

7.1

PAN-OS

Panorama

Symptom

Firewall is unable to connect to panorama with "Error: cs_load_certs" messages in ms.log

> less mp-log ms.log
.......
....Error: cs_load_certs(cs_common.c:179): CMS agent: Can not read key file: /opt/pancfg/mgmt/cms/ssl/client2.pem
......

Environment

The issue was confirmed in the environment below:

Firewall with PAN-OS 7.1.22
Panorama with PAN-OS 8.1.11

Cause

The certificate used on the problematic Firewall for connection to Panorama is not readable.

Resolution

Please open a support case with Palo Alto Networks when the symptoms match.
The Support engineer will arrange a live debug session and apply a workaround to the environment.

Other users also viewed:

How to download GlobalProtect from the Customer Support Portal

Download and Install the GlobalProtect App for Windows

Resource List: GlobalProtect Configuring and Troubleshooting

PAN-OS Software Updates

Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)