PA-VM Failed to fetch Licenses
Created On 03/12/20 14:54 PM - Last Modified 04/04/20 00:16 AM
Symptom
- The VM-Auth Code is registered on the Palo Alto Networks Support Portal, but the firewall is unable to fetch licenses. When attempting to license the firewall under Device > Licenses by selecting “Retrieve Licenses from Server” or “Activate Feature During Auth-Code”, it prompts either “Generic Communication Error” or “Failed to Fetch License”.
- Review System Logs to identify any failure events. System Logs:
general 0 Connection to Update server closed: updates.paloaltonetworks.com, source: 10.190.0.15
- Access the firewall CLI via SSH and try to ping the update server from the management interface:
> ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (199.226.23.24) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com : icmp_seq=1 ttl=57 time=1.07 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com : icmp_seq=2 ttl=57 time=1.13 ms
64 bytes from 34.84.96.34.bc.googleusercontent.com : icmp_seq=3 ttl=57 time=1.11 ms
- If the IP address is not resolved, review the DNS settings under WebUI > Device > Setup > Services. DNS can be configured with one of the following options:
1. Servers - Configure the Primary DNS Server address and Secondary DNS Server address.
2. DNS Proxy Object - From the drop-down, select the DNS Proxy that you want to use to configure global DNS services, or click DNS Proxy to configure a new DNS proxy object.
- If the IP resolves but the ping is unsuccessful, perform network troubleshooting to test connectivity from the management interface to the Internet.
Environment
- Platform: PA-VM
- PAN-OS / Plugin Version: Any
- Deployment: New
Cause
- Missing DNS configuration on PA-VM
- Private IP configured on management interface is not associated with a Public IP on the underlying Public Cloud Platform
Resolution
- Add DNS configuration under WebUI > Device > Setup > Services
- Ensure management interface has reachability to the internet.
- Alternatively, Service Routes can be configured to use one of the dataplane interfaces for DNS
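The DNS fix and re-test from the PAN-OS CLI, as an added example that is not part of the original article. The DNS server addresses 192.0.2.53 and 192.0.2.54 are placeholders to replace with your own resolvers, and the admin@PA-VM prompt is constructed.

```text
admin@PA-VM> configure
admin@PA-VM# set deviceconfig system dns-setting servers primary 192.0.2.53
admin@PA-VM# set deviceconfig system dns-setting servers secondary 192.0.2.54
admin@PA-VM# commit
admin@PA-VM# exit
admin@PA-VM> ping host updates.paloaltonetworks.com
admin@PA-VM> request license fetch
```

Run the ping only after the commit has completed; once the name resolves and replies arrive, `request license fetch` retries the license retrieval from the CLI.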