Secondary IP(s) of Azure Network Interface(s) do not move to newly active unit with message “Failed to get Azure Access Token”

Created On 03/17/20 21:56 - Last Modified 04/06/20 17:00


Symptom


Upon HA failover, the newly active firewall instance cannot pass traffic. In the Azure Console, the Secondary IP(s) of the Azure Network Interface(s) are still attached to the previously active instance; they did not move to the newly active firewall. The plugin log on the newly active unit, pan_vm_plugin.log, records the message "Failed to get Azure Access Token".

  • Review the plugin log on the newly active firewall to find the failure event and the exception that preceded it. From the PAN-OS CLI:

  • less mp-log pan_vm_plugin.log  (or, to follow it live)  tail follow yes mp-log pan_vm_plugin.log

> pan_vm_plugin.log logs (one of the three patterns below will appear immediately before "Failed to get Azure Access Token"):

Issue 1:
2020-02-01 19:13:51.610 -0800 vm_ha_state_trans INFO: : Instance running in region 'uksouth'
2020-02-01 19:14:11.631 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception <urlopen error [Errno -3] Temporary failure in name resolution>
2020-02-01 19:14:11.631 -0800 vm_ha_state_trans INFO: : Failed to get Azure Access Token
Issue 2:
2020-02-01 06:11:19.705 -0800 vm_ha_state_trans INFO: : Instance running in region 'uksouth'
2020-02-01 06:11:20.563 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception HTTP Error 400: Bad Request
2020-02-01 06:11:20.563 -0800 vm_ha_state_trans INFO: : Failed to get Azure Access Token
Issue 3:
2020-02-01 06:39:07.318 -0800 vm_ha_state_trans INFO: : Instance running in region 'uksouth'
2020-02-01 06:39:07.758 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception HTTP Error 401: Unauthorized
2020-02-01 06:39:07.759 -0800 vm_ha_state_trans INFO: : Failed to get Azure Access Token

  • Each snippet above shows the VM-Series plugin failing to obtain an access token from Azure AD. Without a token the plugin cannot call the Azure API to re-assign the secondary IPs, so the failover completes on the firewalls but not in Azure. The exception text on the line before "Failed to get Azure Access Token" identifies which of the three causes applies.



Environment


  • Platform: VM-Series Firewall
  • PAN-OS / Plugin Version: 9.0.5 / 1.0.8
  • Deployment: Azure


Cause


  • The token request can fail for several reasons: the management interface cannot resolve or reach login.microsoftonline.com (DNS, routing or Internet access problem), or the credentials configured on the firewall are wrong (invalid client id, invalid tenant id, or invalid secret key). The plugin logs a different exception for each case, which is what allows the cause to be told apart.


Resolution


  1. Resolution 1 : The message "Temporary failure in name resolution" means the firewall could not resolve the Azure AD endpoint. This is caused by a DNS, routing or Internet access problem on the management interface, including a missing public IP (or other outbound path) on that interface. Fix the DNS servers, routing and outbound access in the Azure console, then verify from the firewall that the management interface can resolve and reach login.microsoftonline.com.
  2. Resolution 2 : The message "HTTP Error 400: Bad Request" means Azure AD rejected the request itself, which happens when the client id or tenant id is invalid. Update the PAN-OS configuration with the correct "client id" and "Tenant id" for the service principal.
  3. Resolution 3 : The message "HTTP Error 401: Unauthorized" means Azure AD rejected the credential, which happens when the secret key is invalid, expired, or otherwise not accepted for the service principal. Update the PAN-OS configuration with the correct "secret key" (generate a new client secret in Azure AD if the old one has expired).
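The three exception strings above are exactly what Python's urllib produces for the three failure classes, which makes both the log triage and a reproduction of the token request easy to script. The following Python script is an added example and is not part of the Palo Alto Networks article or the VM-Series plugin's own code. It does two things: it scans pan_vm_plugin.log text for "Getting Azure token failed with exception" lines and maps each to the matching resolution, and it performs the same Azure AD client-credentials token request the plugin performs so the cause can be confirmed from another host on the management subnet. Assumptions: the Azure AD v2.0 token endpoint and the ARM scope (plugin 1.0.8 may use the older v1 "resource" form, but the error classes are the same); the sample log lines are copied from this article; the fake responses used for the offline demonstration are constructed.

```python
"""Triage 'Failed to get Azure Access Token' events from pan_vm_plugin.log and
reproduce the Azure AD token request to tell the three causes apart."""
import io
import json
import re
import socket
import urllib.error
import urllib.parse
import urllib.request

# Exception text the plugin logs, mapped to the resolution in this article.
CAUSES = (
    ("Temporary failure in name resolution",
     "Resolution 1: DNS, routing or Internet access from the management interface"),
    ("HTTP Error 400",
     "Resolution 2: invalid client id or tenant id in the PAN-OS configuration"),
    ("HTTP Error 401",
     "Resolution 3: invalid secret key (or an access/permission problem)"),
)


def classify_token_failure(exc_text):
    """Return the resolution matching an exception string, or a fallback."""
    for needle, resolution in CAUSES:
        if needle in exc_text:
            return resolution
    return "Unclassified: inspect pan_vm_plugin.log around this event"


LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+ [+-]\d{4}) vm_ha_state_trans "
    r"\w+: : Getting Azure token failed with exception (?P<exc>.+)$")


def triage_log(text):
    """Return (timestamp, exception text, resolution) for each token failure."""
    found = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            found.append((m["ts"], m["exc"], classify_token_failure(m["exc"])))
    return found


# Sample lines copied from the article's log snippet (Issue 1, 2 and 3).
SAMPLE_LOG = """\
2020-02-01 19:13:51.610 -0800 vm_ha_state_trans INFO: : Instance running in region 'uksouth'
2020-02-01 19:14:11.631 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception <urlopen error [Errno -3] Temporary failure in name resolution>
2020-02-01 19:14:11.631 -0800 vm_ha_state_trans INFO: : Failed to get Azure Access Token
2020-02-01 06:11:20.563 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception HTTP Error 400: Bad Request
2020-02-01 06:39:07.758 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception HTTP Error 401: Unauthorized
"""

# Assumption: v2.0 endpoint and ARM scope; plugin 1.0.8 may use the v1 form.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"


def check_token_request(tenant_id, client_id, client_secret,
                        opener=urllib.request.urlopen, timeout=20):
    """Attempt the client-credentials grant; return {'ok', 'detail', 'resolution'}.
    `opener` is injectable so the failure paths can be exercised offline."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    try:
        with opener(req, timeout=timeout) as resp:
            payload = json.load(resp)
    except (urllib.error.HTTPError, urllib.error.URLError) as exc:
        # str(exc) is the text the plugin writes after "failed with exception".
        return {"ok": False, "detail": str(exc),
                "resolution": classify_token_failure(str(exc))}
    if "access_token" not in payload:
        return {"ok": False, "detail": json.dumps(payload),
                "resolution": classify_token_failure("")}
    return {"ok": True, "detail": "token obtained", "resolution": None}


def fake_opener(outcome):
    """Constructed stand-in for urlopen: 'dns', 400, 401 or 'ok'."""
    def opener(req, timeout=None):
        if outcome == "dns":
            raise urllib.error.URLError(
                socket.gaierror(-3, "Temporary failure in name resolution"))
        if outcome in (400, 401):
            raise urllib.error.HTTPError(
                req.full_url, outcome,
                {400: "Bad Request", 401: "Unauthorized"}[outcome], {}, None)
        return io.BytesIO(json.dumps({"access_token": "x" * 32}).encode())
    return opener


if __name__ == "__main__":
    for ts, exc, res in triage_log(SAMPLE_LOG):
        print(ts, "|", exc, "=>", res)
    for outcome in ("dns", 400, 401, "ok"):
        print(outcome, check_token_request("tenant", "client", "secret",
                                           opener=fake_opener(outcome)))
```

Run it as-is to see the triage of the article's three log snippets and the offline reproduction of each failure; to test a real service principal, call check_token_request with the tenant id, client id and secret configured on the firewall from a host that shares the management interface's DNS and egress path. A name-resolution error there confirms Resolution 1 independently of the firewall, while a 400 or 401 from Azure AD confirms that the credentials, not the network, need correcting.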


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP5ECAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail