Bootstrapping is failing for PA-VM deployed in Azure because of internet issue

Created On 03/18/20 12:33 PM - Last Modified 04/06/20 17:21 PM


Symptom
A PA-VM is deployed in Azure through the bootstrapping process using the Bring Your Own License (BYOL) model, and the firewall instance fails to get its configuration, license, or any bootstrapping settings.
  • Log in to the CLI and run the following two commands:
>show system bootstrap status
Bootstrap Phase                          Status                    Details
===============                      ======                 =======
Media Detection                           Failed                     No bootstrap media detected.

>debug logview component bts_details
s1mp bts_details 2020-02-13 14:23:31: INFO: Running command: status []
s1mp bts_details 2020-02-13 14:23:31: INFO: Bootstrap log initialized
s1mp bts_details 2020-02-13 14:12:12: ERROR: btsErrorNoMedia: No Install media detected.(2)
s1mp bts_details 2020-02-13 14:12:12: DEBUG: Adding status: Media Detection Failed No bootstrap media detected.
s1mp bts_details 2020-02-13 14:12:12: DEBUG: Syslogging: /usr/local/bin/pan_elog -u 12 -e201326619 -s critical -m "No bootstrap media detected." -x
s1mp bts_details 2020-02-13 14:12:12: ERROR: btsErrorNoMedia: No Install media detected.(2)
s1mp bts_details 2020-02-13 14:12:12: INFO: Failed to mount install media: 1 [] [] 4392
  • The "Media Detection Failed" status and the btsErrorNoMedia errors in the CLI output above indicate that the firewall failed to detect the bootstrap media.


Environment
  • Platform: VM-Series Firewall 
  • PAN-OS / Plugin Version: 9.0.5 / -
  • Deployment: Azure 


Cause
  • This can occur if the firewall VM is unable to reach the Azure File Share to pull bootstrapping information, possibly because of a missing internet route, which is required to make the necessary API calls to the Azure Fabric.


Resolution
  • Ensure management traffic is routed via the default “system route” that points to the Internet, and not through any of the dataplane interfaces of the firewall.
  • If a UDR is used, make sure a default route is configured and points to the correct next hop. To check or configure the UDR, click Resource Group > Route Table > Routes, then click the route.
  • Associate a public IP with the private IP assigned to the management interface of the firewall instance.
  • To check or configure the public IP, click Resource Group > eth0 > IP configuration, then click the IP.
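
The routing check above can also be done from the effective route table of the management NIC. The following is an added example, not part of the original article or Palo Alto Networks tooling: it evaluates JSON shaped like the output of `az network nic show-effective-route-table --resource-group <rg> --name <mgmt-nic>` and reports where Internet-bound management traffic is actually sent. The sample data, the function names and the test destination 203.0.113.10 are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like the effective route table of the management NIC (eth0).
# A UDR sends 0.0.0.0/0 to a virtual appliance, so the system default route is Invalid.
SAMPLE = json.loads("""
{"value": [
  {"addressPrefix": ["10.0.0.0/16"], "nextHopType": "VnetLocal",
   "nextHopIpAddress": [], "source": "Default", "state": "Active"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "Internet",
   "nextHopIpAddress": [], "source": "Default", "state": "Invalid"},
  {"addressPrefix": ["0.0.0.0/0"], "nextHopType": "VirtualAppliance",
   "nextHopIpAddress": ["10.0.1.4"], "source": "User", "state": "Active"}
]}
""")


def effective_next_hop(routes, destination):
    """Return the active route with the longest prefix covering destination, or None."""
    dest = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes.get("value", []):
        if route.get("state") != "Active":
            continue  # routes overridden by a UDR are listed as Invalid
        for prefix in route.get("addressPrefix", []):
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == dest.version and dest in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def check_mgmt_internet_route(routes, destination="203.0.113.10"):
    """Report whether Internet-bound management traffic uses next hop type Internet."""
    route = effective_next_hop(routes, destination)
    if route is None:
        return (False, "no active route covers the destination")
    if route["nextHopType"] == "Internet":
        return (True, "default route points to Internet")
    hops = ", ".join(route.get("nextHopIpAddress") or []) or "n/a"
    return (False, f"{route['source']} route sends traffic to {route['nextHopType']} ({hops})")


if __name__ == "__main__":
    ok, detail = check_mgmt_internet_route(SAMPLE)
    print("OK" if ok else "FAIL", "-", detail)
```

If the reported next hop is a VirtualAppliance address that belongs to one of the firewall's own dataplane interfaces, the management subnet's UDR is the route to correct.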

