Alarm: Device Disconnected From Controller on ION device - Knowledge Base - Palo Alto Networks

Alarm: Device Disconnected From Controller on ION device

Created On 07/30/21 20:59 PM - Last Modified 01/03/23 03:46 AM


Symptom


The ION device shows as offline on the portal because of a connectivity issue with the Prisma SD WAN controller, and the alarm message "DEVICE_DISCONNECTED_FROM_CONTROLLER" is raised.

Environment


  • Prisma SD WAN
  • ION (Instant-ON Network) device.


Cause


The alarm triggers if the ION device has lost its mrl connection for more than 30 min. Possible reasons for the connectivity issue include:
  • DNS resolution failure
  • An issue with a firewall or proxy
  • Layer 2 or Layer 3 reachability issue to the Internet
  • Hardware issue with the ION device or with a port


Resolution


Troubleshooting
 
  1. Ensure that the site has internet reachability via any port. The ION device tries to establish the controller connection via any available port, starting with the controller port. If the internet connection is not available via the controller port, the ION device tries to connect using the public Internet or a private MPLS connection.
  2. Confirm there is no physical layer issue, like a faulty cable.
  3. Ensure the correct cable type is used. The duplex and speed must match at both ends of the cable.
  4. Check that the status of the ports is not Down. Use the following device toolkit commands to check device status:
       dump interface status interface <Interface>
       dump interface config interface <Interface>
     Note: If the cable connections are intact and the port is found Admin Down, execute the following command to see if the port comes up:
       config interface <interface_name> enable=true
  5. If you are able to connect to the internet, check that DNS resolution works using the following device toolkit command:
       nslookup locator.cgnx.net
  6. Ensure that you are able to ping the DNS IP address using the appropriate interface with the help of the device toolkit commands:
       ping controller1 <DNS_IP Address>
       ping internet1 <DNS_IP Address>
  7. Confirm that there is no issue at Layer 4 using the following device toolkit command:
       tcpping controller1 locator.cgnx.net:443
  8. If all the above steps are working, execute the following command:
       file view log mrl_agent
  9. Check the log for any issue related to the SSL handshake. If there is a proxy or firewall in between, allow SSL traffic.
  10. Ensure that no reachability issue from the device to the controller is observed, using the following command:
       debug controller reachability controller1
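
The nslookup, tcpping and SSL handshake checks above can be repeated from a workstation on the same site network to tell a path problem (DNS, firewall, proxy) from a device problem. This is an added example, not Palo Alto Networks code: the function name check_path and the workstation vantage point are assumptions, and only locator.cgnx.net:443 comes from the article.

```python
import socket
import ssl

# Host and port taken from the article's nslookup/tcpping commands.
CONTROLLER = ("locator.cgnx.net", 443)


def check_path(host, port, timeout=5.0, resolve=socket.getaddrinfo, context=None):
    """Return (failed_stage, detail). failed_stage is None when DNS, TCP and
    TLS all succeed, otherwise "dns", "tcp" or "tls" (first stage that failed).
    check_path is a hypothetical helper name, not a device toolkit command."""
    # Stage 1: DNS resolution (the nslookup step).
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return "dns", str(exc)
    sockaddr = infos[0][4]

    # Stage 2: TCP connect to the resolved address (the tcpping step).
    try:
        sock = socket.create_connection(sockaddr[:2], timeout=timeout)
    except OSError as exc:  # refused, unreachable or timed out
        return "tcp", str(exc)

    # Stage 3: TLS handshake with certificate validation (the SSL handshake
    # check). A middlebox that resets, blocks or re-signs the session
    # typically fails here even though DNS and TCP succeed.
    ctx = context or ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
            # The issuer is reported so an unexpected (proxy) CA is visible.
            org = issuer.get("organizationName", "?")
            return None, f"{tls.version()} issuer={org}"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "tls", str(exc)


if __name__ == "__main__":
    stage, detail = check_path(*CONTROLLER)
    print("OK" if stage is None else f"FAILED at {stage}", "-", detail)
```

A "dns" result corresponds to the DNS resolution cause listed above, "tcp" to a Layer 3/4 or firewall block, and "tls" to a proxy or firewall interfering with SSL traffic.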

Confirm Resolution:
  • Verify the controller connection using the following device toolkit commands:
       dump overview
       dump controller status
       debug controller reachability controller1
       debug controller reachability <internet_port>

Note: If two ION devices are configured in HA mode, the secondary ION device always uses the controller port to reach the cloud controller. Make sure that the controller is reachable from the controller port; otherwise the secondary ION device will display as Offline on the portal. If the secondary ISP connection is terminated on the secondary ION device, this device will not use the internet port connection to reach the controller.


Additional Information


If the issue persists, contact Palo Alto Support.
