A bootstrapped VM-Series firewall cannot connect to Panorama
Created On 08/19/21 01:33 AM - Last Modified 06/19/23 05:39 AM
Symptom
A bootstrapped VM-Series firewall running PAN-OS 10.1.0 or 10.1.1 cannot connect to Panorama. The firewall's configd.log file contains a warning that reads 'Device has a bootstrap file, will not do SC3'.
Example:
CLI output of 'less mp-log configd.log'
On Firewall:
Warning: sc3_sendRegInfo(sc3_register.c:375): SC3: Device has a bootstrap file, will not do SC3.
Error: pan_mgmtop_get_system_info(pan_ops_common.c:18025): Unable to fetch net.s1.eth0.dhcp-dns: NO_MATCHES
cms conn: registration message sent to panorama
Error: pan_conn_mgr_callback_expiry_async(cs_conn.c:8781): connmgr: Expired Request. entry:725, msgno=0 devid=panorama
Error: pan_cms_conn_process_async_result_panos(pan_cfg_mgr.c:4788): cms conn: failed to send registration to panorama. client_id=1234567 result=4 reqlen=4711
On Panorama:
Warning: _register_ext_validation(pan_cfg_mgt_handler.c:4409): reg: device '000000000000000' not using issued cert.
SC3: did:'000000000000000', ser:'000000000000000', ver:'10.1.1', mod:'PA-VM'
Warning: sc3_register(sc3_register.c:201): SC3: connstat for '000000000000000': -1
Warning: sc3_register(sc3_register.c:233): SC3: register device '000000000000000' does not have a peer cert.
Error: sc3_register(sc3_register.c:254): SC3: register - No authkey given for device '000000000000000'
Error: pan_cfg_handle_mgt_reg(pan_cfg_mgt_handler.c:4742): SC3: Failed to register device: '000000000000000'
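A triage check for the two log signatures above, added here as an example and not part of the original article or of any Palo Alto Networks tooling: it scans saved configd.log text from the firewall and from Panorama and reports only devices whose reported release is one this article lists as affected. The function names and the device with serial 111111111111111 are made up, and the script assumes the log text has been exported off the device.

```python
import re

# Signatures and affected releases are taken from this article's log excerpts.
AFFECTED = {"10.1.0", "10.1.1"}
FW_SKIP = "Device has a bootstrap file, will not do SC3"
FW_FAIL = "failed to send registration to panorama"
PANO_INFO = re.compile(r"SC3: did:'[^']*', ser:'([^']+)', ver:'([^']+)'")
PANO_NOKEY = re.compile(r"No authkey given for device '([^']+)'")


def firewall_hit(text):
    """True if the firewall skipped SC3 due to a bootstrap file and a
    registration failure is logged after that warning."""
    skip = text.find(FW_SKIP)
    return skip != -1 and text.find(FW_FAIL, skip) != -1


def panorama_hits(text):
    """Map serial -> PAN-OS version for devices rejected with no auth key
    while reporting a release the article lists as affected."""
    versions = dict(PANO_INFO.findall(text))
    rejected = set(PANO_NOKEY.findall(text))
    return {s: versions[s] for s in rejected if versions.get(s) in AFFECTED}


# Constructed sample input: the article's excerpts, plus one made-up device
# (serial 111111111111111 on 10.1.2) that must not be reported.
FW_LOG = """\
Warning: sc3_sendRegInfo(sc3_register.c:375): SC3: Device has a bootstrap file, will not do SC3.
cms conn: registration message sent to panorama
Error: pan_cms_conn_process_async_result_panos(pan_cfg_mgr.c:4788): cms conn: failed to send registration to panorama. client_id=1234567 result=4 reqlen=4711
"""
PANO_LOG = """\
SC3: did:'000000000000000', ser:'000000000000000', ver:'10.1.1', mod:'PA-VM'
Error: sc3_register(sc3_register.c:254): SC3: register - No authkey given for device '000000000000000'
SC3: did:'111111111111111', ser:'111111111111111', ver:'10.1.2', mod:'PA-VM'
Error: sc3_register(sc3_register.c:254): SC3: register - No authkey given for device '111111111111111'
"""

if __name__ == "__main__":
    print("firewall log matches known issue:", firewall_hit(FW_LOG))
    print("affected devices seen by Panorama:", panorama_hits(PANO_LOG))
```

A device that is rejected for a missing auth key while running a release outside 10.1.0 and 10.1.1 is not this issue and needs separate investigation.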
Environment
- Bootstrapped VM-Series firewalls
- PAN-OS 10.1.0 or 10.1.1
Cause
A bootstrapped VM-Series firewall will not send the Authentication Key (AK) and Certificate Signing Request (CSR) if a bootstrap configuration is found.
Resolution
Upgrade to PAN-OS 10.1.2