Error message: 'Failed to validate server certificate for endpoint api.paloaltonetworks.com'
44206
Created On 01/21/22 04:06 AM - Last Modified 01/09/24 03:14 AM
Symptom
- Firewall configured to send logs to Cortex Data Lake.
- The logs are not sent to CDL
- The lcaas_agent log shows "Failed to validate server certificate for endpoint api.paloaltonetworks.com"
> tail follow yes mp-log lcaas_agent.log
.......
251 lcaas_agent ERROR Failed to fetch LCaaS server cert for validation check
252 lcaas_agent ERROR Failed to validate server certificate for endpoint api.paloaltonetworks.com
....
Environment
- Palo Alto Firewalls
- PAN-OS 9.1 and above
- Logs configured to be sent to Cortex Data Lake (CDL)
Cause
This issue is normally caused by the firewall failing to reach api.paloaltonetworks.com or lic.lc.prod.us.cs.paloaltonetworks.com.
Resolution
- Verify that the firewall's connectivity to the logging service is working. Refer to Troubleshooting Firewall Connectivity with Logging Service.
- Try refreshing the license and certificate with the command
> request logging-service-forwarding certificate fetch-noproxy pre-shared-key xxxxxxxxxxxx
- Verify that the TCP ports and FQDNs required for CDL are allowed.
- Run tcpdump on the management interface to capture the packets and verify the status (by default the traffic goes through the firewall MGT interface).
> tcpdump snaplen 0 filter "tcp port (3978 or 80 or 443 or 444) or udp port 53"
- If the URLs are blocked by any intermediate device, ensure the URL is allowed. In the above example, "lic.lc.prod.us.paloaltonetworks.com" has been blocked.
- For any further assistance, open a case with Support.
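The resolution steps above can be exercised from a host on the firewall's management network with a small checker. The script below is an added example, not code from the Palo Alto Networks article: it parses lcaas_agent.log for the two ERROR lines quoted in the Symptom section, then walks the same stages the firewall must pass for each FQDN named in the Cause section (DNS resolution, TCP connect, TLS certificate validation) and maps the first failing stage to the corresponding step in the Resolution list. Testing both FQDNs over TCP 443 is an assumption (the article lists the ports only in the tcpdump filter), and the sample log excerpt is constructed from the article's format.

```python
"""Added example (not from the KB article): connectivity and certificate-validation
checker that mirrors the article's troubleshooting steps.

Assumptions not stated in the article: both FQDNs are tested over TCP 443, and the
log line format follows the excerpt quoted in the Symptom section."""
import re
import socket
import ssl

# FQDNs named in the article's Cause section; port 443 is an assumption.
REQUIRED_ENDPOINTS = [
    ("api.paloaltonetworks.com", 443),
    ("lic.lc.prod.us.cs.paloaltonetworks.com", 443),
]

# Constructed sample in the format of the article's lcaas_agent.log excerpt.
SAMPLE_LOG = """\
250 lcaas_agent INFO starting certificate validation
251 lcaas_agent ERROR Failed to fetch LCaaS server cert for validation check
252 lcaas_agent ERROR Failed to validate server certificate for endpoint api.paloaltonetworks.com
"""

# The two ERROR messages quoted in the article; group 2 captures the endpoint when present.
LCAAS_ERROR_RE = re.compile(
    r"lcaas_agent ERROR (Failed to fetch LCaaS server cert for validation check"
    r"|Failed to validate server certificate for endpoint (\S+))"
)

# First failing stage -> the matching step from the article's Resolution list.
NEXT_STEP = {
    "dns": "DNS resolution failed: check UDP 53 from the MGT interface and review the tcpdump capture.",
    "tcp": "TCP connect failed: verify the required TCP ports and FQDNs are allowed on intermediate devices.",
    "tls": "Certificate validation failed: check for an intermediate device intercepting TLS, then refresh "
           "with 'request logging-service-forwarding certificate fetch-noproxy pre-shared-key <key>'.",
    "ok": "Endpoint reachable and certificate valid: refresh the license and certificate, then re-check "
          "lcaas_agent.log.",
}


def parse_lcaas_errors(log_text):
    """Return (message, endpoint) for each matching ERROR line; endpoint is None for the fetch error."""
    found = []
    for line in log_text.splitlines():
        m = LCAAS_ERROR_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def check_endpoint(host, port=443, timeout=5.0):
    """Walk DNS -> TCP -> TLS certificate validation for one endpoint.

    Returns {'stage': first failing stage ('dns', 'tcp', 'tls') or 'ok', 'detail': text}."""
    try:
        addrs = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as e:
        return {"stage": "dns", "detail": f"DNS resolution of {host} failed: {e}"}
    ip = addrs[0][4][0]
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as e:
        return {"stage": "tcp", "detail": f"TCP connect to {ip}:{port} failed: {e}"}
    # Default context verifies the chain against the system trust store and checks the hostname,
    # which is the validation the agent reports as failing in the article.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(pair[0] for pair in tls.getpeercert().get("issuer", ()))
            return {"stage": "ok", "detail": f"certificate issued by {issuer.get('organizationName', '?')}"}
    except ssl.SSLCertVerificationError as e:
        return {"stage": "tls", "detail": f"certificate validation failed: {e.verify_message}"}
    except (ssl.SSLError, OSError) as e:
        return {"stage": "tls", "detail": f"TLS handshake failed: {e}"}
    finally:
        raw.close()


def next_step(result):
    """Map a check_endpoint() result to the article's corresponding resolution step."""
    return NEXT_STEP[result["stage"]]


def run_all(endpoints=REQUIRED_ENDPOINTS):
    """Check every required endpoint and return {'host:port': result}."""
    return {f"{host}:{port}": check_endpoint(host, port) for host, port in endpoints}


if __name__ == "__main__":
    for message, endpoint in parse_lcaas_errors(SAMPLE_LOG):
        print(f"log: {message}" + (f" ({endpoint})" if endpoint else ""))
    for name, result in run_all().items():
        print(f"{name}: {result['stage']} - {result['detail']}")
        print(f"  next step: {next_step(result)}")
```

Run it from a host that shares the firewall's management network path; a "tls" stage on an otherwise reachable endpoint is the signature of an intermediate device re-signing the connection, which is the case the article's last resolution step covers.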