Cloud service plugin unable to connect with error "Unable to connect to API gateway. Reason: (28, 'Operation timed out after 30001 milliseconds with 0 out of 0 bytes received')"

• The Panorama is running a cloud service plugin which is unable to connect to the API gateway due to which the administrator cannot commit to Prisma Access.
• This issue also causes the Panorama to not show the latest logs from Cortex data lake.
• The issue can be intermittent or consistent.

• Strata Logging Service
• Panorama managed Prisma Access
• Supported PAN-OS
• Cloud service plugin any version

• As the error indicates this issue is caused by the inability of the cloud service plugin to access https://api.gpcloudservice.com/
• This can be caused by an upstream firewall blocking the connection.
• This can also be caused by an upstream device performing SSL decryption.
• In this specific case, the problem was caused by an upstream network device dropping the server hello due to MTU configuration.

1. Configure the upstream firewalls to bypass the panorama connection to api.gpcloudservice.com from SSL decryption.
2. Configure the upstream firewalls to allow the panorama connection to api.gpcloudservice.com along with the ports and URL's mentioned in the Strata Logging Service.
3. Change the panorama network path to use another device or involve local IT team to troubleshoot local network connectivity issues.
4. Perform packet captures on the management interface to identify request and response details.

Login the Panorama Command Line interface (CLI ) to initiate the connectivity test during troubleshooting.

> debug plugins cloud_services prisma-access echo-test

<response status="success"><result>URL: https://api.gpcloudservice.com/config/latest?action=echo&service=config&p4cl=hea d&plugin_version=cloud_services-4.0.0-h64&panos_version=10.2.4&pan_content_version=8767-8352
Result: fail
Message: Unable to connect to API gateway. Reason: (28, 'Operation timed out after 30001 milliseconds with 0 out of 0 byt es received')<<<<<<<<<<<<<<<<<<<<<<<<<<<
RTT: 30014
</result></response>

The command can be run as many times as needed to initiate the traffic during the troubleshooting.