PA-VM does not connect back to Panorama when using the Software Firewall License plugin
Symptom
- PA-VM does not connect back to Panorama when using the Software Firewall License plugin
- On the bootstrapped firewall the serial number is visible, but the management-server log (> less mp-log ms.log) shows the errors below:
2024-01-26 06:43:20.341 -0800 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:903): cms agent: cs_load_certs_ex failed
2024-01-26 06:43:20.341 -0800 cmsa: client will use default context
2024-01-26 06:43:20.342 -0800 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1008): client will not use SNI
2024-01-26 06:43:20.489 -0800 panorama agent: ssl channel established. sock=29 ssl=0x561d4084c000
2024-01-26 06:43:20.489 -0800 Device info set to panorama
2024-01-26 06:43:27.730 -0800 update client device info, n_entries=1 op=1
2024-01-26 06:43:27.730 -0800 Device info updated for client id 1000409 device_registered no
2024-01-26 06:44:09.118 -0800 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): COMM: cannot connect. remote ip=10.18.85.6 port=3978 err=Connection timed out(110) sock=28
Environment
- PA-VM bootstrapped using the sw_fw_lic workflow
- Panorama with the Software Firewall License plugin
Cause
- With the sw_fw_lic workflow on PAN-OS 10.1.x or lower, the bootstrap package must not carry auth codes under /license, or antivirus or content updates under /content. If those files are present, the firewall's connection back to Panorama fails.
Resolution
- Build a custom PA-VM image that already includes the antivirus and content updates, so the bootstrap package does not need to carry them under /content.
- Use PAN-OS 10.2.x on both the firewall and Panorama; 10.2.x can push dynamic updates automatically when the firewall connects.
- In addition, if any plugins are in use, upgrade them to the latest version.
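To confirm this failure from both ends, the following Python helper checks an ms.log excerpt for the symptom signature (device never registered, TCP connects to Panorama's port 3978 timing out) and audits a bootstrap package for the offending /license and /content files described under Cause. It is an added example, not Palo Alto Networks code and not part of the original article. It assumes the standard bootstrap package layout (config/, license/, content/) and that init-cfg.txt carries the Panorama address and authentication key under the keys panorama-server and auth-key; those keys are not listed on this page. The log lines and package contents it builds are constructed, modelled on the excerpt in the Symptom section.

```python
"""Triage helpers for a PA-VM bootstrapped with the sw_fw_lic workflow that does
not register with Panorama. Added example, not Palo Alto Networks code.
Assumptions: the bootstrap package layout (config/, license/, content/) and the
init-cfg.txt keys panorama-server and auth-key are the standard ones; the page
itself does not document them."""
import re
import tempfile
from pathlib import Path

PANORAMA_MGMT_PORT = 3978  # port the firewall dials in the ms.log excerpt above
RE_REGISTERED = re.compile(r"device_registered (yes|no)")
RE_CONN_FAIL = re.compile(r"COMM: cannot connect\. remote ip=(\S+) port=(\d+) err=(.*?)\(\d+\)")
REQUIRED_INIT_CFG_KEYS = ("panorama-server", "auth-key")  # assumption, see module docstring

# Constructed lines modelled on the ms.log excerpt in the Symptom section.
SAMPLE_MS_LOG = [
    "2024-01-26 06:43:20.489 -0800 panorama agent: ssl channel established. sock=29 ssl=0x561d4084c000",
    "2024-01-26 06:43:27.730 -0800 Device info updated for client id 1000409 device_registered no",
    "2024-01-26 06:44:09.118 -0800 Error: pan_comm_get_tcp_conn_gen(comm_utils.c:702): "
    "COMM: cannot connect. remote ip=10.18.85.6 port=3978 err=Connection timed out(110) sock=28",
]


def classify_ms_log(lines):
    """Look for the two markers of this failure: the device never registering
    with Panorama, and TCP connects to Panorama's management port failing."""
    registered = None
    failures = []
    for line in lines:
        m = RE_REGISTERED.search(line)
        if m:
            registered = m.group(1) == "yes"
        m = RE_CONN_FAIL.search(line)
        if m and int(m.group(2)) == PANORAMA_MGMT_PORT:
            failures.append((m.group(1), m.group(3).strip()))
    return {
        "device_registered": registered,
        "panorama_connect_failures": failures,
        "matches_symptom": registered is False and bool(failures),
    }


def parse_init_cfg(text):
    """init-cfg.txt is key=value per line; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def check_bootstrap_package(root, panos_version):
    """Return (severity, message) findings for a bootstrap package directory.
    Per the Cause section, on PAN-OS 10.1.x or lower the sw_fw_lic workflow fails
    if /license or /content is populated, so that is an error there. On 10.2.x
    Panorama pushes dynamic updates at connect (Resolution), so the files are
    merely unnecessary and are reported as warnings."""
    root = Path(root)
    major, minor = (int(x) for x in panos_version.split(".")[:2])
    legacy = (major, minor) <= (10, 1)
    findings = []
    for sub in ("license", "content"):
        d = root / sub
        files = sorted(p.name for p in d.glob("*") if p.is_file()) if d.is_dir() else []
        if files:
            sev = "error" if legacy else "warning"
            findings.append((sev, f"/{sub} must be empty for the sw_fw_lic workflow, found: {files}"))
    init_cfg = root / "config" / "init-cfg.txt"
    if not init_cfg.is_file():
        findings.append(("error", "config/init-cfg.txt is missing"))
    else:
        cfg = parse_init_cfg(init_cfg.read_text())
        for key in REQUIRED_INIT_CFG_KEYS:
            if not cfg.get(key):
                findings.append(("error", f"init-cfg.txt has no {key}"))
    return findings


def build_constructed_package(tmp_root, with_offending_files=True):
    """Create a small constructed bootstrap package under tmp_root for the demo."""
    root = Path(tmp_root)
    for sub in ("config", "content", "license", "software"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(
        "type=dhcp-client\npanorama-server=10.18.85.6\nauth-key=CONSTRUCTED-AUTH-KEY\n"
    )
    if with_offending_files:
        (root / "license" / "authcodes").write_text("CONSTRUCTED-AUTHCODE\n")
        (root / "content" / "panupv2-all-contents-0000-0000").write_bytes(b"\x00")
    return root


def demo():
    """Run both checks against constructed input and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        legacy = check_bootstrap_package(build_constructed_package(tmp), "10.1.9")
    with tempfile.TemporaryDirectory() as tmp:
        current = check_bootstrap_package(build_constructed_package(tmp), "10.2.4")
    with tempfile.TemporaryDirectory() as tmp:
        clean = check_bootstrap_package(build_constructed_package(tmp, False), "10.1.9")
    return {"log": classify_ms_log(SAMPLE_MS_LOG), "legacy": legacy, "current": current, "clean": clean}


if __name__ == "__main__":
    r = demo()
    print("symptom match:", r["log"]["matches_symptom"])
    for sev, msg in r["legacy"]:
        print("10.1.x", sev.upper(), msg)
    print("clean package findings:", r["clean"])
```

Point check_bootstrap_package at the directory you feed to the bootstrap ISO or cloud storage bucket; on a real ms.log, pass the file's lines to classify_ms_log. The version argument only changes severity: the page documents the hard failure for 10.1.x and lower, and on 10.2.x the files are simply redundant.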