Firewall not accessible by GUI but SSH is working - Knowledge Base - Palo Alto Networks

Firewall not accessible by GUI but SSH is working

Created On 07/13/22 11:16 AM - Last Modified 07/04/23 14:44 PM


Symptom


  • Firewall GUI is not accessible but CLI/SSH is working.
  • Management access to the firewall is secured using an SSL/TLS profile.
  • On the CLI, l3svc and websrvr processes are not running:
admin@Lab80-192-PA-3050> show system software status | match "websrvr\|l3svc"
Process  l3svc                stopped  (pid: -1) - Exit Code: 1
Process  websrvr              stopped  (pid: -1) - Exit Code: 1
  • "less mp-log mgmt_ngx_error.log" or "less mp-log l3svc_ngx_error.log" shows that a certificate's key size is larger than the available buffer:
[alert] 26864#0: nginx connected to sysd! SUCCESS
[emerg] 26864#0: client certificate id web_certificate_key key size 4365 larger than buffer 4096
[emerg] 26864#0: SSL: could not get key for web_certificate_key from cryptod, https access may not be available
...
  • Loading a previous config version fixes the WebUI access issue.
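
For triaging exported logs offline, the following added example (not Palo Alto Networks code) scans text from mgmt_ngx_error.log or l3svc_ngx_error.log for the two [emerg] messages shown above and pairs them by nginx PID and certificate name. The function names and the sample log are constructed from the lines in this article; it assumes the messages keep exactly this wording.

```python
import re

# Constructed sample input: the three lines quoted in this article, as they
# would appear in an exported mgmt_ngx_error.log or l3svc_ngx_error.log.
SAMPLE_LOG = """\
[alert] 26864#0: nginx connected to sysd! SUCCESS
[emerg] 26864#0: client certificate id web_certificate_key key size 4365 larger than buffer 4096
[emerg] 26864#0: SSL: could not get key for web_certificate_key from cryptod, https access may not be available
"""

# search() is used so a leading timestamp (an assumption) would not break matching.
OVERSIZE = re.compile(
    r"\[emerg\] (?P<pid>\d+)#\d+: client certificate id (?P<cert>\S+) "
    r"key size (?P<size>\d+) larger than buffer (?P<buf>\d+)")
NO_KEY = re.compile(
    r"\[emerg\] (?P<pid>\d+)#\d+: SSL: could not get key for (?P<cert>\S+) from cryptod")


def _new(pid, cert):
    # Hypothetical record layout used only by this example.
    return {"pid": pid, "cert": cert, "key_size": None, "buffer": None,
            "excess": None, "https_unavailable": False}


def find_key_load_failures(log_text):
    """Return one finding per (nginx pid, certificate id) whose key failed to load."""
    findings = {}
    for line in log_text.splitlines():
        m = OVERSIZE.search(line)
        if m:
            key = (int(m["pid"]), m["cert"])
            f = findings.setdefault(key, _new(*key))
            f["key_size"], f["buffer"] = int(m["size"]), int(m["buf"])
            f["excess"] = f["key_size"] - f["buffer"]  # bytes over the buffer
            continue
        m = NO_KEY.search(line)
        if m:
            key = (int(m["pid"]), m["cert"])
            findings.setdefault(key, _new(*key))["https_unavailable"] = True
    return list(findings.values())


if __name__ == "__main__":
    for f in find_key_load_failures(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['cert']} key {f['key_size']} > buffer "
              f"{f['buffer']} (+{f['excess']}), https unavailable: "
              f"{f['https_unavailable']}")
```

A certificate name reported here is the one to compare between the Panorama-pushed template and the local firewall configuration.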


Environment


  • Panorama-managed PAN-OS firewalls
  • Secure Web-GUI access configured
  • Certificates pushed from Panorama.


Cause


Corrupt/Invalid certificate loaded on Panorama or Firewall.

Resolution


  1. Compare the private key pushed by Panorama with the private key of the overridden certificate on the firewall. Note that even though the name is the same, the keys may differ. In the example, Panorama and the firewall have exactly the same certificate as far as the name is concerned.
  2. On the firewall CLI, use the command "> show config pushed-template" to check the private key pushed from Panorama.
  3. Compare it with the overridden certificate's private key using "> configure" followed by "# show".
  4. Once confirmed, correct the configuration by importing a valid certificate on Panorama and pushing the same to the firewall.
 
Note: The issue may occur when the certificate is imported on Panorama without its private key and pushed to the firewalls.
 


Additional Information


Import A Certificate And Private Key
