Newly Bootstrapped PA-VMs Do Not Connect to Panorama

Created On 04/12/24 17:19 PM - Last Modified 06/13/24 21:55 PM


Symptom


The firewall bootstraps successfully but does not connect to Panorama:
  • Firewall logs show that the bootstrap was successful.
  • L3/network connectivity between the firewall and Panorama is validated.
  • DNS resolves successfully.
  • configd.log on Panorama does not show VM registration attempts, or is empty:
-0400 SVM registration. Serial:localhost.localdomain-cord DG: TPL: vm-mode:0 uuid: cpuid: svm_id:/proc/cpuinfo: No such file or directory
  • configd.log on the firewall shows that the certificate has expired:
-0700 Warning: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1015): client will not use SNI
-0700 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 10 (certificate has expired)
-0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1141): cms sent untrusted cert!!
-0700 COMM: connection established. sock=28 remote ip=10.0.0.132 port=3978 local port=37526
Environment


  • Public cloud (AWS, Azure, etc.)
  • Newly launched PA-VM base image
  • PAN-OS versions earlier than 10.1.12, 10.2.8, 11.0.4 and 11.1.2
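
As an added example (not from this article or from Palo Alto Networks), the following Python script applies the two checks above offline: it scans firewall configd.log lines for the expired-certificate messages quoted in the Symptom section, and compares a PAN-OS version string against the fixed VM-Series releases listed in this article. Release trains the article does not list are reported as not covered, and the accepted version format with an optional "-hN" hotfix suffix is an assumption.

```python
import re
from typing import Optional

# Lowest VM-Series PAN-OS release per train that ships the updated certificate,
# as listed in this article (trains not listed here are not covered: result None).
FIXED_VERSIONS = {
    (10, 1): (10, 1, 12),
    (10, 2): (10, 2, 8),
    (11, 0): (11, 0, 4),
    (11, 1): (11, 1, 2),
}

# Patterns taken from the firewall configd.log lines in the Symptom section.
EXPIRED_CERT_RE = re.compile(r"Cert verify failed:.*certificate has expired")
UNTRUSTED_CERT_RE = re.compile(r"cms sent untrusted cert")

def parse_panos_version(version: str) -> tuple:
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix (assumed format)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def base_image_has_expired_cert(version: str) -> Optional[bool]:
    """True if the release is below the fixed release of its train, False if at or
    above it, None if the train is not in the article's table."""
    major, minor, patch, _hotfix = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed

def scan_configd_log(lines) -> dict:
    """Count the expired-cert and untrusted-cert messages in firewall configd.log lines."""
    counts = {"expired_cert": 0, "untrusted_cert": 0}
    for line in lines:
        if EXPIRED_CERT_RE.search(line):
            counts["expired_cert"] += 1
        if UNTRUSTED_CERT_RE.search(line):
            counts["untrusted_cert"] += 1
    counts["matches_symptom"] = counts["expired_cert"] > 0 and counts["untrusted_cert"] > 0
    return counts

# Constructed sample input: the two error lines quoted in the Symptom section.
SAMPLE_LOG = [
    "-0700 Error: valid_cert(cs_client.c:17): commssl: Cert verify failed: error: 10 (certificate has expired)",
    "-0700 Error: pan_cmsa_tcp_channel_setup(src_panos/cms_agent.c:1141): cms sent untrusted cert!!",
]
```

Feed the output of a `tail` over the firewall's configd.log into `scan_configd_log` and the running version into `base_image_has_expired_cert`; a True result plus a matching log is the signature this article describes.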


Cause


The PA-VM base image uses an expired SSL certificate.

Resolution


  1. Use a PAN-OS VM base image with the updated certificate.
  2. Information about the certificate expiry is documented in the customer advisory PAN-OS Cert Expiry.

PAN-OS Version for VM-Series    Availability
10.1.12                         End of January 2024
10.2.8                          End of January 2024
11.0.4                          End of February 2024
11.1.2                          End of February 2024

Additional Information


For bootstrap deployments using buckets:

  • Upload the PAN-OS version with the hotfix to the 'Software' folder.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrLWCA0&lang=en_US