Firewall's logs are not ingested to Cortex Data Lake service and “Not able to connect() to server (null)” is seen in ms.log or logrcvr.log

Created On 10/21/20 07:31 AM - Last Modified 10/29/21 16:20 PM


Symptom


Logs may not be ingested into the Cortex Data Lake service even though the on-premise firewall is properly licensed, the certificate for the logging service has been successfully fetched to the firewall, and the customer info has been successfully retrieved.

The following messages may be seen in the content of ms.log or logrcvr.log files on the firewall.

2020-09-14 08:32:28.014 -0500 Error:  pan_comm_get_iplist(cs_conn.c:4682): connmgr: panorama: addr info address: (null) error: No address associated with hostname
2020-09-14 08:32:28.014 -0500 Error:  pan_conn_mgr_do_connect(cs_conn.c:11682): Failed to resolve ip address: (null)
2020-09-14 08:32:28.014 -0500 Error:  pan_conn_mgr_connect_to_server_impl(cs_conn.c:12203): Not able to connect() to server (null)
2020-09-14 08:32:28.014 -0500 connmgr: connection entry removed. devid=triallr-(null)-def sock=0 result=0
2020-09-14 08:32:28.014 -0500 Received connection update cb for triallr-(null)-def: 8
2020-09-14 08:32:28.014 -0500 Removing dst_swap_info entry for triallr-(null)-def
2020-09-14 08:32:28.014 -0500 Error:  pan_comm_get_iplist(cs_conn.c:4682): connmgr: panorama: addr info address: (null) error: No address associated with hostname
2020-09-14 08:32:28.014 -0500 Error:  pan_conn_mgr_do_connect(cs_conn.c:11682): Failed to resolve ip address: (null)
2020-09-14 08:32:28.014 -0500 Error:  pan_conn_mgr_connect_to_server_impl(cs_conn.c:12203): Not able to connect() to server (null)
2020-09-14 08:32:28.014 -0500 connmgr: connection entry removed. devid=dpilr-(null)-def sock=0 result=0
2020-09-14 08:32:28.014 -0500 Received connection update cb for dpilr-(null)-def: 8
2020-09-14 08:32:28.014 -0500 Removing dst_swap_info entry for dpilr-(null)-def


Environment


  • All CDL environments
  • PAN-OS
  • Panorama


Cause


The issue is most likely caused by incorrect region info. The region name is often configured starting with a capital letter, but it must be entirely lowercase.

Resolution


  1. Execute the commands below in the CLI of the firewall to see whether the merged and/or running config on the firewall contains the correct region info.
> less mp-log ms.log
> less mp-log logrcvr.log
 

NOTE:

You may see the output below, which shows the region name starts with a capital letter and needs to be corrected.   

logging-service-regions Europe;
 

 

  2. Correct the region info by changing the config either locally on the firewall or on Panorama.
  • In order to correct the config locally on the firewall, please run the commands below in the CLI of the firewall.
> configure
# set deviceconfig setting logging logging-service-forwarding logging-service-regions europe
# commit
# exit
 
  • In order to correct the config on Panorama, please run the commands below in the CLI of Panorama and then push the template to the firewall(s) with the incorrect config.
> configure
# set template <template_used_for_the_problematic_firewall> config deviceconfig setting logging logging-service-forwarding logging-service-regions europe
# commit
# exit


Additional Information


You can check the content of ms.log and logrcvr.log files by running the commands below in the CLI of the firewall.

> less mp-log ms.log
> less mp-log logrcvr.log
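
An offline check for this symptom, as an added example that is not part of the original article: the Python below scans text saved from ms.log or logrcvr.log for the messages shown under Symptom and reports the lowercase value to set when the region is not all lowercase. The sample log and config text are constructed from the excerpts above, and the function names are hypothetical.

```python
import re

# Constructed sample in the format of the ms.log excerpt above; the second
# line carries two records run together on one physical line.
SAMPLE_LOG = (
    "2020-09-14 08:32:28.014 -0500 Error:  pan_comm_get_iplist(cs_conn.c:4682): "
    "connmgr: panorama: addr info address: (null) error: No address associated with hostname\n"
    "2020-09-14 08:32:28.014 -0500 Error:  pan_conn_mgr_do_connect(cs_conn.c:11682): "
    "Failed to resolve ip address: (null)"
    "2020-09-14 08:32:28.014 -0500 Error:  pan_conn_mgr_connect_to_server_impl(cs_conn.c:12203): "
    "Not able to connect() to server (null)\n"
    "2020-09-14 08:32:28.014 -0500 connmgr: connection entry removed. "
    "devid=triallr-(null)-def sock=0 result=0\n"
)
SAMPLE_CONFIG = "logging-service-regions Europe;"  # constructed, as in the NOTE above

# Zero-width match at the start of every timestamp, so fused records split too.
RECORD_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} )")
SYMPTOMS = (
    "No address associated with hostname",
    "Failed to resolve ip address: (null)",
    "Not able to connect() to server (null)",
)
REGION = re.compile(r"logging-service-regions\s+([^\s;]+)")


def split_records(text):
    """Return one string per log record, even when records share a line."""
    return [r.strip() for r in RECORD_START.split(text) if r.strip()]


def summarize(text):
    """Count the symptom messages and collect the affected connection ids."""
    counts = {s: 0 for s in SYMPTOMS}
    devids = set()
    for record in split_records(text):
        for s in SYMPTOMS:
            if s in record:
                counts[s] += 1
        devids.update(re.findall(r"devid=(\S+)", record))
    return counts, devids


def region_fix(config_text):
    """Return the lowercase region to set, or None if already lowercase or absent."""
    m = REGION.search(config_text)
    if m is None or m.group(1) == m.group(1).lower():
        return None
    return m.group(1).lower()
```

Nonzero symptom counts together with a non-None result from region_fix match the condition this article describes.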

