Error: dns-signature cloud service connection refused

Created On 01/04/21 21:18 PM - Last Modified 04/23/24 00:16 AM


Symptom


  • The following error can be seen in the System Logs (show_log_system.txt):
2020/11/17 10:23:36 medium   rtsig   dns-si cloud-f 0  dns-signature cloud service connection refused.
 
  • At the same time (matching timestamps), there is a matching entry in the DNS Security logs (dnsproxyd.log):
2020-11-17 10:23:36.527 +1000 Warning:  _rtsig_cloud_curl_cb(rtsig/rtsig_cloud/pan_dnsproxy_rtsig_cloud_curl.c:77): RTSIG CLD: response failure Timeout was reached (0) failed!
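
The timestamp correlation described above can be scripted when reviewing exported logs. This is an added example, not Palo Alto Networks code: the function names, the one-second tolerance and the second system-log line are constructed for illustration, and it assumes both logs use the same local clock.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the two log lines quoted in the article.
# The 11:02:10 entry is invented to show an event with no dnsproxyd.log match.
SYSTEM_LOG = """\
2020/11/17 10:23:36 medium   rtsig   dns-si cloud-f 0  dns-signature cloud service connection refused.
2020/11/17 11:02:10 medium   rtsig   dns-si cloud-f 0  dns-signature cloud service connection refused.
"""
DNSPROXYD_LOG = """\
2020-11-17 10:23:36.527 +1000 Warning:  _rtsig_cloud_curl_cb(rtsig/rtsig_cloud/pan_dnsproxy_rtsig_cloud_curl.c:77): RTSIG CLD: response failure Timeout was reached (0) failed!
"""

SYS_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s.*"
                    r"dns-signature cloud service connection refused")
PROXY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \S+ .*"
                      r"RTSIG CLD: response failure Timeout was reached")

def parse_times(text, pattern, fmt):
    """Return the timestamps of all lines that match pattern."""
    times = []
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            times.append(datetime.strptime(m.group(1), fmt))
    return times

def correlate(system_log, dnsproxyd_log, tolerance_s=1):
    """Pair each 'connection refused' event with a curl timeout seen nearby.

    Assumption: both logs share the same local wall clock, so the UTC
    offset printed in dnsproxyd.log is ignored.
    """
    refused = parse_times(system_log, SYS_RE, "%Y/%m/%d %H:%M:%S")
    timeouts = parse_times(dnsproxyd_log, PROXY_RE, "%Y-%m-%d %H:%M:%S")
    window = timedelta(seconds=tolerance_s)
    return [(t, any(abs(t - p) <= window for p in timeouts)) for t in refused]

if __name__ == "__main__":
    for ts, matched in correlate(SYSTEM_LOG, DNSPROXYD_LOG):
        status = "matching timeout in dnsproxyd.log" if matched else "no matching timeout"
        print(f"{ts}  connection refused: {status}")
```

Events reported without a matching timeout do not fit the symptom pattern of this article and need separate investigation.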


Environment


  • PAN-OS 9.1 and 10.0
  • DNS Security License


Cause


Cause 1)
If the firewall management traffic traverses the firewall, the issue can be caused by the paloalto-dns-security App-ID traffic being blocked.

Cause 2)
The DNS query timeout error "response failure Timeout was reached (0)" was incorrectly mapped to the System Log error "dns-signature cloud service connection refused."
 


Resolution


Resolution for Cause 1)
Make sure that the App-ID paloalto-dns-security is allowed for traffic sourced from the firewall's management port.

Resolution for Cause 2)
This is a cosmetic product defect. It has been addressed in PAN-OS 9.1.13 and 10.0.9 through PAN-159210.
In the fixed PAN-OS versions, this error is mapped to the System Log entry "dns-signature cloud query timeout".


Additional Information


Cause 1)
This issue impacts the DNS Security service.

Cause 2)
This issue has no service impact. Occasional query timeouts are expected.

