Prisma Access Redistribution Agent connection failure "close connection to agent" to primary-passive/secondary-passive Panorama
Symptom
Configure Quarantine List Redistribution in Prisma Access
Once this settings on Panorama, Panorama management will open the TCP/5007 for accepting the connection from Service Connection.
However, primary-passive/secondary-passive Panorama will return "close connection to agent" error
Environment
Prisma Access
Panorama Managed
high availability (HA) configuration
Cause
Open TCP/5007 only on primary-active/secondary-active, primary-passive/secondary-passive Panorama will close TCP/5007 listening
============================================================
primary-active -> primary-passive
============================================================
admin@Panorama#01(primary-active)> show netstat all yes numeric-ports yes programs yes | match 5007
tcp6 0 0 [::]:5007 [::]:* LISTEN 5802/distributord
admin@Panorama#01(primary-active)> request high-availability state suspend
Successfully changed HA state to suspended
admin@Panorama#01(primary-suspended)> request high-availability state functional
Successfully changed HA state to functional
admin@Panorama#01(primary-initial)>
admin@Panorama#01(primary-initial)>
admin@Panorama#01(primary-passive)>
admin@Panorama#01(primary-passive)> show netstat all yes numeric-ports yes programs yes | match 5007
============================================================
secondary-passive -> secondary-active
============================================================
admin@Panorama#02(secondary-passive)> show netstat all yes numeric-ports yes programs yes | match 5007
admin@Panorama#02(secondary-passive)>
admin@Panorama#02(secondary-passive)>
admin@Panorama#02(secondary-active)> show netstat all yes numeric-ports yes programs yes | match 5007
tcp6 0 0 [::]:5007 [::]:* LISTEN 8732/distributord
admin@Panorama#02(secondary-active)>
Resolution
The primary-passive/secondary-passive Panorama will close TCP/5007 listening so this is expected.