Panorama unable to connect Strata Logging Service after initial configuration.
6631
Created On 10/10/24 09:03 AM - Last Modified 01/06/25 21:42 PM
Symptom
- Panorama configured for Strata Logging Service.
- When checking the status "request plugins cloud_services logging-service status", the following error message is displayed.
> request plugins cloud_services logging-service status fail Exception 'customer-id' - In lcaas_agent.log (less mp-log lcaas_agent.log), response code 401 can be seen.
16:13:39,693 lcaas_agent INFO URL=https://lic.lc.prod.us.cs.paloaltonetworks.com:444/Platform/CustomerInfo/ 16:13:39,693 lcaas_agent INFO CERT=/opt/pancfg/mgmt/ssl/private/device.crt 16:13:40,397 lcaas_agent INFO response from orchestrator=b'{"code":401,"message":"Got error. No provisioned tenant id found for serial number in cert subject: ClientCert.Subject(commonName=000702042476, orgUnit=null, serialNumber=null, oid=OID.1.3.6.1.4.1.25461.4.22.1)","timeStamp":"2024-10-08T07:13:40.311Z"}' 16:13:40,398 lcaas_agent INFO Resp from cloud service : b'{"code":401,"message":"Got error. No provisioned tenant id found for serial number in cert subject: ClientCert.Subject(commonName=000702042476, orgUnit=null, serialNumber=null, oid=OID.1.3.6.1.4.1.25461.4.22.1)","timeStamp":"2024-10-08T07:13:40.311Z"}' 16:13:40,398 lcaas_agent ERROR Customer is not provisioned in CSP - There are no issues with the license and device certificate.
- From a packet capture on a management interface, you do not observe any traffic from port 444.
> tcpdump snaplen 0 filter "tcp port (3978 or 80 or 443 or 444) or udp port 53"
Environment
- Panorama
- Supported PAN-OS
- Strata Logging Service (Previously Cortex Data Lake)
Cause
Panorama is not onboarded to the Strata Logging Service tenant.
Resolution
Onboard Panorama following the steps at Configure Panorama for Strata Logging Service.