When onboarding with PAN-OS 11.2.X, the firewall cannot connect to Panorama.

Created On 02/05/25 00:41 AM - Last Modified 02/22/25 04:11 AM


Symptom


  • A firewall running PAN-OS 11.2.X is being onboarded to Panorama.
  • The firewall fails to connect to Panorama.
  • The following error messages are seen in the Panorama and firewall configd logs.

Panorama configd.log

-0800 Warning:  _register_ext_validation(pan_cfg_mgt_handler.c:4651): reg: device 'xxxxx' not using issued cert.
-0800 SC3: did:'xxxxx', ser:'xxxxx', ver:'11.2.4-h2', mod:'PA-450'
-0800 Warning:  sc3_register(sc3_register.c:212): SC3: connstat for 'xxxxx': -1
-0800 Warning:  sc3_register(sc3_register.c:249): SC3: register device 'xxxxx' does not have a peer cert.
-0800 Error:  sc3_register(sc3_register.c:270): SC3: register - No authkey given for device 'xxxxx'
-0800 Error:  pan_cfg_handle_mgt_reg(pan_cfg_mgt_handler.c:4992): SC3: Failed to register device: 'xxxxx'

 

Firewall configd.log

-0800 Error:  _get_current_cert(sc3_utils.c:117): sdb node 'cfg.ms.ca' does not exist ret -5
-0800 Warning:  sc3_get_current_sc3(sc3_utils.c:184): SC3: failed to get SNI
-0800 Warning:  sc3_get_current_sc3(sc3_utils.c:187): SC3: failed to get CCN
-0800 Warning:  sc3_sendRegInfo(sc3_register.c:425): SC3R: AK not present.
-0800 Error:  pan_cfg_get_cms_msg(pan_cfg_mgr.c:47047): SC3: reg - authkey needed, but missing



Environment


  • PA-Series Next-Generation Firewall
  • Panorama
  • PAN-OS 11.2.X


Cause


  • The auth key cannot be set on the firewall using the WebUI.
  • The auth key is entered under the GUI path: Device > Setup > Management > Panorama Settings > Auth key
  • When the settings are checked afterwards, however, the information has not been added.
  • The settings can be checked with the command below; cfg.ms.ak is not added when the setting is made through the WebUI.

> show system state filter cfg.ms.*

cfg.ms.ak: xxxxxxxxxxxx
cfg.ms.csr: xxxxxxxxxxxxx



Resolution


  1. Use the CLI command to set the authentication key on the firewall.
  2. Use the command  > request authkey set <auth key>
  3. For details about the authentication key, refer to Authentication Key For Secure Firewall Onboarding.
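
The triage script below is an added example, not Palo Alto Networks code. It classifies saved `show system state filter cfg.ms.*` output and configd.log text against the messages quoted in this article, before and after the CLI fix. The function names and status strings are hypothetical, and the "after WebUI" state sample is constructed on the assumption that the cfg.ms.ak line is simply absent.

```python
import re

# Message texts below are the ones quoted in this article's configd.log excerpts.
FW_AUTHKEY_MISSING = re.compile(r"SC3R: AK not present|SC3: reg - authkey needed, but missing")
PANO_NO_AUTHKEY = re.compile(r"SC3: register - No authkey given for device '([^']*)'")
STATE_LINE = re.compile(r"^\s*(cfg\.ms\.[\w.-]+):\s*(.*?)\s*$")

def state_keys(state_output):
    """Names of cfg.ms.* keys with a non-empty value. Values are discarded,
    so the auth key itself is never echoed into triage notes."""
    keys = set()
    for line in state_output.splitlines():
        m = STATE_LINE.match(line)
        if m and m.group(2):
            keys.add(m.group(1))
    return keys

def firewall_status(state_output, fw_configd_log=""):
    """Classify the firewall side: is cfg.ms.ak set, and does the log agree?"""
    ak_set = "cfg.ms.ak" in state_keys(state_output)
    log_hits = [l for l in fw_configd_log.splitlines() if FW_AUTHKEY_MISSING.search(l)]
    if not ak_set:
        return "authkey-missing" if log_hits else "authkey-not-set"
    # cfg.ms.ak is present; matching log lines may predate the CLI fix.
    return "authkey-set-check-log-age" if log_hits else "authkey-set"

def panorama_devices_without_authkey(pano_configd_log):
    """Device ids that Panorama rejected with 'No authkey given'."""
    return sorted({m.group(1) for m in PANO_NO_AUTHKEY.finditer(pano_configd_log)})

# Constructed samples: log lines copied from the article, state output edited by hand.
FW_LOG = """\
-0800 Warning:  sc3_sendRegInfo(sc3_register.c:425): SC3R: AK not present.
-0800 Error:  pan_cfg_get_cms_msg(pan_cfg_mgr.c:47047): SC3: reg - authkey needed, but missing
"""
PANO_LOG = """\
-0800 Warning:  sc3_register(sc3_register.c:249): SC3: register device 'xxxxx' does not have a peer cert.
-0800 Error:  sc3_register(sc3_register.c:270): SC3: register - No authkey given for device 'xxxxx'
"""
STATE_AFTER_WEBUI = "cfg.ms.csr: xxxxxxxxxxxxx\n"
STATE_AFTER_CLI = "cfg.ms.ak: xxxxxxxxxxxx\ncfg.ms.csr: xxxxxxxxxxxxx\n"

if __name__ == "__main__":
    print(firewall_status(STATE_AFTER_WEBUI, FW_LOG))
    print(firewall_status(STATE_AFTER_CLI))
    print(panorama_devices_without_authkey(PANO_LOG))
```
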


Additional Information


N/A


