Panorama Cisco plugin fails with "Attempt to connect with APIC timed out" message

Created On 08/01/23 15:22 PM - Last Modified 10/21/25 20:51 PM


Symptom


  • Dynamic address groups are not completely populated with IP addresses from the Cisco plugin
  • Output of debug plugins cisco ip-tag-mappings all action print shows no IP-TAG mappings, or incomplete ones, learned for the relevant Panorama device groups:

    Device Group: DG_1
    Device Group: DG_2
    Device Group: DG_3
  • Output of show plugins cisco status shows:

    Cluster Name          Status    Last Updated Time             Error Msg                   
    ----------------------------------------------------------------------------------------------------
    PANW-FABRIC             Fail      2023-10-03T14:51:16.085000    Attempt to connect with APIC timed out, unable to connect.
  • Output of less plugins-log plugin_cisco_ret.log shows that the plugin is unable to connect with APIC:

    2023-10-24 06:04:04.126 +0200 DEBUG: : PANW-FABRIC: Cisco ACI version 5.2
    2023-10-24 06:04:04.127 +0200 DEBUG: : PANW-FABRIC: Successfully updated cluster name
    2023-10-24 06:04:04.260 +0200 DEBUG: : PANW-FABRIC: Successfully updated EPG cache
    2023-10-24 06:04:04.333 +0200 DEBUG: : PANW-FABRIC: Successfully updated subnet gateway
    2023-10-24 06:04:05.959 +0200 ERROR: : Attempt to connect with APIC timed out, unable to connect.
    2023-10-24 06:04:05.972 +0200 DEBUG: : PANW-FABRIC: Successfully logged out of apic1.panw.net
    2023-10-24 06:04:05.972 +0200 DEBUG: : PANW-FABRIC: Number of endpoints retrieved 58
    2023-10-24 06:04:05.989 +0200 DEBUG: : PANW-FABRIC: Done storing tags
    2023-10-24 06:04:05.989 +0200 DEBUG: : PANW-FABRIC: Done updating dashboard data
    
  • PCAPs gathered on the Panorama interface show that TLS connectivity to the Cisco APIC is successfully established and application data is transferred, followed a few seconds later by a TLS Encrypted Alert message from Panorama.


Environment


  • Palo Alto Networks Panorama device
  • Cisco Plugin for Panorama installed and configured
  • Cisco ACI environment connected to the plugin, with special (non-ASCII) characters in one or more endpoint names


Cause


Special characters outside the ASCII range (e.g. ö) are not supported by the Cisco plugin; they cause a timeout during tag retrieval and processing by the plugin.

Resolution


Review the complete list of endpoint names in your ACI environment and ensure that special characters are removed or replaced with characters from the ASCII character set.
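
One way to carry out this review offline is sketched below. This is an added example, not Palo Alto Networks or Cisco code. It assumes the endpoint names have been exported as text, one per line; the sample names are constructed and the function names are hypothetical.

```python
import unicodedata

# Constructed sample: endpoint names exported one per line (not from the article).
SAMPLE_NAMES = [
    "web-frontend-01",
    "db-k\u00f6ln-02",        # precomposed o-diaeresis, the article's example
    "app-stra\u00dfe-03",     # sharp s: has no ASCII decomposition
    "cache\u00a001",          # no-break space: invisible in most terminals
    "app-server-05",
]

def ascii_suggestion(name):
    """Candidate ASCII-only name: accents stripped via NFKD, '_' for the rest."""
    out = []
    for ch in unicodedata.normalize("NFKD", name):
        if ch.isascii():
            out.append(ch)
        elif not unicodedata.combining(ch):
            out.append("_")   # nothing to fall back to; pick a replacement by hand
        # combining marks left over from decomposition are dropped
    return "".join(out)

def find_non_ascii(names):
    """Return one finding per name that contains a character outside ASCII."""
    findings = []
    for line_no, raw in enumerate(names, start=1):
        # Only strip line endings: str.strip() would silently remove U+00A0.
        name = raw.rstrip("\r\n")
        bad = [(i, ch) for i, ch in enumerate(name) if not ch.isascii()]
        if bad:
            findings.append({
                "line": line_no,
                "name": name,
                "chars": [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                          for i, ch in bad],
                "suggestion": ascii_suggestion(name),
            })
    return findings

if __name__ == "__main__":
    for f in find_non_ascii(SAMPLE_NAMES):
        print(f"line {f['line']}: {f['name']!r} -> {f['suggestion']!r}")
        for pos, code, uname in f["chars"]:
            print(f"    offset {pos}: {code} {uname}")
```

The suggestion is only a candidate for the rename; the change itself is made in the ACI environment.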
