Firewalls disconnected from Panorama with error message "SC3: verify error:27:certificate not trusted (depth:0)" in ms.log

Created On 09/29/23 05:41 AM - Last Modified 03/18/25 06:01 AM


Symptom


  • Multiple firewalls suddenly disconnected from the primary-active Panorama, and/or a commit push to the device failed with the error message: "Panorama connectivity check failed for <IP>. Reason: SSL handshake failed, reverting configuration".
  • The firewalls are connected to the secondary Panorama correctly.
  • Ping between the firewalls and Panorama works, but the SSL handshake is failing.
  • ms.log (less mp-log ms.log) on Panorama shows the error 'Unknown SNI'.
  • ms.log/configd.log (less mp-log configd.log) on the firewall shows the error 'SC3: verify error:27:certificate not trusted (depth:0)'.
  • When checking the SDB value with "show system state filter cfg.ms.*" on both Panoramas and the firewalls, the CA value on the primary-active Panorama does not match the CA on the secondary-passive Panorama or on the firewalls.

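As an added triage example (not from this article or from Palo Alto Networks), the script below parses the "show system state filter cfg.ms.*" output collected from each device to find which one holds a divergent CA value, and extracts the SC3 verify errors from firewall ms.log lines. The "key: value" SDB line format, the CA key name (cfg.ms.sc3-ca is a placeholder, substitute the key from your own output), and the sample outputs and log lines are all assumed or constructed.

```python
import re
from collections import Counter

# Constructed sample output of 'show system state filter cfg.ms.*' per device.
# Key name 'cfg.ms.sc3-ca' is a placeholder (assumed), not the real SDB key.
SDB_OUTPUTS = {
    "panorama-primary-active": "cfg.ms.sc3-ca: sha256:AAAA1111\ncfg.ms.mode: panorama\n",
    "panorama-secondary-passive": "cfg.ms.sc3-ca: sha256:BBBB2222\ncfg.ms.mode: panorama\n",
    "fw-edge-01": "cfg.ms.sc3-ca: sha256:BBBB2222\n",
    "fw-edge-02": "cfg.ms.sc3-ca: sha256:BBBB2222\n",
}

# Constructed sample firewall ms.log lines (not captured from a real device).
FW_MS_LOG = """\
2023-09-29 05:41:02 Connected to panorama 192.0.2.10
2023-09-29 05:41:03 SC3: verify error:27:certificate not trusted (depth:0)
2023-09-29 05:41:03 Panorama connectivity check failed for 192.0.2.10. Reason: SSL handshake failed, reverting configuration
2023-09-29 05:41:10 Connected to panorama 192.0.2.11
"""

SC3_VERIFY_ERROR = re.compile(r"SC3: verify error:(\d+):([^(]+)\(depth:(\d+)\)")

def parse_sdb(text):
    """Parse 'key: value' lines (assumed SDB output format) into a dict."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def find_ca_outliers(outputs, key):
    """Return devices whose value for `key` differs from the majority value.

    In the scenario above, the primary-active Panorama is the lone outlier:
    the secondary Panorama and every firewall still agree with each other."""
    values = {dev: parse_sdb(out).get(key) for dev, out in outputs.items()}
    majority, _ = Counter(values.values()).most_common(1)[0]
    return sorted(dev for dev, val in values.items() if val != majority)

def sc3_verify_errors(log_text):
    """Return (error_code, reason, depth) for each 'SC3: verify error' line."""
    return [(int(m.group(1)), m.group(2).strip(), int(m.group(3)))
            for m in SC3_VERIFY_ERROR.finditer(log_text)]

if __name__ == "__main__":
    print("divergent CA on:", find_ca_outliers(SDB_OUTPUTS, "cfg.ms.sc3-ca"))
    print("SC3 verify errors:", sc3_verify_errors(FW_MS_LOG))
```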


Environment


  • Panorama managed Firewalls
  • PAN-OS 10.1 or higher
  • Panorama configured in HA (High Availability)

 



Cause


The CA certificate on the primary-active Panorama has changed (an SC3.CA change), so it no longer matches the certificate held by the firewalls.



Resolution


Perform the following steps to resolve the issue:

  1. Suspend the primary-active Panorama (A).
  2. The secondary Panorama becomes active (secondary-active, B).
  3. Change the priority of (B) to Primary and of (A) to Secondary, then commit (ensure pre-emption is enabled).
  4. This syncs the CA certificate from (B) to (A), so that it matches the CA on the firewalls.
  5. Make Panorama (A) functional again and check the SDB value to confirm the match.
  6. After this change, the firewalls should reconnect to both Panoramas automatically.




Additional Information


Changes to the SC3.CA certificate on Panorama can occur due to:
  • A reset of SC3 on Panorama.
  • Cases where a new Panorama is introduced via RMA.
  • Changes to SC3.CA on Panorama during periods of high CPU usage. If a connection flap occurs between the firewall and Panorama at that time, the SDB fetch may fail to read SC3.CA.

