After upgrade of User-id agent, the firewall gets disconnected ... - Knowledge Base - Palo Alto Networks

After upgrade of User-id agent, the firewall gets disconnected from the Agent.

14722
Created On 02/01/24 11:20 AM - Last Modified 10/21/24 10:25 AM


Symptom


  • The User-ID Agent and the firewall are disconnected after the User-ID Agent is updated.
  • A management-plane packet capture shows the firewall sending a TLS alert (Unknown CA) and then a reset during the SSL handshake.
UaDebug.log (User-ID Agent logs):
[ Info 1305]: New connection 172.16.206.1 : 40983.
[ Info 1378]: Device thread 1 with 172.16.206.1 : 40983 is started.
[Error 3499]: Failed to validate client certificate, thread : 1, 1-0!
[ Info 1701]: Connection 172.16.206.1 : 40983 closed.
Distributord log (less mp-log distributord.log):
[distributord] Received certificate with issuer = '/C=US/ST=California/L=Santa Clara/O=Palo Alto Networks/OU=Engineering/CN=User-ID Agent 1'
[distributord] Received certificate with subject = '/C=US/ST=California/L=Santa Clara/O=Palo Alto Networks/OU=Engineering/CN=User-ID Agent 1'
[distributord] Loading default uia trust cert in store
Error:  pan_distributor_agent_verify_cert_cb(pan_distributor_agent.c:1816): X509_verify_cert returned error 18, error = 'self signed certificate'
[distributord] Returning FAILURE from pan_user_id_uia_verify_cert_cb
Error:  pan_dcom_ssl_connect(pan_dcom_ssl.c:331): conn user: SSL_connect return -1
Error:  pan_dcom_ssl_connect(pan_dcom_ssl.c:332): SSL :error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed 
  • Packet capture of the failed handshake: [image not reproduced]


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS.
  • User-ID Agent version 10.2.2
  • Prisma Access


Cause


The upgraded User-ID Agent presents a new certificate, but a firewall that has not received the hotfix holds only the old agent certificate in its trust store, so verification fails. The firewall is the TLS client in this exchange (distributord connects to the agent and verifies the agent's server certificate, hence tls_process_server_certificate in the log). The new certificate is self-signed (issuer equals subject in the distributord log) and is not in the "default uia trust cert" store the firewall loads, so OpenSSL returns verify error 18 ('self signed certificate'), the firewall sends an Unknown CA alert and resets the connection, and the agent side logs "Failed to validate client certificate" before closing the connection.
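The following script, an added example that is not part of the article and not Palo Alto Networks code, runs the diagnosis the article performs by hand over the two log excerpts: it pulls the peer certificate issuer/subject and the OpenSSL verify result from distributord.log, checks whether the agent side logged a certificate validation failure in UaDebug.log, and classifies the failure. The sample log lines are constructed to match the article's excerpts; the verdict names and the Diagnosis fields are the script's own assumptions.

```python
"""Classify a User-ID Agent / firewall TLS disconnect from the two log files.

Added example for this article, not Palo Alto Networks code. Log samples are
constructed from the article's excerpts; verdict labels are this script's own.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: UaDebug.log on the User-ID Agent.
UADEBUG_LOG = """\
[ Info 1305]: New connection 172.16.206.1 : 40983.
[ Info 1378]: Device thread 1 with 172.16.206.1 : 40983 is started.
[Error 3499]: Failed to validate client certificate, thread : 1, 1-0!
[ Info 1701]: Connection 172.16.206.1 : 40983 closed.
"""

# Constructed sample: mp-log distributord.log on the firewall.
DISTRIBUTORD_LOG = """\
[distributord] Received certificate with issuer = '/C=US/ST=California/L=Santa Clara/O=Palo Alto Networks/OU=Engineering/CN=User-ID Agent 1'
[distributord] Received certificate with subject = '/C=US/ST=California/L=Santa Clara/O=Palo Alto Networks/OU=Engineering/CN=User-ID Agent 1'
[distributord] Loading default uia trust cert in store
Error:  pan_distributor_agent_verify_cert_cb(pan_distributor_agent.c:1816): X509_verify_cert returned error 18, error = 'self signed certificate'
[distributord] Returning FAILURE from pan_user_id_uia_verify_cert_cb
Error:  pan_dcom_ssl_connect(pan_dcom_ssl.c:331): conn user: SSL_connect return -1
Error:  pan_dcom_ssl_connect(pan_dcom_ssl.c:332): SSL :error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
"""

# OpenSSL X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: the leaf presented by the peer
# is self-signed and is not itself present in the trust store that was loaded.
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18

DN_RE = re.compile(r"Received certificate with (issuer|subject) = '([^']*)'")
X509_RE = re.compile(r"X509_verify_cert returned error (\d+), error = '([^']*)'")

# Verdict labels (this script's own names, not PAN-OS terms).
AGENT_CERT_NOT_TRUSTED = "agent-cert-not-in-firewall-trust-store"
OTHER_TLS_FAILURE = "other-tls-verification-failure"
NO_TLS_FAILURE = "no-tls-verification-failure"


@dataclass
class Diagnosis:
    issuer: Optional[str] = None
    subject: Optional[str] = None
    self_signed: bool = False            # issuer DN == subject DN
    default_trust_loaded: bool = False   # firewall fell back to its built-in agent cert
    x509_error: Optional[int] = None
    x509_text: Optional[str] = None
    agent_logged_cert_failure: bool = False
    verdict: str = NO_TLS_FAILURE


def parse_distributord(text: str) -> Diagnosis:
    """Extract peer certificate DNs and the OpenSSL verify result from distributord.log."""
    d = Diagnosis()
    for line in text.splitlines():
        m = DN_RE.search(line)
        if m:
            setattr(d, m.group(1), m.group(2))
            continue
        if "Loading default uia trust cert in store" in line:
            d.default_trust_loaded = True
            continue
        m = X509_RE.search(line)
        if m:
            d.x509_error = int(m.group(1))
            d.x509_text = m.group(2)
    d.self_signed = d.issuer is not None and d.issuer == d.subject
    return d


def parse_uadebug(text: str) -> bool:
    """True if the agent side logged a client-certificate validation failure."""
    return any("Failed to validate client certificate" in line for line in text.splitlines())


def diagnose(uadebug: str, distributord: str) -> Diagnosis:
    """Combine both logs into a single verdict."""
    d = parse_distributord(distributord)
    d.agent_logged_cert_failure = parse_uadebug(uadebug)
    if d.x509_error is None:
        d.verdict = NO_TLS_FAILURE
    elif (d.x509_error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
          and d.self_signed and d.default_trust_loaded):
        # Self-signed agent leaf, verified only against the firewall's built-in
        # agent certificate, rejected: the pre-hotfix firewall / new agent case.
        d.verdict = AGENT_CERT_NOT_TRUSTED
    else:
        d.verdict = OTHER_TLS_FAILURE
    return d


if __name__ == "__main__":
    d = diagnose(UADEBUG_LOG, DISTRIBUTORD_LOG)
    print(f"verdict={d.verdict} x509_error={d.x509_error} ({d.x509_text}) "
          f"self_signed={d.self_signed} agent_logged_cert_failure={d.agent_logged_cert_failure}")
```

Run it against the real files (`less mp-log distributord.log` on the firewall, UaDebug.log on the agent host) by replacing the two constructed strings with the file contents. A verdict of AGENT_CERT_NOT_TRUSTED with the agent version at or above the one that introduced the new certificate points at the upgrade-order problem in the Resolution; any other verify error (expired, hostname, revoked) is a different problem and should not be "fixed" by the hotfix.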

Resolution


  1. Upgrade the firewall to the hotfix version named in the advisory.
  2. Only after the firewall is upgraded, upgrade the User-ID Agent.
  3. Upgrading the firewall first matters because the hotfix build trusts both the old and the new User-ID Agent certificate, so it continues to verify the agent whichever certificate the agent presents. Upgrading the agent first leaves an agent with the new certificate facing a firewall that trusts only the old one, which is the failure described above.
  4. For Prisma Access, keep User-ID Agent version 9.0.6 (UaInstall-9.0.6-101.msi), which still uses the old certificate, until Prisma Access has been upgraded to use the new certificates.


Additional Information


Old User-ID Agent, using the old certificate: [image not reproduced]

New User-ID Agent, using the new certificate: [image not reproduced]

16 Feb 24 (Vijay) - Article updated with Prathyusha and published external.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhhvCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail