Managed devices disconnect from Panorama due to SC3 failure after changing Panorama's IP address

Created On 10/31/22 22:19 PM - Last Modified 03/17/25 21:02 PM


Symptom


  • A firewall that is connected to Panorama is moved from one location to another (for example, from the LAN to the WAN) and the Panorama IP address the firewall connects to changes:
    • Example: FW1 was connected to Panorama at IP address 10.1.1.1.
    • FW1 is moved to another branch office across the internet.
    • Because 10.1.1.1 cannot be reached from the branch office, the Panorama server IP address configured on the firewall is changed to Panorama's NATted IP address, say 1.1.1.1.
    • The Panorama server itself did not change, but the IP address the firewall uses to reach it did.
  • The IP address of Panorama is changed and the 'Panorama Server' IP address is reconfigured on the managed devices.
  • When either of the above conditions is met, the CMS connection from the firewall to Panorama fails with the following error:
 Error: sc3_register(sc3_register.c:265): SC3: Invalid authkey '2:fBVSYj_tQlqZXeKcHuO6c3Rw2LTBT0-NjPifuBA5uGPrHb38EC4FViQwts7uXjF2s4RrSi8lVkD1eCJWE1dIiw' given by Device: <SN>
 
2022-06-27 13:51:42.396 +0200 Warning: sc3_init_sc3(sc3_utils.c:380): SC3: Device CSR set to '2da56629-bc9c-4299-a735-05608f258869'
2022-06-27 13:51:42.396 +0200 SC3: CA: '', CC/CSR: '2da56629-bc9c-4299-a735-05608f258869'
2022-06-27 13:51:42.398 +0200 debug: _get_current_cert(sc3_utils.c:113): sdb node 'cfg.ms.ca' does not exist.
2022-06-27 13:51:42.398 +0200 Warning: sc3_get_current_sc3(sc3_utils.c:179): SC3: failed to get SNI
2022-06-27 13:51:42.399 +0200 debug: _get_current_cert(sc3_utils.c:113): sdb node 'cfg.ms.cc' does not exist.
2022-06-27 13:51:42.399 +0200 Warning: sc3_get_current_sc3(sc3_utils.c:182): SC3: failed to get CCN
2022-06-27 13:51:42.499 +0200 Warning: sc3_init_sctx(sc3_ctx.c:323): SC3: not set, skip cert loading
2022-06-27 13:51:42.499 +0200 SC3A: using SNI (from AK): 7c155262-3fed-425a-995d-e29c1ee3ba73
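The following script is an added example, not part of this article and not Palo Alto Networks code. It parses management-server log lines of the form quoted above and reports whether they carry the SC3 failure signature described in this article (authkey rejected by Panorama, the cfg.ms.ca / cfg.ms.cc sdb nodes absent, certificate loading skipped). The sample log is constructed from the lines shown above, with the device serial left as the placeholder `<SN>`; the names `diagnose_sc3`, `Sc3Diagnosis` and `identity_mismatch` are the example's own. The identity-mismatch check (device CSR id differing from the SNI derived from the authkey) is surfaced only as an observation for the operator; the article does not state it as a verdict by itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the management-server log lines quoted in the Symptom
# section of the article, with the device serial kept as the placeholder <SN>.
SAMPLE_LOG = """\
Error: sc3_register(sc3_register.c:265): SC3: Invalid authkey '2:fBVSYj_tQlqZXeKcHuO6c3Rw2LTBT0-NjPifuBA5uGPrHb38EC4FViQwts7uXjF2s4RrSi8lVkD1eCJWE1dIiw' given by Device: <SN>
2022-06-27 13:51:42.396 +0200 Warning: sc3_init_sc3(sc3_utils.c:380): SC3: Device CSR set to '2da56629-bc9c-4299-a735-05608f258869'
2022-06-27 13:51:42.396 +0200 SC3: CA: '', CC/CSR: '2da56629-bc9c-4299-a735-05608f258869'
2022-06-27 13:51:42.398 +0200 debug: _get_current_cert(sc3_utils.c:113): sdb node 'cfg.ms.ca' does not exist.
2022-06-27 13:51:42.398 +0200 Warning: sc3_get_current_sc3(sc3_utils.c:179): SC3: failed to get SNI
2022-06-27 13:51:42.399 +0200 debug: _get_current_cert(sc3_utils.c:113): sdb node 'cfg.ms.cc' does not exist.
2022-06-27 13:51:42.399 +0200 Warning: sc3_get_current_sc3(sc3_utils.c:182): SC3: failed to get CCN
2022-06-27 13:51:42.499 +0200 Warning: sc3_init_sctx(sc3_ctx.c:323): SC3: not set, skip cert loading
2022-06-27 13:51:42.499 +0200 SC3A: using SNI (from AK): 7c155262-3fed-425a-995d-e29c1ee3ba73
"""

# Patterns for the individual log messages of interest.
INVALID_AUTHKEY = re.compile(r"SC3: Invalid authkey '(?P<key>[^']*)' given by Device: (?P<sn>\S+)")
CSR_SET = re.compile(r"SC3: Device CSR set to '(?P<csr>[^']*)'")
MISSING_NODE = re.compile(r"sdb node '(?P<node>[^']*)' does not exist")
SNI_FROM_AK = re.compile(r"SC3A: using SNI \(from AK\): (?P<sni>\S+)")
SKIP_CERT = "SC3: not set, skip cert loading"


@dataclass
class Sc3Diagnosis:
    """Facts extracted from one device's SC3 registration log."""
    invalid_authkey: bool = False
    device_sn: Optional[str] = None
    csr_id: Optional[str] = None
    sni_from_authkey: Optional[str] = None
    missing_sdb_nodes: List[str] = field(default_factory=list)
    cert_loading_skipped: bool = False

    @property
    def needs_sc3_reset(self) -> bool:
        # The article's signature: Panorama rejected the authkey and the firewall
        # has no SC3 certificate state (cfg.ms.* nodes gone / cert loading skipped).
        return self.invalid_authkey and (self.cert_loading_skipped or bool(self.missing_sdb_nodes))

    @property
    def identity_mismatch(self) -> bool:
        # Observation only (example's own heuristic): the device's CSR id differs
        # from the SNI that Panorama derived from the presented authkey.
        return (self.csr_id is not None and self.sni_from_authkey is not None
                and self.csr_id != self.sni_from_authkey)


def diagnose_sc3(log_text: str) -> Sc3Diagnosis:
    """Scan log lines and collect the SC3 failure indicators."""
    d = Sc3Diagnosis()
    for line in log_text.splitlines():
        if m := INVALID_AUTHKEY.search(line):
            d.invalid_authkey = True
            d.device_sn = m.group("sn")
        elif m := CSR_SET.search(line):
            d.csr_id = m.group("csr")
        elif m := MISSING_NODE.search(line):
            d.missing_sdb_nodes.append(m.group("node"))
        elif m := SNI_FROM_AK.search(line):
            d.sni_from_authkey = m.group("sni")
        elif SKIP_CERT in line:
            d.cert_loading_skipped = True
    return d


def summarize(d: Sc3Diagnosis) -> str:
    """One-line verdict an operator can paste into a ticket."""
    if not d.needs_sc3_reset:
        return "No SC3 authkey/certificate failure signature found."
    parts = [f"device {d.device_sn or 'unknown'}: authkey rejected by Panorama",
             f"missing sdb nodes: {', '.join(d.missing_sdb_nodes) or 'none'}"]
    if d.identity_mismatch:
        parts.append(f"CSR id {d.csr_id} != SNI from authkey {d.sni_from_authkey}")
    parts.append("see Resolution: sc3 reset, restart management-server, clear device-status, re-add registration key")
    return "; ".join(parts)


if __name__ == "__main__":
    print(summarize(diagnose_sc3(SAMPLE_LOG)))
```

Feed the script the relevant portion of the firewall's management-server log; a `needs_sc3_reset` result points at the Resolution steps below, while a clean log returns the "no signature" message so the script can be run routinely without producing noise.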

 


Environment


  • Panorama managed Palo Alto Firewalls
  • PAN-OS 10.1.0 or higher


Cause


  • When a device (firewall) is moved from one Panorama to another, the device registration authkey and related data are removed automatically.
  • An SC3 reset is required before the device can connect to a new Panorama.
  • In the scenario described under Symptom, the Panorama server did not change, but IP connectivity to it did; the firewall nevertheless proactively performs the SC3 reset.
  • This causes the SC3 connection to fail, and the managed device remains disconnected.


Resolution


The following steps, together with the device registration process, are required to clear the old certificates from the device so that the firewall can connect to the new Panorama.
  1. Perform an SC3 reset on the firewall (do not run this command on Panorama):
Lab-133> request sc3 reset
  2. Restart the management server on the firewall:
Lab-133> debug software restart process management-server
  3. Reset the secure connection state of the managed device on Panorama:
Lab-panorama> clear device-status deviceid <device_SN>
  4. Add the existing or a new device registration key on the firewall again so that it connects to Panorama.


Additional Information


A feature/enhancement request has been filed as PAN-197870 to automate the above steps when a firewall is moved from one Panorama to another and when the IP address of Panorama is changed.

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kEySCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail