Error message "Failed to establish connection due to Server Identity check"
Created On 01/12/23 21:36 PM - Last Modified 07/20/23 20:47 PM
Symptom
- System logs (show log system) report the following error
1 05:17:36 SYSTEM tls 2561 05:17:36 panos-auth-failure general critical Client IP: 10.129.70.132 Server IP: 10.129.81.213 Server CN: panorama.saf.com Failed to establish connection due to Server Identity check: .
- Connectivity between the Firewall and Panorama (Log Collector) shows as established
Firewall:
> show netstat all yes numeric-ports yes | match 3978
tcp 0 0 10.129.81.213:47952 panorama.saf.com:3978 ESTABLISHED
Panorama:
> show netstat all yes numeric-ports yes | match <Firewall_IP>
tcp6 0 0 10.129.70.132:3978 10.129.81.213:47952 ESTABLISHED
Environment
- Panorama managed VM Firewall
- PAN-OS: 10.1.5-h1
Cause
- On the firewall, the domain name is configured instead of the IP address as the Panorama server.
- The log receiver uses the resolved IP address, not the configured domain name, to verify the client certificate against the authorization list, so the identity check fails and the connection is not accepted.
- Because the log receiver keeps retrying the connection and failing each time, the system logs are flooded with these connection-failure messages.
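Added example (not PAN-OS code and not from this article): a Python model of the identity check described above, showing why a certificate that names only panorama.saf.com fails when the verifier matches it against the resolved IP address, and passes once the IP is the CN (the article's fix) or, going beyond the article, an IP SAN. The addresses and certificate contents are constructed, and the CN-fallback and wildcard rules follow common TLS-client practice, not a known PAN-OS implementation.

```python
import ipaddress

def is_ip(value: str) -> bool:
    """True if `value` parses as an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS name match; allows one leading wildcard label (*.saf.com)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == pattern[2:]
    return False

def identity_check(cert: dict, expected: str) -> tuple[bool, str]:
    """Check that a certificate (dict with 'cn' and 'san' entries) names `expected`.
    `expected` is whatever the verifier matches against: a DNS name when the peer is
    identified by name, or an IP address when the name was resolved first."""
    cn, sans = cert.get("cn"), cert.get("san", [])
    if is_ip(expected):
        ip = ipaddress.ip_address(expected)
        for kind, val in sans:
            if kind == "IP" and ipaddress.ip_address(val) == ip:
                return True, f"IP SAN {val} matches {expected}"
        if cn and is_ip(cn) and ipaddress.ip_address(cn) == ip:
            return True, f"CN {cn} matches {expected}"
        return False, f"certificate names CN={cn} SAN={sans}, but peer is identified by IP {expected}"
    dns_sans = [val for kind, val in sans if kind == "DNS"]
    for val in dns_sans:
        if dns_match(val, expected):
            return True, f"DNS SAN {val} matches {expected}"
    if not dns_sans and cn and dns_match(cn, expected):  # CN fallback only when no DNS SANs
        return True, f"CN {cn} matches {expected}"
    return False, f"no DNS name in certificate matches {expected}"

# Constructed certificates and addresses (not taken from a real deployment).
HOSTNAME_ONLY_CERT = {"cn": "panorama.saf.com", "san": [("DNS", "panorama.saf.com")]}
IP_CN_CERT = {"cn": "192.0.2.10", "san": [("IP", "192.0.2.10"), ("DNS", "panorama.saf.com")]}
RESOLVED_IP = "192.0.2.10"  # assumed resolution of panorama.saf.com

if __name__ == "__main__":
    for label, cert in (("hostname-only", HOSTNAME_ONLY_CERT), ("IP in CN/SAN", IP_CN_CERT)):
        for expected in ("panorama.saf.com", RESOLVED_IP):
            ok, why = identity_check(cert, expected)
            print(f"{label:13} vs {expected:17}: {'OK  ' if ok else 'FAIL'} ({why})")
```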
Resolution
- The issue is fixed under PAN-195526 in PAN-OS versions 10.1.9, 10.2.4, and 11.0.0.
- Upgrading to one of these versions or later resolves the issue.
- In the Panorama certificate, use the IP address as the CN attribute.
- Try disabling the 'Log Collector Communication' on the Firewall (GUI: Device > Setup > Management > Secure Communication Settings > uncheck "Log collector communication").
Additional Information
Configure Authentication With Custom Certificates Between Log Collectors