Error message "Failed to establish connection due to Server Identity check"

Created On 01/12/23 21:36 PM - Last Modified 07/20/23 20:47 PM


Symptom


  • System logs (show log system) report the following error:
1 05:17:36 SYSTEM tls 2561 05:17:36 panos-auth-failure general critical Client IP: 10.129.70.132 Server IP: 10.129.81.213 Server CN: panorama.saf.com Failed to establish connection due to Server Identity check: .

  • Connectivity between the firewall and Panorama (Log Collector) shows as established:

 
Firewall:
> show netstat all yes numeric-ports yes | match 3978
tcp        0      0 10.129.81.213:47952     panorama.saf.com:3978   ESTABLISHED
 
Panorama:
> show netstat all yes numeric-ports yes | match <Firewall_IP>
tcp6       0      0 10.129.70.132:3978      10.129.81.213:47952     ESTABLISHED

 


Environment


  • Panorama managed VM Firewall
  • PAN-OS: 10.1.5-h1


Cause


  • On the firewall, the Panorama server is configured by domain name instead of by IP address.
  • The log receiver uses the resolved IP address to verify the client certificate against the authorization list, and the connection fails.
  • Because the log receiver continuously retries the connection and fails each time, the system logs are flooded with failure-to-connect error messages.
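
For triage, the following added example (not Palo Alto Networks code) parses system log lines in the layout shown under Symptom, counts Server Identity check failures per client/server/CN, and flags entries whose Server CN is a hostname rather than an IP address. All function names are hypothetical, and every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the system log line shown under Symptom.
FAILURE_RE = re.compile(
    r"panos-auth-failure\b.*?"
    r"Client IP:\s*(?P<client>\S+)\s+"
    r"Server IP:\s*(?P<server>\S+)\s+"
    r"Server CN:\s*(?P<cn>\S+)\s+"
    r"Failed to establish connection due to Server Identity check"
)

def cn_is_ip(cn):
    """True when the certificate CN is an IP literal (the workaround state)."""
    try:
        ipaddress.ip_address(cn)
        return True
    except ValueError:
        return False

def summarize(lines):
    """Count identity-check failures per (client, server, CN), busiest first."""
    counts = Counter()
    for line in lines:
        m = FAILURE_RE.search(line)
        if m:
            counts[(m["client"], m["server"], m["cn"])] += 1
    return [
        {"client_ip": c, "server_ip": s, "server_cn": cn, "failures": n,
         # A hostname CN matches the condition described in this article.
         "cn_is_hostname": not cn_is_ip(cn)}
        for (c, s, cn), n in counts.most_common()
    ]

def _line(ts, client, server, cn):
    """Build one log line in the article's layout (used for sample data)."""
    return (f"1 {ts} SYSTEM tls 2561 {ts} panos-auth-failure general critical "
            f"Client IP: {client} Server IP: {server} Server CN: {cn} "
            "Failed to establish connection due to Server Identity check: .")

SAMPLE = [
    _line("05:17:36", "10.129.70.132", "10.129.81.213", "panorama.saf.com"),  # from the article
    _line("05:17:46", "10.129.70.132", "10.129.81.213", "panorama.saf.com"),  # constructed
    _line("05:17:56", "10.129.70.132", "10.129.81.213", "panorama.saf.com"),  # constructed
    _line("05:18:01", "192.0.2.10", "192.0.2.20", "192.0.2.10"),              # constructed
    "1 05:18:02 SYSTEM general 0 05:18:02 general general informational constructed unrelated event",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```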


Resolution


  1. The issue is fixed under PAN-195526 in PAN-OS versions 10.1.9, 10.2.4, and 11.0.0.
  2. Upgrading to one of these versions or later resolves the issue.
Workaround:
  1. In the Panorama certificate, use the IP address as the CN attribute.
  2. Try disabling the 'Log Collector Communication' on the Firewall (GUI: Device > Setup > Management > Secure Communication Settings > uncheck "Log collector communication").


Additional Information


Configure Authentication With Custom Certificates Between Log Collectors
