Prisma Access: EDL connection failures with error "Unable to fetch external dynamic list. SSL connect error. Using old copy for refresh."

Prisma Access: EDL connection failures with error "Unable to fetch external dynamic list. SSL connect error. Using old copy for refresh."

9488
Created On 01/16/23 00:24 AM - Last Modified 03/21/24 21:35 PM


Symptom


  • Prisma Access Firewalls unable to establish connectivity with EDL URL.
  • Traffic does not match the security policy with EDL.
  • System logs (GUI: Monitor > Logs > System) display the following error.
EDL(xxxx) Unable to fetch external dynamic list. SSL connect error. Using old copy for refresh.

Environment


  • Prisma Access - Panorama managed
  • Prisma Access - Cloud managed
  • EDL (External Dynamic List)

Cause


  • Prisma Access nodes use the loopback interface IP address (in trusted zone and the IP address is assigned automatically from the configured infrastructure subnet) to connect to the EDL URL to download the EDL.
  • This connection (from trusted zone to untrusted zone) is not allowed by default, so the connection fails.

Resolution


  1. Create a security policy to allow the Prisma Access nodes to connect to the EDL URL.
  2. Commit the configuration changes.
Example Policy
  • source zone - trust
  • destination zone - untrust
  • source address - the Infrastructure Subnet x.x.x.x/xx
  • destination address - the address object with EDL URL FQDN xxxxx.xxx
  • App-id - SSL

Additional Information


Verification:
  • Check the EDL connection status:
> request system external-list show type xxxx
  • Manually initiate EDL connection:
> request system external-list refresh type xxxx
  • Check the EDL refresh job status:
> show jobs all
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGHQCA2&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language