Knowledge Base - Palo Alto Networks

How to troubleshoot the connection failure between FW and Panorama

Created On 01/31/23 19:28 PM - Last Modified 09/27/23 06:44 AM


Objective


Troubleshoot Connection Failure Between Firewall And Panorama

Environment


  • Firewall
  • Panorama


Procedure


  1. On the Firewall UI, check the Panorama configuration: Device > Setup > Management > Panorama Settings
  2. If the Panorama Server is configured using an FQDN, make sure that the Firewall can resolve the FQDN by pinging the Panorama FQDN from the Firewall. If resolution fails, check the Firewall's connection to the DNS server and the DNS server entries.
  3. On the Firewall UI, check the Service Route to Panorama: Device > Setup > Services > Service Route Configuration > click Customize > Panorama
  4. Make sure that Panorama is running the same or a later PAN-OS version than the Firewall.
  5. Check the MTU size settings on the Firewall interface used as the service route to Panorama and on any device in the connection path between the Firewall and Panorama. Make sure that the packets exchanged between the Firewall and Panorama are not getting fragmented. Refer to Firewall unable to connect to Panorama due to fragmentation.
  6. Check that the clock and/or NTP server are properly set on both the Firewall and Panorama:
    show clock
    show ntp
    
  7. If a permitted IP addresses list is configured for the management interface (Device > Setup > Interfaces > Management on the firewall, Panorama > Setup > Interfaces > Management on Panorama), ensure that it includes Panorama's IP address on the firewall and the firewall's IP address on Panorama. Note that by default, when no permitted IP addresses list is configured, all IP addresses are allowed.
  8. Follow the same steps listed in How To Troubleshoot Connection Failures Between Firewall And Log Collector to identify whether a device in your network is blocking the connection between the firewall and Panorama. Note that service port 3978 is used for communication between Panorama and managed firewalls.
  9. If the connection to Panorama goes through a tunnel whose configuration was pushed by Panorama to this managed Firewall before the disconnection, and that tunnel is down, then you need to:
      1. Troubleshoot IPSec VPN connectivity issues between Panorama and Firewall.
      2. Troubleshoot IPSec VPN Tunnel Down between Panorama and Firewall.
      3. If changes to the tunnel configuration need to be made on the Firewall:
        1. Override that tunnel configuration with local Firewall configuration and commit on the Firewall.
        2. Once the tunnel is up and the connection to Panorama is restored, make the same configuration changes on Panorama, commit on Panorama and push them to the Firewall.
        3. Revert the Firewall's tunnel configuration to the Panorama-pushed config and commit on the Firewall.
  10. For PAN-OS 10.1 and above, if the SSL handshake is failing between the Firewall and Panorama, ensure that the authentication key generated on Panorama has been imported to the Firewall.
      1. show system state | match cfg.ms.ca
        Here cfg.ms.ca is the Common Name of the CA certificate that signed the Client Certificate, on either the Firewall or Panorama. The CA should match on the Firewall and Panorama, which confirms that the Firewall is connecting to the correct Panorama.
      2. Refer to Recover Connectivity to Panorama if the value of cfg.ms.ca does not match between the FW and Panorama.
  11. For further troubleshooting, check for error messages in ms.log (messages regarding registration) and configd.log (messages regarding connection) on both the Firewall and Panorama.
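The DNS, port-3978 reachability and cfg.ms.ca checks from the steps above can also be scripted from a management host. The following is an added example, not code from this article or from Palo Alto Networks; it assumes the port 3978 named in the steps, a `key: value` line layout for the `show system state | match cfg.ms.ca` output, and uses constructed sample outputs.

```python
"""Added example (not Palo Alto Networks code): scripted versions of the
DNS, TCP/TLS reachability and cfg.ms.ca checks, run from a management host."""
import socket
import ssl

PANORAMA_PORT = 3978  # Panorama <-> managed firewall port named in the procedure

# Constructed sample outputs of `show system state | match cfg.ms.ca`;
# the `key: value` line layout is an assumption of this example.
FW_STATE = "cfg.ms.ca: Panorama-Root-CA\n"
PANO_STATE = "cfg.ms.ca: Panorama-Root-CA\n"

def parse_ms_ca(state_output):
    """Return the cfg.ms.ca value (CA Common Name), or None if absent."""
    for line in state_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "cfg.ms.ca":
            return value.strip() or None
    return None

def ca_matches(fw_output, pano_output):
    """Both sides must report the same signing CA; a missing value never matches."""
    fw_ca = parse_ms_ca(fw_output)
    return fw_ca is not None and fw_ca == parse_ms_ca(pano_output)

def resolve_panorama(fqdn):
    """Addresses the Panorama FQDN resolves to; an empty list means DNS failed."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, PANORAMA_PORT)})
    except socket.gaierror:
        return []

def check_tcp_and_tls(host, timeout=5.0):
    """Triage: a TCP failure points at a filter or route in the path; TCP
    success followed by a TLS failure points at the certificate/authkey side."""
    result = {"tcp": False, "tls": False, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # handshake only; trust is judged via cfg.ms.ca
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, PANORAMA_PORT), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host):
                result["tls"] = True
    except OSError as exc:       # ssl.SSLError is a subclass of OSError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result
```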


Additional Information


  • Warning: Executing the following command on the Firewall, as mentioned in step 6.b,
      request sc3 reset
    will reset the client certificate on the Firewall. You will need to re-onboard the Firewall (using an authkey) as mentioned in the document.
    Do NOT use this command on Panorama (unless directed by a TAC Engineer), as this will affect the connections between Panorama and all its managed Firewalls.
  • Before PAN-OS 10.1.0, Panorama authenticates the Firewall based on its serial number.
    Starting from PAN-OS 10.1.0, Panorama requires the device serial number and an Auth Key to register for the first time.
  • See also the related document: Troubleshooting Panorama Connectivity.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGjUCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail