Error message "CDL Receiver Key Empty" seen when viewing telemetry stats


Created On 03/15/23 09:43 AM - Last Modified 03/13/24 02:21 AM


Symptom


  • The device is not seen in AIOps for NGFW Free in the Palo Alto application hub
  • Telemetry settings are enabled and the region is correctly selected (Device > Setup > Telemetry)
show device-telemetry settings
Device Telemetry Settings:
    device-health-performance: yes
    product-usage: yes
    threat-prevention: yes
    region: americas
    status: status: Device Certificate is valid
  • CDL Receiver Key Empty is seen in the show device-telemetry stats all output
> show device-telemetry stats all 
Device Telemetry Statistics:
    device-health-performance: 
        last-attempt: Mon Feb 20 13:59:11 CET 2023
        last-success: Mon Feb 20 12:59:05 CET 2023
        num-of-failed-attempts: 1
        reason: CDL Receiver Key Empty
        status: failed
.....
  • The Device Certificate is correctly fetched:
show device-certificate status 
Device Certificate information:
        Current device certificate status: Valid
        Not valid before: 2023/01/03 13:58:58 CET
        Not valid after: 2023/04/03 14:58:58 CEST
        Last fetched timestamp: 2023/01/03 14:08:58 CET
        Last fetched status: success
        Last fetched info: Successfully fetched Device Certificate
  • The server configured as the telemetry destination contains the string stg5
> show device-telemetry details 
Device telemetry details:
    Send interval       : 60 minutes
    Timestamp for send  : 01:59:51
    End point           : br-stg5.us.stg.cdl.pan.run

 


Environment


  • Palo Alto Firewall
  • PAN-OS 10.0 and above
  • AIOps


Cause


  • The device needs to be added to a tenant configuration first.
  • Secondly, the server configured as the destination is incorrect when it contains the string stg5.


Resolution


  1. Add the device to a tenant configuration:
    • In the tenant configuration (usually seen at the top right), go to Common Services and then Device Associations. Choose the serial number and activate it.
  2. If the wrong server is configured, contact Palo Alto support to set the correct value for End point, as seen in the output of the command below:
> show device-telemetry details 
Device telemetry details:
    Send interval       : 60 minutes
    Timestamp for send  : 01:59:51
    End point           : br-prd1.us.cdl.paloaltonetworks.com
  3. Initiate telemetry data collection by executing the command:
> request device-telemetry collect-now
Depending on the Send Interval (5 mins or 60 mins), a firewall may appear in AIOps with a significant delay. Allow up to a few hours to confirm the resolution.
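
When several firewalls need checking, the symptoms above can be matched against captured CLI output. The following is an added example, not Palo Alto Networks code; the function names and finding labels are assumptions, and the sample text is constructed from the outputs shown in this article.

```python
import re

# Constructed sample: output pasted from the three commands shown in this article.
SAMPLE = """\
> show device-telemetry stats all
Device Telemetry Statistics:
    device-health-performance:
        last-attempt: Mon Feb 20 13:59:11 CET 2023
        last-success: Mon Feb 20 12:59:05 CET 2023
        num-of-failed-attempts: 1
        reason: CDL Receiver Key Empty
        status: failed
> show device-certificate status
Device Certificate information:
        Current device certificate status: Valid
> show device-telemetry details
Device telemetry details:
    Send interval       : 60 minutes
    End point           : br-stg5.us.stg.cdl.pan.run
"""

def parse_fields(text):
    """Collect indented 'key: value' lines; a key may repeat (one per telemetry category)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s+([A-Za-z][\w\- ]*?)\s*:\s+(\S.*)$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return fields

def diagnose(text):
    """Return the findings from this article that match the captured output."""
    f = parse_fields(text)
    findings = []
    if "CDL Receiver Key Empty" in f.get("reason", []):
        findings.append("receiver-key-empty: add the device to a tenant (Device Associations)")
    for ep in f.get("end point", []):
        if "stg5" in ep:
            findings.append(f"wrong-endpoint: {ep} contains stg5; contact support")
    cert = f.get("current device certificate status", [])
    if cert and cert[0].lower() != "valid":
        findings.append("device-certificate: not valid, outside the case described here")
    return findings
```

Calling `diagnose()` on the pasted output of a firewall returns an empty list when none of the symptoms described here are present.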

