Unable to access the Firewall GUI; error "websrvr: Exited 4 times, waiting xxxx seconds to retry" seen in the System Logs.
Created On 10/11/21 03:19 AM - Last Modified 11/11/21 22:00 PM
Symptom
- Unable to access GUI of the Firewall.
- Websrvr restarts continuously.
- CLI Access is working fine.
- System Logs show "websrvr: Exited 4 times, waiting xxxx seconds".
- ms.log indicates the reason for the restart:
2021-09-24 14:22:42.571 +1000 Web certificate XXXXXX has expired, need to restart webserver
- Masterd.log shows that websrvr is restarting continuously:
2021-09-24 14:22:42.952 +1000 INFO: websrvr: received user restart
2021-09-24 14:22:42.953 +1000 INFO: websrvr: User restart reason - triggered by web certificate expiry
2021-09-24 14:22:42.954 +1000 INFO: websrvr: received user stop
2021-09-24 14:22:43.111 +1000 INFO: websrvr: exited, Core: False, Exit code: 0
2021-09-24 14:22:43.289 +1000 INFO: websrvr: process running with pid 1914
2021-09-24 14:22:47.111 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:47.283 +1000 INFO: websrvr: process running with pid 1920
2021-09-24 14:22:51.110 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:51.292 +1000 INFO: websrvr: process running with pid 1928
2021-09-24 14:22:55.121 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:55.304 +1000 INFO: websrvr: process running with pid 1932
2021-09-24 14:22:59.112 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:59.366 +1000 ERROR: websrvr: Exited 4 times, waiting 120 seconds to retry
Environment
- Palo Alto Firewalls
- Panorama
- Custom Certificate being used for management access to the GUI.
- Certificate for management access is expired.
Cause
- As part of system hardening, PAN-OS does not allow websrvr to run with an expired certificate.
- This is expected behaviour when the custom certificate in use expires.
- The websrvr will keep restarting until the expired certificate is removed or replaced.
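When triaging logs exported from the device, the signature above can be checked automatically and told apart from a websrvr crash loop with a different cause. The following Python sketch is an added example, not Palo Alto Networks code; the function name `diagnose` and the result keys are hypothetical, and it assumes the log lines follow the format of the excerpts in the Symptom section.

```python
import re

# Sample input: lines copied from the ms.log and Masterd.log excerpts in this article.
MS_LOG = "2021-09-24 14:22:42.571 +1000 Web certificate XXXXXX has expired, need to restart webserver"
MASTERD_LOG = """\
2021-09-24 14:22:42.953 +1000 INFO: websrvr: User restart reason - triggered by web certificate expiry
2021-09-24 14:22:43.111 +1000 INFO: websrvr: exited, Core: False, Exit code: 0
2021-09-24 14:22:47.111 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:51.110 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:55.121 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:59.112 +1000 INFO: websrvr: exited, Core: False, Exit code: 1
2021-09-24 14:22:59.366 +1000 ERROR: websrvr: Exited 4 times, waiting 120 seconds to retry
"""

CERT_RE = re.compile(r"Web certificate (.+?) has expired")
TRIGGER_RE = re.compile(r"websrvr: User restart reason - triggered by web certificate expiry")
EXIT_RE = re.compile(r"websrvr: exited, Core: (True|False), Exit code: (\d+)")
BACKOFF_RE = re.compile(r"websrvr: Exited (\d+) times, waiting (\d+) seconds to retry")


def diagnose(ms_log, masterd_log):
    """Summarise websrvr restarts (hypothetical helper).

    'expired_cert_loop' is True only when a certificate-expiry trigger is
    present (in either log) together with the masterd back-off message.
    """
    cert = CERT_RE.search(ms_log)
    exits = [(core == "True", int(code)) for core, code in EXIT_RE.findall(masterd_log)]
    backoff = BACKOFF_RE.search(masterd_log)
    triggered = cert is not None or TRIGGER_RE.search(masterd_log) is not None
    return {
        "certificate": cert.group(1) if cert else None,
        # Non-zero exit codes are the failed start attempts after the restart.
        "failed_exits": sum(1 for _, code in exits if code != 0),
        # Core dumps point to a crash, not to the certificate check.
        "core_dumps": sum(1 for core, _ in exits if core),
        "backoff_seconds": int(backoff.group(2)) if backoff else None,
        "expired_cert_loop": triggered and backoff is not None,
    }


if __name__ == "__main__":
    print(diagnose(MS_LOG, MASTERD_LOG))
```

A result with `core_dumps` above zero or with no expiry trigger indicates a different fault than the one this article covers.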
Resolution
- Remove or replace the expired certificate being used for management access to the GUI with a valid certificate.
- The following KB has a couple of options on how to do that :-