Firewall 无法连接到Panorama升级后

Firewall 无法连接到Panorama升级后

14515
Created On 11/02/21 06:06 AM - Last Modified 07/31/23 16:48 PM


Symptom


  • Panorama和托管防火墙升级到 10.1.2
  • 防火墙显示断开连接 Panorama
  • 配置.log onPanorama (显示 mp 日志 configd.log ) 显示“注册设备失败”消息
Warning:  isSC3conn(sc3_register.c:47): SC3: Given SNI does not match for peer (/78d92c71-79d0-4381-9370-2f0d35338d3e)
Warning:  sc3_register(sc3_register.c:211): SC3: connstat for '012001xxxxxx': 1
Error:  sc3_register(sc3_register.c:220): SC3: Re-register of '012001xxxxxx' is not allowed.
reg: device '012001062884' using  :: 84e7f61d-191b-4e3e-a4c6-9e5649367d84
Warning:  _register_ext_validation(pan_cfg_mgt_handler.c:4439): reg: device '012001xxxxxx' not registered before but using a signed cert ( :: 84e7f61d-191b-4e3e-a4c6-9e5649367d84)
Error:  pan_cfg_handle_mgt_reg(pan_cfg_mgt_handler.c:4754): SC3: Failed to register device: '012001xxxxxx'


 

Environment


  • Panorama 管理帕洛阿尔托防火墙
  • 升级到Panorama/防火墙到PAN-OS10.1.2

Cause


  • 在PAN10.1 及更高版本,FW在初始TLS将供应认证密钥与设备证书一起注册CSR,这是在 10.1 安装时生成的
  • 此身份验证密钥由Panorama并且需要输入Firewall在Panorama配置
  • 一旦身份验证密钥被验证Panorama它将签署设备CSR使用根CA证书并推送设备证书和根CA证明给FW使用第一个TLS联系。
  • 从那里新的寄存器从FW将开始使用被推送的设备证书来实现TLS验证

Resolution


在托管上发出以下命令firewall那是断开的。
>request sc3 reset                       >>> Refer to the important note below
>debug software restart process management-server
>request authkey set <>                  >>> auth key from Panorama
>configure
#commit force
#exit

注意:不要运行“请求 sc3 重置"命令Panorama. 这样做将重置所有连接的防火墙。 此命令将在托管上运行firewall.

Additional Information


恢复托管设备连接至 Panorama
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMiyCAE&lang=zh_CN&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language