Unknown Device-to-ip mapping for all IOT devices because of cookies issue
Created On 03/31/22 08:21 AM - Last Modified 03/31/22 12:49 PM
Symptom
- "show iot ip-device-mapping all" command shows "unknown" for all device related info for all IP addresses:
    admin@DC-FW> show iot ip-device-mapping all
    IP              Vsys  Category               Profile                Osfamily               OS                     Model                  Vendor
    --------------- ----- ---------------------- ---------------------- ---------------------- ---------------------- ---------------------- ----------------------
    172.*.*.5       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.1       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.4       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.6       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.2       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.2       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.3       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.3       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.1       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.3       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown                Unknown
    172.*.*.6       vsys1 Unknown                Unknown                Unknown                Unknown                Unknown
- "show iot icd statistics all" command shows ignored queries and all cached entries are zero
    admin@DC-FW> show iot icd statistics all
    ICD Cloud server: eu.iot.services-edge.paloaltonetworks.com:443
    Cloud connection: connected
    Summary of ICD gRPC client:
      number of connection reset: 3
      number of connection failed: 0
      number of connection established: 43
      number of connection attempts: 43
      number of connection released: 42
      number of connection selected: 73293
      number of selections failed: 2
      number of bytes sent: 11866765
      number of bytes received: 13139032
    Last gRPC connection Attempt: 2022-03-11 13:57:18 +0300 +03
    Last successful gRPC connection: 2022-03-11 13:57:18 +0300 +03
    Summary of gRPC connections [configured source IP: ]:
    Device cert status: Installed
    Validity:
      Notbefore: 2022-03-03 10:15:21 +0000 UTC
      Notafter: 2022-06-01 10:15:21 +0000 UTC
    EnforcerURL: enforcer.iot.services-edge.paloaltonetworks.com:443
    max gRPC connections: 1, max alive time: 900 seconds, max bytes sent: unlimited
    [0]gRPC conn[172.30.44.250:38612 -> 34.91.42.5:443], state true, selected 264, backup false, device cert, close @2022-03-11 14:12:18 +0300 +03
      send: wire 42900, app 42240, num 132; receive: wire 47520, app 47520, num 396
    Unknown IP Query LRU statistics:
      number of entries : 0
      number of expired entries : 0
      number of queries to cloud : 0
      number of queries ignored : 11074799
      number of queries answered : 0
    Verdict LRU statistics:
      number of verdicts : 0
      number of verdicts ignored : 0
      number of verdicts pushed out : 0
    GETALL duration : nil
Environment
Any PA-FW with IOT enabled.
Cause
As shown above, there are zero verdicts and zero cached entries, but a high number of ignored queries. This means that the firewall is connected to the cloud but the cloud has never responded. One possible cause is that the wrong cloud region was selected during the onboarding process and was later changed to the desired one, so the existing cookies still point to the old cloud region.
More info about the cloud regions can be found in the admin guide.
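A triage check for the pattern described above, as an added example that is not part of the original article or of Palo Alto Networks tooling: it parses saved "show iot icd statistics all" output and flags the connected-but-never-answered state. The function names and the one-counter-per-line layout of the saved output are assumptions; the sample is constructed from the values in the Symptom section.

```python
import re

# Constructed sample: trimmed output of "show iot icd statistics all",
# using the counter values shown in the Symptom section of this article.
SAMPLE = """\
Cloud connection: connected
Unknown IP Query LRU statistics:
  number of entries : 0
  number of expired entries : 0
  number of queries to cloud : 0
  number of queries ignored : 11074799
  number of queries answered : 0
Verdict LRU statistics:
  number of verdicts : 0
  number of verdicts ignored : 0
  number of verdicts pushed out : 0
"""

def parse_icd_stats(text):
    """Return {section: {key: value}}; lines before any header use section ''."""
    stats, section = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header, e.g. "Verdict LRU statistics:"
            section = line[:-1]
            continue
        m = re.match(r"(.+?)\s*:\s*(.*)$", line)  # split on the first colon
        if m:
            key, val = m.group(1), m.group(2)
            stats.setdefault(section, {})[key] = int(val) if val.isdigit() else val
    return stats

def stale_cookie_suspected(text):
    """True when connected, queries are ignored, and nothing is cached or answered."""
    s = parse_icd_stats(text)
    q = s.get("Unknown IP Query LRU statistics", {})
    v = s.get("Verdict LRU statistics", {})
    return (
        s.get("", {}).get("Cloud connection") == "connected"
        and q.get("number of queries ignored", 0) > 0
        and q.get("number of queries answered", 0) == 0
        and q.get("number of entries", 0) == 0
        and v.get("number of verdicts", 0) == 0
    )

if __name__ == "__main__":
    print("stale cookie / wrong region suspected:", stale_cookie_suspected(SAMPLE))
```

A True result only matches the symptom pattern in this article; it does not rule out the other possible causes.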
Resolution
Reset the cookies on the firewall where the problem is seen:
    > debug iot clear-all type cookie
    > debug iot icd reset cookie
Additional Information
Please note that the resolution given in this article addresses only one of the possible causes of these symptoms. If it does not help, search our knowledge base and then contact the support team.