Dynamic Update download fails due to "updater error code:-60".
Created On 06/08/22 04:49 AM - Last Modified 10/31/23 07:53 AM
Symptom
- When you try to download a file in Dynamic Update, the following error is displayed.
- In ms.log, the following log is recorded at that time.
2022-06-04 13:41:37.285 +0900 updater error code:-60
2022-06-04 13:41:37.286 +0900 Error: pan_jobmgr_downloader_thread(pan_job_mgr.c:1785): DOWNLOAD job failed
- "Check Now" succeeds without any errors. Only "Download" fails.
Environment
- Any PAN-OS.
- Firewall and Panorama platforms.
Cause
- "updater error code:-60" indicates a certificate validation issue.
- A firewall accesses the following URLs to receive content updates. For more information, see Content Delivery Network Infrastructure.
proditpdownloads.paloaltonetworks.com
downloads.paloaltonetworks.com
updates.paloaltonetworks.com
- The error can occur when another network device re-signs the certificate of the SSL connection to the above URLs with a root CA that the firewall does not trust.
- To check the certificate, collect a pcap file with the tcpdump command if the management interface is used for Dynamic Updates.
> tcpdump filter "port 443"
- If the dataplane interface is used for Dynamic Updates, collect a pcap from Monitor > Packet Capture.
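As a complement to the packet capture, the sketch below (an added example, not code from this article or from Palo Alto Networks) handshakes with the update hosts listed above and reports who issued the certificate that arrives. It assumes it runs on a host whose traffic crosses the same network device, it validates against that host's system trust store rather than the firewall's, and `local_ca_markers` is a hypothetical operator-supplied list of the issuer names your own TLS-inspection devices use.

```python
import socket
import ssl

# Update hosts listed in this article.
UPDATE_HOSTS = (
    "proditpdownloads.paloaltonetworks.com",
    "downloads.paloaltonetworks.com",
    "updates.paloaltonetworks.com",
)


def issuer_name(cert):
    """Flatten the 'issuer' field of an ssl getpeercert() dict to 'key=value, ...'."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)


def classify(cert, verify_error, local_ca_markers):
    """Return (verdict, detail) for one handshake result.

    cert             -- getpeercert() dict when validation passed, else None
    verify_error     -- validation failure text when it did not, else None
    local_ca_markers -- operator-supplied substrings of the issuer names used
                        by the site's own TLS-inspection devices (assumption)
    """
    if verify_error is not None:
        # Chain does not validate here either: same failure class as the firewall.
        return ("untrusted", verify_error)
    issuer = issuer_name(cert)
    if any(m.lower() in issuer.lower() for m in local_ca_markers):
        # This host trusts the inspection CA; the firewall may not.
        return ("reissued", issuer)
    return ("no-marker-match", issuer)


def probe(host, local_ca_markers, timeout=5.0):
    """Handshake with host:443 using the system trust store and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), None, local_ca_markers)
    except ssl.SSLCertVerificationError as exc:
        return classify(None, exc.verify_message, local_ca_markers)


if __name__ == "__main__":
    for name in UPDATE_HOSTS:
        # "Example Inspection CA" is a constructed marker; use your device's CA name.
        print(name, probe(name, ("Example Inspection CA",)))
```

A "reissued" verdict is the case to watch for: the workstation accepts the connection because it trusts the inspection CA, while the firewall, which does not, fails the download.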
Resolution
If the network device's certificate is one that you can trust, one of the following options can be used as a workaround.
※To check whether it's trusted by a firewall, please see this article.
- Import the certificate into a firewall, and set it as Trusted Root CA.
1-1. Device tab > Certificate Management > Certificates > Import that certificate. Then click OK.
1-2. Click the name of the certificate imported in 1-1, and select the Trusted Root CA checkbox.
1-3. Commit.
- Uncheck Verify Update Server Identity.
2-1. Go to Device tab > Setup > Services > uncheck Verify Update Server Identity checkbox.
2-2. Commit.
- On the network device that presents the untrusted certificate, change the configuration so that it does not forge the SSL certificate for SSL connections (Dynamic Update traffic) coming from the Palo Alto Networks firewall.