Panorama shows commit timed out for the connected firewall

Panorama shows commit timed out for the connected firewall

5319
Created On 11/24/22 23:29 PM - Last Modified 08/27/24 02:50 AM


Symptom


  • Panorama is configured for log forwarding and management of connected Firewalls.
  • During commit push to the firewalls, the commit times out.
image.png

Environment


  • Panorama with managed Firewalls
  • The same Panorama configured for log forwarding
  • Supported PAN-OS

Cause


  • No preference list has been configured on Firewalls.
  • When preference list is not configured, Panorama does management & logging both over TCP 3978 with one single channel.
  • This can can cause firewall disconnection issues or Recv-Q (value of 0) or Send-Q (value of 729280) to be choked as below.
PA-lab(active)> show netstat all yes numeric yes programs yes | match 3978
tcp 0 729280 192.168.6.1:49381 10.10.9.2:3978 ESTABLISHED 3972/mgmtsrvr

Resolution


  1. Configure Log Collector Preference List.
  2. When Preference list is configured, it opens a separate socket, which allows logging and management work to be done in the separate socket.
  3. This will makes the " Management channel " more stable
  • GUI: Panorama > Collector Groups > Collector-Group-Name > Device Log Forwarding
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sZy9CAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language