Device Telemetry fails with the error - "Failed to send: file" seen in the System Logs.
19892
Created On 01/27/23 09:30 AM - Last Modified 12/18/25 23:33 PM
Symptom
- Device Telemetry enabled on the Firewall.
- System logs (show log system) indicating failure to send the telemetry data.
critical device- send-fa 0 Failed to send: file 'PA_XXXX_dt_10.1.8_20230120_0230_1-hr-interval_HOUR.tgz'.
critical device- send-fa 0 Failed to send: file 'PA_XXXX_dt_10.1.8_20230120_0230_1-hr-interval_HOUR.tgz'.
critical device- send-fa 0 Failed to send: file 'PA_XXXX_dt_10.1.8_20230120_0230_1-hr-interval_HOUR.tgz'.
critical device- send-fa 0 Failed to send: file 'PA_XXXX_dt_10.1.8_20230119_2030_1-hr-interval_HOUR.tgz'.
- device_telemetry_send.log (less mp-log device_telemetry_send.log) file indicates the following errors.
dt_send INFO TX FILE: curl cmd status: 11, 11; err msg: 'Send File to CDL Receiver Failed'
dt_send ERROR TX FILE: Failed to send file
- device_telemetry_curl.log ( less mp-log device_telemetry_curl.log) display logs related to a self signed certificate - "SSL certificate problem: self signed certificate in certificate chain"
'* Connected to storage.googleapis.com (xx.yy.zz.qq) port 443 (#0)\n'
Server hello (2):\n', '} [2 bytes data]\n', '* SSL certificate problem: self signed certificate in certificate chain\n', '\r', ' 0 0 0 0 0 0 0 0 --:--:-- --:
--:-- --:--:-- 0\n', '* Closing connection 0\n', 'curl: (60) SSL certificate problem: self signed certificate in certificate chain\n', 'More details here: https://curl.haxx.se/docs/sslcerts.html\n', '\n', 'curl failed to verify the legitimacy of the server and there
fore could not\n', 'establish a secure connection to it.
Environment
- Palo Alto networks Firewall
- PAN-OS 10.1 or higher
- Device Telemetry Enabled
Cause
This issue is caused by an intermediate device decrypting the connection between the Firewall and storage.googleapis.com:443
Resolution
Exempt the traffic from Firewall's management interface to storage.googleapis.com:443 from SSL decryption
Additional Information
- Refer to the following links on what type of traffic needs to be allowed from the Firewall to send the Device Telemetry data to CDL.
- Note: Exclude the domains in the following document from the decryption policy to allow telemetry traffic to pass: Exclude-Domain