Panorama Syslog Forwarding failing due to OCSP and CRL validation
Created On 09/13/22 21:55 PM - Last Modified 06/10/25 07:40 AM
Symptom
Syslog Forwarding over TCP is broken due to SSL handshake failure.
Environment
- Panorama.
- PAN-OS 10.1.7 or higher
- Palo Alto Networks Firewall.
- Syslog Server configured with SSL.
Cause
- Online Certificate Status Protocol (OCSP) is used by certificate authorities to check the revocation status of an X.509 digital certificate.
- On Palo Alto Networks firewalls or Panorama, a Syslog Forwarding profile can be configured with SSL as the transport method; for SSL, port 6514 is used by default.
- If the certificate doesn't include an OCSP URI, the firewall can be configured to skip these certificate validation checks and establish the TLS connection with the syslog server.
Resolution
Run the following CLI command to skip the OCSP/CRL/EKU validation:
> set syslogng ssl-conn-validation explicit OCSP skip CRL skip EKU skip
Note: The command works on PAN-OS 10.1.7 and above. Although the CLI command is visible in 10.1.5 and 10.1.6, it only takes effect in 10.1.7 or higher.
Additional Information
The syslog-ng.log log file includes the following errors:
syslog-ng[50723]: syslog-ng no OCSP URI in cert;
syslog-ng[50723]: syslog-ng ocsp over-riding errors due to global-flag;
syslog-ng[50723]: syslog-ng no CRL distribution points;
syslog-ng[50723]: issuer extended key-usage does not have OCSP signing; ihash='/opt/pancfg/mgmt/syslogng/ca.d/d6325660.0'
syslog-ng[50723]: Error connecting BIO;
syslog-ng[50723]: Error querying OCSP responsder;
syslog-ng[50723]: ocsp request failed; idx='0'
syslog-ng[50723]: syslog-ng ocsp over-riding errors due to global-flag;
syslog-ng[50723]: syslog-ng - converted CRL from DER to PEM;
syslog-ng[50723]: syslog-ng certificate is revoked; idx='0'
syslog-ng[50723]: syslog-ng CRL suppressing errors due to global settings;
syslog-ng[50723]: unable to load issuer cert; ihash='/opt/pancfg/mgmt/syslogng/ca.d/c43a77d9.0'
syslog-ng[50978]: syslog-ng starting up; version='3.29.1'
syslog-ng[50978]: SSL error while writing stream; tls_error='SSL routines:SSL3_WRITE_BYTES:ssl handshake failure', location='/opt/pancfg/mgmt/syslogng/pan_sysng.cfg:59:3'
syslog-ng is no longer used in PAN-OS 11.1 and higher; the error messages can now be seen in logrcvr.log on the firewall and in logd.log on Panorama.
2025-06-10 14:23:08.129 +1000 CRL URL http://crl3.digicert.com/DigiCertGlobalRootG2.crl cert /tmp/srvr.crt.218812 certcnt 2
2025-06-10 14:23:08.129 +1000 CRL status [Errno 104] Connection reset by peer
rv 0 end
2025-06-10 14:23:08.129 +1000 Error: _pan_syslog(pan_syslog.c:1616): error in SSL_connect
The command to skip the OCSP/CRL/EKU validation has also changed:
> set syslog ssl-conn-validation explicit OCSP skip CRL skip EKU skip
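As an added example (not part of this article or of PAN-OS), the small Python triage script below classifies syslog-ng.log / logd.log lines like the ones above and recommends the skip command only when every revocation error comes from missing revocation data (no OCSP URI, no CRL distribution points, no OCSP-signing EKU), not from a revoked certificate or an unreachable responder. The sample lines are constructed from the excerpts in this article, and the finding names and classes are assumptions of the example.

```python
import re
from collections import Counter
# Constructed sample, modelled on the syslog-ng.log / logd.log excerpts in this article.
SAMPLE_LOG = """\
syslog-ng[50723]: syslog-ng no OCSP URI in cert;
syslog-ng[50723]: syslog-ng no CRL distribution points;
syslog-ng[50723]: issuer extended key-usage does not have OCSP signing; ihash='/opt/pancfg/mgmt/syslogng/ca.d/d6325660.0'
syslog-ng[50723]: Error querying OCSP responsder;
syslog-ng[50723]: syslog-ng certificate is revoked; idx='0'
syslog-ng[50978]: SSL error while writing stream; tls_error='SSL routines:SSL3_WRITE_BYTES:ssl handshake failure'
2025-06-10 14:23:08.129 +1000 CRL status [Errno 104] Connection reset by peer
2025-06-10 14:23:08.129 +1000 Error: _pan_syslog(pan_syslog.c:1616): error in SSL_connect
"""

# (regex, finding, class). missing_info: the chain lacks the revocation data the check needs (what
# the skip command bypasses); negative_result: the check ran and failed for a reason skipping would hide.
RULES = [
    (re.compile(r"no OCSP URI in cert"), "ocsp_uri_missing", "missing_info"),
    (re.compile(r"no CRL distribution points"), "crl_dp_missing", "missing_info"),
    (re.compile(r"key-usage does not have OCSP signing"), "eku_ocsp_signing_missing", "missing_info"),
    (re.compile(r"Error querying OCSP respon"), "ocsp_responder_unreachable", "negative_result"),
    (re.compile(r"CRL status \[Errno"), "crl_fetch_failed", "negative_result"),
    (re.compile(r"certificate is revoked"), "certificate_revoked", "negative_result"),
    (re.compile(r"ssl handshake failure|error in SSL_connect"), "tls_handshake_failed", "symptom"),
]
CLASS_OF = {finding: cls for _, finding, cls in RULES}

def classify_line(line):
    """Return the finding name for one log line, or None if no rule matches."""
    for pattern, finding, _ in RULES:
        if pattern.search(line):
            return finding
    return None

def triage(log_text):
    return Counter(f for f in map(classify_line, log_text.splitlines()) if f)

def recommend(findings):
    """Recommend the skip command only when every revocation error is due to missing data."""
    classes = {CLASS_OF[f] for f in findings} - {"symptom"}
    if not classes:
        return "no_revocation_errors"
    if classes == {"missing_info"}:
        return "skip_acceptable"
    return "investigate_before_skipping"

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(dict(found), "->", recommend(found))
```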