运行 PAN OS 11.1 的日志收集器无法加入集群，错误为“master_not_discovered

运行 PAN OS 11.1 的日志收集器无法加入集群，错误为“master_not_discovered_exception”

11266

Created On 05/29/24 21:51 PM - Last Modified 01/07/25 10:53 AM

Symptom

日志收集器已启动并连接到 Panorama，但Panorama > 托管收集器 > 健康状态下的 ES状态显示红色圆圈且“未运行”。

When running 显示日志收集器 es 集群运行状况 command, it takes a while to return an output or eventually returning error as follow,

{
   "error" : {
       "root_cause" : [
           {
              "type" : "master_not_discovered_exception",
              "reason" : null
           }
       ],
       "type" : "master_not_discovered_exception",
       "reason" : null
   },
   "status" : 503
}

When checking es_restart.log (更少 mp-log es_restart.log), master_not_discovered_exception error is seen, for example,

ERROR Unable to load template /opt/pancfg/mgmt/saved-configs/elasticsearch/templates/system_<serial_number>. {"error":{"root_cause":[{"type":"master_not_discovered_exception","reason":null}],"type":"master_not_discovered_exception","reason":null},"status":503}

Netstat output (显示 netstat 数字是程序是 | 匹配 9300 command output) on log collector shows SYN_SENT towards other log collector(s) in the same cluster.

> show netstat numeric yes programs yes | match 9300
tcp6       0      1 <local_LC_IP>:44095     <remote_LC_IP>:9300      SYN_SENT    43158/java          
tcp6       0      1 <local_LC_IP>:46397     <remote_LC_IP>:9300      SYN_SENT    41947/java          
tcp6       0      1 <local_LC_IP>:42961     <remote_LC_IP>:9300      SYN_SENT    42785/java

Environment

混合模式或记录器模式下的全景图
2 个节点收集器组或更多
PAN OS 11.1 或更高版本

Cause

用于 LC 间通信的TCP端口 9300 - 9302 被日志收集器之间的中间设备阻止。

Resolution

允许TCP端口 9300 - 9302 在所有中间设备上进行 LC（日志收集器）间通信
自 PAN OS 11.1 起，LC 间通信不再使用通过TCP端口 28 的SSH隧道。

Additional Information