"Error: Unable to read SDB for CA/CC" during upgrade of Log-Collector from PAN-OS 10.1 to 11.1

Created On 06/04/25 01:21 AM - Last Modified 08/26/25 02:47 AM


Symptom


  • A Log Collector is upgraded from PAN-OS 10.1.x to 11.1.x or later using Panorama.
  • The following error message is displayed during the upgrade:
Error: Unable to read SDB for CA/CC.
To upgrade to this version, this device should be connected to the Panorama using SC3.
Please re-onboard this device to the Panorama with a "Device Registation Auth Key."


Environment


  • Panorama
  • PAN-OS 10.1 and above
  • Panorama and Log-Collector using Custom certs.


Cause


  • The Log Collector was never onboarded to Panorama using the secure authentication method introduced in PAN-OS 10.1, and it is connecting with custom certificates instead.
  • Panorama and the Log Collector should be connected using secure authentication rather than custom certificates. In the output below, Custom certificate Used: True shows the connection method currently in use:
admin@Lab-Logger> show panorama-status
Panorama Server 1 : 10.1.1.1
    Connected     : yes
    HA state      : Unknown
    Certificate subject Name : logger-panorama
    Certificate expiry at: 2042/02/02 00:26:04
    Connected at  : 2025/05/14 13:07:07
    Custom certificate Used: True


Resolution


In this scenario, change the connection method from custom certs to SC3, upgrade the Log Collector to the desired PAN-OS version, and then re-enable the custom cert option.

  1. In the Panorama GUI, go to Managed Collectors > Log-Collector-Name > Serial-Number-of-the-Collector > last tab (Communication).
  2. Uncheck the option 'customize secure server communication' and, on the right side under 'Secure Client Communication', change the certificate type to Predefined. Click OK.
  3. Perform a local commit to Panorama.
  4. Perform a push to the Collector Group.
  5. Once the push to the Collector Group is successful, onboard the Log Collector to Panorama. Use the steps documented at How to reset secure communication between firewall and Panorama.
  6. Check the status on the Log Collector with:
                > show panorama-status
  7. It should show as connected, and Custom certificate Used should say: False.
  8. Proceed to install the PAN-OS version on the Log Collector (LC).
  9. Once the PAN-OS upgrade is complete, re-enable the custom certs that were unchecked in the first step, followed by a commit and a Collector Group push.
  10. This sets the connection method back to custom certs, if the customer wishes to use custom certs as the connection method.
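
The check in steps 6 and 7 can be run mechanically before the upgrade is started. The following Python script is an added example, not part of the original article and not a Palo Alto Networks tool; it parses show panorama-status output in the format shown under Cause and lists anything that would block the upgrade. The function names, the handling of more than one Panorama server block, and the "after" sample are assumptions.

```python
import re

# BEFORE is the output shown in the article. AFTER is constructed for
# illustration: the same text with the custom-certificate flag flipped.
BEFORE = """\
Panorama Server 1 : 10.1.1.1
    Connected     : yes
    HA state      : Unknown
    Certificate subject Name : logger-panorama
    Certificate expiry at: 2042/02/02 00:26:04
    Connected at  : 2025/05/14 13:07:07
    Custom certificate Used: True
"""
AFTER = BEFORE.replace("Used: True", "Used: False")

SERVER_RE = re.compile(r"^Panorama Server (\d+)\s*:\s*(\S+)\s*$")

def parse_panorama_status(text):
    """Return one dict per 'Panorama Server N' block, keys lower-cased."""
    servers = []
    for line in text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            servers.append({"index": int(m.group(1)), "address": m.group(2)})
        elif ":" in line and servers:
            # Split on the first colon only: timestamps contain colons too.
            key, value = line.split(":", 1)
            servers[-1][" ".join(key.lower().split())] = value.strip()
    return servers

def upgrade_blockers(text):
    """List reasons the collector is not ready for the PAN-OS upgrade."""
    servers = parse_panorama_status(text)
    if not servers:
        return ["no Panorama server block found in output"]
    problems = []
    for s in servers:
        tag = f"server {s['index']} ({s['address']})"
        if s.get("connected", "").lower() != "yes":
            problems.append(f"{tag}: not connected")
        # A missing field is treated as a blocker, never assumed False.
        if s.get("custom certificate used", "").lower() != "false":
            problems.append(f"{tag}: custom certificate still in use")
    return problems

if __name__ == "__main__":
    for label, out in (("before", BEFORE), ("after", AFTER)):
        print(label, upgrade_blockers(out) or "ready to upgrade")
```

An empty list from upgrade_blockers corresponds to the state step 7 expects before moving on to step 8.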

