Software updates not working from the passive firewall when using an explicit web proxy setup
Created On 07/06/25 08:26 AM - Last Modified 10/24/25 22:00 PM
Symptom
- Active/Passive HA setup
- The firewall's dataplane interface IP is configured as the explicit web proxy under Network -> Proxy
- The passive firewall is configured to send its management traffic to the proxy IP, over the management VLAN, to reach the dataplane IP and use the web proxy
- Fetching software or dynamic updates fails with the error "Failed to check content upgrade info due to SSL connect error. Please check network connectivity and try again."
- On the passive firewall, a tcpdump on the proxy port shows no packets leaving the management interface
Environment
- PAN-OS 11.0.x, 11.1.x, 11.2.x
- PA-1400, PA-3400 Series and PA-VM
Cause
By default, the update daemon on the passive firewall connects internally to the proxy daemon running on the passive firewall's own management plane, so no packet is ever sent out of the management interface and the request never reaches the web proxy on the active device.
Resolution
On the passive firewall, explicitly configure the management IP in the service route: navigate to Device -> Setup -> Services -> Service Route Configuration -> Customize -> Palo Alto Networks Services and select Use MGT interface. This forces the update traffic to egress the management interface and travel over the management VLAN to the dataplane interface of the currently active device, where the web proxy is used.
Additional Information
- If the service route is instead configured with the DP interface as the source, the traffic on the:
  - Active device: does not use the web proxy, because the packets are forwarded internally to the DP
  - Passive device: is blackholed, because the passive DP interface has no reachability