The master_not_discovered_exception error on a Palo Alto Networks Log Collector (especially in Panorama-managed environments) indicates that the Log Collector cannot locate or communicate with its “master” Panorama, the one that manages the log collector cluster or handles centralized logging coordination.

Let’s go step-by-step to understand the cause, impact, and resolution.

🔍 1. Meaning of the Error

The master_not_discovered_exception typically appears in:

System logs (/var/log/ms.log or /opt/pancfg/mgmt/logs/ms.log)

Panorama > Monitor > Logs > System

It means:

The Log Collector is unable to discover or connect to the Panorama master that manages the Log Collector cluster.

In other words, the Log Collector doesn’t know who its “manager” is — so it cannot register, sync configuration, or forward logs properly.

⚙️ 2. Common Scenarios Where It Happens

| Scenario | Description |
| --- | --- |
| 🔄 After Panorama HA failover | The new active Panorama instance didn’t assume master collector control properly. |
| 🧩 Collector group misconfiguration | The collector is not added properly to the collector group or has wrong serial information. |
| 🌐 Network/Connectivity issue | TCP ports 28443 or 28260 (Panorama communication) blocked between collector and Panorama. |
| ⚙️ Software version mismatch | Panorama and Log Collector versions are incompatible. |
| 💾 Corrupted collector registration | The collector’s internal registration data is stale or invalid. |

🧰 3. How to Troubleshoot

Step 1. Check Panorama Connection Status

On Panorama CLI:

> show log-collector all

You should see the list of collectors with “Connected” status.

If it shows “Disconnected” or “Unknown”, the issue is active.

Step 2. Verify Network Connectivity

From the Log Collector:

ping <panorama-ip>

telnet <panorama-ip> 28443

✅ Ensure Panorama ports (TCP 28443, 28260) are reachable.

Step 3. Check Log Collector Registration

On Panorama CLI:

> show log-collector connected

> show system logdb-quota

> show system info

Ensure:

Serial numbers match the collector entry in Panorama > Collector Groups.

The collector group name and serial number are consistent.

Step 4. Sync Collector Configuration

If the collector lost sync, force a re-registration:

> request log-collector restart management-server

> request log-collector connect

Or in Panorama GUI:

Go to Panorama > Managed Collectors → select the collector → Commit and Push config again.

Step 5. Check for Panorama HA Sync

If you have HA:

> show panorama-status

> show high-availability state

Ensure both peers are synchronized and have identical collector group configuration.

Step 6. Review Logs

On the Log Collector:

tail -f /var/log/ms.log

Look for lines like:

master_not_discovered_exception

Failed to contact master at <IP>

That can confirm whether the issue is network-related or registration-related.
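Steps 2 and 6 combined, as an added example that is not part of the original article or any Palo Alto Networks tooling: a Python script for an exported copy of ms.log that counts the exception, extracts the master IPs from the "Failed to contact master at" lines, and probes the article's TCP ports toward each one. The log line layout, the sample IP and the names tcp_open and triage are assumptions.

```python
import re
import socket
from collections import Counter

# Ports the article lists for Panorama communication.
PANORAMA_PORTS = (28443, 28260)

# Constructed sample lines; the timestamp/level prefix is an assumption,
# only the two message strings come from the article.
SAMPLE_LOG = """\
2024-05-01 10:00:01 ERROR master_not_discovered_exception
2024-05-01 10:00:02 WARN Failed to contact master at 192.0.2.10
2024-05-01 10:00:32 ERROR master_not_discovered_exception
2024-05-01 10:00:33 WARN Failed to contact master at 192.0.2.10
2024-05-01 10:01:05 INFO unrelated line
"""

FAILED_RE = re.compile(r"Failed to contact master at (\d{1,3}(?:\.\d{1,3}){3})")


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False


def triage(log_text, probe=tcp_open, ports=PANORAMA_PORTS):
    """Summarise exception count and per-master port reachability."""
    lines = log_text.splitlines()
    exceptions = sum("master_not_discovered_exception" in l for l in lines)
    masters = Counter(m.group(1) for l in lines if (m := FAILED_RE.search(l)))
    report = {"exceptions": exceptions, "masters": {}}
    for ip, hits in masters.items():
        blocked = [p for p in ports if not probe(ip, p)]
        # Blocked ports point at the network; open ports with the error still
        # logged point at registration, version or HA state instead (a hint).
        verdict = "network" if blocked else "registration"
        report["masters"][ip] = {"hits": hits, "blocked": blocked, "verdict": verdict}
    return report


if __name__ == "__main__":
    # Stub probe so the demo runs offline: pretend TCP 28260 is filtered.
    print(triage(SAMPLE_LOG, probe=lambda ip, port: port != 28260))
```

Run the real probe from a host on the collector's network segment, since reachability from elsewhere says nothing about the collector's own path to Panorama.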

🧩 4. Common Fixes

| Root Cause | Solution |
| --- | --- |
| Panorama failover or HA desync | Perform HA sync again (Commit on Active Panorama). |
| Log Collector not registered properly | Remove and re-add the collector in Panorama GUI (Collector Groups). |
| Communication ports blocked | Allow TCP 28443 & 28260 bidirectionally. |
| Software mismatch | Upgrade Panorama and collectors to the same PAN-OS version. |
| Internal corruption | Restart management-server on collector: debug software restart process management-server |

🧾 5. Example Resolution Workflow

1. Confirm Panorama active node:

> show high-availability state

2. On that node:

> show log-collector all

3. If the collector shows “disconnected”:

Verify connectivity.

Re-register via GUI or CLI.

Commit and push configuration.

4. Restart collector mgmt services if needed.

🧠 6. Preventive Tips

Always perform HA sync before and after upgrades.

Keep Panorama and Collectors on the same PAN-OS version.

Regularly back up Panorama configuration.

Monitor via Panorama > Managed Collectors > Status dashboard.

Author Profile

Nickajay