Addressed Issues—ADEM Agents for Prisma SD-WAN Remote Sites

Table of Contents

Addressed Issues—ADEM Agents for Mobile Users

Addressed Issues—ADEM Agents for Prisma SD-WAN Remote Sites

The following issues have been addressed in the Autonomous Digital Experience Management (ADEM) agent for Prisma SD-WAN Remote Networks.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license Autonomous DEM license

Autonomous DEM Agent 3.6.40

ID	Description
DEM-12632	Fixed an issue where the ADEM agent stopped sending monitoring data after a restart, causing the device to appear offline in the portal.
DEM-13247	Fixed an issue where automatic agent upgrades from version 3.6.4 failed due to a missing configuration entry, leaving devices on an older agent version.
DEM-13322	Fixed an issue where ADEM agent versions prior to 3.6.40 did not properly release TPM (Trusted Platform Module) handles, causing system instability or preventing other applications from accessing TPM functions. If you are still experiencing this issue after upgrading to version 3.6.40, identify the scenario that matches your situation and follow the resolution steps below. Scenario 1: ADEM is enabled and experiencing TPM issues You have an active ADEM Remote Network license and agents are deployed, but you are facing TPM-related issues. Log in Strata Cloud ManagerSystem SettingsAccess Experience Management and click Access Experience Agent Management. Verify the affected site shows as online and note the current agent version. If the ADEM agent version is below 3.6.40 and the ION version is above 6.3.6-b10, initiate the auto-upgrade: Select the affected site(s). Initiate the auto-upgrade to version 3.6.40 or later. Monitor the upgrade status in the console and confirm the new version after completion. Proceed to the hard reboot step below. Scenario 2: ADEM license is present but the agent is dormant and causing TPM issues You have an active ADEM Remote Network license, but the agent is dormant (not actively collecting data) and still causing TPM issues. Case 1 — Agent is online: Log in Strata Cloud ManagerSystem SettingsAccess Experience Management. Confirm the affected site shows as online Check the ION version on the affected site. If the ION version is 6.3.6-b10 or higher, initiate the auto-upgrade to ADEM agent version 3.6.40 or later and proceed to the hard reboot step below. If the ION version is below 6.3.6, contact Palo Alto Networks Technical Assistance Team (TAC) for assistance. Case 2 — Agent is offline: The agent shows as offline in the Strata Cloud ManagerSystem SettingsAccess Experience Management page, or Case 1 auto-upgrade is not supported, contact Palo Alto Networks TAC for assistance. Scenario 3: No ADEM license but the agent is causing TPM issues Contact TAC and provide the ADEM agent version and ION version. TAC will stop the ADEM process before you perform the hard reboot. Perform Hard reboot After upgrading or after TAC stops the ADEM process, you must perform a hard reboot. Without it, TPM handles remain locked and the issue will recur. Save all open work on the affected endpoint (ION device). Perform a complete shutdown (not a restart). Wait 10 seconds after shutdown completes. Power on the device and allow it to fully boot. Verify TPM functionality by running dump tpm status on the ION CLI. After completing the resolution steps and hard reboot, verify the issue is resolved: Check ADEM agent version: Open the Strata Cloud Manager→System Settings→Access Experience Management and click Access Experience Agent Management page. Confirm the site displays version 3.6.40 or later. Verify TPM availability: Run dump tpm status on ION CLI to confirm the process is running. Monitor for recurrence: Observe the endpoint for 24-48 hours. Confirm no TPM error messages appear in event logs. Verify if the ADEM agent is still active.

Description

DEM-12632

Fixed an issue where the ADEM agent stopped sending monitoring data after a restart, causing the device to appear offline in the portal.

DEM-13247

Fixed an issue where automatic agent upgrades from version 3.6.4 failed due to a missing configuration entry, leaving devices on an older agent version.

DEM-13322

Fixed an issue where ADEM agent versions prior to 3.6.40 did not properly release TPM (Trusted Platform Module) handles, causing system instability or preventing other applications from accessing TPM functions. If you are still experiencing this issue after upgrading to version 3.6.40, identify the scenario that matches your situation and follow the resolution steps below.

Scenario 1: ADEM is enabled and experiencing TPM issues

You have an active ADEM Remote Network license and agents are deployed, but you are facing TPM-related issues.

Log in Strata Cloud ManagerSystem SettingsAccess Experience Management and click Access Experience Agent Management.
Verify the affected site shows as online and note the current agent version.
If the ADEM agent version is below 3.6.40 and the ION version is above 6.3.6-b10, initiate the auto-upgrade:
1. Select the affected site(s).
2. Initiate the auto-upgrade to version 3.6.40 or later.
3. Monitor the upgrade status in the console and confirm the new version after completion.
Proceed to the hard reboot step below.

Scenario 2: ADEM license is present but the agent is dormant and causing TPM issues

You have an active ADEM Remote Network license, but the agent is dormant (not actively collecting data) and still causing TPM issues.

Case 1 — Agent is online:

Log in Strata Cloud ManagerSystem SettingsAccess Experience Management.
Confirm the affected site shows as online
Check the ION version on the affected site.
If the ION version is 6.3.6-b10 or higher, initiate the auto-upgrade to ADEM agent version 3.6.40 or later and proceed to the hard reboot step below.
If the ION version is below 6.3.6, contact Palo Alto Networks Technical Assistance Team (TAC) for assistance.

Case 2 — Agent is offline:

The agent shows as offline in the Strata Cloud ManagerSystem SettingsAccess Experience Management page, or Case 1 auto-upgrade is not supported, contact Palo Alto Networks TAC for assistance.

Scenario 3: No ADEM license but the agent is causing TPM issues

Contact TAC and provide the ADEM agent version and ION version. TAC will stop the ADEM process before you perform the hard reboot.

Perform Hard reboot

After upgrading or after TAC stops the ADEM process, you must perform a hard reboot. Without it, TPM handles remain locked and the issue will recur.

Save all open work on the affected endpoint (ION device).
Perform a complete shutdown (not a restart).
Wait 10 seconds after shutdown completes.
Power on the device and allow it to fully boot.
Verify TPM functionality by running dump tpm status on the ION CLI.

After completing the resolution steps and hard reboot, verify the issue is resolved:

Check ADEM agent version:
- Open the Strata Cloud Manager→System Settings→Access Experience Management and click Access Experience Agent Management page.
- Confirm the site displays version 3.6.40 or later.
Verify TPM availability:
- Run dump tpm status on ION CLI to confirm the process is running.
Monitor for recurrence:
- Observe the endpoint for 24-48 hours.
- Confirm no TPM error messages appear in event logs.
- Verify if the ADEM agent is still active.

Addressed Issues—ADEM Agents for Mobile Users

Autonomous DEM Docs

Addressed Issues—ADEM Agents for Prisma SD-WAN Remote Sites

Autonomous DEM Docs

Addressed Issues—ADEM Agents for Prisma SD-WAN Remote Sites

Autonomous DEM Agent 3.6.40

Activation & Onboarding

SASE

Visibility & Monitoring