https://live.paloaltonetworks.com/t5/panorama-discussions/ssh-invalid-commit-error/m-p/545457#M1574 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223621">@sujithGovindaraj</a> ,</P> <P>With some major upgrades there are changes in config syntax. During the upgrade firewall will automatically update the configuration to the new syntax - this is one of the main reasons why before it was important to follow the upgrade path and not skip majort version (to ensure proper config upgrade). <BR /><BR />Unfortunately there are some rare cases where the automatic config upgrade is failing. What most probably is happening is that the current commited config contain syntax for the previous versions (probably from 10.0 or .1 as SSH ciphers were not available in 9.1).</P> <P>&nbsp;</P> <P>I would suggest you the following:<BR />1. Login to the problematic FW</P> <P>2. Export running config to xml file</P> <P>3. Open the XML with text editor and locate the relevant part of the config - the error gives you some directions &lt;deviceconfig&gt;&lt;system&gt;&lt;ssh&gt;</P> <P>4. Delete the whole "section" &lt;ssh&gt;&lt;/ssh&gt;</P> <P>5. Import the edited config back to the FW</P> <P>6. Load the imported config - this will load the file as candidate config</P> <P>7. Commit locally to the firewall</P> <P>8. Confirm commit is successfull and try to push from Panorama</P> <P>&nbsp;</P> Fri, 09 Jun 2023 09:32:02 GMT aleksandar.astardzhiev 2023-06-09T09:32:02Z https://live.paloaltonetworks.com/t5/panorama-discussions/ssh-invalid-commit-error/m-p/545222#M1571 <P>We have upgraded our palo alto firewall from 9.2.x to 10.2.4 after degradation from Panroma getting error as " out of sync ". we tried to commit and push from Panorma but we were unable to commit getting the error " SSH invalid"<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sujithGovindaraj_0-1686194452743.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50738iBEA6F3417A3A3894/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="sujithGovindaraj_0-1686194452743.png" alt="sujithGovindaraj_0-1686194452743.png" /></span></P> <P><BR />kindly help us to resove this issue&nbsp;</P> Thu, 08 Jun 2023 03:21:35 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/ssh-invalid-commit-error/m-p/545222#M1571 sujithGovindaraj 2023-06-08T03:21:35Z https://live.paloaltonetworks.com/t5/panorama-discussions/ssh-invalid-commit-error/m-p/545457#M1574 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223621">@sujithGovindaraj</a> ,</P> <P>With some major upgrades there are changes in config syntax. During the upgrade firewall will automatically update the configuration to the new syntax - this is one of the main reasons why before it was important to follow the upgrade path and not skip majort version (to ensure proper config upgrade). <BR /><BR />Unfortunately there are some rare cases where the automatic config upgrade is failing. What most probably is happening is that the current commited config contain syntax for the previous versions (probably from 10.0 or .1 as SSH ciphers were not available in 9.1).</P> <P>&nbsp;</P> <P>I would suggest you the following:<BR />1. Login to the problematic FW</P> <P>2. Export running config to xml file</P> <P>3. Open the XML with text editor and locate the relevant part of the config - the error gives you some directions &lt;deviceconfig&gt;&lt;system&gt;&lt;ssh&gt;</P> <P>4. Delete the whole "section" &lt;ssh&gt;&lt;/ssh&gt;</P> <P>5. Import the edited config back to the FW</P> <P>6. Load the imported config - this will load the file as candidate config</P> <P>7. Commit locally to the firewall</P> <P>8. Confirm commit is successfull and try to push from Panorama</P> <P>&nbsp;</P> Fri, 09 Jun 2023 09:32:02 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/ssh-invalid-commit-error/m-p/545457#M1574 aleksandar.astardzhiev 2023-06-09T09:32:02Z