topic Re: Management server failed to send phase 1 to client sslvpn in Panorama Discussions

Management server failed to send phase 1 to client sslvpn

Ankit1Singh — Mon, 28 Aug 2023 14:59:08 GMT

Hi All, Commit is getting failed on only Active unit while pushing it from Panorama.

Commit Failed from Panorama

Error : Management server failed to send phase 1 to client sslvpn

Commit is failing only on Active unit while commit is successful on passive unit.

Device Details:

Panorama : M-500 PAN-OS : 9.1.8

Firewall : PA-5060 PAN-OS : 8.1.18

From Firewall :

adm(active)> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
routed 30 init 0
ha_agent 25 init 0
device 20 init 0
ikemgr 10 init 0
keymgr 10 init 0 (op cmds only)
logrcvr 10 init 0
dhcpd 10 init 0
varrcvr 10 init 0
sslvpn 10 init 0
rasmgr 10 init 0
useridd 10 init 0
satd 10 init 0
websrvr 10 init 0
sslmgr 10 init 0
authd 10 init 0
pppoed 10 init 0
dnsproxyd 10 init 0
cryptod 10 init 0
dagger 10 init 0 (op cmds only)
l2ctrld 10 init 0
cord 10 init 0

Overall status: init. Progress: 0

From Panorama:

adm> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
ha_agent 25 P2-ok 100
sslmgr 10 P2-ok 100
authd 10 P2-ok 100
cryptod 10 P2-ok 100
dagger 10 init 0 (op cmds only)
cord 10 P2-ok 100
logd 10 init 0 (op cmds only)
reportd 10 init 0 (op cmds only)
useridd 10 P2-ok 100

Overall status: P2-ok. Progress: 0

Re: Management server failed to send phase 1 to client sslvpn

PavelK — Mon, 28 Aug 2023 23:48:33 GMT

Hello @Ankit1Singh

to drill down root cause could you check logs from CLI:

Panorama: tail follow yes mp-log configd.log

FW: tail follow yes mp-log devsrv.log

Typically logs from these files can reveal more details than the error displayed in GUI. Also, both Panoramas as well as Firewall have outdated PAN-OS. If there is a chance, I would recommend to upgrade both.

Kind Regards

Pavel

Re: Management server failed to send phase 1 to client sslvpn

TomYoung — Tue, 29 Aug 2023 00:23:04 GMT

Hi @Ankit1Singh ,

Could you run the CLI command "show system software status | match sslvpn" and confirm the process is running? If not, you can restart the process with the CLI command "debug software restart process sslvpn". Then commit again.

Thanks,

Tom

Re: Management server failed to send phase 1 to client sslvpn

Ankit1Singh — Tue, 29 Aug 2023 08:09:34 GMT

Thank you TomYoung for the reply.

Command need to run or Panorama or the managed firewall?

Also restarting sslvpn process cause any traffic impact?

Re: Management server failed to send phase 1 to client sslvpn

Ankit1Singh — Tue, 29 Aug 2023 08:17:03 GMT

Below logs from firewall might help to identify the issue.

2023-08-28 00:59:43.454 -0700 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
load cache is successful
2023-08-28 00:59:43.512 -0700 Get tdb_only from last committed config
2023-08-28 00:59:43.512 -0700 No Any content change
2023-08-28 00:59:43.512 -0700 TDB compilation done, return 0
2023-08-28 01:00:05.601 -0700 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2023-08-28 01:00:05.603 -0700 Error: pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
2023-08-28 01:00:06.404 -0700 Config commit phase1 abort
2023-08-28 01:00:06.404 -0700 tdb compile flag is still up, abort thread wait 1 second
2023-08-28 01:00:06.416 -0700 Error: cfgagent_modify_callback(pan_cfgagent.c:84): Modify string (sw.mgmt.runtime.clients.device.err) error: USER (1)
2023-08-28 01:00:07.404 -0700 tdb compile flag is still up, abort thread wait 1 second

Re: Management server failed to send phase 1 to client sslvpn

TomYoung — Tue, 29 Aug 2023 11:47:45 GMT

Hi @Ankit1Singh ,

Please run the commands on the managed NGFW. The commit is failing there. As long as you have not reverted the configuration, the Panorama pushed configuration is still part of the candidate configuration. You can still try to commit it.

Thanks,

Tom

Re: Management server failed to send phase 1 to client sslvpn

Ankit1Singh — Tue, 29 Aug 2023 13:55:02 GMT

I tried with the mgmt-server restart but still it is failing with the same error.

-------debug software restart process management-server---------

I believe restarting mgmt-server will restart all the process including sslvpn.

debug software restart process sslvpn ---- will hit be helpful now?

If I run this command will it impact live traffic?

Thank you for your reply!!!!