topic Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't in Panorama Discussions

Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

Jeroen_Proost — Thu, 07 Sep 2023 14:00:04 GMT

Hi,

When I try to push a config from Panorama to a PA-440, the commit fails because of these reasons. Which is strange because ethernet1/2 isn't in use (on the PA-440).

Also the zones are configured and their type is defined.

What am I missing here ?

Thank you very much,

Re: Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

ozheng — Mon, 11 Sep 2023 08:33:00 GMT

Hello Jeroen_Proost,

Can you run a "blank" commit on the firewall?

If it fails, the issue is on your firewall, not on the configuration you are pushing from the Panorama.

Otherwise, you will need to give more info on the change you have done between the last successful commit from Panorama to this PA-400 and the unsuccessful one.

Olivier

Re: Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

Jeroen_Proost — Mon, 11 Sep 2023 09:01:06 GMT

Hello @ozheng ,

Do you mean a template with no configuration in it ?

Thank you,

Re: Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

ozheng — Tue, 12 Sep 2023 01:14:24 GMT

Hello Jeroen Proost,

You connect to the CLI to the firewall then you run the following commands:

> configure
# commit force

Then you wait the commit result.

Olivier

Re: Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

Jeroen_Proost — Tue, 19 Sep 2023 12:35:52 GMT

Hello @ozheng ,

This is what I get:

Performing panorama connectivity check (attempt 1 of 5)
Panorama connectivity check was successful for 10.222.222.20
Configuration committed successfully

So that works...

The only difference from the last succesful commit is that in between, for some reason nobody could login anymore so I had to do a factory reset...

I connected an other PA-440, added it to Panorama but when I try to push the templates and device groups to this device, I get the exact same errors.

For reference, these are the error messages when pushing the device group and template to the PA-440's:

Details:

. In VSYS vsys1 from zone untrust-l3 of type unknown and to zone untrust-l3 of type unknown are incompatible in security rule allow ike-ipsec

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone trust-l3 of type unknown are incompatible in security rule drop paxton to non-paxton

. In VSYS vsys1 from zone intern-l2 of type unknown and to zone intern-l2 of type unknown are incompatible in security rule allow intern to intern

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone trust-l3 of type unknown are incompatible in security rule allow trust to trust

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone untrust-l3 of type unknown are incompatible in security rule allow trust to untrust

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone untrust-l3 of type unknown are incompatible in nat rule to-internet

. Configuration is invalid

=> the zones trust-l3 and untrust-l3 aren't of type unknown, they are type Layer 3

Details:

. Validation Error:

. network -> vlan -> vlan-intern -> interface 'ethernet1/2' is already in use

. network -> vlan -> vlan-intern -> interface is invalid

. Commit failed

=> I don't see where interface 'ethernet1/2' is in use. So just for testing I removed 'ethernet1/2' from "vlan-intern", but then I get:

. Validation Error:

. network -> virtual-wire -> default-vwire -> interface1 'ethernet1/1' is not a valid reference

. network -> virtual-wire -> default-vwire -> interface1 is invalid

. Commit failed

=> But there are no virtual-wire's configured !

Re: Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

ozheng — Wed, 20 Sep 2023 08:07:34 GMT

Hello Jeroen_Proost.

Maybe there is the vwire on the firewall config?

Anyway, have you run the commit force on the firewall (with no pending change)?

If it fails --> the issue is on the firewall not on Panorama.

Olivier

Re: Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't

Jeroen_Proost — Wed, 20 Sep 2023 13:49:47 GMT

Hello @ozheng ,

Yes, I was able to do the commit force on the local firewall. In the meanwhile I contacted PA support, we deleted the standard factory settings (default virt router, default vwire, default interfaces,...) and were able to push the templates and device groups from Panorama...

I'm glad this seems to be the solution. Tomorrow I'm going to connect another fw and see if it works again.