topic Can't commit from Panorama due to mis-match Vsys number between Pan and local box in Panorama Discussions

Can't commit from Panorama due to mis-match Vsys number between Pan and local box

SAugustin — Fri, 21 Jan 2022 18:01:19 GMT

wanted to know if anyone has ever experienced this issue. recently configured a new Vsys "Vsys6" which was successfully added to the correct Template_stack and device groups. everything worked fine for 2-3 weeks, however last night after adding 2 Sec.policies to the new Vsys. the commit failed. FYI for security i've edited the zone names and policy name.

. In VSYS vsys5 from zone "zone name" of type unknown and to zone "zone name" of type unknown are incompatible in security rule "rule name"
. In VSYS vsys5 from zone "zone name" of type unknown and to zone "zone name" of type unknown are incompatible in nat rule "rule name"
. In VSYS vsys5 from zone "zone name" of type unknown and to zone "zone name" of type unknown are incompatible in nat rule "rule name"
. In VSYS vsys5 from zone "zone name" of type unknown and to zone "zone name" of type unknown are incompatible in nat rule "rule name"
. Configuration is invalid

It goes on for a couple more rules where the zone or rule name will change.

I've noticed that on the PAN, the Vsys# does not match the name"description" from the Vsys# name"description" on the local boxes. for example on the PAN Vsys5 is named blue and Vsys6 is yellow, but on the local box Vsys5 is Yellow and Vsys6 is blue. I've tried pushing the stack to the boxes but that didnt work, tried reverting but that didn't work either.

Re: Can't commit from Panorama due to mis-match Vsys number between Pan and local box

nikoolayy1 — Mon, 24 Jan 2022 08:59:38 GMT

Hello,

Have you followed the article below when adding the new vsys using panorama?

New Virtual System (vsys) created in Panorama Template does not... - Knowledge Base - Palo Alto Networks

Also I found the the below info:

You can rename a vsys only on the local firewall. On Panorama, renaming a vsys is not supported. If you rename a vsys on Panorama, the result is an entirely new vsys or the new vsys name gets mapped to the wrong vsys on the firewall.

Device > Virtual Systems (paloaltonetworks.com)

If nothing works you may try to remove and add again the the firewall with its VSYS systems :

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cmd6CAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmM0CAK

You may also check for bugs for your version, for example :

Known Issues (paloaltonetworks.com)

Re: Can't commit from Panorama due to mis-match Vsys number between Pan and local box

SAugustin — Tue, 25 Jan 2022 13:52:04 GMT

Nikolay,

Everything was done correctly in regards to creating the new Vsys. as i stated the Vsys was created 2-3 weeks before the issue started. Anyway, I tried removing the new Vsys6 and the configs created with it on the PAN and tried to push it to the local FW box. the push still failed but only the device group portion. So we decided to un-pair the FW from PAN but instead of checking the import "device and network template" and the "policy and object" checkbox.we decided to only keep the local default settings "local admin" ,"management port" etc. after UN-pairing we didnt commit the change on the local box. instead we went straight to re-pairing the FW back to PAN, added it back to the device groups. did a "commit and push" and that was successful. when into the local FW and everything matches up now. PAN and local FW Vsys are all matched up.