topic Re: No valid AceMlc2 config: SC 1 (AceMlc2): Config not valid in General Topics

No valid AceMlc2 config: SC 1 (AceMlc2): Config not valid

paolopoz — Fri, 27 Sep 2024 09:42:20 GMT

Hello all,

I need some help troubleshooting these low severity logs that keep popping up.

This is happening on a PA-3220 which is running 10.2.9.

The output of show ctd-agent status security-client is:

[snip]

Security Client AceMlc2(1)
Current cloud server: ace.hawkeye.services-edge.paloaltonetworks.com:443
Cloud connection: disconnected
Config:
Number of gRPC connections: 2, Number of workers: 6
Debug level: 2, Insecure connection: false, Cert valid: true, Key valid: true, CA count: 385
Maximum number of workers: 10
Maximum number of sessions a worker should process before reconnect: 1024
Maximum number of messages per worker: 0
Skip cert verify: false
Grpc Connection Status:
State Invalid Config (8), last err SC 1 (AceMlc2): Config not valid
Pool state: Invalid Config (7)
last update: 2024-09-27 11:11:24.801152042 +0200 CEST m=+4233846.308952506
last connection retry: 2024-09-27 11:11:24.801135605 +0200 CEST m=+4233846.308936058
last pool close: 2024-08-09 11:09:08.896545095 +0200 CEST m=+112.772251674
isProxy: false

[/snip]

I did not find any useful documentation on how to understand what's not working and how should I fix it.

So far i got that it's about cloud features of Vulnerability Protection but it seems it's not enabled on the software version I am using.

Any other hint or suggestion is appreciated.

Re: No valid AceMlc2 config: SC 1 (AceMlc2): Config not valid

JoseRegueiro — Fri, 27 Sep 2024 15:47:15 GMT

Hello I had the same problem on the passive PA in my cluster
licenses ok, "debug software restart process ctd-agent" or firewall restart does not change anything.
but when I suspended the active one, magic, the problem disappear, confirming that my configuration (network, service route configuration and other) was correct.

have a nice day

Re: No valid AceMlc2 config: SC 1 (AceMlc2): Config not valid

BPry — Fri, 27 Sep 2024 16:06:20 GMT

@paolopoz,

If you're looking at a passive firewall that doesn't have an internet connection through the management interface and relies upon a service route this is kind of expected, which is why it's a low severity alert.

Re: No valid AceMlc2 config: SC 1 (AceMlc2): Config not valid

paolopoz — Tue, 01 Oct 2024 14:01:33 GMT

Thanks @BPry but this is happening on the active firewall.

All services are running as intended.

The firewall has access to internet.

Re: No valid AceMlc2 config: SC 1 (AceMlc2): Config not valid

paolopoz — Fri, 13 Dec 2024 10:47:51 GMT

I had to open a case to PA to fix this.

The error was caused by an active but unlicensed feature.

They disabled the service:

set system setting ctd feature-forward mica disable

Then rebooted it:

debug software restart process ctd-agent

Hope this help others.