Commit not working in passive firewall

Venkatesan_radhakrishnan — Wed, 31 Oct 2018 15:11:16 GMT

When I commit the firewall in active firewall I can able to commit.

When I commit in passive firewall it shows "Error: config push error"

However I don't need to push the configuration in passive firewall I'm doing this as my HA sync is having issue.

Please let me know your comments

Re: Commit not working in passive firewall

LukeBullimore — Wed, 31 Oct 2018 15:17:28 GMT

Hey @Venkatesan_radhakrishnan

Certainly odd. What PAN-OS version are you on?

The management-server log will have more information on why this failed. If you do the following and paste the output we may be able to see why:

> show jobs all

Grab the ID of the commit that failed

> less mp-log ms.log

Press the "/" key to start searching, type the Job-ID of the failed commit and copy the relevant commit logs.

Re: Commit not working in passive firewall

Venkatesan_radhakrishnan — Wed, 31 Oct 2018 15:18:56 GMT

8.1.1

Model 3020

Re: Commit not working in passive firewall

LukeBullimore — Wed, 31 Oct 2018 15:23:55 GMT

Hey @Venkatesan_radhakrishnan

Just an FYI, PAN-OS 8.1.1 isn't recommended. No version of PAN-OS 8.1 is at the moment but I would certainly recommend running 8.1.4-h2 if you have to run PAN-OS 8.1.

Likely an upgrade will fix it, or less service impacting you can try a restart of the management-server on the passive (not service effecting) "debug software restart process management-server".

Where are those management-server logs 😉

Re: Commit not working in passive firewall

Venkatesan_radhakrishnan — Wed, 31 Oct 2018 15:39:21 GMT

I will share the management logs soon

Re: Commit not working in passive firewall

Venkatesan_radhakrishnan — Thu, 01 Nov 2018 10:08:13 GMT

2018-11-01 10:06:59.594 +0400 dnscfgmod: Added fqdn resolved ips to config /opt/pancfg/mgmt/devices/localhost.localdomain/.refreshed-candidate.xml

2018-11-01 10:07:00.226 +0400 client routed reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:00.237 +0400 client ha_agent reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.429 +0400 client ikemgr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.504 +0400 client dhcpd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.562 +0400 client varrcvr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.718 +0400 client rasmgr reported warning: Warning: tunnel tunnel.100 ipv6 is not enabled. IPv6 address will be ignored!

(Module: rasmgr)

2018-11-01 10:07:01.719 +0400 client rasmgr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.162 +0400 client websrvr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.208 +0400 client sslmgr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.308 +0400 client authd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.315 +0400 client satd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.347 +0400 client pppoed reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.457 +0400 client dnsproxyd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.515 +0400 client cryptod reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.727 +0400 client l2ctrld reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.856 +0400 client cord reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:04.757 +0400 client sslvpn reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:04.970 +0400 client logrcvr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:10.138 +0400 client device reported error: Error: config push error

(Module: device)

2018-11-01 10:07:10.139 +0400 client device reported Phase 1 FAILED

2018-11-01 10:07:10.940 +0400 client useridd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:10.940 +0400 All client have responded for validate.

2018-11-01 10:07:10.940 +0400 Client:device has P1 error reported

2018-11-01 10:07:10.940 +0400 Error: pan_mgmt_client_table_do_commit(pan_cfg_commit_jobs.c:3743): phase 1 failed

2018-11-01 10:07:10.950 +0400 EDL cfg(0x2a35000, 0) Releasing candidate EDLs of type IP

2018-11-01 10:07:10.950 +0400 EDL cfg(0x2a35000, 0) Releasing candidate EDLs of type Domain

2018-11-01 10:07:10.950 +0400 EDL cfg(0x2a35000, 0) Releasing candidate EDLs of type URL

2018-11-01 10:07:10.952 +0400 Error: pan_cfg_commit_to_local_device(pan_cfg_commit_handler.c:3223): Validate failed

2018-11-01 10:13:06.945 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:13:08.905 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:15:00.290 +0400 Checking to purge appstatdb logtype

2018-11-01 10:19:53.205 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:19:55.057 +0400 client dagger reported op command was SUCCESSFUL

2018-11-01 10:19:55.299 +0400 template config file /opt/pancfg/mgmt/template/template-config.xml doesn't exist

99%2018-11-01 10:19:55.299 +0400 Could not find last pushed template, returning empty template config tree

2018-11-01 10:19:55.312 +0400 client l2ctrld reported op command was SUCCESSFUL

2018-11-01 10:21:47.578 +0400 client cryptod reported op command was SUCCESSFUL

2018-11-01 10:21:47.674 +0400 Error: pan_cfg_mgr_get_sp_disabled(pan_cfg_mgr.c:7283): failed to fetch: NO_MATCHES

2018-11-01 10:21:48.105 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:21:48.917 +0400 client cryptod reported op command was SUCCESSFUL

2018-11-01 10:21:49.004 +0400 Error: pan_cfg_mgr_get_sp_disabled(pan_cfg_mgr.c:7283): failed to fetch: NO_MATCHES

2018-11-01 10:21:49.425 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:30:00.692 +0400 Checking to purge appstatdb logtype

2018-11-01 10:33:33.955 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:36:14.977 +0400 dnscfgmod: FQDN Refresh: Periodic TTL Expiry Refresh

2018-11-01 10:36:14.977 +0400 dnscfgmod: Main refresh function: (TTL Expiry)

2018-11-01 10:36:14.978 +0400 dnscfgmod:Fqdn refresh job 6360 scheduled

2018-11-01 10:36:14.978 +0400 FqdnRefresh job started processing. Dequeue time=2018/11/01 10:36:14 2018-11-01 10:36:19.750 +0400 dnscfgmod: Resolving fqdns took 5 secs

2018-11-01 10:36:19.750 +0400 Fqdn refresher thread device requested last config

2018-11-01 10:36:20.203 +0400 Warning: pan_hash_init(pan_hash.c:112): nbuckets 100 is not power of 2!

2018-11-01 10:36:20.203 +0400 shm alloc(read-only) 'pan_shm_base' size 104172048

2018-11-01 10:36:20.950 +0400 dnscfgmod: Fqdn pijepkm.work/pijepkm.work could not be resolved

2018-11-01 10:36:20.950 +0400 dnscfgmod: Fqdn vfpurtshsphuwqulm.pw/vfpurtshsphuwqulm.pw could not be resolved

2018-11-01 10:36:20.950 +0400 dnscfgmod: Fqdn ruuvsgbaxbh.work/ruuvsgbaxbh.work could not be resolved

2018-11-01 10:36:20.951 +0400 dnscfgmod: Fqdn smtp.office365.com/smtp.office365.com not used

2018-11-01 10:36:20.951 +0400 dnscfgmod: Fqdn ppa.adnoc/ppa.adnoc.ae not used

2018-11-01 10:36:29.632 +0400 client device reported error: Error: config push error

(Module: device)

2018-11-01 10:36:29.633 +0400 client device reported Phase 1 FAILED

2018-11-01 10:36:29.633 +0400 Error: pan_cfg_refresh_deviceconfig(pan_cfg_commit_jobs.c:3177): phase 1 failed cstate:6 - verify:0

2018-11-01 10:36:29.634 +0400 Error: pan_dnscfg_force_refresh_fqdns_after_fail(pan_cfg_dnscfg.c:3813): Trying to refresh fqdn job after the first retry.Not allowed.

2018-11-01 10:36:29.690 +0400 Error: pan_cfg_dnscfg_refresh_fqdns(pan_cfg_dnscfg.c:4418): Failed to refresh the fqdn.

2018-11-01 10:36:29.757 +0400 Error: pan_jobmgr_process_job(pan_job_mgr.c:3228): Fqdn Refresh job failed

mailclient: Socket timeout. host=172.16.0.33

Re: Commit not working in passive firewall

Venkatesan_radhakrishnan — Mon, 05 Nov 2018 09:38:33 GMT

Guys

I have fixed the issue, I gave show management-clients on CLI of passive firewall it displayed the clients running.

I found '*' on the device client, I tried to restart the managment-server and devsrvr but it didn't restart the device client process.

So I restarted the secondary box then it got fixed. If your issue is in Primary box failover to secondary and try it.

After getting commit to both firewall, HA Issue fixed and configuration are synced now

topic Re: Commit not working in passive firewall in General Topics

Commit not working in passive firewall

Re: Commit not working in passive firewall

Re: Commit not working in passive firewall

Re: Commit not working in passive firewall

Re: Commit not working in passive firewall

Re: Commit not working in passive firewall

Re: Commit not working in passive firewall