Expedition Discussions

Reply
L1 Bithead
Posts: 3
Registered: ‎02-08-2019

Expedition migrated ASA configuration is giving "Configuration is invalid" error on validation

[ Edited ]

Hi Experts,

 

I have merged 9 different ASA firewall/contexts to create 3 Vsys on Paloalto 5220.

Till 2 vsys migration worked fine and configuration was ready to get pushed with few warnings as validation said "configuration is valid"

Now after migrating/merging configuration for last Vsys validation on firewall is continuously failing with message "configuration is invalid", their are no errors but quite a lot of warnings but i think that's just fine (correct me if wrong).

 

Commit Error Screenshot.PNG

 

Had initiated real time log capture before hitting validation again, can you please have a look and advise its critical.

 

Logs are attached as codes.

 

Thanks/Sharad

dc-p-fw-01(active)> tail follow yes mp-log devsrv.log
2019-02-08 12:08:52.420 +0300 Config commit phase0 started
2019-02-08 12:08:54.211 +0300 pan_ha_is_sync_needed: needed=1, is_peer_up=1, state=5, peer_state=4
2019-02-08 12:08:54.212 +0300 /opt/pancfg/cache/pan/VSYS_ZONE.db saved to disk, digest: 8b5f0c2b681f86716208002e7d56d8f1
2019-02-08 12:08:54.225 +0300 Config commit phase0 done
2019-02-08 12:08:56.742 +0300 Config commit phase1 started
2019-02-08 12:08:56.742 +0300 flags 0x40000, content 0x1, not devsrvr only, not content only
2019-02-08 12:08:56.763 +0300 Get virus from last committed config
2019-02-08 12:08:56.763 +0300 Get wildfire from last committed config
2019-02-08 12:08:56.763 +0300 Get wpc from last committed config
2019-02-08 12:08:56.763 +0300 Get raven from last committed config
2019-02-08 12:08:56.763 +0300 TDB compilation started. tdb_compile_flag: 0x1 custom_dns 0
2019-02-08 12:08:56.763 +0300 compile type 0x1 (1)
2019-02-08 12:08:58.670 +0300 Warning:  pan_tdb_do_file_2_version(pan_tdb_comp.c:83): open app version file /opt/pancfg/mgmt/content//pan_threatversion error
2019-02-08 12:08:58.670 +0300 Warning:  pan_tdb_content_version(pan_tdb_comp.c:143): pan_tdb_file_2_version threat error, reset to 0
2019-02-08 12:08:58.670 +0300 Content Engine version: 0x8010101 APP version: 0x3011157, Threat 0x0, virus 0x0, wildfire 0x0 type 1
2019-02-08 12:08:58.683 +0300 Primary checking
2019-02-08 12:08:58.708 +0300 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
2019-02-08 12:08:58.712 +0300 Primary checks done
2019-02-08 12:08:58.712 +0300 [TDB] Loading tdb cache /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 with wildfire 0/0 virus 0/0
2019-02-08 12:08:58.712 +0300 calc md5
2019-02-08 12:09:00.960 +0300 End of parsing custom threat
2019-02-08 12:09:01.101 +0300 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
load cache is successful
2019-02-08 12:09:01.111 +0300 Get tdb_only from last committed config
2019-02-08 12:09:01.112 +0300 No Any content change
2019-02-08 12:09:01.112 +0300 TDB compilation done, return 0
2019-02-08 12:09:02.490 +0300 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2019-02-08 12:09:02.490 +0300 Error:  pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
'cfg.hal.appid-dfa': NO_MATCHES
2019-02-08 12:09:02.783 +0300 Loading PaloAltoNetworks URL categories...
2019-02-08 12:09:02.783 +0300 Found URL categories
2019-02-08 12:09:02.783 +0300 Number of categories: 93 Order exists in content: no
2019-02-08 12:09:02.792 +0300 auto_mac_detect not configured, set to false, auto_mac_detect=0
2019-02-08 12:09:02.796 +0300 Warning:  pan_hash_init(pan_hash.c:112): nbuckets 1028 is not power of 2!
2019-02-08 12:09:02.823 +0300 Retrieved stored platform base MAC address e8:98:6d:41:bc:00
2019-02-08 12:09:02.823 +0300 HA in active-passive mode, construct base MAC from HA group ID
2019-02-08 12:09:02.823 +0300 Computed platform base MAC address e8:98:6d:41:bc:00 from configuration
2019-02-08 12:09:03.466 +0300 Warning:  pan_cfg_get_anchored_pat_config(pan_config_parser.c:23974): files /opt/pancfg/mgmt/content/global/countrycode.txt does not exist
2019-02-08 12:09:03.466 +0300 Warning:  pan_global_from_obj(pan_config_parser.c:21044): pan_cfg_get_anchored_pat_config failed
2019-02-08 12:09:03.477 +0300 vsys1 Security Policy:  783 platform accumulated rules;  783 total rules;  783 active rules;  0 disabled rules;
2019-02-08 12:09:03.526 +0300 vsys1 App Override Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.526 +0300 vsys1 Decryption:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.527 +0300 vsys1 NAT Policy:  349 platform accumulated rules;  349 total rules;  349 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 QoS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 PBF Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 DOS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 Tunnel Inspection:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.540 +0300 vsys2 Security Policy:  1231 platform accumulated rules;  511 total rules;  448 active rules;  63 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 App Override Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 Decryption:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 NAT Policy:  349 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 QoS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 PBF Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 DOS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 Tunnel Inspection:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.628 +0300 vsys3 Security Policy:  4708 platform accumulated rules;  3768 total rules;  3477 active rules;  291 disabled rules;
2019-02-08 12:09:03.667 +0300 Processing 1000 rules take 0 sec
2019-02-08 12:09:03.707 +0300 Processing 2000 rules take 0 sec
2019-02-08 12:09:03.747 +0300 Processing 3000 rules take 0 sec
2019-02-08 12:09:03.812 +0300 vsys3 App Override Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.812 +0300 vsys3 Decryption:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.812 +0300 vsys3 NAT Policy:  683 platform accumulated rules;  334 total rules;  334 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 QoS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 PBF Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 DOS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 Tunnel Inspection:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.824 +0300 wrote 0 custom dns domains
2019-02-08 12:09:03.824 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.838 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.838 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.846 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:04.009 +0300 Get custom from last committed config
2019-02-08 12:09:04.009 +0300 No TDB compilation needed custom_dns 1
2019-02-08 12:09:04.119 +0300 syncfs on /opt/pancfg/mgmt returns 0
2019-02-08 12:09:04.119 +0300 phase1: modifying cfgpush.*.*.cfg
2019-02-08 12:09:04.305 +0300 push config takes 0 sec
2019-02-08 12:09:04.305 +0300 check cfgpush.s1.comm.cfg object
2019-02-08 12:09:04.305 +0300 appsig not changed
2019-02-08 12:09:04.305 +0300 tdb not changed
2019-02-08 12:09:04.311 +0300 NTDB-vr 1 may need an updated
2019-02-08 12:09:04.311 +0300 NTDB-Update VR 1 - 2 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.313 +0300 NTDB-Updated VR 1 - total ip4 2 - dynamic 0
2019-02-08 12:09:04.313 +0300   NTDB-IP4 unchanged 2, new 0, del 0
2019-02-08 12:09:04.313 +0300 NTDB-Updated VR 1 - total ip6 0 dynamic 0
2019-02-08 12:09:04.313 +0300   NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.313 +0300 NTDB-vr 2 may need an updated
2019-02-08 12:09:04.313 +0300 NTDB-Update VR 2 - 2 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.315 +0300 NTDB-Updated VR 2 - total ip4 2 - dynamic 0
2019-02-08 12:09:04.315 +0300   NTDB-IP4 unchanged 1, new 1, del 1
2019-02-08 12:09:04.315 +0300 NTDB-Updated VR 2 - total ip6 0 dynamic 0
2019-02-08 12:09:04.315 +0300   NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.315 +0300 NTDB-vr 3 may need an updated
2019-02-08 12:09:04.315 +0300 NTDB-Update VR 3 - 3 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.316 +0300 NTDB-Updated VR 3 - total ip4 3 - dynamic 0
2019-02-08 12:09:04.316 +0300   NTDB-IP4 unchanged 3, new 0, del 0
2019-02-08 12:09:04.316 +0300 NTDB-Updated VR 3 - total ip6 0 dynamic 0
2019-02-08 12:09:04.316 +0300   NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.317 +0300 NTDB-vif_create_increment_script: 0 sec
2019-02-08 12:09:08.296 +0300 Config commit phase1 done
2019-02-08 12:09:08.300 +0300 Config commit phase1 abort
2019-02-08 12:09:08.300 +0300 kill SIGUSR1 to pid 0 

 

L4 Transporter
Posts: 179
Registered: ‎11-02-2015

Re: Expedition migrated ASA configuration is giving "Configuration is invalid" error on va

Would it be possible to share the project with us at fwmigrate at paloaltonetworks dot com?

 

We can try to see what did it go wrong on the XML creation for the resulting PANOS config.

L1 Bithead
Posts: 3
Registered: ‎02-08-2019

Re: Expedition migrated ASA configuration is giving "Configuration is invalid" error on va

Thanks for quick revert, can you please share the link for the "fwmigrate" location for project upload.

Do you want converted/output xml or entire project can be shared ?

L4 Transporter
Posts: 179
Registered: ‎11-02-2015

Re: Expedition migrated ASA configuration is giving "Configuration is invalid" error on va

I would rather get the whole project that you have worked in Expedition and sent via email: fwmigrate at paloaltonetworks dot com.

Thanks
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!