Commit Error after upgrading to 6.1.1 from 6.0.1

L1 Bithead


Operation Commit
Result Failed

Details vsys1

    Error: Duplicate user name 'OU=Students,DC=cadets,DC=cbchs,DC=org'

    Error: Failed to parse security policy

(Module: device)

If I revert to 6.0.1 it commits with no issues.

I've tried removing 'OU=Students,DC=cadets,DC=cbchs,DC=org' from the group include list in the group mapping settings and am still not able to commit after upgrading.

L2 Linker

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Hello Robertsa,

Is this an HA pair, and is the commit failing only on the passive device?

If so, then please make sure the root CA certificate is not missing on the passive device. If it's missing, then manually reconfigure it, then sync the devices and commit again.

Hope this helps

L1 Bithead

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Hello Mystique,

This is indeed an HA pair but it is failing on both the passive and active devices.

Thank you,

Robertsa

L1 Bithead

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Also the CA certificate is present and Status is "Valid" for both devices.

L2 Linker

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Can you send the output of the command below from the PA FW CLI on the active or passive device:

> show user group list

L1 Bithead

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Sure! Message sent :)

L2 Linker

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

I can see the whole group name, as below, from the CLI command output:

cn=all students,ou=groups,ou=students,dc=cadets,dc=cbchs,dc=org

Can you please try to delete the security rule in which this group name is being used and then commit. If commit is successful, then reconfigure the security rule again.

Hope this helps. If not then you might want to open a support case to further troubleshoot the issue live.

L2 Linker

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Your best bet is just to remove the security policy rule and commit the changes. Then re-add it.

L1 Bithead

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

Thanks to you both, Mystique and Parmas,

I had 7 rules applying to just our student users; in each I had these users listed: cadets\all students, ou=students,dc=cadets,dc=cbchs,dc=org, and cadets\allstudents.

I first tested the effectiveness of the applicable policies using only ou=students,dc=cadets,dc=cbchs,dc=org. The policies still applied, so I attempted upgrading our passive PAN with the security policies updated.

The upgrade failed.

So I then tested the effectiveness of the applicable policies using only cadets\allstudents. The policies still applied, so I attempted upgrading our passive PAN with the security policies updated.

The upgrade was at last successful.

My question is how did you both know to look at security policies and users being listed from the Duplicate user name error? Was vsys1 a clue for you?

Also, when the upgrade was failing it was aborting on startup at "satd-config", "sslmgr-config-p1", etc. Why would security rules being ineffective cause startup processes to abort?

Thank you both again,

Robertsa

L2 Linker

Re: Commit Error after upgrading to 6.1.1 from 6.0.1

This error, "Error: Failed to parse security policy", was the clue that the issue was with the security policy.

Glad to know the upgrade was successful.

Have a great day ahead!!
