I support 10+ 4060s (Ver 5.0.15) and for several years have had to deal with Panorama commit pushes to boxes taking longer and longer to complete (like 1-2 hrs). The workaround had been to script a daily login and run the "debug software restart management-server" command on each FW. This seemed to basically work.
I've noticed though that over the last 6 months to a year this has not been resolving the issues, and I have often had to perform a "request restart software" to get Panorama pushes to complete relatively quickly. Systems will either take forever for the commit process to move from 0% to 100%, or I often find, via "show jobs all", the process at 99%. When this is going on I often can't SSH to the box and can only get access via console connection, and at times that doesn't work and the system must be power-cycled.
I haven't gone down the vendor case path yet, but likely will. But I wanted first to see if community users have experienced this and had feedback.
Getting new boxes is not an option for quite a while.
Going to 6.X is also not an option on these boxes.
Looking for feedback.
Best way to determine what exactly the cause is and what the fix may be.
The issue is occurring often enough now to impact the needed flow of day-to-day operations with these FWs.
There is no real fix; the problem is that the 40xx series has 1GB of management plane memory.
It is the same problem the PA500 faced, but for the PA500 there is a memory upgrade kit available.
And "new" PA500s come with 2 GB standard.
The memory for the PA500 is standard "pc" memory.
As mentioned before, for the PA500 there is an upgrade kit; for the 40xx series there is not.
But I know some people that upgraded a 4020 lab FW to 2GB with normal "pc" memory.
And it just works fine, but warranty void and no support.
There may not be an easy fix as was just stated, but if you would like to see exactly what is "hanging" then I would suggest the following CLI command while you are performing a commit:
> show management-clients

Client      PRI  State    Progress
routed      30   P1-ok    99
ha_agent    25   P1-ok    99
device      20   P1-sent  5
ikemgr      10   P1-ok    99
keymgr      10   init     0 (op cmds only)
logrcvr     10   P1-ok    99
dhcpd       10   P1-ok    99
varrcvr     10   P1-ok    99
l3svc       10   P1-ok    99
sslvpn      10   P1-ok    99
rasmgr      10   P1-ok    99
useridd     10   P1-sent  70
satd        10   P1-ok    99
websrvr     10   P1-ok    99
sslmgr      10   P1-ok    99
authd       10   P1-ok    99
pppoed      10   P1-ok    99
dnsproxyd   10   P1-ok    99
cryptod     10   P1-ok    99
dagger      10   init     0 (op cmds only)

Overall status: P1-sent. Progress: 0
Sometimes there is a problem with just 1 service that can be causing the delay, sometimes not. This also helps you make sure that the wheels are still turning.
Just keep repeating the command via the CLI to check the status.
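The repeated-polling check described in the reply above, as an added example that is not part of the original posts: it parses two pasted captures of "show management-clients" and reports which clients are still pending and which have not moved between polls. The function names are hypothetical, the second capture is constructed, and treating "P1-ok 99" as finished and skipping "(op cmds only)" rows are assumptions drawn from the sample output, not documented behaviour.

```python
import re

# One row of `show management-clients`: name, priority, state, progress, optional note.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*(\(.*\))?\s*$")

def parse_clients(text):
    """Return {client: (state, progress)} for clients that take part in the commit."""
    clients = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, header and "Overall status" lines
        name, _pri, state, progress, note = m.groups()
        if note and "op cmds only" in note:
            continue  # assumption: these clients are not part of the commit
        clients[name] = (state, int(progress))
    return clients

def pending(clients):
    """Clients not yet at the state/progress the finished rows show (P1-ok, 99)."""
    return {n: v for n, v in clients.items() if v != ("P1-ok", 99)}

def stalled(prev, curr):
    """Pending clients whose state and progress did not change between two polls."""
    return sorted(n for n, v in pending(curr).items() if prev.get(n) == v)

# Constructed samples: rows taken from the output above; the second poll is invented.
POLL_1 = """\
> show management-clients
Client PRI State Progress
routed 30 P1-ok 99
device 20 P1-sent 5
keymgr 10 init 0 (op cmds only)
useridd 10 P1-sent 70
Overall status: P1-sent. Progress: 0
"""
POLL_2 = POLL_1.replace("device 20 P1-sent 5", "device 20 P1-sent 40")

if __name__ == "__main__":
    first, second = parse_clients(POLL_1), parse_clients(POLL_2)
    print("pending:", pending(second))
    print("stalled since last poll:", stalled(first, second))
```

A client that stays in the stalled list across several polls is the one to name when opening the vendor case.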