Issue
When changing the group ID of a HA configuration from a Panorama template, the following commit error occurs:
Mar 12 13:12:19 Error: pan_schema_verify_attribute(pan_schema_types.c:778):attr name failed to verify
Mar 12 13:12:19 Error: pan_schema_verify_attr(pan_schema_obj.c:3488): attribute name breaks schema at line 341
Mar 12 13:12:19 Error: pan_cfg_verify_ex(pan_cfg_commit_handler.c:999): invalid confgiuration. Schema verification failed.
Mar 12 13:12:19 <line><![CDATA[deviceconfig -> high-availability -> group -> 10 Constraints failed : Only one HA Group ID allowed
Mar 12 13:12:19 Error: pan_jobmgr_process_job(pan_job_mgr.c:2914): error verifying commit candidate
Mar 12 13:12:22 Error: pan_cfg_md5sum_by_file(pan_cfg_utils.c:4998): file/opt/pancfg/mgmt/sp/vsys1/pretrans-sp-config.xml doesn't exist
Mar 12 13:12:22 Error:pan_cfg_sp_get_shared_policy_info(pan_cfg_shared_policy.c:1606): failed to get md5sum for file /opt/pancfg/mgmt/sp/vsys1/pretrans-sp-config.xml
Resolution :
Steps to be followed on the Managed Firewall :
- Log in to the device. Go to Device > Setup > Management. In the Panorama Settings widget, click on "Disable Network Template". In the popup, leave the checkbox blank (so as not to copy the template contents to the local space).
- Return to the same page and click on “Enable Network Template”.
Note: The purpose of steps 1 and 2 are to temporarily free the template contents pushed from Panorama. - Go to the High Availability (HA) setup page and set the group id to the desired new value (for example, 10).
Note: Each HA group should have its own template so the HA group value is pushed to only that HA pair.
Steps to be followed on the Panorama :
- Change the template to have the new group ID and push it again to this device. This causes other template configurations to be recreated on the device. Step 1 caused the template objects to be lost.
- Make sure that the “Merge with candidate config” is checked, and perform a push just to this device.
- Now this device has group id 10 and also all the template objects are restored.
owner: kadak