"Could not get vsys info for device xxxx in dg xxxx" Error Message when commit and push via Ansible

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

"Could not get vsys info for device xxxx in dg xxxx" Error Message when commit and push via Ansible

L1 Bithead

"Could not get vsys info for device xxxx in dg xxxx" when using panos_commit_push module in Ansible.

 

Commit and push via Panorama GUI is successful.

10 REPLIES 10

L5 Sessionator

Hi @hbui01, could you share (redacted) the relevant code snippets please? And describe the equivalent Panorama GUI clicks you are performing and looking to replicate? Thanks!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi JimmyHolland,
Thank you for your reply.
Attached is the panos_commit_push code snippet.
In the Panorama GUI, after creating an address object, I am clicking Commit, followed by Commit and Push.
Thank you for your help.
Huy

Hi @hbui01, I can't see any code I am afraid.

Just FYI:

The commit in the GUI is the same as https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_commit_panorama_module.html 
The push in the GUI is the same as https://paloaltonetworks.github.io/pan-os-ansible/modules/panos_commit_push_module.html

The "commit and push" is the same as doing both of those two modules listed above, in that order.

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi JimmyHolland,

 

I pasted code snippet.

 

- name: commit config on firewall panorama

      panos_commit_push:

         provider: '{{ provider }}'

         style: 'device group'

         name: '{{ device_groups }}'

         description:

         devices:

            #- 000000000000

            #- '{{ device_groups }}'

            - 000000000000

            - 000000000000

 

Panos_commit_panorama is successful but panos_commit_push is not.

 

Thank you.

Hi @hbui01, I was able to get the same error ("Could not get vsys info for device 012345678903 in dg lab-device-group") by trying to list a device serial number which was not in the device group, have you by chance done the same thing?

 

    - name: commit config on firewall panorama
      panos_commit_push:
        provider: "{{ provider }}"
        style: "device group"
        name: "{{ device_group }}"  <- The DeviceGroup referenced only has two firewalls
        description:
        devices:
          - 012345678901   <- This firewall is in the DevceGroup referenced above 
          - 012345678902   <- This firewall is in the DevceGroup referenced above
          - 012345678903   <- This firewall is NOT in the DevceGroup referenced above

 

I also noticed that your value for the name parameter is a variable called device_groups, (not singular device_group) please note that the name parameter is expecting a single string, not a list of strings, so we are looking for a single device group to be passed in. This is what led me to test a device serial number which was in a different device group to that specified in the name parameter.

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi JimmyHolland,

 

Thank you.  We are still receiving error message even with modifying value for name parameter and ensuring our device serial numbers are in the device-group.

 

    - name: commit config on firewall panorama

      panos_commit_push:

         provider: '{{ provider }}'

         style: 'device group'

         name: 'LAS-DMZ'

         description:

         devices:

            - 012345678901

            - 012345678902

Hi @hbui01, what error message do you get now?

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi JimmyHolland,

 

Still receiving the same error message ""Could not get vsys info for device 012345678903 in dg lab-device-group").

 

Thank you.

The only way I can replicate that error is with a serial number that does not match the Device Group, can you double check everything? Are the managed firewalls definitely connected too? Otherwise, I would engage your Palo Alto Networks point of contact, and share this conversation with them

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Hi JimmyHolland,

 

I have a case open with Palo Alto Networks. I have double-checked device serial numbers are showing as part of the device-group, managed, and connected.

 

Thank you.

  • 3191 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!