Commit fails from Panorama to Firewall for migrated configuration.


L2 Linker



I am preparing to migrate configuration from Cisco FWSM to Palo Alto 5250 which is managed by Panorama. The converted configuration gets exported to Panorama, but while attempting to commit to the firewall, I get the following error. I have done "re-mapping" of VLAN interfaces in Cisco FWSM to Palo Alto aggregate interface sub-interfaces. Please help.

I am using the Expedition tool. My Panorama version is 8.1.2.


Error Message:
. Validation Error:
. vsys -> vsys2 -> import -> network -> interface 'ae1.251' is not a valid reference
. vsys -> vsys2 -> import -> network -> interface is invalid
. Can't get interface ae1.516 id(Module: routed)
. Error: unknown interface ae1.516
. Error: virtual router configuration error
. (Module: device)
. Commit failed


L5 Sessionator

Part of the human intervention that is required during the migration is remapping the interfaces to valid interface names in a PAN-OS device.

As we can't know how the wiring will be made after the intervention, this process is not done automatically and one task is to map the Cisco interfaces to PAN-OS interfaces (doing the rename).


Thanks for the response. 

In Cisco those are interface VLANs. I have "remapped" them in the migration tool.

For example, in Cisco it was "VLAN 251". I have re-mapped it as a sub-interface as "ae1.251".


Please let me know if I am missing anything here. I am new to Palo Alto as well.

Are you using AE or sub-interfaces for connectivity to the Cisco LAN side? Are you connecting to a VLAN with L3-SVI trunk LACP? Or just one interface with sub-interfaces? If just one interface with sub-interfaces, then you don't need AEs. Once you map your interfaces correctly in Expedition / MT, you push them. I have in the past had to create the interfaces on the FW in advance and then it worked.

In Cisco FWSM, it is a single trunk interface for physical connectivity. I will try without doing any re-mapping in the conversion tool and check. Thank you. 
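A pre-commit check for the two errors quoted in this thread (a vsys import and a virtual router naming interfaces that are not defined), added here as an example; it is not part of the original thread and not Expedition's or Panorama's own code. The XML is a constructed, simplified sample modelled on the PAN-OS configuration layout (an assumption), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, simplified from the PAN-OS XML config layout (assumption).
# Only ae1.100 is defined; ae1.251 and ae1.516 are referenced but missing.
SAMPLE = """
<config><devices><entry name="localhost.localdomain">
  <network>
    <interface><aggregate-ethernet>
      <entry name="ae1"><layer3><units>
        <entry name="ae1.100"><tag>100</tag></entry>
      </units></layer3></entry>
    </aggregate-ethernet></interface>
    <virtual-router><entry name="default">
      <interface><member>ae1.100</member><member>ae1.516</member></interface>
    </entry></virtual-router>
  </network>
  <vsys><entry name="vsys2"><import><network>
    <interface><member>ae1.100</member><member>ae1.251</member></interface>
  </network></import></entry></vsys>
</entry></devices></config>
"""

def defined_interfaces(device):
    """Names of every interface and sub-interface (unit) under network/interface."""
    names = set()
    for kind in device.findall("network/interface/*"):  # ethernet, aggregate-ethernet, ...
        names.update(e.get("name") for e in kind.findall("entry"))
        names.update(u.get("name") for u in kind.findall(".//units/entry"))
    return names

def dangling_references(xml_text):
    """Return sorted (referrer, interface) pairs that name undefined interfaces."""
    root = ET.fromstring(xml_text)
    missing = set()
    for device in root.findall("devices/entry"):
        known = defined_interfaces(device)
        for vsys in device.findall("vsys/entry"):
            for m in vsys.findall("import/network/interface/member"):
                if m.text not in known:
                    missing.add(("vsys " + vsys.get("name"), m.text))
        for vr in device.findall("network/virtual-router/entry"):
            for m in vr.findall("interface/member"):
                if m.text not in known:
                    missing.add(("virtual-router " + vr.get("name"), m.text))
    return sorted(missing)

if __name__ == "__main__":
    for referrer, name in dangling_references(SAMPLE):
        print(f"{referrer}: interface '{name}' is referenced but not defined")
```
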
