on 01-31-2023 02:16 PM
Experiencing an issue where a commit to Panorama succeeds, but the push to the device fails with status 'none' and the error message 'no detail'? Read on to see @Tom-Lee's findings. Thanks for sharing with the community!
We recently had this issue where, after upgrading firewalls to 10.1, Panorama gave an error on push to certain firewalls with the description "none", which wasn't very helpful. Through further process of elimination we discovered that the error only occurred on VM FWs in AWS. Panorama wouldn't even try to push the device templates or give any meaningful error messages.
It was only when prompted that we checked the plugin versions. Panorama 10.1.8-h2 after the upgrade had vm_series-2.1.6, whereas the firewall image included vm_series-2.1.7!
A reminder to all on PAN-OS updates: check not just that your Panorama is on a higher or equal software version, but also the AV/Threat AND plug-in versions!
The reason the template push failed specifically to AWS is that we utilize CloudWatch configuration in the template for AWS, whereas other VM series didn't have this configuration in the template. The error was not shown in Panorama, but basically the template was not compatible with the firewall, as Panorama did not have support for 2.1.7.
Other strange issues on upgrade from 9.1.x to 10.1.x:
We also had issues when setting up User-ID redistribution agents: they would not connect to Panorama or some firewalls. When using the default secure comms certificate, the built-in PAN-OS certificate is used, and if this expires, again no messages are displayed to make this obvious. In our case the scheduled dynamic content update after the upgrade hadn't worked, and it required a manual check now, download and install of the latest content version to refresh the built-in certificate. This is not to be confused with other FW certificates, as there is also the device certificate (used to communicate with Palo Alto Cloud) and the Cortex Data Lake specific certificate (used to communicate with the customer-specific instance), in addition to the user-based certs that can be installed for the management console or SSL decrypt / client auth.
Creating this article to help others searching for quick answers!
See also here https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wkupCAA
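
A pre-push check for the version mismatch described above, as an added example that is not part of the original post or any Palo Alto Networks tooling. It compares each firewall's PAN-OS and plug-in versions against Panorama's and reports firewalls that are ahead; the inventory layout, hostnames and firewall PAN-OS versions are constructed, and collecting the version strings from the devices is left out.

```python
import re

def parse_plugin(text):
    """Split 'vm_series-2.1.6' into ('vm_series', (2, 1, 6))."""
    m = re.fullmatch(r"(\w+)-(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised plug-in string: {text!r}")
    return m.group(1), tuple(int(p) for p in m.group(2).split("."))

def parse_panos(text):
    """Turn '10.1.8-h2' into (10, 1, 8, 2); a release without a hotfix is h0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def find_mismatches(panorama, firewalls):
    """Return (firewall, kind, firewall_value, panorama_value) tuples for
    every firewall whose software or plug-in is newer than Panorama's."""
    pano_sw = parse_panos(panorama["sw"])
    pano_plugins = dict(parse_plugin(p) for p in panorama["plugins"])
    findings = []
    for name, fw in sorted(firewalls.items()):
        if parse_panos(fw["sw"]) > pano_sw:
            findings.append((name, "software", fw["sw"], panorama["sw"]))
        for plugin in fw["plugins"]:
            pname, pver = parse_plugin(plugin)
            if pname not in pano_plugins:
                # Assumption: a plug-in Panorama lacks entirely is worth review.
                findings.append((name, "plugin-missing", plugin, None))
            elif pver > pano_plugins[pname]:
                have = pname + "-" + ".".join(map(str, pano_plugins[pname]))
                findings.append((name, "plugin", plugin, have))
    return findings

# Constructed inventory. Only the Panorama version and the two vm_series
# plug-in versions come from the post; everything else is made up.
PANORAMA = {"sw": "10.1.8-h2", "plugins": ["vm_series-2.1.6"]}
FIREWALLS = {
    "aws-vm-fw-1": {"sw": "10.1.8", "plugins": ["vm_series-2.1.7"]},
    "dc-fw-1": {"sw": "10.1.8-h2", "plugins": []},
    "esx-vm-fw-1": {"sw": "10.1.9", "plugins": ["vm_series-2.1.6"]},
}

if __name__ == "__main__":
    for fw, kind, fw_val, pano_val in find_mismatches(PANORAMA, FIREWALLS):
        print(f"{fw}: {kind} {fw_val} is ahead of Panorama ({pano_val})")
```
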