auto commit issues after upgrade to 10.x

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

auto commit issues after upgrade to 10.x

L1 Bithead

Hi,

 

We started to experience auto commit finishing delay on our PA-5220 after the upgrade to 10.x.  We have a pair of HA PA-5220 in active/passive mode, we never had an auto commit issue before in previous updates, reboots of the firewalls. We have upgraded numerous times before from 8.x all the way to 10.x.  In our recent upgrade to 10.1.x, three of the four firewalls failed on the initial auto commit, of those two of the three eventually finished after retrying a few times in about 10 minutes, one of them though took about 60 minutes to complete.  

 

I know it's published that it may take 30 minutes for auto commit to finish, but in our case we actually never seen it go over more than 5 minutes in the PA-5220 until the upgrade to 10.x.  When it was failing to auto commit the following error was present on all three firewalls but did eventually cleared by itself. i

 

configured traffic quota of 0 MB is less than the minimum 32 MB.
Invalid configuration. Please fix errors and try again.
Failed to commit policy to device

 

in our case this was not service impacting, since it was on HA pair but we do have standalone firewalls that if they are stuck at auto committing then it would be service impacting.

 

Support basically said this is acceptable/normal.

 

I just want to know if this is the new normal now for us and to set expectations as such, and what others experience is with auto commit finishing. 

 

Thanks.

4 REPLIES 4

Community Team Member

Hi @RREALICA ,

 

This could be expected after 10.1.x due to some changes, autocommit fails unless all of the logging disks are ready and have stopped rebuilding.  Expected times for rebuilding the disk will depend on the logging size itself (I've seen it take 60 - 90 minutes).  Allow time for the rebuilding to complete.

 

 
 

rtaImage.jpeg

 

Hope this helps,

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!

L1 Bithead

Thanks @kiwi.
Experienced a 30 minute reboot to HA ready on PA-5220 going from 10.0.11-h1 to 10.1.6-h6.

Saw the same auto commit errors as @RREALICA.

It did not seem possible to SSH into CLI as admin (to check RAID status) until the system completed the auto commit. 

L0 Member

We also ran into the same issue on an HA Active/Passive pair of PA-5220s. Our upgrade path was 9.1.14-h4 -> 10.0.11-h1 -> 10.1.8. We noticed on the dashboard that HA was down, and also all of the interfaces showed down and not configured. In Tasks we were getting the Auto Commit failure repeatedly with details of:

configured traffic quota of 0 MB is less than the minimum 32 MB.
Invalid configuration. Please fix errors and try again.

 

Our uptime was 87 minutes when the Auto Commit finally completed. Once that was done everything appeared to be working as expected. Only one firewall in the pair had this happen, the other upgraded in a normal time window (15ish minutes).

 

As a note, you can check on RAID with cli command: show system raid detail

A pair of PA-5250 10.0.11-h1 -> 10.1.6-h6 took ~67 mins per device.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!