Commit not working in passive firewall


When I commit on the active firewall, I am able to commit.

When I commit on the passive firewall, it shows "Error: config push error".

However, I don't need to push the configuration on the passive firewall; I'm doing this because my HA sync is having an issue.

Please let me know your comments.

Accepted Solutions

Guys,

I have fixed the issue. I ran show management-clients on the CLI of the passive firewall, and it displayed the clients running.

I found '*' on the device client. I tried to restart the management-server and devsrvr, but it didn't restart the device client process.

So I restarted the secondary box, and then it got fixed. If your issue is on the primary box, fail over to the secondary and try it.

After committing to both firewalls, the HA issue is fixed and the configurations are synced now.


Hey @Venkatesan_radhakrishnan

 

Certainly odd. What PAN-OS version are you on?

 

The management-server log will have more information on why this failed. If you do the following and paste the output we may be able to see why:

 

> show jobs all

 

Grab the ID of the commit that failed

 

> less mp-log ms.log

 

Press the "/" key to start searching, type the Job-ID of the failed commit and copy the relevant commit logs.

 

8.1.1

 

Model 3020

Hey @Venkatesan_radhakrishnan

 

Just an FYI, PAN-OS 8.1.1 isn't recommended. No version of PAN-OS 8.1 is at the moment but I would certainly recommend running 8.1.4-h2 if you have to run PAN-OS 8.1.

 

Likely an upgrade will fix it, or, as a less service-impacting option, you can try a restart of the management-server on the passive (not service affecting): "debug software restart process management-server".

 

Where are those management-server logs 😉

 

 

I will share the management logs soon 

2018-11-01 10:06:59.594 +0400 dnscfgmod: Added fqdn resolved ips to config /opt/pancfg/mgmt/devices/localhost.localdomain/.refreshed-candidate.xml

2018-11-01 10:07:00.226 +0400 client routed reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:00.237 +0400 client ha_agent reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.429 +0400 client ikemgr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.504 +0400 client dhcpd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.562 +0400 client varrcvr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:01.718 +0400 client rasmgr reported warning: Warning: tunnel tunnel.100 ipv6 is not enabled. IPv6 address will be ignored!

(Module: rasmgr)

2018-11-01 10:07:01.719 +0400 client rasmgr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.162 +0400 client websrvr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.208 +0400 client sslmgr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.308 +0400 client authd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.315 +0400 client satd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.347 +0400 client pppoed reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.457 +0400 client dnsproxyd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.515 +0400 client cryptod reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.727 +0400 client l2ctrld reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:02.856 +0400 client cord reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:04.757 +0400 client sslvpn reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:04.970 +0400 client logrcvr reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:10.138 +0400 client device reported error: Error: config push error

(Module: device)

2018-11-01 10:07:10.139 +0400 client device reported Phase 1 FAILED

2018-11-01 10:07:10.940 +0400 client useridd reported Phase 1 was SUCCESSFUL

2018-11-01 10:07:10.940 +0400 All client have responded for validate.

2018-11-01 10:07:10.940 +0400 Client:device has P1 error reported

2018-11-01 10:07:10.940 +0400 Error:  pan_mgmt_client_table_do_commit(pan_cfg_commit_jobs.c:3743): phase 1 failed

2018-11-01 10:07:10.950 +0400 EDL cfg(0x2a35000, 0) Releasing candidate EDLs of type IP

2018-11-01 10:07:10.950 +0400 EDL cfg(0x2a35000, 0) Releasing candidate EDLs of type Domain

2018-11-01 10:07:10.950 +0400 EDL cfg(0x2a35000, 0) Releasing candidate EDLs of type URL

2018-11-01 10:07:10.952 +0400 Error:  pan_cfg_commit_to_local_device(pan_cfg_commit_handler.c:3223): Validate failed

2018-11-01 10:13:06.945 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:13:08.905 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:15:00.290 +0400 Checking to purge appstatdb logtype

2018-11-01 10:19:53.205 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:19:55.057 +0400 client dagger reported op command was SUCCESSFUL

2018-11-01 10:19:55.299 +0400 template config file /opt/pancfg/mgmt/template/template-config.xml doesn't exist

2018-11-01 10:19:55.299 +0400 Could not find last pushed template, returning empty template config tree

2018-11-01 10:19:55.312 +0400 client l2ctrld reported op command was SUCCESSFUL

2018-11-01 10:21:47.578 +0400 client cryptod reported op command was SUCCESSFUL

2018-11-01 10:21:47.674 +0400 Error:  pan_cfg_mgr_get_sp_disabled(pan_cfg_mgr.c:7283): failed to fetch: NO_MATCHES

2018-11-01 10:21:48.105 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:21:48.917 +0400 client cryptod reported op command was SUCCESSFUL

2018-11-01 10:21:49.004 +0400 Error:  pan_cfg_mgr_get_sp_disabled(pan_cfg_mgr.c:7283): failed to fetch: NO_MATCHES

2018-11-01 10:21:49.425 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:30:00.692 +0400 Checking to purge appstatdb logtype

2018-11-01 10:33:33.955 +0400 client authd reported op command was SUCCESSFUL

2018-11-01 10:36:14.977 +0400 dnscfgmod: FQDN Refresh: Periodic TTL Expiry Refresh

2018-11-01 10:36:14.977 +0400 dnscfgmod: Main refresh function: (TTL Expiry)

2018-11-01 10:36:14.978 +0400 dnscfgmod:Fqdn refresh job 6360 scheduled

2018-11-01 10:36:14.978 +0400 FqdnRefresh job started processing. Dequeue time=2018/11/01 10:36:14

2018-11-01 10:36:19.750 +0400 dnscfgmod: Resolving fqdns took 5 secs

2018-11-01 10:36:19.750 +0400 Fqdn refresher thread device requested last config

2018-11-01 10:36:20.203 +0400 Warning:  pan_hash_init(pan_hash.c:112): nbuckets 100 is not power of 2!

2018-11-01 10:36:20.203 +0400 Warning:  pan_hash_init(pan_hash.c:112): nbuckets 100 is not power of 2!

2018-11-01 10:36:20.203 +0400 shm alloc(read-only) 'pan_shm_base' size 104172048

2018-11-01 10:36:20.950 +0400 dnscfgmod: Fqdn pijepkm.work/pijepkm.work could not be resolved

2018-11-01 10:36:20.950 +0400 dnscfgmod: Fqdn vfpurtshsphuwqulm.pw/vfpurtshsphuwqulm.pw could not be resolved

2018-11-01 10:36:20.950 +0400 dnscfgmod: Fqdn ruuvsgbaxbh.work/ruuvsgbaxbh.work could not be resolved

2018-11-01 10:36:20.951 +0400 dnscfgmod: Fqdn smtp.office365.com/smtp.office365.com not used

2018-11-01 10:36:20.951 +0400 dnscfgmod: Fqdn ppa.adnoc/ppa.adnoc.ae not used

2018-11-01 10:36:29.632 +0400 client device reported error: Error: config push error

(Module: device)

2018-11-01 10:36:29.633 +0400 client device reported Phase 1 FAILED

2018-11-01 10:36:29.633 +0400 Error:  pan_cfg_refresh_deviceconfig(pan_cfg_commit_jobs.c:3177): phase 1 failed  cstate:6 -  verify:0

2018-11-01 10:36:29.634 +0400 Error:  pan_dnscfg_force_refresh_fqdns_after_fail(pan_cfg_dnscfg.c:3813): Trying to refresh fqdn job after the first retry.Not allowed.

2018-11-01 10:36:29.690 +0400 Error:  pan_cfg_dnscfg_refresh_fqdns(pan_cfg_dnscfg.c:4418): Failed to refresh the fqdn.

2018-11-01 10:36:29.757 +0400 Error:  pan_jobmgr_process_job(pan_job_mgr.c:3228): Fqdn Refresh job failed

mailclient: Socket timeout. host=172.16.0.33
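
The ms.log review suggested in the replies above, as an added example that is not part of the original thread: a Python sketch that scans an exported ms.log for commit Phase 1 results and pairs each failing management client with the error it logged. The function name and regexes are this example's own, and the line format is assumed to match the excerpt pasted above.

```python
import re

# Line shapes assumed from the ms.log excerpt pasted in this thread.
TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})"
RESULT = re.compile(TS + r" client (\S+) reported Phase 1 (was SUCCESSFUL|FAILED)")
ERROR = re.compile(TS + r" client (\S+) reported error: (.*)")


def phase1_report(lines):
    """Return (ok_clients, failures) for the Phase 1 results found in lines.

    Each failure carries the most recent error text the same client logged,
    so the failing daemon and its reason come out together.
    """
    ok, failures, last_error = [], [], {}
    for line in lines:
        # search(), not match(): pager residue such as "99%" may precede the timestamp
        err = ERROR.search(line)
        if err:
            last_error[err.group(2)] = err.group(3).strip()
            continue
        res = RESULT.search(line)
        if not res:
            continue  # continuation lines like "(Module: device)" and unrelated entries
        ts, client, outcome = res.groups()
        if outcome == "FAILED":
            failures.append({"time": ts, "client": client,
                             "error": last_error.pop(client, None)})
        else:
            ok.append(client)
    return ok, failures


# Sample lines copied from the log excerpt posted in this thread.
SAMPLE = """\
2018-11-01 10:07:00.226 +0400 client routed reported Phase 1 was SUCCESSFUL
2018-11-01 10:07:01.718 +0400 client rasmgr reported warning: Warning: tunnel tunnel.100 ipv6 is not enabled. IPv6 address will be ignored!
(Module: rasmgr)
2018-11-01 10:07:01.719 +0400 client rasmgr reported Phase 1 was SUCCESSFUL
2018-11-01 10:07:10.138 +0400 client device reported error: Error: config push error
(Module: device)
2018-11-01 10:07:10.139 +0400 client device reported Phase 1 FAILED
2018-11-01 10:07:10.940 +0400 client useridd reported Phase 1 was SUCCESSFUL
2018-11-01 10:36:29.632 +0400 client device reported error: Error: config push error
2018-11-01 10:36:29.633 +0400 client device reported Phase 1 FAILED
"""

if __name__ == "__main__":
    ok, failures = phase1_report(SAMPLE.splitlines())
    print(f"{len(ok)} clients passed Phase 1")
    for f in failures:
        print(f"{f['time']}  {f['client']}: {f['error']}")
```

A client that fails Phase 1 repeatedly while every other client succeeds, as `device` does here, points at that one process rather than at the candidate configuration.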
