Failed to commit policy to device after downgrading 10.0.0

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Failed to commit policy to device after downgrading 10.0.0

L2 Linker

Hi All,

 

We are trying to downgrade from 10.0.6 to 9.1.15. After we downgrade to 10.0.0 first , the auto commit have error. It mention failed to commit policy to device. Do anyone have go through the same problem? My suggestion is we just downgrade to 9.1.15 since we already in base version 10.0.

 

 

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @Momoj ,

 

In my experience, this happens occasionally if the firewall does not convert the configuration correctly between versions.  If you open the task manager and look at the details for the auto-commit, you should be able to see the exact commit error so that you can fix it.  It usually is a syntax error that can be fixed in the GUI or the CLI by adding or removing a specific parameter or just deleting and re-adding the specific piece of configuration.

 

My guess is that you will get the same auto-commit error in 9.1.15.  So, I would fix it.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @TomYoung,

 

Alright, I understand. I already take a look at the details for auto commit. Its only mention failed to commit policy to device and I also can see some warning related to certificate( Eg. is configured with no certificate profile. Please select a certificate profile for performing server certificate validation)

 

 

Cyber Elite
Cyber Elite

Hi @Momoj ,

 

I understand.  An auto commit failure with no error message is very difficult to troubleshoot. 

 

Normally warnings do not impact the commit, but I ran across this doc -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPRPCA4&lang=en_US%E2%80%A... with the same error that you have (different warning).  That solution was to fix the warning.  The only time I have seen a certificate profile warning is for EDLs -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLdlCAG, and these warnings normally do not cause the commit to fail.

 

I also see that auto commits can fail due to bugs, dynamic update mismatches, etc.  So, it may not be a config issue.

 

  1. Try a "commit force" on the CLI to see if it fixes it.
  2. Open a TAC case.

If you still feel like doing it on your own, you could remove the config with the warning and commit force or look through the ms.log file to see if you can find the reason for the commit failure -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG.

 

Sorry that I can't provide a quick fix,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 2891 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!