05-28-2021 09:38 PM
We have firewalls in HA which have 2 virtual systems. A commit and push of policy and objects to vsys1 is failing with the below error message. I can't figure out what is causing this.
05-28-2021 10:02 PM
As per the above error, it seems it is failing due to a duplicate certificate.
Please check the below logs to know the exact reason for the commit failure:
less mp-log ms.log
If the above does not show enough info, please check the below logs:
less mp-log devsrv.log
Regards
05-28-2021 11:56 PM
@MP18 From both logs I see the below, and I don't see a clear reason in either.
Also, the certificate warnings are not new, and the commit issue only happens with device-groups and not the template.
2021-05-28 23:29:00.736 -0700 client device reported error: Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.
(Module: device)
2021-05-28 23:29:00.737 -0700 client device reported Phase 1 FAILED
2021-05-28 23:29:00.737 -0700 Error: pan_mgmt_client_table_do_commit(pan_cfg_commit_jobs.c:3943): phase 1 failed
2021-05-28 23:29:00.738 -0700 client routed reported error: config commit phase 1 aborted(Module: routed)
2021-05-28 23:29:00.738 -0700 Error: _pan_mgmt_client_errors_callback(pan_cfg_commit_jobs.c:827): but there was no outstanding Phase 0/Phase 1/Phase 2. Ignoring - verify: 0
2021-05-28 23:29:00.739 -0700 client ikemgr reported error: panike_daemon phase 1 aborted(Module: ikemgr)
2021-05-28 23:29:00.739 -0700 Error: _pan_mgmt_client_errors_callback(pan_cfg_commit_jobs.c:827): but there was no outstanding Phase 0/Phase 1/Phase 2. Ignoring - verify: 0
2021-05-28 23:29:00.743 -0700 Error: _pan_mgmt_client_errors_callback(pan_cfg_commit_jobs.c:827): but there was no outstanding Phase 0/Phase 1/Phase 2. Ignoring - verify: 0
2021-05-28 23:29:00.744 -0700 Error: pan_cfg_commit_to_local_device(pan_cfg_commit_handler.c:3497): Commit failed
2021-05-28 23:46:17.699 -0700 Config commit for devsrvr only commit
2021-05-28 23:46:17.699 -0700 pan_config_commit is called
2021-05-28 23:46:18.275 -0700 commit config takes 1 sec
2021-05-28 23:46:18.275 -0700 Last committed config saved
2021-05-28 23:46:18.276 -0700 Config commit for devsrvr only commit done
2021-05-28 23:50:15.639 -0700 Config commit phase1 started
2021-05-28 23:50:15.639 -0700 Config commit phase1 try parsing without cfgbuf
2021-05-28 23:50:15.639 -0700 Get tdb_only from last committed config
2021-05-28 23:50:15.639 -0700 Get virus from last committed config
2021-05-28 23:50:15.639 -0700 Get wpc from last committed config
2021-05-28 23:50:15.639 -0700 Get raven from last committed config
2021-05-28 23:50:15.683 -0700 Get custom from last committed config
2021-05-28 23:50:16.921 -0700 Config commit phase1 done
2021-05-28 23:50:16.921 -0700 Config commit for devsrvr only commit
2021-05-28 23:50:16.921 -0700 pan_config_commit is called
2021-05-28 23:50:17.950 -0700 commit config takes 1 sec
2021-05-28 23:50:17.950 -0700 Last committed config saved
2021-05-28 23:50:17.951 -0700 Config commit for devsrvr only commit done
2021-05-28 23:50:22.174 -0700 Config commit phase1 started
2021-05-28 23:50:22.174 -0700 Config commit phase1 try parsing without cfgbuf
2021-05-28 23:50:22.174 -0700 Get tdb_only from last committed config
2021-05-28 23:50:22.174 -0700 Get virus from last committed config
2021-05-28 23:50:22.174 -0700 Get wpc from last committed config
2021-05-28 23:50:22.174 -0700 Get raven from last committed config
2021-05-28 23:50:22.190 -0700 Get wildfire from last committed config
2021-05-28 23:50:22.191 -0700 Get custom from last committed config
2021-05-28 23:50:22.599 -0700 Config commit phase1 done
2021-05-28 23:50:22.599 -0700 Config commit for devsrvr only commit
2021-05-28 23:50:22.599 -0700 pan_config_commit is called
2021-05-28 23:50:23.026 -0700 commit config takes 1 sec
2021-05-28 23:50:23.026 -0700 Last committed config saved
2021-05-28 23:50:23.027 -0700 Config commit for devsrvr only commit done
05-29-2021 06:30 AM
@raji_toor Does a commit only to Panorama work, or does it fail there already? You could also check the config logs for the changes between the last working commit and this failing one - there probably is something which led to this error. I think I once had a problem like this one where a service object was created and in the port field there was a space character. Panorama accepted this object but pushing it to the firewall led to a commit error.
05-29-2021 11:54 PM
@Remo It seems to be a special character; Panorama is accepting it but the firewall does not. But at least I cannot see anything suspicious in the GUI for what was typed. I disabled the last NAT policy I was working on and it is working now.
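Added illustration (not part of any reply in this thread, and not Palo Alto Networks code): the failure mode discussed above, a value Panorama accepts but the firewall rejects because of a stray space or a character the GUI does not show, can be hunted by scanning the leaf values of an exported configuration. The XML is a constructed, simplified sample and the function names `suspicious` and `scan` are hypothetical.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample (not data from this thread): one port has a trailing space,
# one zone name ends in a zero-width space, written as \u200b so it is visible.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="DG-EXAMPLE"><service>
  <entry name="svc-web"><protocol><tcp><port>443</port></tcp></protocol></entry>
  <entry name="svc-app"><protocol><tcp><port>8080 </port></tcp></protocol></entry>
</service><post-rulebase><nat><rules>
  <entry name="nat-out"><to><member>untrust\u200b</member></to></entry>
</rules></nat></post-rulebase></entry>
</device-group></entry></devices></config>"""


def suspicious(text):
    """Reasons a value can look normal in a GUI yet differ from what was meant."""
    reasons = []
    if text != text.strip():
        reasons.append("leading/trailing whitespace")
    for ch in text.strip():
        cat = unicodedata.category(ch)
        # C* = control/format characters, Z* = separators other than a plain space
        if cat.startswith("C") or (cat.startswith("Z") and ch != " "):
            reasons.append(f"invisible character U+{ord(ch):04X}")
    return reasons


def scan(xml_text):
    """Return (path, raw value, reasons) for every suspicious leaf value."""
    findings = []
    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{name!r}]" if name is not None else "")
        if len(elem) == 0 and elem.text:
            reasons = suspicious(elem.text)
            if elem.tag == "port" and " " in elem.text.strip():
                reasons.append("embedded space in port")
            if reasons:
                findings.append((here, elem.text, reasons))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path, value, reasons in scan(SAMPLE_CONFIG):
        print(f"{path}: {value!r} -> {', '.join(reasons)}")
```

Printing each value with `repr` is what exposes the trailing space and the zero-width character that a rendered form field hides.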