New periodic alert: Configuration size 19MB is above 80% of the maximum recommended configuration size 23MB for the platform.


L3 Networker

Dear all,

 

For a couple of days I've been getting alerts like:

Configuration size 19MB is above 80% of the maximum recommended configuration size 23MB for the platform. Please consider removing unused configuration

 

I removed all old auto saved configs after upgrades, and the config size looks ok:
> show management-server last-committed config-size
392261 bytes

 

What seems to be strange is the size of the candidate configs;

> show management-server candidate config-size
20213190 bytes

 

Apparently there is no way to delete these, except maybe TAC getting root access.

 

Did anyone else see this and find a solution?

 

Regards

   Andreas

43 REPLIES


@robertsmyth wrote:

I'm on 11.1.5 and getting this error message on my PA-820.... very frustrating, I've cleared out any unused configuration items and it's still the same, I don't believe that our config is particularly complicated either.  Naturally I'm not willing to remove any ones that are in operation so what are we to do? I don't see that we should downgrade to V10.2 again utter nonsense so a workaround is needed...


It's an issue still on 11.1.6-h10 on the PA-850, the current preferred release for the 11.1 feature release, and the only feature release with Standard support in a month (10.2 loses Standard support as of Aug 27, 2025). Downgrading to 10.2 is not an option for full Standard support, and Limited support is barely support at all.

Glad ths


@idelconsulting wrote:

Without any warranty:

 

Check first if the commands are available. Not sure in which version they were added:

 

find command keyword max-config-size
debug management-server max-config-size set size <1-500>
debug management-server max-config-size show

 

Should be self-explanatory

 

One command to check the current size and the other to change it.

Size for the set size command is in MByte

 

I set the size for my PA-820 to 35 MB and so far no issues.

 

Regards,

    Andreas


Glad this works, but we really need TAC-supported guidance.


@idelconsulting wrote:

Without any warranty:

 

Check first if the commands are available. Not sure in which version they were added:

 

find command keyword max-config-size
debug management-server max-config-size set size <1-500>
debug management-server max-config-size show

 

Should be self-explanatory

 

One command to check the current size and the other to change it.

Size for the set size command is in MByte

 

I set the size for my PA-820 to 35 MB and so far no issues.

 

Regards,

    Andreas


This fix needs to be made permanent and not a debug work-around not blessed by Palo TAC. This work-around does not persist through reboots.

Still producing errors after recommended fix (debug management-server max-config-size set size 24)

 

Alert: Configuration size 23MB is above 90% of the maximum recommended configuration size 24MB for the platform. Please remove unused configuration.

 

user@PA850>  show system info | match sw-v
sw-version: 11.1.6-h10

 

user@PA850> show management-server last-committed config-size

859623 bytes

user@PA850> show management-server candidate config-size

24366648 bytes

user@PA850> debug management-server max-config-size show

Max config size(Bytes):25165824
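
The numbers in the output above can be checked against the alert text with a short script. This is an added example, not part of any post in the thread and not Palo Alto tooling; it assumes "MB" in the alert means MiB truncated to a whole number, uses the 80% and 90% thresholds from the alert messages, and the `max_override` parameter and function names are hypothetical.

```python
import re

MIB = 1024 * 1024  # assumption: "MB" in the alert means MiB (24 MB -> 25165824 bytes)

# Constructed input: the CLI output quoted in the thread (PA-850, 11.1.6-h10).
SAMPLE = """\
user@PA850> show management-server last-committed config-size

859623 bytes

user@PA850> show management-server candidate config-size

24366648 bytes

user@PA850> debug management-server max-config-size show

Max config size(Bytes):25165824
"""

def parse_sizes(transcript):
    """Return byte counts keyed 'last-committed', 'candidate' and 'max'."""
    sizes, pending = {}, None
    for line in transcript.splitlines():
        cmd = re.search(r"show management-server (last-committed|candidate) config-size", line)
        size = re.fullmatch(r"\s*(\d+) bytes\s*", line)
        limit = re.search(r"Max config size\(Bytes\):\s*(\d+)", line)
        if cmd:
            pending = cmd.group(1)          # next "<n> bytes" line belongs to this command
        elif size and pending:
            sizes[pending], pending = int(size.group(1)), None
        elif limit:
            sizes["max"] = int(limit.group(1))
    return sizes

def alert_level(size_bytes, max_bytes):
    """Highest threshold from the alert texts (80 or 90 percent) exceeded, else None."""
    pct = 100 * size_bytes / max_bytes
    return 90 if pct > 90 else 80 if pct > 80 else None

def report(transcript, max_override=None):
    """Map each config to (whole MiB, alert level); max_override replaces the parsed limit."""
    s = parse_sizes(transcript)
    limit = max_override or s["max"]
    return {k: (s[k] // MIB, alert_level(s[k], limit))
            for k in ("last-committed", "candidate") if k in s}

if __name__ == "__main__":
    print(report(SAMPLE))                         # limit as set by "set size 24"
    print(report(SAMPLE, max_override=31457280))  # limit reported after PAN-281721
```

On this sample the candidate size, not the last-committed size, reproduces the "23MB is above 90% of 24MB" alert, and the same candidate size falls below both thresholds against the 31457280-byte limit reported later in the thread.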

 

 

L0 Member

We have just upgraded from PanOS 10.2 to PanOS 11.1.6-h14 and now we are seeing this error on our PA-820 / PA-850 as well. We use Panorama in our environment.

 

Does anyone have any information on how this affects the PA-820 / PA-850?

 

Does it make the PA-820 / PA-850 randomly crash and reboot? Has anyone experienced any issues with their PA-820 / PA-850 since upgrading to PanOS 11.1 that is related to this error?


Sure we can increase the config size threshold with the command "debug management-server max-config-size set xx" but that's just masking the issue if the hardware is truly having trouble with a configuration that is bigger than 23MB.

 

I too have also opened a TAC case about this and as usual they have no clear answer to this error and no real answer as to how this will affect the PA-820 / PA-850. They only recommended to use the "debug management-server max-config-size set xx" to increase the threshold to 30MB in our situation. Again, this is only masking the issue if their initial recommended config size threshold is 23MB.

 

This is what Palo Alto TAC provided as a work around for this error that we are getting (HERE).

L1 Bithead

Hi there, there's no real solution that I'm aware of and I believe that increasing the config size is only a temporary fix that reverts on a reboot. I increased my config max size to 27mb as I was constantly getting messages (current actual config size is 24Mb). It has never caused an issue, no reboots and no crashes. I've also since increased the amount of processing that the PA-820 is doing as I now have two external internet connections and two distinct separate internet networks passing through it without any issues. I'm currently running 11.1.5 and I have to admit I'm reluctant to upgrade the OS until there is better guidance from Palo Alto on this issue, I'm rather wary!

We started getting this when we moved our PA-850s from 10.2.x to 11.1.6-h10. We've recently moved to 11.1.6-h14 and continue to receive this event on all 5 PA-850 units. No Panorama in use. Two pairs of the 5 are in HA configuration, so that doesn't appear to be a factor of being configured for HA or not.

 

Even if we use the "debug management-server max-config-size set size XX" (e.g. 25) we still get alarms. Also, the "debug management-server max-config-size set size" command doesn't survive reboots, so it must be set each time, and doesn't appear to help anyway.

I don't feel that our config is that large either. There is nothing we're going to delete from it either as every object, object group, policy, etc., are all required for operations.

 

Regardless of the alarm, units are perfectly stable in a very sensitive 24/7 OT environment. We have config edits a couple times a month max, and then no changes for many months.

 

While yes running those commands is more like a band aid that gets ripped off upon reboot, we haven't really had any issues with our firewalls, we are on 11.1.6-h## and no issues from what we have seen. We just apply the band aid fix every time we upgrade to suppress the alerts. 

 

The article you provided was what Arrow (3rd Party Support) provided us at the beginning, but then when we actually reviewed the full config and noticed all the IOT's and other junk that Palo Alto was injecting, that is when we had to escalate our ticket, went back/forth with Palo Alto, that is when they provided the Band aid fix.

 

Originally Palo Alto insisted we needed new firewalls & tried to sell us new units, when the current ones we are on are good until 2029. Even with new units they recommended the max config size isn't that much larger, we weren't on board as no one could confirm that Palo Alto won't inject more stuff to the config, and we'll be on the same boat a few years later.

 

So far with our current firewall, we haven't had any issues & the config size is a bit over the limit now with everything Palo Alto injected (our config for those firewalls is very slim, it's the fluff from Palo Alto that takes it up mostly).

 

 

L3 Networker

Did anyone try 11.1.6-h17?

 

I see the following in the release notes:

 

PAN-281721
Fixed an issue where the firewall generated high-severity system alerts indicating that the configuration size exceeded the maximum recommended size, even when the configuration size was within the expected limits.

Also 11.1.10-h4 includes the same fix

L3 Networker

After upgrading to 11.1.10-h4:

 

debug management-server max-config-size show

Max config size(Bytes):31457280

 

Looks like the default is now 30 MB

L3 Networker

PAN-281721 is the real fix. It's in 11.1.6-h17 or 11.1.10-h4, both released in early Sept, 2025. Confirmed this changes the max-config-size value to 31457280.

Yes, I've confirmed 11.1.6-h17 fixes it as advertised. Also 11.1.10-h4.
