04-19-2021 07:24 AM - edited 04-19-2021 07:27 AM
Hi, I'm brand new to PA firewalls. I have a new pair of 3220s in active-passive HA. This is not in production. We are using them to learn on and, hopefully, later in the year move to production, replacing an active-passive Cisco ASA.
I have two 10 Gbps fiber links to both our core switches in an MLAG at the switch (so it looks like a redundant LAG). That's plenty of bandwidth, so we want to trunk all our internal networks back here. The outside will come in from the load balancers' output to a switch where we can pick off an Ethernet cable to each 3220, in time of course.
So I create an ae1 interface out of ethernet/19 and 20. The main interface is going to be "LAN", the ae1.20 subinterface is tagged VLAN 20 "DMZ", and the ae1.21 subinterface is tagged VLAN 21 "DMZ2", for now at least. I incorrectly made this a layer 2 interface; I need IPs on each of these and need to make it layer 3 to do a little routing too. So I go to change it, and every time I try to commit, it says commit failed. I found an online KB article on how to look up the reason in the logs if the web UI does not indicate why it failed. Here are the last few lines of the log file...
2021-04-19 10:19:49.936 -0400 NTDB-vif_create_increment_script: 0 sec
runtime error
File write for /tmp/.tMZlAq refused
runtime error
xsltApplyStylesheet: forbidden to save to /tmp/.tMZlAq
runtime error
File write for /tmp/.Jkn2O0 refused
runtime error
xsltApplyStylesheet: forbidden to save to /tmp/.Jkn2O0
2021-04-19 10:19:50.753 -0400 kill SIGUSR1 to pid 0
2021-04-19 10:19:50.753 -0400 Sending phase_abort to DP
2021-04-19 10:19:50.754 -0400 Error: cfgagent_modify_callback(pan_cfgagent.c:94): Modify string (sw.mgmt.runtime.clients.device.err) error: USER (1)
2021-04-19 10:19:50.774 -0400 Phase_abort to DP done, Setting ctrl state to IDLE
2021-04-19 10:19:50.774 -0400 Config commit phase1 failed
2021-04-19 10:19:50.774 -0400 Deleted alt data in redis
2021-04-19 10:19:50.774 -0400 No need to sync base ids in cfg
2021-04-19 10:19:50.774 -0400 devsrvr only commit failed, phase_abort skipped , after SIGTERM, set config to idle
2021-04-19 10:19:51.015 -0400 Error: bool_modify_callback(pan_cfgagent.c:112): Modify boolean (sw.mgmt.runtime.clients.device.p1done) error USER (1)
Does this shed any light on what's going on?
04-19-2021 07:49 AM - edited 04-19-2021 07:50 AM
I got my changes to commit.
I had to go to the Device > Setup > Operations area and export the candidate configuration. Then, in Notepad++, I deleted a blank <certificates/> line entry and also deleted all the ddns-config that we don't use but that I was forced to configure just to disable it, in order to get past moving an IP off of vlan "vlan".
Then I was able to save this XML, import it, and then load and commit it.
04-22-2021 12:23 AM
That blank certificates line should not be an issue unless it was manually manipulated before (it just indicates where in the config the certificates will get stored).
To completely switch from layer 2 to layer 3, first delete all the L2 configuration: take out the VLAN interface, remove the aggregate config, etc., then rebuild in L3. Otherwise there will be conflicts, because resources are held by other objects.
Whenever you get snagged in configuration issues where you made changes, lost track of what you did, and are unable to fix what is broken, you can go to Device > Setup > Operations > 'Revert to running config', which overwrites your candidate config with the config that is currently running on the dataplane.
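As an added example (not part of the thread, and not Palo Alto Networks code), the script below does in a repeatable way what the earlier reply did by hand in Notepad++ on the exported candidate config: it drops any bare <certificates/> element and every <ddns-config> block, and it also reports which interface entries still carry a <layer2> block, which is the residue the reply above says must be removed before the same interface can be rebuilt as layer 3. The XML inside it is constructed to resemble a PAN-OS export; the real element paths on a PA-3220 may differ, so the searches are by tag name rather than by path. The interface names and the 192.0.2.0/24 address are made up for the example.

```python
"""Clean an exported PAN-OS candidate config before re-import (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample resembling a PAN-OS candidate export; not a real device export.
# 192.0.2.0/24 is the RFC 5737 documentation range.
SAMPLE_CANDIDATE = """<config version="10.0.0">
  <shared><certificates/></shared>
  <devices>
    <entry name="localhost.localdomain">
      <network>
        <interface>
          <aggregate-ethernet>
            <entry name="ae1">
              <layer3>
                <units>
                  <entry name="ae1.20">
                    <tag>20</tag>
                    <ip><entry name="192.0.2.1/24"/></ip>
                    <ddns-config><ddns-enabled>no</ddns-enabled></ddns-config>
                  </entry>
                </units>
              </layer3>
            </entry>
            <entry name="ae2">
              <layer2><units><entry name="ae2.30"><tag>30</tag></entry></units></layer2>
            </entry>
          </aggregate-ethernet>
        </interface>
      </network>
      <vsys>
        <entry name="vsys1">
          <certificates>
            <entry name="keep-me"><subject>CN=keep-me</subject></entry>
          </certificates>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""


def _parent_map(root):
    # ElementTree has no parent pointers; build them once per pass.
    return {child: parent for parent in root.iter() for child in parent}


def strip_elements(root, tag, only_if_empty=False):
    """Remove every element named `tag` below root; return how many were removed.

    With only_if_empty=True an element is dropped only when it has no children,
    no text and no attributes, i.e. a bare <certificates/> placeholder.
    """
    parents = _parent_map(root)
    removed = 0
    for el in list(root.iter(tag)):  # list(): do not mutate while iterating
        if el is root:
            continue
        empty = len(el) == 0 and not (el.text or "").strip() and not el.attrib
        if only_if_empty and not empty:
            continue
        parents[el].remove(el)
        removed += 1
    return removed


def find_layer2_residue(root):
    """Return the names of interface entries that still carry a <layer2> block."""
    parents = _parent_map(root)
    names = []
    for l2 in root.iter("layer2"):
        owner = parents.get(l2)
        if owner is not None and owner.tag == "entry":
            names.append(owner.get("name"))
    return names


def clean_candidate(xml_text):
    """Return (cleaned_xml, summary) for an exported candidate config."""
    root = ET.fromstring(xml_text)
    summary = {
        "empty_certificates_removed": strip_elements(root, "certificates", only_if_empty=True),
        "ddns_config_removed": strip_elements(root, "ddns-config"),
        "layer2_residue": find_layer2_residue(root),
    }
    return ET.tostring(root, encoding="unicode"), summary


if __name__ == "__main__":
    cleaned_xml, info = clean_candidate(SAMPLE_CANDIDATE)
    print(info)
    print(cleaned_xml)
```

Run it against a real export by reading the file into `clean_candidate` instead of `SAMPLE_CANDIDATE`; if `layer2_residue` is not empty, delete those interfaces (and the VLAN interface that references them) before importing and loading the cleaned file, as the reply above advises.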