push to devices failed after upgrade to 10.0.6

cancel
Showing results for 
Search instead for 
Did you mean: 

push to devices failed after upgrade to 10.0.6

L1 Bithead

Push to devices failed after upgrade to 10.0.6, we currenty try to push a change on Panorama for a pair of firewalls

running all 10.0.6 , the commit to panorama went well , but after choice the specific device group and template stack we clicked validate to device group and this showed failed, the same for validate for template, we push anyway and we found also a failed push to the pair. 

Prior was working with no issues.

on the system logs we see failed push as well.

any hint?

thank for the ideas to fix.

cordially

jose

 

Security Eng Consultant
1 ACCEPTED SOLUTION

Accepted Solutions

L4 Transporter

Thank you for quick reply @Jose_Espinoza

 

To me it looks like local issue on Firewall rather than issue on Panorama side. I believe you will get the same error even for commit on Firewall locally.

 

There is a KB corresponding to this issue: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNVKCA4

 

As a next step, could you go to Device > High Availability > General > Active/Passive Settings and check setting on both Active / Passive Firewall? Could you try to set both Firewalls to: Shutdown on both Firewalls and commit.

 

Kind Regards

Pavel

Pavel Kucera

View solution in original post

5 REPLIES 5

L4 Transporter

Thank you for posting the issue @Jose_Espinoza

 

Could you please post full failure error? Typically the error message gives further details what prevented validation to succeed. You can re-call last failure from Panorama > Managed Devices > Summary > [Firewall Name] > Shard Policy Last Commit State / Template Last Commit State.

 

Kind Regards

Pavel

Pavel Kucera

hello Pavelk

 

I found the follow from the column SHARED POLICY LAST COMMIT STATE:  Details:
. Validation Error:
. deviceconfig -> high-availability -> group -> mode -> active-passive -> passive-link-state unexpected here
. deviceconfig -> high-availability -> group -> mode -> active-passive is invalid
. Commit failed

From the columm TEMPLATE LAST COMMIT STATE: 

Details:
. Validation Error:
. deviceconfig -> high-availability -> group -> mode -> active-passive -> passive-link-state unexpected here
. deviceconfig -> high-availability -> group -> mode -> active-passive is invalid
. Commit failed

HA status is OK  active/passive by the way on Panorama.

any thoughts?

thank you 

jose

 

Security Eng Consultant

L4 Transporter

Thank you for quick reply @Jose_Espinoza

 

To me it looks like local issue on Firewall rather than issue on Panorama side. I believe you will get the same error even for commit on Firewall locally.

 

There is a KB corresponding to this issue: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNVKCA4

 

As a next step, could you go to Device > High Availability > General > Active/Passive Settings and check setting on both Active / Passive Firewall? Could you try to set both Firewalls to: Shutdown on both Firewalls and commit.

 

Kind Regards

Pavel

Pavel Kucera

View solution in original post

hi there

 

I am runnning 10.0.6 on those pairs, the HA configuration on both is exactly the same, since this pair are in production, I cannot shutdown this pair, looks like local issue rather than a Panorama issue like you mention.

I will look for this later on the week.

thanks

jose

Security Eng Consultant

hello Pavel

 

we finally ran the script on CLI yesterday night and the link-state issue goes away.

we notice that pushing first on Device group make all works, however if you try the push to the device group and template stack will fail.

we checked the link state and sync and all looks good, so we decide to use the follow method>

commit to pano> push to device-group> validate on firewall locally ( works)

second step push to template stack> validate on firewall locally,

after that we monitored the managed devices on Panorama and the column HA status is correct, the shared policy is green with In Sync message and template as well, we also monitor the column: shared policy last commit state and template last commit state and both said : " commit succeded".

 

thanks for your contribution of the KB

cordially

jose

Security Eng Consultant
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!