- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
02-05-2018 08:48 AM
Happens alot depending on what you are modifying in the regions; generally throws a parsing issue. The default-regions entries are hidden and they can get weird when you start adding custom regions. Generally running 'debug device-server reset id-manager type vsys-region' will cause the issue to resolve itself.
02-05-2018 08:51 AM
I was asked by TAC if i was using regions and I have been for some time and it never caused an issue upgrading before so i was just curious if anyone else had seen this issue.
02-06-2018 02:41 AM
've seen one instance where the region object was not created properly and a region was added directly into a security policy instead of through an object, which then caused an issue after the upgrade.
this was fixed by properly creating the region object and adding that to the security policy
02-06-2018 06:46 AM
I have had regions configured for sometime and it has never been an issue before but TAC thinks it might be a possiblity.
02-07-2018 09:57 AM
When you bring up autocommit failures I almost always start looking at the regions, and to a lesser extent the security policies in general to verify everything carried over correctly. It's easier if you are looking directly at the XML file, easier yet if you generate a tech-support file and take a look at the mergesp.xml file that actually includes the default stuff you usually don't see if you just take a look at the running-config.xml
02-08-2018 12:09 PM
what is it in the configuration that tells that it is a custom region and not a builit in one?
02-08-2018 12:27 PM
Easy, the running-config.xml isn't going to have anything but your custom regions. It doesn't actually display any of the built-in regions. Same on the GUI, you'll only have the custom regions shown under objects, not the defaults.
There really isn't a great easy way to see both the custom and the built-in on the same config file unless you dig through the Technical Support file and go into the mergesp.xml file. Everything that is built by you as a custom region will be where you would expect to see it in the running-config; however this file also includes everything that's been predefined by Palo Alto, including the regions.
02-08-2018 12:34 PM
I can tell that there is a custom region because I can see one under object/regions but I can't tell the custom ones from the built-in one on the security policies.
02-08-2018 12:38 PM
Are you trying to get rid of it or something? That's the issue when you step on built-in groups, there really isn't a way of specifying the "US" that you made or the "US" that is included by default. If this is a group that you are actually looking to maintain I would change it to something like "US-Custom" or "US-Specified" or something like that; get it away from matching the predefined entry and you shouldn't ever experiance the issue again.
02-08-2018 12:45 PM
I am trying to make sure we don't repeat the same issue we had before where someone accidentally created Brazil as a custom region, deleted it and the rule associated with it,then later created a new rule with the region Brazil back in it again. That what is causing my autocommit to fail.
So if I change the name of the current custom region US to US-Custom will I be able to see the built-in rule again?
02-08-2018 01:10 PM
Yes. The only thing to watch on this will be all of your policies that reference "US" will change to "US-Custom" and you'll need to go back and change them to the pre-defined "US" instead. Then you'll be able to remove the "US-Custom" object and everything should commit like normal.
02-08-2018 01:15 PM
I think that is what I need to do and clean it all up, then i could delete the custom US region,run the CLI command "debug device-server dump idmgr type vsys-region all" and then do my upgrade.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!