This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

Unable to revert local changes to aggregate interface

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Unable to revert local changes to aggregate interface

GGarolla
L1 Bithead

‎10-14-2022 08:05 AM

Hello all,

I have an issue with a couple of HA Palo Alto firewalls managed by Panorama.

I was doing some tests for LACP and I overrode the configuration of an aggregate interface enabling LACP. Then I disabled it again from the firewall GUI (not from Panorama - so I overrode my previous override, I think).

 

The problem is that now, when I try the revert button, I obtain the following error: "member cannot be deleted because of references from:
network -> virtual-router -> vr -> routing-table -> ip -> static-route -> default -> interface"
I tried the following KB but it did not help (I also did not modify the virtual router configuration at all): Unable to Revert the Interface Config to Panorama Pushed Config - Knowledge Base - Palo Alto Network...

However I noticed that the VR has also the override symbol near the name, even though I did not change it.

 

What can I do to remove the override and have Panorama push the templates again?

 

Firewalls are running PAN-OS 9.1.14-h4.

 

Many thanks!

1 person had this problem.
0 Likes Likes
3 REPLIES 3

dmifsud
L3 Networker

‎10-15-2022 02:04 PM

You can use "Force Template Values" to replace the overrides.

Panorama Commit Operations (paloaltonetworks.com)

 

Check the warning text on the above page, as you need to be really sure before using this option.

 

- DM

Sr. Technical Support Engineer, Strata
0 Likes Likes

GGarolla
L1 Bithead
In response to dmifsud

‎10-17-2022 01:44 AM

Thanks for your response.

Is there a way to quickly check all the values that are currently overriden in the running configuration?

If I select the option "Force Template Values" from Panorama, shall I disable also "Merge with candidate configuration"?

0 Likes Likes

nohash4u
L3 Networker
In response to GGarolla

‎05-28-2026 07:53 AM

@GGarolla reviving this thread as I ran into a similar issue during a recent change window (on eth1/1 instead of an AE int). I too attempted the troubleshooting steps outlined in the KB article you shared to no avail. Unfortunately, forcing template values was not a viable solution as there were other overrides on the HA pair that I needed to keep as is to avoid causing an outage or inducing loss of management access. I did resolve the issue through the following: 

 

  1. Modifying the static route that referenced the interface in question by changing the next-hop parameter. In my case it was the default route for the VR. I set the next-hop interface to none. While doing this I also had to redefine all other attributes in the static route, however, I was able to click ok once this change was made. 
  2. After removing the reference to eth1/1 in the VR I was able to successfully revert the local override on eth1/1 itself. 
  3. Once eth1/1 was reverted I was able to revert the VR itself (thus ensuring the default route remains intact). 
  4. Finally, I validated and committed the change locally. 

In short, it seem there is a dependency loop between the interface you need to revert, and a static route (in my case) defined on the VR. Note that this process must be done locally on both units in the HA pair. 

0 Likes Likes
  • 3823 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks