02-06-2022 02:05 AM
Hello, im experiencing issues with upgradeing my PA220 from 9.1.x to 10.0.0.
The new software installs, but autocommit fails after upgrade.
So i figured i had something in my config that is either changed or not supported in 10.0.0, so i wiped my box clean with
a debug command and booted it up in 9.1.0 without config. Then tried to upgrade to 10.0.0 from CLI. But the autocommit
still failes after removing all the config.
Iv done this before and never had any issue.
Any tips would be welcome!
Thanks!
/MAH
02-06-2022 04:16 PM
Hi @149999mah3 ,
First, you need to lookup the auto-commit in the Task Manager and find the reason for the failure. Typically, it is a config that wasn't correctly reformatted for the new PAN-OS. Then, you can work on fixing the specific error.
Thanks,
Tom
02-06-2022 07:29 PM
Initially if you've been able to reproduce the issue again I'm actually leaning towards content ID minimum versions not being met. What is your Application and Threat content version at when you attempt to do the upgrade, is it at least 8332 or higher?
06-29-2022 07:35 PM
Did you ever resolve this? We are trying to upgrade multiple 220s from 9.1.13 to 10.0.X and it's failing on the auto commit
06-30-2022 07:20 AM
Hi @JoshuaSanders ,
I have been able to resolve all my auto-commit errors through looking up the auto-commit in the Task Manager and finding the reason for the failure. I am either able to fix the syntax error in the CLI or, worst case, modify the HTML and reload.
For your case with multiple upgrades, maybe wait until a newer version of 10.0.X fixes the error.
Thanks,
Tom
06-30-2022 01:58 PM
yeah, the only EDLs we are currently using are the predefined high-risk IPs, bulletproof IPs, that kind of thing and we tried with the most recent flavor of 10.0.10h1. Unfortunately, 10.0 is EOL next month and we are trying to get to 10.1 which you can't do without going through 10.0 first. We aren't using any custom EDLs with strange characters in them. All I'm getting when I look at the task that is failing in the GUI is.
Error: Profile compiler : invalid profile name default
Error: Profile compiler : Global section error
Error: Profile compiler : parsing config error
(Module: device)
Commit failed
Failed to commit policy to device
Back to Google I guess.
07-15-2022 01:32 AM
Yes, the problem was EDLs. So i removed all EDLs from the configuration and it was ok.
Marius
07-15-2022 07:29 AM
Great, thank you. In case anyone else is experiencing the same issue we are, here is our resolution. We were able to resolve our issue by getting a PA engineer (after escalating with 2 others) with root access to the box and delete the .global-fin file under /opt/pancfg/mgmt/global/ from root shell followed by a management server restart. Still no word on why that was necessary. One of the engineers told us that upgrading our FWs through Panorama is not recommended and that they should only be upgraded through the FW UI itself. We aren't sure why that is being suggested since PA specifically refers to upgrading via Panorama in their documentation and are seeking more information on the case.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
