Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-29-2013 11:56 PM
Hi All,.
PAN OS 4.1.11 and we are using user id feature,.. is this is due to bug in this release for "high management CPU utilization" ?
What is error "management server failed to send phase 1 abort to client logrcvr" and "management server failed to send phase 1 client ssl VPN" ?
due to this i am unable to do any changes in my firewall,...kindly help me to understand this,..
Regards,
Gururaj
08-30-2013 12:06 AM
I guess the commits are failing. Right ?
I would say those processes ( logrcvr and ssl VPN) are failing.
What PAN OS version is it ?
Can you paste the output of -
>show management-clients
08-30-2013 12:20 AM
We also see this problem on a system with a lot of vsys'es on 4k series. The problem is the lack of resources on the mgmt plane. The main cause of the issue is the fact that the device needs to log /a lot/ of traffic, which takes up all the resources.
In our case, the best solution would be to buy new hardware. What platform and version do you have? Is the box doing user-ID of needs to log a lot of traffic?
08-30-2013 12:29 AM
I would say it is due to bug in 4.1.11. If the commits are failing then restarting the management server will fix it.
If you check the system resources, the management server will be running high.
To check system resources -
>show system resources follow.
To restart the management server
> debug software restart management-server.
However restarting the management-server might reboot the device. It is a very very rare situation. Just a heads up.
08-30-2013 01:43 AM
[24;1H [K [?1l >Ravi@INBASEZFR01(active)> show management-clients
[?1h = [24;1H [K
Client PRI State Progress
-------------------------------------------------------------------------
routed 30 P2-ok 100
ha_agent 25 P2-ok 100
device 20 P2-ok 100
ikemgr 10 P2-ok 100
keymgr 10 init 0 (op cmds only)
logrcvr 10 P2-ok 100
dhcpd 10 P2-ok 100
varrcvr 10 P2-ok 100
l3svc 10 P2-ok 100
sslvpn 10 P2-ok 100
rasmgr 10 P2-ok 100
useridd 10 P2-ok 100
websrvr 10 P2-ok 100
sslmgr 10 P2-ok 100
authd 10 P2-ok 100
pppoed 10 P2-ok 100
dnsproxyd 10 P2-ok 100
cryptod 10 P2-ok 100
dagger 10 init 0 (op cmds only)
[24;1H [K [7mlines 1-23 [27m [24;1H [24;1H [KOverall status: P2-ok. Progress: 0
Warnings:
Errors:
device: VSYS1
device: vsys1: Rule 'Social_media_access' application dependency warning:
device: Application 'facebook-chat' requires 'jabber' be allowed, but 'j
abber' is denied in Rule 'Chat Blocking'
device: vsys1: Rule 'Facebook_access' application dependency warning:
device: Application 'facebook-chat' requires 'jabber' be allowed, but 'j
abber' is denied in Rule 'Chat Blocking'
device: vsys1: Rule 'Gtalk_Access' application dependency warning:
device: Application 'google-talk-base' requires 'jabber' be allowed, but
'jabber' is denied in Rule 'Chat Blocking'
device: vsys1: Rule 'HR_Facebook_allow' application dependency warning:
device: Application 'facebook-chat' requires 'jabber' be allowed, but 'j
abber' is denied in Rule 'Chat Blocking'
device: Security Policy:
device: - Rule 'DMZ_Trust' shadows rule 'DMZ to Trust for Internal ADFS'
device: - Rule 'Social_media_access' shadows rule 'Microsoft_app_sprinklr_ac
cess'
device: (Module: device)
08-30-2013 02:05 AM
Was the above output taken when the commit failed ?
When you look at the output of 'show management-clients', it will indicate the process that failed phase 1 with an * next to it. You can then look at that process to see why its failing.
08-30-2013 02:14 AM
Hi Harsha,.
While doing the commit i was unable login to CLI using SSH,..may be because of high management CPU utilization. This output taken after commit is failed with error mentioned in this discussion.
Regards,
Gururaj
08-30-2013 02:27 AM
Hello Gururaj
> show system resources follow
Then hit Shift + m ( can you paste this output).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
