What is error "management server failed to send phase 1 abort to client logrcvr" and "management server failed to send phase 1 client ssl VPN" ?

Hi All,.

PAN OS 4.1.11 and we are using user id feature,.. is this is due to bug in this release for "high management CPU utilization" ?

What is error "management server failed to send phase 1 abort to client logrcvr" and "management server failed to send phase 1 client ssl VPN" ?

due to this i am unable to do any changes in my firewall,...kindly help me to understand this,..

Regards,

Gururaj

8 REPLIES 8

I guess the commits are failing. Right ?

I would say those processes ( logrcvr and ssl VPN) are failing.

What PAN OS version is it ?

Can you paste the output of -

>show management-clients

We also see this problem on a system with a lot of vsys'es on 4k series. The problem is the lack of resources on the mgmt plane. The main cause of the issue is the fact that the device needs to log /a lot/ of traffic, which takes up all the resources.

In our case, the best solution would be to buy new hardware. What platform and version do you have? Is the box doing user-ID of needs to log a lot of traffic?

I would say it is due to bug in 4.1.11. If the commits are failing then restarting the management server will fix it.

If you check the system resources, the management server will be running high.

To check system resources -

>show system resources follow.

To restart the management server

> debug software restart management-server.

However restarting the management-server might reboot the device. It is a very very rare situation. Just a heads up.

[24;1H [K [?1l >Ravi@INBASEZFR01(active)> show management-clients

[?1h = [24;1H [K

Client PRI State Progress

-------------------------------------------------------------------------

routed 30 P2-ok 100

ha_agent 25 P2-ok 100

device 20 P2-ok 100

ikemgr 10 P2-ok 100

keymgr 10 init 0 (op cmds only)

logrcvr 10 P2-ok 100

dhcpd 10 P2-ok 100

varrcvr 10 P2-ok 100

l3svc 10 P2-ok 100

sslvpn 10 P2-ok 100

rasmgr 10 P2-ok 100

useridd 10 P2-ok 100

websrvr 10 P2-ok 100

sslmgr 10 P2-ok 100

authd 10 P2-ok 100

pppoed 10 P2-ok 100

dnsproxyd 10 P2-ok 100

cryptod 10 P2-ok 100

dagger 10 init 0 (op cmds only)

[24;1H [K [7mlines 1-23 [27m [24;1H [24;1H [KOverall status: P2-ok. Progress: 0

Warnings:

Errors:

device: VSYS1

device: vsys1: Rule 'Social_media_access' application dependency warning:

device: Application 'facebook-chat' requires 'jabber' be allowed, but 'j

abber' is denied in Rule 'Chat Blocking'

device: vsys1: Rule 'Facebook_access' application dependency warning:

device: Application 'facebook-chat' requires 'jabber' be allowed, but 'j

abber' is denied in Rule 'Chat Blocking'

device: vsys1: Rule 'Gtalk_Access' application dependency warning:

device: Application 'google-talk-base' requires 'jabber' be allowed, but

'jabber' is denied in Rule 'Chat Blocking'

device: vsys1: Rule 'HR_Facebook_allow' application dependency warning:

device: Application 'facebook-chat' requires 'jabber' be allowed, but 'j

abber' is denied in Rule 'Chat Blocking'

device: Security Policy:

device: - Rule 'DMZ_Trust' shadows rule 'DMZ to Trust for Internal ADFS'

device: - Rule 'Social_media_access' shadows rule 'Microsoft_app_sprinklr_ac

cess'

device: (Module: device)

Was the above output taken when the commit failed ?

When you look at the output of 'show management-clients', it will indicate the process that failed phase 1 with an * next to it. You can then look at that process to see why its failing.

Hi Harsha,.

While doing the commit i was unable login to CLI using SSH,..may be because of high management CPU utilization. This output taken after commit is failed with error mentioned in this discussion.

Regards,

Gururaj

Hello Gururaj

> show system resources follow

Then hit Shift + m ( can you paste this output).

"debug software restart core yes process log-receiver"

11825 Views
8 replies
0 Likes

Like what you see?