Errors and commit warnings after 11.1.2-h3 upgrade


L0 Member

Hi,

If anyone could shed some light on the issue below, it would be greatly appreciated. Since upgrading my PA-440 to 11.1.2-h3 (preferred version), I am seeing the following two issues:

1. Every 5 minutes, there is a system log error:
Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com

 

2. After committing changes to the firewall, the following is observed:
Configuration committed successfully
Local configuration size: 174 KB
Predefined configuration size: 17 MB
Merged configuration size(local, panorama pushed, predefined): 18 MB
Maximum recommended merged configuration size: 35 MB (51% configured)

Anyone else experiencing these issues or have some kind of idea what has happened or how to fix it?

 

Thanks,

G

8 REPLIES

L1 Bithead

Same issue here. Upgraded from 10.2.8-h3 to 11.1.2-h3 on a VM series KVM firewall.

 

If ospf router ID changed,it require restart ospf processor(Module: routed)
client routed phase 1 failure
Commit failed
Local configuration size: 7 KB
Predefined configuration size: 17 MB
Merged configuration size(local, panorama pushed, predefined): 18 MB
Maximum recommended merged configuration size: 17 MB (105% configured)
Failed to commit policy to device

L0 Member

Same issue here with the 17MB limit. Need a fix for this asap.

L0 Member

Apart from the limit "issue", can anyone shed some light on the matter of:

Failed to perform task resulting in connection timeout with WildFire Cloud wildfire.paloaltonetworks.com

 

I am losing my mind 🙂

L1 Bithead

I am also seeing this on multiple PA-850s since moving to 11.1.4-h1:

Local configuration size: 429 KB
Predefined configuration size: 18 MB
Merged configuration size(local, panorama pushed, predefined): 20 MB
Maximum recommended merged configuration size: 23 MB (86% configured)

L0 Member

It sounds like you're running into configuration size issues after upgrading to 11.1.4-h1 on the PA-850s. The merged config size being at 86% of the max recommended could definitely be a cause for concern, especially as you continue to push updates or add new policies. Have you tried reaching out to Palo Alto support to see if there's a way to optimize the config? Sometimes there are unused objects or old rules that can be cleaned up to reduce the overall size. Alternatively, it might be worth monitoring it closely and planning for a more efficient setup if you anticipate growth. 

Hi there, thanks for responding! Yes, I believe that's exactly what's going on. I've cleaned up my config, but in looking at what's taking the space, the majority of it is the pre-defined data sent from Palo Alto. I'm hoping they have a way to trim that down; it will be a hard sell to my client to purchase new firewalls. 😞

Have you heard anything back from Palo Alto in regard to trimming the predefined config? We just got hit with a full 1MB change overnight for their predefined config and it is annoying that Palo Alto is doing this. I guess it's their way of forcing people to upgrade, yet their newer firewalls aren't that high in max config size & they can't be straightforward about how much this will increase over the years. I seriously feel like Palo Alto has gone south on their products. We are actively considering moving to another vendor due to this. Our config is very small and we even removed any unused items. Support has gone nowhere for a solution, just stated we should upgrade and yet our firewalls aren't EOL until 2029.

Hi there. Unfortunately, I haven't had a chance to speak with them yet about it, but I'm planning to. I've got 2 clients with PA-850s and PA-220s and all devices are reporting the issue. My suspicion is that it's pre-defined config and dynamically downloaded content like threat signatures, etc, etc. Not sure if anything can be done about that. I will open a case and let you know if I get any good answers.
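
One way to track the commit-time size warning quoted in the posts above across several firewalls, as an added example that is not from any poster or from Palo Alto: it parses the four size lines and reports headroom and how much of the merged config is predefined content. The function names and the 80% warning threshold are assumptions made for this example.

```python
import re

WARN_PCT = 80  # assumed alert threshold for this example, not vendor guidance

_SIZE = re.compile(
    r"^\s*(Local|Predefined|Merged|Maximum recommended merged) configuration size"
    r"[^:\n]*:\s*(\d+(?:\.\d+)?)\s*(KB|MB)(?:\s*\((\d+)% configured\))?", re.M)
_KEYS = {"Local": "local_mb", "Predefined": "predefined_mb",
         "Merged": "merged_mb", "Maximum recommended merged": "max_mb"}

def parse_commit_sizes(text):
    """Return the four sizes in MB plus the percentage the firewall reported."""
    out = {}
    for label, value, unit, pct in _SIZE.findall(text):
        out[_KEYS[label]] = float(value) / (1024 if unit == "KB" else 1)
        if pct:
            out["reported_pct"] = int(pct)
    missing = sorted(set(_KEYS.values()) - out.keys())
    if missing:
        raise ValueError(f"commit output is missing: {missing}")
    return out

def assess(text, warn_pct=WARN_PCT):
    s = parse_commit_sizes(text)
    # Prefer the reported figure: the MB values shown are rounded (18/17 -> 106, not 105).
    pct = s.get("reported_pct", round(100 * s["merged_mb"] / s["max_mb"]))
    status = "over-limit" if pct >= 100 else "warn" if pct >= warn_pct else "ok"
    return {"status": status, "pct": pct,
            "headroom_mb": s["max_mb"] - s["merged_mb"],
            "predefined_share": round(s["predefined_mb"] / s["merged_mb"], 2),
            "commit_failed": "Commit failed" in text}

# Commit output copied from two posts in this thread.
KVM_OUTPUT = """Commit failed
Local configuration size: 7 KB
Predefined configuration size: 17 MB
Merged configuration size(local, panorama pushed, predefined): 18 MB
Maximum recommended merged configuration size: 17 MB (105% configured)
Failed to commit policy to device"""
PA850_OUTPUT = """Local configuration size: 429 KB
Predefined configuration size: 18 MB
Merged configuration size(local, panorama pushed, predefined): 20 MB
Maximum recommended merged configuration size: 23 MB (86% configured)"""

if __name__ == "__main__":
    for name, text in (("VM-Series KVM", KVM_OUTPUT), ("PA-850", PA850_OUTPUT)):
        print(name, assess(text))
```

Logging the result after each commit and content update gives a trend of how quickly the predefined portion is consuming the remaining headroom.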
