failed to generate selective push

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

failed to generate selective push

L0 Member

Hello,

 

I'm struggling with the integration of new devices, after many tries, I finally removed the new devices, but 2 of the other firewall can't commit anymore :

when I try to push to devices, I've got the following error "Failed to generate selective push configuration. Last in-sync configuration for the device is from a different version, selective push is not supported. Please try a full push."

 

What is a full push  by the way?

 

In summary page the status is :

- both devices of the device group are connected

- shared policy is "out of sync Panorama pushed version :360"

- template is "out of sync Panorama pushed version :331"

 

I've tried from Setup> Operation, to "export or push device config bundle" on these specific devices using version 331".

the load is working fine, then I commit to Panorama, which is also fine.

But pushing to devices fails for template and device group.

 

What would be the next step to recover a valid configuration that won't disturb the service on the firewalls ?

 

40 REPLIES 40

L0 Member

Hi there,

 

this is a known problem and will be fixed in the upcoming version 10.2.4. Check this article for the workaround provided by palo:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGFFCA2 

 

What is a full push  by the way?

When you commit and push the configuration there are 2 options  as mention below.

Select the option 1 is full push

1. Commit And Push All Changes - If you select this is full push 
2. Commit And Push Changes Made By: - If you select this is changes push by individual users.

1.PNG

L0 Member

A full push will send the existing configuration from the panorama to all firewalls without any changes.

If there is a Panorama OS Upgrade the full push will update the XML structure that is used in the new OS Version on the firewalls. The push still will not change anything related to the configuration. 

When I try to do their workaround - Commit And Push All Changes - my commit and push button is grayed out.

Community Team Member

Hi @Aimee ,

 

Make sure it's not a permission issue (your user can perform this action ?)

Check if Device State shows as connected under Panorama > Managed Devices > Summary section.

Seems obvious but make sure there's a Push Scope to push to... if there isn't then edit the selections and select the Device Group/Template to push to.

 

If all else fails, you can try restarting the mgmt server process.

 

Kind regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Issue still exists in 10.2.4-h3. Was told to move to 10.2.4-h3 to avoid the issue, no luck.

L1 Bithead

Same.  Currently running 10.2.4-h2 and this is still happening.

L0 Member

Any update on this?  I'm having the issue after upgrading firewalls to 10.2.4-h2.  3 out of 10 firewalls.  2 PA-220's and 1 PA-820.

L1 Bithead

This is happening to our entire deployment.  Panorama and log collectors are on 10.2.4h2 and all firewalls attached are at 10.1.8.  Full push never helps.  

L2 Linker

Still no update from my Case or SAM team on this one. A full push should resolve the issues but only temporarily. For us right now we have to do a full push about every 3 or so commit/pushes. It sucks, I believe I see the issue and have relayed it to TAC. The safety feature of forcing a full push when something is over 100 revs off is taking into account items that are in a disconnected state. When I look at my required full push, everything that is labelled as out of sync and in need of a push are items that are either Disconnected or not fully managed by Panorama.

I downgraded to Software Version 10.2.3-h4 and I don't have the issue anymore.

Try downgrading to Version 10.2.3-h4 if you can. (I don't know what version your firewalls are running) I don't have the issue anymore after moving to 10.2.3-h4.

L1 Bithead

Does it matter what version the firewalls are on?  I thought it had to do with what version Panorama was running.  Firewalls are on 10.1.8 and Panorama and log collectors are on 10.2.4h2

It should just be the version of Panorama and for me it seems to be with 10.2.4 code. Was on 10.2.3 no issues, moved to 10.2.4 issue started, was told by TAC the issue was resolved in 10.2.4-h3 they even have it posted as a resolved issue in the Release notes. Issue still persists. It seems like 10.2.4 should just be avoided if you are able to, especially if you have a large Palo footprint and a lot of people making changes in Panorama.

  • 35831 Views
  • 40 replies
  • 3 Likes
  • 29 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!