03-13-2023 10:09 AM
Hello,
I'm struggling with the integration of new devices. After many tries, I finally removed the new devices, but 2 of the other firewalls can't commit anymore:
When I try to push to devices, I get the following error: "Failed to generate selective push configuration. Last in-sync configuration for the device is from a different version, selective push is not supported. Please try a full push."
What is a full push by the way?
In the summary page the status is:
- both devices of the device group are connected
- shared policy is "out of sync Panorama pushed version :360"
- template is "out of sync Panorama pushed version :331"
I've tried, from Setup > Operation, to "export or push device config bundle" on these specific devices using version 331.
The load works fine, then I commit to Panorama, which is also fine.
But pushing to devices fails for template and device group.
What would be the next step to recover a valid configuration that won't disturb the service on the firewalls?
03-28-2023 03:00 AM
Hi there,
this is a known problem and will be fixed in the upcoming version 10.2.4. Check this article for the workaround provided by Palo:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGFFCA2
04-27-2023 08:13 AM
What is a full push by the way?
When you commit and push the configuration, there are 2 options, as mentioned below.
Selecting option 1 is a full push.
1. Commit And Push All Changes - If you select this, it is a full push.
2. Commit And Push Changes Made By: - If you select this, it pushes changes by individual users.
04-27-2023 08:39 AM
A full push will send the existing configuration from the Panorama to all firewalls without any changes.
If there is a Panorama OS Upgrade the full push will update the XML structure that is used in the new OS Version on the firewalls. The push still will not change anything related to the configuration.
06-28-2023 11:15 AM
When I try to do their workaround - Commit And Push All Changes - my commit and push button is grayed out.
06-30-2023 02:57 AM
Hi @Aimee ,
Make sure it's not a permission issue (can your user perform this action?).
Check if Device State shows as connected under Panorama > Managed Devices > Summary section.
Seems obvious but make sure there's a Push Scope to push to... if there isn't then edit the selections and select the Device Group/Template to push to.
If all else fails, you can try restarting the mgmt server process.
Kind regards,
-Kim.
07-19-2023 08:11 PM
Issue still exists in 10.2.4-h3. Was told to move to 10.2.4-h3 to avoid the issue, no luck.
07-20-2023 10:50 AM
Same. Currently running 10.2.4-h2 and this is still happening.
07-26-2023 07:43 PM
Any update on this? I'm having the issue after upgrading firewalls to 10.2.4-h2. 3 out of 10 firewalls: 2 PA-220s and 1 PA-820.
07-27-2023 05:23 AM
This is happening to our entire deployment. Panorama and log collectors are on 10.2.4h2 and all firewalls attached are at 10.1.8. Full push never helps.
07-27-2023 07:21 AM
Still no update from my Case or SAM team on this one. A full push should resolve the issues but only temporarily. For us right now we have to do a full push about every 3 or so commit/pushes. It sucks. I believe I see the issue and have relayed it to TAC. The safety feature of forcing a full push when something is over 100 revs off is taking into account items that are in a disconnected state. When I look at my required full push, everything that is labelled as out of sync and in need of a push are items that are either Disconnected or not fully managed by Panorama.
07-27-2023 08:21 AM
I downgraded to Software Version 10.2.3-h4 and I don't have the issue anymore.
07-27-2023 08:24 AM
Try downgrading to Version 10.2.3-h4 if you can. (I don't know what version your firewalls are running.) I don't have the issue anymore after moving to 10.2.3-h4.
07-27-2023 08:26 AM
Does it matter what version the firewalls are on? I thought it had to do with what version Panorama was running. Firewalls are on 10.1.8 and Panorama and log collectors are on 10.2.4h2
07-27-2023 08:54 AM
It should just be the version of Panorama, and for me it seems to be with 10.2.4 code. Was on 10.2.3, no issues; moved to 10.2.4, issue started. Was told by TAC the issue was resolved in 10.2.4-h3; they even have it posted as a resolved issue in the Release notes. Issue still persists. It seems like 10.2.4 should just be avoided if you are able to, especially if you have a large Palo footprint and a lot of people making changes in Panorama.