failed to generate selective push

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

failed to generate selective push

L0 Member

Hello,

 

I'm struggling with the integration of new devices, after many tries, I finally removed the new devices, but 2 of the other firewall can't commit anymore :

when I try to push to devices, I've got the following error "Failed to generate selective push configuration. Last in-sync configuration for the device is from a different version, selective push is not supported. Please try a full push."

 

What is a full push  by the way?

 

In summary page the status is :

- both devices of the device group are connected

- shared policy is "out of sync Panorama pushed version :360"

- template is "out of sync Panorama pushed version :331"

 

I've tried from Setup> Operation, to "export or push device config bundle" on these specific devices using version 331".

the load is working fine, then I commit to Panorama, which is also fine.

But pushing to devices fails for template and device group.

 

What would be the next step to recover a valid configuration that won't disturb the service on the firewalls ?

 

43 REPLIES 43

Well the issue is still an issue in 10.2.3-h4. And I see another user posted it is still apparently an issue in 10.2.6.. Is there a true bug fix in any of these revisions?

Editing to add that I still have the issue with my firewalls. It appeared to have gone away, but started again. And on top of the selective push issue, Panorama will say a push completed, the firewall will say the push completed, but when you look for the changes in the firewall, they do not exist. Then you have to do a push to devices to force the push.
I decided to downgraded to 10.2.3-h4 and I don't have the issue anymore. I can commit and push without any errors. But my firewalls are on 10.1.10 build, so I was able to downgrade Pano without having any issues.

L1 Bithead

Just downgraded to 10.2.3h4 and we are not having this issue anymore.  Thanks for the advice folks.

L0 Member

Interesting thread. I am too experiencing this issue and am running 10.2.4. (Still no update from my Case or SAM team on this one. A full push should resolve the issues but only temporarily. For us right now we have to do a full push about every 3 or so commit/pushes. It sucks, I believe I see the issue and have relayed it to TAC. The safety feature of forcing a full push when something is over 100 revs off is taking into account items that are in a disconnected state. When I look at my required full push, everything that is labelled as out of sync and in need of a push are items that are either Disconnected or not fully managed by Panorama). <- this is an interesting remark. I have a couple of firewalls in this scenario where customers have delegated rights and neglect to inform us of key activities resulting in firewalls being in a semi decommissioned state. Will open a case with PANW and update the thread (if there is anything positive to report)  just in case others are still facing this issue, but housekeeping is my next tactical approach as downgrading is not an option open to me.

L2 Linker

For those that are sticking with 10.2.4 The workaround from Tac didn't work. This though does work but it is still not a proper selective push. Without Fail we have been able to do pushes to specific firewalls but you still have to select the all Admins section. This is the only way we can consistently make pushes with out a failure and being asked to do a Full Push. Not a great work around but it has been working for us so far, since you can still do a selective commit.

Confirmed. This indeed does work. Commit (Full Option) then Edit Selection of which NGFWs need to be device-pushed via commit cycle. Note Commit and Push does not work. Thanks all. 

L0 Member

This behaviour still existing in 10.2.4-h3 where I could observe this closely post upgrading from 10.1.6-h6 to 10.2.4-h3. TAG creations, user account creation (related template config ) able to push to devices from panorama but not device group related config like object/service/policy creation etc....

PaloAlto mentioned PAN-217053 addressed in 10.2.4-h3 but it is not real. I would also recommend the guys who need to avoid 10.2.4-h3 version if you plan for upgradation. I still yet to hear the answer from TAC team who still in the process of analysing TSFs and TAC checking internally with engineering team and so on....

L1 Bithead

Got hit by this several times so far in 10.2.4-h2, hoping there's a hotfix soon

L1 Bithead

Solution that worked for me.... Select "Push All Changes" instead of "Push Changes Made By".

You can still edit the selections to push only to a single Template or Device Group.

L2 Linker

I would suggest anyone on 10.2.4 that is hitting this issue open a TAC case. I just had a call with a Root Engineer and they did the following.

 

1. Removed the corrupt file /opt/pancfg/mgmt/audit/cfg-audit.xml,v
2. From cli, ran debug md5sum_cache clear (this is to force gen all DG/TPL configs so their versions will get updated)
3. Did commit force which recreated the cfg-audit.xml,v
4. Did full push to firewalls and verified versions are getting updated on Panorama with a couple of commits.
5. Did a selective push to one of the firewall and verified the selective push is working.

 

So far we have not hit an issue with doing selective pushes. It has only been a day so far but my fingers are crossed.

Thank you for the detail.  Can you share how you discovered /opt/pancfg/mgmt/audit/cfg-audit.xml,v was corrupted?  Was there any adverse impact from deleting the file and clearing the cache?

TAC Engineer figured it out. My case got pretty high up the ladder because I was putting a lot of pressure on my SAM team to figure it out. The only issues we experienced was Panorama ended up crashing when we tried to do the first mass push. I would suggest a reboot of Panorama after the file delete by TAC is completed. We are still running without any issues. I am pretty confident that this is the solution to the issue.

I'm having the same issue after upgrading the Panorama to 10.2.5.

Workaround:

First, do a full push.

Second, do a partial push, and it will work. But this is really annoying, and not good in a production environment.

 

I will raise a case with the TAC and see if it could be fixed.

 

 

I've tried doing a full push following by partial pushes and continue to receive the error message "Failed to generate selective push configuration. Last in-sync configuration for the device is from a different version, selective push is not supported. Please try a full push."

 

Did TAC respond with any guidance?

L1 Bithead

We just ran into this as well - Panorama is running 10.2.6 and the firewall we were pushing to where we saw the issue is currently running 10.1.8-h2. Going into Pano and doing a "Push to Devices" > "Push All Changes" vs trying to just push a single user's changes seems to be the workaround.

  • 50941 Views
  • 43 replies
  • 3 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!