01-26-2022 02:34 AM
Hi, I did a factory reset and upgraded my PA-220 to 9.1.12-h3. Installed device certificate and licenses. No interface, no policys, just a clean firewall. Connected successfully it to my Panorama 10.1.3-h31 and successfully made an import. When doing an export I get:
Validation Error:
import -> network -> logical-router unexpected here
import -> network is invalid
Commit failed
Have tried different approach but get the same results what ever I do. Deas anyone have an idea what to do?
Thanks
/Jan P.
01-30-2022 11:56 PM
I had similar issue with my PA- 3260 in 9.1.11 and Panorama in 10.1.3-h1. I upgraded the firewall to 10.0.7 and the issue got fixed. Luckily the firewall was not production one. I was staging that.
02-07-2022 04:38 AM
Hi all, I got an answer from TAC that it is a conflict between 9.1.x and 10.x with the new "<logical-router/>".
The workaround i got was:
> configure
# delete import network
# commit
So, first export(not push+commit), then the delete + commit. This did work for me.
01-27-2022 05:32 AM
It seems to be related to this :
set import network logical-router
I'm on a PA-220 running 9.1.12-h3 and Panorama 10.1.3-h1
I had the exact same issue. I can remove that line and then push the config locally, but not from panorama.
I've been through the whole remove from Panorama, re-import to panorama and try to send device group and template again but I can't make it comply so I'm going to try to upgrade the 220 to 10.0.x
I have heard tell that it would better to downgrade panorama to 10.0.x but I can't do that for operational reasons.
01-27-2022 05:52 AM
Thanks for your answer. I will try to remove that line and see if I got better luck, otherwice I guess an upgraded to 10.x.x is next step.
Please let me know if the upgrade solved the problem.
01-30-2022 11:56 PM
I had similar issue with my PA- 3260 in 9.1.11 and Panorama in 10.1.3-h1. I upgraded the firewall to 10.0.7 and the issue got fixed. Luckily the firewall was not production one. I was staging that.
01-31-2022 05:19 AM
I waiting for respons from support but to me it looks like it is that Panorana 10.1.3.x adding "<logical-router/>" to the template but the firewall does not recognize that line. But, we´ll see what they say when the come back to me.
02-07-2022 04:38 AM
Hi all, I got an answer from TAC that it is a conflict between 9.1.x and 10.x with the new "<logical-router/>".
The workaround i got was:
> configure
# delete import network
# commit
So, first export(not push+commit), then the delete + commit. This did work for me.
02-10-2022 06:45 PM
Do you know what this command does? I have implemented as per direction. It was imported successfully but brought all the site to site tunnels down after force push template. The error on the site to site tunnel was for authentication. I had to reconfigure the pre-shared key again after importing firewalls. I did import 2 firewalls and it was exactly the same case. Firewalls are on 9.1.x and panorama on 10.1.4h2.
I believe command is deleting more than we need.
02-11-2022 12:33 AM
Hi, I don´t know exact what this command does but my firewall did not have any configuration that could be deleted. Previous, with another firewall I had the same experience that a force push did delete all pre-shared keys but I never found the reason why.
03-30-2022 01:45 AM
Hi
Was there any impact due to this change?
Thanks
03-30-2022 05:37 AM
Hi, not for me. It did work without any problems.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
