Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Import devices configuration into Panorama stucked at 99% since last 48 hours

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Import devices configuration into Panorama stucked at 99% since last 48 hours

L3 Networker

We are import PA5220 firewall backup ( selecting import shared object)  into Panorama VM , but stucked at 99% since last 48 hours.

 

If we unselect import shared object , job is completing in minutes. But while selecting shared object option its taking time.

There are 16000 objects in PA5220 firewall. 

What could be the reason for slowness in import job ?

Is it because of object counts or Panorama resource ?

6 REPLIES 6

Cyber Elite
Cyber Elite

@Deepak_K,

That almost sounds like something got hung up on the job. An import shouldn't take 48 hours to complete. I would reach out to TAC on this if the issue is reproducible and have them gather logs and troubleshoot it. 

L1 Bithead

Hello,

I am having the same issue.

We tried to import a PA-5250 with up to 40 000 objects and job stayed at 99%.

No error, no warning and no indication in config.log and ms.log.

It stays at 99% for more than 4 hours, and when we tried to cancel the job ... we couldn't. the message said: "Cannot stop job 21531 at this time".

 

So contacted TAC, and after several log investigation, we decided to restart the management server to clear the job, and attempt the device configuration import again. And agan it stays at 99%.

The thing is that the job is not hunged or in error. Looks like it works in the background but no clues on what it doing.

May be we should let it run for several hours due to the high number of objects ?

 

TAC is investigating the issue.

 

L4 Transporter

Hi

 

We have recently hit the same issue, I wonder what version of code you had during this problem? 

I would assume that that you could just make the imported firewalls standalone again (at this point they are not actually in Panorama) and then restart the management server on the Panorama, I appreciate this was a while ago now but could you share any info that TAC provided?

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

It was on 9.1.6. We didn't get any solution from the TAC case.

Instead, we let the import job run for at least 48hours 😉 and it completed sucessfully.

 

My apology for the delay in responding.

Best,

L4 Transporter

Hello all,

 

I remember, there is a new documented behavior (I reviewed the KB) about some commit taking a long time due to a check during the commit.

But I don't think this was in PAN-OS 9.1.

 

Need to check on Monday, I will update the post.

Update: my bad, the KB is about the number of rules (not the number of objects), and it started from 10.1

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

L2 Linker

Hi All,

I also encountered the same issue yesterday. Just to share the workaround (without waiting 40+ hours) hope it helps.

 

  1. Under the Panorama tab > Managed Devices > Summary, delete the serial number of the firewall which you tried to import the configurations.
  2. In the Panorama CLI run the command debug software restart process management-server
  3. At the Panorama task manager check the import job status will show failed. This will not have impact to the firewall operations.
  4. Redo the onboarding of the firewall and import the configurations, this time ensure "import devices' shared objects into Panorama's shared context" is not enabled. If need to move the objects into the shared context use the Expedition migration tool or load partial commands to do the moving of the objects from firewall device group to shared device group.

 

 

  • 4277 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!