Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Management server failed to send phase 1 to client sslvpn

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Management server failed to send phase 1 to client sslvpn

L2 Linker

Hi All, Commit is getting failed on only Active unit while pushing it from Panorama.

 

Commit Failed from Panorama

Error : Management server failed to send phase 1 to client sslvpn

 

Commit is failing only on Active unit while commit is successful on passive unit.

Device Details:

Panorama : M-500 PAN-OS : 9.1.8

Firewall : PA-5060 PAN-OS : 8.1.18

 

From Firewall : 

adm(active)> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
routed 30 init 0
ha_agent 25 init 0
device 20 init 0
ikemgr 10 init 0
keymgr 10 init 0 (op cmds only)
logrcvr 10 init 0
dhcpd 10 init 0
varrcvr 10 init 0
sslvpn 10 init 0
rasmgr 10 init 0
useridd 10 init 0
satd 10 init 0
websrvr 10 init 0
sslmgr 10 init 0
authd 10 init 0
pppoed 10 init 0
dnsproxyd 10 init 0
cryptod 10 init 0
dagger 10 init 0 (op cmds only)
l2ctrld 10 init 0
cord 10 init 0

Overall status: init. Progress: 0

 

From Panorama:

adm> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
ha_agent 25 P2-ok 100
sslmgr 10 P2-ok 100
authd 10 P2-ok 100
cryptod 10 P2-ok 100
dagger 10 init 0 (op cmds only)
cord 10 P2-ok 100
logd 10 init 0 (op cmds only)
reportd 10 init 0 (op cmds only)
useridd 10 P2-ok 100

Overall status: P2-ok. Progress: 0

6 REPLIES 6

Cyber Elite
Cyber Elite

Hello @Ankit1Singh

 

to drill down root cause could you check logs from CLI:

 

Panorama: tail follow yes mp-log configd.log
FW: tail follow yes mp-log devsrv.log
 
Typically logs from these files can reveal more details than the error displayed in GUI. Also, both Panoramas as well as Firewall have outdated PAN-OS. If there is a chance, I would recommend to upgrade both.
 
Kind Regards
Pavel
Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hi @Ankit1Singh ,

 

Could you run the CLI command "show system software status | match sslvpn" and confirm the process is running?  If not, you can restart the process with the CLI command "debug software restart process sslvpn".  Then commit again.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thank you TomYoung for the reply.

Command need to run or Panorama or the managed firewall?

Also restarting sslvpn process cause any traffic impact?

 

Below logs from firewall might help to identify the issue.

2023-08-28 00:59:43.454 -0700 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
load cache is successful
2023-08-28 00:59:43.512 -0700 Get tdb_only from last committed config
2023-08-28 00:59:43.512 -0700 No Any content change
2023-08-28 00:59:43.512 -0700 TDB compilation done, return 0
2023-08-28 01:00:05.601 -0700 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2023-08-28 01:00:05.603 -0700 Error: pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
2023-08-28 01:00:06.404 -0700 Config commit phase1 abort
2023-08-28 01:00:06.404 -0700 tdb compile flag is still up, abort thread wait 1 second
2023-08-28 01:00:06.416 -0700 Error: cfgagent_modify_callback(pan_cfgagent.c:84): Modify string (sw.mgmt.runtime.clients.device.err) error: USER (1)
2023-08-28 01:00:07.404 -0700 tdb compile flag is still up, abort thread wait 1 second

 

Cyber Elite
Cyber Elite

Hi @Ankit1Singh ,

 

Please run the commands on the managed NGFW.  The commit is failing there.  As long as you have not reverted the configuration, the Panorama pushed configuration is still part of the candidate configuration.  You can still try to commit it.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

I tried with the mgmt-server restart but still it is failing with the same error.

-------debug software restart process management-server---------

I believe restarting mgmt-server will restart all the process including sslvpn.

 

 

debug software restart process sslvpn ---- will hit be helpful now?

If I run this command will it impact live traffic?

 

Thank you for your reply!!!!

  • 2077 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!