Management server failed to send phase 1 to client sslvpn


L2 Linker

Hi All, the commit is failing only on the Active unit when pushing it from Panorama.

 

Commit Failed from Panorama

Error : Management server failed to send phase 1 to client sslvpn

 

Commit is failing only on Active unit while commit is successful on passive unit.

Device Details:

Panorama : M-500 PAN-OS : 9.1.8

Firewall : PA-5060 PAN-OS : 8.1.18

 

From Firewall : 

adm(active)> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
routed 30 init 0
ha_agent 25 init 0
device 20 init 0
ikemgr 10 init 0
keymgr 10 init 0 (op cmds only)
logrcvr 10 init 0
dhcpd 10 init 0
varrcvr 10 init 0
sslvpn 10 init 0
rasmgr 10 init 0
useridd 10 init 0
satd 10 init 0
websrvr 10 init 0
sslmgr 10 init 0
authd 10 init 0
pppoed 10 init 0
dnsproxyd 10 init 0
cryptod 10 init 0
dagger 10 init 0 (op cmds only)
l2ctrld 10 init 0
cord 10 init 0

Overall status: init. Progress: 0

 

From Panorama:

adm> show management-clients

Client PRI State Progress
-------------------------------------------------------------------------
ha_agent 25 P2-ok 100
sslmgr 10 P2-ok 100
authd 10 P2-ok 100
cryptod 10 P2-ok 100
dagger 10 init 0 (op cmds only)
cord 10 P2-ok 100
logd 10 init 0 (op cmds only)
reportd 10 init 0 (op cmds only)
useridd 10 P2-ok 100

Overall status: P2-ok. Progress: 0


Cyber Elite

Hello @Ankit1Singh

 

To drill down to the root cause, could you check the logs from the CLI:

 

Panorama: tail follow yes mp-log configd.log
FW: tail follow yes mp-log devsrv.log
 
Typically, logs from these files can reveal more details than the error displayed in the GUI. Also, both Panorama and the firewall have an outdated PAN-OS. If there is a chance, I would recommend upgrading both.
 
Kind Regards
Pavel
Help the community: Like helpful comments and mark solutions.

Cyber Elite

Hi @Ankit1Singh ,

 

Could you run the CLI command "show system software status | match sslvpn" and confirm the process is running?  If not, you can restart the process with the CLI command "debug software restart process sslvpn".  Then commit again.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Thank you TomYoung for the reply.

Does the command need to be run on Panorama or on the managed firewall?

Also, will restarting the sslvpn process cause any traffic impact?

 

Below logs from firewall might help to identify the issue.

2023-08-28 00:59:43.454 -0700 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
load cache is successful
2023-08-28 00:59:43.512 -0700 Get tdb_only from last committed config
2023-08-28 00:59:43.512 -0700 No Any content change
2023-08-28 00:59:43.512 -0700 TDB compilation done, return 0
2023-08-28 01:00:05.601 -0700 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2023-08-28 01:00:05.603 -0700 Error: pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
2023-08-28 01:00:06.404 -0700 Config commit phase1 abort
2023-08-28 01:00:06.404 -0700 tdb compile flag is still up, abort thread wait 1 second
2023-08-28 01:00:06.416 -0700 Error: cfgagent_modify_callback(pan_cfgagent.c:84): Modify string (sw.mgmt.runtime.clients.device.err) error: USER (1)
2023-08-28 01:00:07.404 -0700 tdb compile flag is still up, abort thread wait 1 second
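
Added example, not part of the thread and not Palo Alto Networks tooling: a small Python triage script that reads management-plane log text in the format posted above and lists the "Error:" entries logged shortly before each "Config commit phase1 abort". The function names and the 5-second window are assumptions chosen for illustration; the sample lines are copied from the post above.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the firewall log excerpt posted in the thread.
SAMPLE_LOG = """\
2023-08-28 00:59:43.512 -0700 TDB compilation done, return 0
2023-08-28 01:00:05.601 -0700 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2023-08-28 01:00:05.603 -0700 Error: pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
2023-08-28 01:00:06.404 -0700 Config commit phase1 abort
2023-08-28 01:00:06.416 -0700 Error: cfgagent_modify_callback(pan_cfgagent.c:84): Modify string (sw.mgmt.runtime.clients.device.err) error: USER (1)
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) ([+-]\d{4}) (.*)$")
ERROR_RE = re.compile(r"^Error: (\w+)\(([\w.]+):(\d+)\): (.*)$")


def parse(text):
    """Return (timestamp, message) pairs; lines without a timestamp are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S.%f %z")
            events.append((ts, m.group(3)))
    return events


def errors_before_abort(text, window_seconds=5):
    """List Error entries logged within window_seconds before each phase1 abort."""
    events = parse(text)
    findings = []
    for i, (abort_ts, msg) in enumerate(events):
        if "commit phase1 abort" not in msg:
            continue
        earliest = abort_ts - timedelta(seconds=window_seconds)
        for ts, prev in events[:i]:  # only entries logged before the abort
            m = ERROR_RE.match(prev)
            if m and ts >= earliest:
                findings.append({
                    "function": m.group(1),
                    "source": f"{m.group(2)}:{m.group(3)}",
                    "message": m.group(4),
                    "seconds_before_abort": round((abort_ts - ts).total_seconds(), 3),
                })
    return findings


if __name__ == "__main__":
    for f in errors_before_abort(SAMPLE_LOG):
        print(f)
```

The entries it returns are candidates to raise with support or compare against known issues, not a confirmed root cause.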

 

Cyber Elite

Hi @Ankit1Singh ,

 

Please run the commands on the managed NGFW.  The commit is failing there.  As long as you have not reverted the configuration, the Panorama pushed configuration is still part of the candidate configuration.  You can still try to commit it.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

I tried with the mgmt-server restart but still it is failing with the same error.

-------debug software restart process management-server---------

I believe restarting mgmt-server will restart all the processes, including sslvpn.

 

 

debug software restart process sslvpn ---- will it be helpful now?

If I run this command will it impact live traffic?

 

Thank you for your reply!!!!
