Panorama Commit Validation Error



L0 Member

Hello All,

 

I spun up a new ESXi VM appliance for our new secondary Panorama server. After loading the config from our primary server, the errors below are shown. Please note that I have not yet entered the serial number on this server. Maybe that is the cause of the problem?

 

  • Validation Error:
  • devices -> localhost.localdomain -> device-group -> ALLSEGPA-N -> post-rulebase -> security -> rules -> UCS Migration Subnet -> target -> devices -> 013201012162 '013201012162' is not a valid reference
  • devices -> localhost.localdomain -> device-group -> ALLSEGPA-N -> post-rulebase -> security -> rules -> UCS Migration Subnet -> target -> devices is invalid
  • devices -> localhost.localdomain -> device-group -> C7SSIPA-N -> post-rulebase -> security -> rules -> Network Protocols -> target -> devices -> 013201006061 '013201006061' is not a valid reference
  • devices -> localhost.localdomain -> device-group -> C7SSIPA-N -> post-rulebase -> security -> rules -> Network Protocols -> target -> devices is invalid
  • devices -> localhost.localdomain -> device-group -> ALLRSNPA-N -> post-rulebase -> nat -> rules -> 192.168.140.135-in -> target -> devices -> 013201012111 '013201012111' is not a valid reference
  • devices -> localhost.localdomain -> device-group -> ALLRSNPA-N -> post-rulebase -> nat -> rules -> 192.168.140.135-in -> target -> devices is invalid

 

Software Version: 10.1.5 - h2

 

Appreciate your help and response on this matter.

 

Regards,

Earvin

1 REPLY

Cyber Elite

Thank you for the post @EarvinYu

 

When it comes to a secondary Panorama, the only concept that is supported is Panorama HA, where 2 units act in either of the roles: primary-active / secondary-passive. If you built a standalone Panorama as your secondary appliance, the limitation you are going to face is that a managed Firewall can be registered to only a single Panorama set at a time.

 

Regarding the error you posted, it looks like you configured post policy security/nat rules with target Firewalls, and those Firewalls' Serial Numbers are not in the configuration as registered Firewalls. Could you please confirm how you exported / imported the configuration? Based on my experience, a running configuration export includes everything, including all Serial Numbers, and no manual intervention is needed to add Serial Numbers.

Just in case, could you navigate to: Panorama > Setup > Operations > Export named Panorama configuration snapshot, then select: running-config.xml. Do not check: "Select Device Group & Templates". In this way the full configuration will be exported. Edit the configuration file to change the Panorama management interface IP address to the new Panorama (otherwise you will have IP address duplication) and change the name to avoid confusion. Log in to the other Panorama you built and navigate to Panorama > Setup > Operations > Import > Import named Panorama configuration snapshot, then load the configuration by going to: Panorama > Setup > Operations > Load > select file to load, then select only this option: "Retain rule UUID", then perform a commit. After performing this step all configuration will be on a one-to-one basis with your original Panorama.

 

As a closing note, even though I do not know exactly how you ended up in the state where the configuration is imported with missing Firewall Serial Numbers, I believe that adding the Serial Numbers manually will fix the issue. Alternatively, changing your post policy security/nat rules to remove the limit of pushing policies only to target devices should resolve the issue as well.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
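As an added example (not part of this thread or of Palo Alto's own tooling), a pre-import check that reads an exported running-config.xml and lists every rule target serial that is not a registered managed device, so the references Panorama rejects at commit can be found before the import. The XML below is a constructed sample that follows the mgt-config/devices and device-group paths visible in the error messages above; the exact layout of a real export is an assumption here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Panorama running-config.xml (not a real export).
# Registered firewalls live under mgt-config/devices; each rule's target
# references them by serial number from inside a device-group rulebase.
SAMPLE_CONFIG = """<config>
<mgt-config><devices>
<entry name="001000000001"/><entry name="001000000002"/>
</devices></mgt-config>
<devices><entry name="localhost.localdomain"><device-group>
<entry name="DG-A">
<post-rulebase>
<security><rules><entry name="Allowed-Subnet">
<target><devices><entry name="001000000001"/></devices></target>
</entry></rules></security>
<nat><rules><entry name="Inbound-NAT">
<target><devices><entry name="001000000099"/></devices></target>
</entry></rules></nat>
</post-rulebase>
</entry>
</device-group></entry></devices>
</config>"""

RULEBASES = ("pre-rulebase", "post-rulebase")
RULE_TYPES = ("security", "nat")

def dangling_targets(config_xml):
    """Return (device-group, rulebase, rule-type, rule, serial) tuples whose
    target serial is not a registered device. These are the entries that
    fail commit validation with "'<serial>' is not a valid reference"."""
    root = ET.fromstring(config_xml)
    known = {e.get("name") for e in root.findall("./mgt-config/devices/entry")}
    findings = []
    for dg in root.findall("./devices/entry/device-group/entry"):
        for rb in RULEBASES:
            for rt in RULE_TYPES:
                for rule in dg.findall(f"./{rb}/{rt}/rules/entry"):
                    for tgt in rule.findall("./target/devices/entry"):
                        serial = tgt.get("name")
                        if serial not in known:
                            findings.append((dg.get("name"), rb, rt, rule.get("name"), serial))
    return findings

if __name__ == "__main__":
    for f in dangling_targets(SAMPLE_CONFIG):
        print("device-group %s -> %s -> %s -> rules -> %s -> target -> devices -> %s is not registered" % f)
```

Run it against the exported file (read with `open(path).read()`) before importing; an empty result means every targeted serial is already registered on the new Panorama.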