Push to Devices failed

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Push to Devices failed

L2 Linker

Hello,

We're using Panorama for the first time and I have a config that I want to push to a PA440. The device state is connected in Panorama and device certificate is valid.

 

In "Shared Policy Commit State" I have a "commit failed" saying:
. Validation Error:
. rulebase -> pbf -> rules -> default-via-tunnel -> from -> zone 'trust-l3' is not a valid reference
. rulebase -> pbf -> rules -> default-via-tunnel -> from -> zone is invalid
. vsys1
. Error: Rulebase 'pbf'
. 'trust-l3' zone is invalid from rule 'default-via-tunnel'
. Error: Failed to parse pbf policy
. (Module: device)
. client device phase 1 failure
. Commit failed

 

I copied that zone and rule from the PA220 that this PA440 is supposed to replace in a branch office and I don't see anything wrong with it.

 

"Template Last Commit State" says the commit is reverted:

  • . Performing panorama connectivity check (attempt 1 of 1)
  • . Panorama connectivity check failed for [IP]. Reason: TCP channel setup failed, reverting configuration
  • . Configuration reverted successfully

I 've found several workarounds, also in this community, and I've tried them all. Only nothing seems to work.

 

What else can I do ? Does this look familiar to you ?

 

Thank you very much,

1 accepted solution

Accepted Solutions

L2 Linker

The solution in this case was not only to factory reset the PA440, but also delete every remaining default configuration in it. After that, there was no problem pushing config to the PA440's.

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

Hello @Jeroen_Proost

 

thanks for posting.

 

If you are migrating from Panorama managed PA-220 to PA-440, you typically do not need to copy any configuration. You should add PA-440 to the same Device Group and Template Stack, then push the configuration. If configuration was working for PA-220, it should work for PA-440 as well. Could you please share what configuration you copied? 

 

By looking into the error you are getting. The PBF is not referencing zone. The PBF is configured in Device Group while zone is configured in Template. Make sure to push Template Stack to PA-440 first, then push the Device Group configuration. If that does not resolve the problem, try to delete the PBF from Device Group and configure it from scratch after you push zone from Template Stack.

 

The last error message in your post is related to feature added in PAN-OS 9.1 Doc to automatically rollback configuration if Panorama's configuration breaks connection. It looks like that something in the Template Stack is breaking connectivity. Unless you resolve this one, you will likely not be able to resolve the first issue with Device Group configuration. Unfortunately, there is not enough information to suggest what the issue might be. I would recommend to review your setting in Template. Are you making changes to management interface or IP address?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L2 Linker

Hello @PavelK,

 

Thank you very much for your input. The PA220's (5 of them need to be replaced in branch offices with PA440's) were not deployed by Panorama in the past. I simply took one of the PA440's, did a basic config on it, added it in Panorama using the "Add" button under "Managed Devices - Summary" using an Auth Key and serial number.

I can see here the PA440 is connected and that the license is valid.

 

There was not much of config to take over from the PA220. So I made a template and DG for the PA440 and litterally typed over the config that I could see in the PA220 (policies, mgmt ip, DHCP, gateway,...) using variables in Panorama for the IP's that will be different on every PA440.

I pushed the DG without the PBF, this worked, only I don't see any of the configured settings from this DG in the PA440... Pushing the template stack isn't successfull yet, TBC... 🙂

 

Kind regards,

Cyber Elite
Cyber Elite

Thank you for reply @Jeroen_Proost

 

For Device Group configuration, I am not aware of any scenario that Device Group configuration is pushed and configuration is not in Panorama managed Firewall. The only scenario I can think of is ether a tag limiting target where policies are being pushed (Sample reference below) or error preventing successful push.

 

PavelK_0-1686777820157.png

If you did not encounter either of these issues and PA-440 Firewall is in the right Device Group, then this will have to be investigated in depth.

 

Regarding Template configuration, you mentioned that you added management interface into Template. I would recommend to remove it from Template and keep management interface configuration managed locally. If you still encounter an error, you can check more details from CLI logs. SSH to Panorama and Firewall and issue below commands and search for the error:

 

Panorama: tail follow yes mp-log configd.log
FW: tail follow yes mp-log devsrvr.log

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L2 Linker

Hello @PavelK ,

 

I wasn't able to remove the management interface from the template. I wanted to update the PAN OS version on the FW but during the update we faced a network outage and since than, I can't connect to the FW anymore. Next week I'm not able to look into this, but if I'm still not able to push the config after I've solved this the week after that, I'm going to contact PA support.

 

tail follow yes mp-log configd.log gave me the same error message as in the gui, the command on the FW didn't work (maybe I did something wrong).

I thank you for your time and guidance, I learned some new things now 🙂

Greetings,

Cyber Elite
Cyber Elite

Hello @Jeroen_Proost

 

thank you for reply.

 

Could you please share the error or describe the issue preventing you to remove management interface from Template?

 

Regarding the Firewall's PAN-OS upgrade, after the image is downloaded to the Firewall, the upgrade is running locally, so network outage should not play any role. When you say, you can't connect to Firewall, is Firewall completely offline? Do you have access to console port?

 

To troubleshoot the Template configuration push issues, you should run below command in Panorama: 

tail follow yes mp-log configd.log
and below command in Firewall: 
tail follow yes mp-log devsrvr.log
 
Since you mentioned that running that in Panorama does not reveal more details than GUI, could you check what information the devsrvr.log log in Firewall gives?
 
Kind Regards
Pavel
Help the community: Like helpful comments and mark solutions.

Hello PavelK,

Sorry for the late reply, but I'm just back to continue on this issue.  I don't get to see an error when I want to remove the management interface, I just can't do it because I don't see the possibility to do it (button,...).

 

Concerning the commands, on the FW:
admin@PA-440> tail follow yes mp-log devsrvr.log
/usr/bin/tail: cannot open '/var/log/pan/devsrvr.log' for reading: No such file or directory

 

On the Panorama CLI: I don't see anything about the PA-440 anymore... I don't get it...

 

I do notice in the GUI from Panorama that the Device State is saying "disconnected" (but he's not) and software version is 10.2, which is the version I installed through CLI this morning (!). I have to say, I re-installed that version because I was installing that version last time I could connect to the PA-440's GUI when that network outage took place and wasn't sure it was completed.

Cyber Elite
Cyber Elite

Hello @Jeroen_Proost

 

thank you for reply.

 

By default a Template includes Management interface with blank configuration. If you have done any changes to the management interface in Template you can set it back to default by setting everything to "none", however you will not find a button to completely remove the interface from Template. Below are screens and KB reference:

 

PavelK_0-1688337575164.png

PavelK_1-1688337672032.png

 

Regarding Firewall being disconnected from Panorama, could you please check this KB.

 

Regarding the error you posted, I am sorry, I made a typo. The correct command is: 

tail follow yes mp-log devsrv.log

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L2 Linker

The solution in this case was not only to factory reset the PA440, but also delete every remaining default configuration in it. After that, there was no problem pushing config to the PA440's.

  • 1 accepted solution
  • 8003 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!