Unable to commit Panorama stack template


L1 Bithead

Hi All,

 

When pushing Panorama stack template configuration to devices, I encounter the error message below. Verified no master key was in use. Please advise.

 

Operation: Commit All
Status: Completed
Result: Failed
Details: Validation Error:

deviceconfig -> system -> snmp-setting -> access-setting -> version ->v3 ->user ->Extv3usr -> authpwd bad encryption or wrong masterkey

deviceconfig -> system -> snmp-setting -> access-setting -> version ->v3 ->user ->Extv3usr -> authpwd is invalid

vsys1

Error: can't translate password

Commit failed

 

Regards,

Andrew

Cyber Elite

Was the password hash pasted via a CLI command instead of being input as a password in the GUI?

Most likely the hash wasn't submitted correctly or fetched from a different device that does have a master key/different OS/... ?

 

Please try resubmitting the authpwd via the GUI.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Resubmit the authpwd from the Panorama GUI and push the stack template, or submit it on the PA device having the issue?

Is there any way to decrypt the authpwd? It was handed over by the previous engineer and I am unsure if it is correct.

Also, my current environment was HA devices. If I push a different authpwd to the passive RMA PA replacement, will there be any impact on my current active running PA?

 

Please advise.

Thank you.

 

Cyber Elite

- on Panorama

- the hash cannot be decrypted (it's a hash, not a password)

- Panorama config is pushed to individual firewalls. HA clusters do not sync Panorama config

- you could snatch the hash from another template? 

  • set cli config-output-format set
  • configure
  • # show | match authpwd
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

 

Hi Reaper,

 

I will try the steps you provided previously.

 

If we replaced the PA5220, is there any prerequisite on the new appliance before syncing to the working HA PA5220?

Just to add on, we noticed multiple error messages. Please refer to below.

Thank you.

 PA push failed.jpg

 

make sure your templates are in the device group as 'reference template' so that log forwarding error goes away

 

the bad encryption stuff indicates one of two things

- one or both sides are using a master key that does not match with the donor

- hashes were somehow damaged (bad copy-paste, or extracted from a techsupport file instead of clean config export)

 

the only way to fix that is to recreate the damaged hashes 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi Reaper,

 

I'm quite new to Palo Alto. Thank you for the explanation. Before I proceed, I would like to know the impact on the system.

The Palo Alto 5220 was HA. I tried pushing the stack template to active/passive; only the passive (replacement unit) has this error.

If I make an amendment to the authpwd/hash now, will it affect my current active (working) unit? For example, could it cause a network outage or intermittent network issues?

 

Thank you.

that would suggest the passive unit has the default master key while the active has a custom one?

if you go take a look at the active and passive unit under system > master key (all the way at the bottom), do both look the same or is the active one showing timers ?

 

if both are the same (blank) you can safely push the correct authpwd. if there's a difference, you'll first need to set the correct master key on the passive unit (this will also fix your error so you won't need to change the authpwd)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
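
Added example, not part of the original posts and not Palo Alto Networks code: a small parser for the commit "Details" text quoted in this thread, listing the config paths whose stored secret failed decryption so they can be checked against the master key or re-entered as the replies advise. The sample text is constructed from the thread's two error lines plus a made-up user `ExampleUser2`; the function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample: "Details" text of a failed Commit All job. The Extv3usr
# lines are the ones quoted in the thread; ExampleUser2 is a made-up entry.
SAMPLE_DETAILS = """\
Validation Error:
deviceconfig -> system -> snmp-setting -> access-setting -> version ->v3 ->user ->Extv3usr -> authpwd bad encryption or wrong masterkey
deviceconfig -> system -> snmp-setting -> access-setting -> version ->v3 ->user ->Extv3usr -> authpwd is invalid
deviceconfig -> system -> snmp-setting -> access-setting -> version ->v3 ->user ->ExampleUser2 -> authpwd is invalid
vsys1
Error: can't translate password
Commit failed
"""

DECRYPT_FAIL = "bad encryption or wrong masterkey"
REASONS = (DECRYPT_FAIL, "is invalid")  # wording as it appears in the thread


def parse_details(text):
    """Map each config path (tuple of nodes) to the set of reasons reported for it."""
    findings = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if "->" not in line:
            continue  # "vsys1", "Commit failed", etc. carry no config path
        for reason in REASONS:
            if line.endswith(reason):
                # Arrow spacing is irregular in the output, so split then strip.
                nodes = tuple(n.strip() for n in line[: -len(reason)].split("->"))
                findings[nodes].add(reason)
                break
    return dict(findings)


def secrets_to_recheck(findings):
    """Paths whose stored value could not be decrypted on the target device."""
    return sorted(" -> ".join(p) for p, r in findings.items() if DECRYPT_FAIL in r)


if __name__ == "__main__":
    for path in secrets_to_recheck(parse_details(SAMPLE_DETAILS)):
        print("re-enter or check master key for:", path)
```
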