Validation Error: interface 'ethernet1/2' is already in use, but it isn't ... and zones are type unknown, but they aren't


L2 Linker

Hi,

When I try to push a config from Panorama to a PA-440, the commit fails because of these reasons.  Which is strange because ethernet1/2 isn't in use (on the PA-440).

Also the zones are configured and their type is defined.

What am I missing here?

 

Thank you very much,


6 REPLIES

L4 Transporter

Hello Jeroen_Proost,

 

Can you run a "blank" commit on the firewall?

If it fails, the issue is on your firewall, not on the configuration you are pushing from the Panorama.

 

Otherwise, you will need to give more info on the changes you have made between the last successful commit from Panorama to this PA-400 and the unsuccessful one.

 

Olivier

PCSNE - CISSP

Best Effort contributor

Check out our PANCast Channel

Disclaimer : All messages are my personal ones and do not represent my company's view in any way.

Hello @ozheng ,

 

Do you mean a template with no configuration in it?

 

Thank you,

Hello Jeroen Proost,

 

You connect to the firewall CLI, then you run the following commands:

> configure
# commit force

Then you wait for the commit result.

 

Olivier


Hello @ozheng ,

This is what I get:

Performing panorama connectivity check (attempt 1 of 5)
Panorama connectivity check was successful for 10.222.222.20
Configuration committed successfully

 

So that works...

The only difference from the last successful commit is that in between, for some reason nobody could log in anymore, so I had to do a factory reset...

 

I connected another PA-440, added it to Panorama but when I try to push the templates and device groups to this device, I get the exact same errors.

 

For reference, these are the error messages when pushing the device group and template to the PA-440's:


Details:

. In VSYS vsys1 from zone untrust-l3 of type unknown and to zone untrust-l3 of type unknown are incompatible in security rule allow ike-ipsec

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone trust-l3 of type unknown are incompatible in security rule drop paxton to non-paxton

. In VSYS vsys1 from zone intern-l2 of type unknown and to zone intern-l2 of type unknown are incompatible in security rule allow intern to intern

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone trust-l3 of type unknown are incompatible in security rule allow trust to trust

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone untrust-l3 of type unknown are incompatible in security rule allow trust to untrust

. In VSYS vsys1 from zone trust-l3 of type unknown and to zone untrust-l3 of type unknown are incompatible in nat rule to-internet

. Configuration is invalid

=> the zones trust-l3 and untrust-l3 aren't of type unknown, they are type Layer 3

 

Details:

. Validation Error:

. network -> vlan -> vlan-intern -> interface 'ethernet1/2' is already in use

. network -> vlan -> vlan-intern -> interface is invalid

. Commit failed

=> I don't see where interface 'ethernet1/2' is in use. So just for testing I removed 'ethernet1/2' from "vlan-intern", but then I get:

. Validation Error:

. network -> virtual-wire -> default-vwire -> interface1 'ethernet1/1' is not a valid reference

. network -> virtual-wire -> default-vwire -> interface1 is invalid

. Commit failed

 

=> But there are no virtual-wires configured!

Hello Jeroen_Proost.

 

Maybe there is a vwire in the firewall config?

 

Anyway, have you run the commit force on the firewall (with no pending change)?

If it fails --> the issue is on the firewall not on Panorama.

 

Olivier

 


L2 Linker

Hello @ozheng ,

 

Yes, I was able to do the commit force on the local firewall. In the meantime I contacted PA support, we deleted the standard factory settings (default virt router, default vwire, default interfaces,...) and were able to push the templates and device groups from Panorama...

 

I'm glad this seems to be the solution. Tomorrow I'm going to connect another fw and see if it works again.
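
Added example, not part of the original thread and not Palo Alto Networks code: a small check for the conflict this thread ran into, where an interface is referenced by a leftover local object (the factory `default-vwire`) and by an object in the pushed template (`vlan-intern`). The XML fragments are constructed and simplified; their layout follows the paths in the error messages above (`network -> vlan -> ... -> interface`, `network -> virtual-wire -> ... -> interface1`), and the function names and the `ethernet1/3` member are hypothetical. It assumes the firewall validates the pushed template together with its local configuration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, simplified config fragments (not taken from a real device).
LOCAL_XML = """
<network>
  <virtual-wire>
    <entry name="default-vwire">
      <interface1>ethernet1/1</interface1>
      <interface2>ethernet1/2</interface2>
    </entry>
  </virtual-wire>
</network>"""

TEMPLATE_XML = """
<network>
  <vlan>
    <entry name="vlan-intern">
      <interface><member>ethernet1/2</member><member>ethernet1/3</member></interface>
    </entry>
  </vlan>
</network>"""

def claims(xml_text, source):
    """Yield (interface, 'source:type/name') for each vwire or VLAN reference."""
    net = ET.fromstring(xml_text)
    for vw in net.findall("virtual-wire/entry"):
        for tag in ("interface1", "interface2"):
            node = vw.find(tag)
            if node is not None and node.text:
                yield node.text.strip(), f"{source}:virtual-wire/{vw.get('name')}"
    for vlan in net.findall("vlan/entry"):
        for member in vlan.findall("interface/member"):
            if member.text:
                yield member.text.strip(), f"{source}:vlan/{vlan.get('name')}"

def find_conflicts(local_xml, template_xml):
    """Return {interface: [claimants]} for interfaces claimed more than once."""
    owners = defaultdict(list)
    for source, text in (("local", local_xml), ("template", template_xml)):
        for iface, owner in claims(text, source):
            owners[iface].append(owner)
    return {iface: who for iface, who in owners.items() if len(who) > 1}

if __name__ == "__main__":
    for iface, who in find_conflicts(LOCAL_XML, TEMPLATE_XML).items():
        print(f"{iface} claimed by: {', '.join(who)}")
```

With the local `default-vwire` removed, the same check reports no conflict, which matches the outcome described in the post above.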
