Who Me Too'd this topic

Expedition migrated ASA configuration is giving "Configuration is invalid" error on validation

L1 Bithead

Hi Experts,

I have merged 9 different ASA firewalls/contexts to create 3 vsys on a Palo Alto 5220.

Up to the second vsys, the migration worked fine and the configuration was ready to be pushed with a few warnings, as validation said "configuration is valid".

Now, after migrating/merging the configuration for the last vsys, validation on the firewall is continuously failing with the message "configuration is invalid". There are no errors but quite a lot of warnings, but I think that's just fine (correct me if I'm wrong).

Commit Error Screenshot.PNG

I had initiated real-time log capture before hitting validation again; can you please have a look and advise? It's critical.

Logs are attached as code.

Thanks/Sharad

dc-p-fw-01(active)> tail follow yes mp-log devsrv.log
2019-02-08 12:08:52.420 +0300 Config commit phase0 started
2019-02-08 12:08:54.211 +0300 pan_ha_is_sync_needed: needed=1, is_peer_up=1, state=5, peer_state=4
2019-02-08 12:08:54.212 +0300 /opt/pancfg/cache/pan/VSYS_ZONE.db saved to disk, digest: 8b5f0c2b681f86716208002e7d56d8f1
2019-02-08 12:08:54.225 +0300 Config commit phase0 done
2019-02-08 12:08:56.742 +0300 Config commit phase1 started
2019-02-08 12:08:56.742 +0300 flags 0x40000, content 0x1, not devsrvr only, not content only
2019-02-08 12:08:56.763 +0300 Get virus from last committed config
2019-02-08 12:08:56.763 +0300 Get wildfire from last committed config
2019-02-08 12:08:56.763 +0300 Get wpc from last committed config
2019-02-08 12:08:56.763 +0300 Get raven from last committed config
2019-02-08 12:08:56.763 +0300 TDB compilation started. tdb_compile_flag: 0x1 custom_dns 0
2019-02-08 12:08:56.763 +0300 compile type 0x1 (1)
2019-02-08 12:08:58.670 +0300 Warning:  pan_tdb_do_file_2_version(pan_tdb_comp.c:83): open app version file /opt/pancfg/mgmt/content//pan_threatversion error
2019-02-08 12:08:58.670 +0300 Warning:  pan_tdb_content_version(pan_tdb_comp.c:143): pan_tdb_file_2_version threat error, reset to 0
2019-02-08 12:08:58.670 +0300 Content Engine version: 0x8010101 APP version: 0x3011157, Threat 0x0, virus 0x0, wildfire 0x0 type 1
2019-02-08 12:08:58.683 +0300 Primary checking
2019-02-08 12:08:58.708 +0300 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
2019-02-08 12:08:58.712 +0300 Primary checks done
2019-02-08 12:08:58.712 +0300 [TDB] Loading tdb cache /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 with wildfire 0/0 virus 0/0
2019-02-08 12:08:58.712 +0300 calc md5
2019-02-08 12:09:00.960 +0300 End of parsing custom threat
2019-02-08 12:09:01.101 +0300 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
load cache is successful
2019-02-08 12:09:01.111 +0300 Get tdb_only from last committed config
2019-02-08 12:09:01.112 +0300 No Any content change
2019-02-08 12:09:01.112 +0300 TDB compilation done, return 0
2019-02-08 12:09:02.490 +0300 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2019-02-08 12:09:02.490 +0300 Error:  pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
'cfg.hal.appid-dfa': NO_MATCHES
2019-02-08 12:09:02.783 +0300 Loading PaloAltoNetworks URL categories...
2019-02-08 12:09:02.783 +0300 Found URL categories
2019-02-08 12:09:02.783 +0300 Number of categories: 93 Order exists in content: no
2019-02-08 12:09:02.792 +0300 auto_mac_detect not configured, set to false, auto_mac_detect=0
2019-02-08 12:09:02.796 +0300 Warning:  pan_hash_init(pan_hash.c:112): nbuckets 1028 is not power of 2!
2019-02-08 12:09:02.823 +0300 Retrieved stored platform base MAC address e8:98:6d:41:bc:00
2019-02-08 12:09:02.823 +0300 HA in active-passive mode, construct base MAC from HA group ID
2019-02-08 12:09:02.823 +0300 Computed platform base MAC address e8:98:6d:41:bc:00 from configuration
2019-02-08 12:09:03.466 +0300 Warning:  pan_cfg_get_anchored_pat_config(pan_config_parser.c:23974): files /opt/pancfg/mgmt/content/global/countrycode.txt does not exist
2019-02-08 12:09:03.466 +0300 Warning:  pan_global_from_obj(pan_config_parser.c:21044): pan_cfg_get_anchored_pat_config failed
2019-02-08 12:09:03.477 +0300 vsys1 Security Policy:  783 platform accumulated rules;  783 total rules;  783 active rules;  0 disabled rules;
2019-02-08 12:09:03.526 +0300 vsys1 App Override Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.526 +0300 vsys1 Decryption:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.527 +0300 vsys1 NAT Policy:  349 platform accumulated rules;  349 total rules;  349 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 QoS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 PBF Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 DOS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 Tunnel Inspection:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.540 +0300 vsys2 Security Policy:  1231 platform accumulated rules;  511 total rules;  448 active rules;  63 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 App Override Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 Decryption:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 NAT Policy:  349 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 QoS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 PBF Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 DOS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 Tunnel Inspection:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.628 +0300 vsys3 Security Policy:  4708 platform accumulated rules;  3768 total rules;  3477 active rules;  291 disabled rules;
2019-02-08 12:09:03.667 +0300 Processing 1000 rules take 0 sec
2019-02-08 12:09:03.707 +0300 Processing 2000 rules take 0 sec
2019-02-08 12:09:03.747 +0300 Processing 3000 rules take 0 sec
2019-02-08 12:09:03.812 +0300 vsys3 App Override Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.812 +0300 vsys3 Decryption:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.812 +0300 vsys3 NAT Policy:  683 platform accumulated rules;  334 total rules;  334 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 QoS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 PBF Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 DOS Policy:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 Tunnel Inspection:  0 platform accumulated rules;  0 total rules;  0 active rules;  0 disabled rules;
2019-02-08 12:09:03.824 +0300 wrote 0 custom dns domains
2019-02-08 12:09:03.824 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.838 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.838 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.846 +0300  pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:04.009 +0300 Get custom from last committed config
2019-02-08 12:09:04.009 +0300 No TDB compilation needed custom_dns 1
2019-02-08 12:09:04.119 +0300 syncfs on /opt/pancfg/mgmt returns 0
2019-02-08 12:09:04.119 +0300 phase1: modifying cfgpush.*.*.cfg
2019-02-08 12:09:04.305 +0300 push config takes 0 sec
2019-02-08 12:09:04.305 +0300 check cfgpush.s1.comm.cfg object
2019-02-08 12:09:04.305 +0300 appsig not changed
2019-02-08 12:09:04.305 +0300 tdb not changed
2019-02-08 12:09:04.311 +0300 NTDB-vr 1 may need an updated
2019-02-08 12:09:04.311 +0300 NTDB-Update VR 1 - 2 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.313 +0300 NTDB-Updated VR 1 - total ip4 2 - dynamic 0
2019-02-08 12:09:04.313 +0300   NTDB-IP4 unchanged 2, new 0, del 0
2019-02-08 12:09:04.313 +0300 NTDB-Updated VR 1 - total ip6 0 dynamic 0
2019-02-08 12:09:04.313 +0300   NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.313 +0300 NTDB-vr 2 may need an updated
2019-02-08 12:09:04.313 +0300 NTDB-Update VR 2 - 2 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.315 +0300 NTDB-Updated VR 2 - total ip4 2 - dynamic 0
2019-02-08 12:09:04.315 +0300   NTDB-IP4 unchanged 1, new 1, del 1
2019-02-08 12:09:04.315 +0300 NTDB-Updated VR 2 - total ip6 0 dynamic 0
2019-02-08 12:09:04.315 +0300   NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.315 +0300 NTDB-vr 3 may need an updated
2019-02-08 12:09:04.315 +0300 NTDB-Update VR 3 - 3 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.316 +0300 NTDB-Updated VR 3 - total ip4 3 - dynamic 0
2019-02-08 12:09:04.316 +0300   NTDB-IP4 unchanged 3, new 0, del 0
2019-02-08 12:09:04.316 +0300 NTDB-Updated VR 3 - total ip6 0 dynamic 0
2019-02-08 12:09:04.316 +0300   NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.317 +0300 NTDB-vif_create_increment_script: 0 sec
2019-02-08 12:09:08.296 +0300 Config commit phase1 done
2019-02-08 12:09:08.300 +0300 Config commit phase1 abort
2019-02-08 12:09:08.300 +0300 kill SIGUSR1 to pid 0 
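
A capture like the one above is easier to read once the `Error:`/`Warning:` lines, the commit phase transitions and the per-vsys rule counts are pulled apart. The following is an added example, not part of the original post or of any Palo Alto Networks tooling; the field layout is inferred from the excerpt above and the sample lines are copied from it.

```python
import re

# Constructed sample: lines taken from the devsrv.log excerpt in the post above.
SAMPLE = """\
2019-02-08 12:08:56.742 +0300 Config commit phase1 started
2019-02-08 12:08:58.670 +0300 Warning:  pan_tdb_do_file_2_version(pan_tdb_comp.c:83): open app version file /opt/pancfg/mgmt/content//pan_threatversion error
2019-02-08 12:09:02.490 +0300 Error:  pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry
'cfg.hal.appid-dfa': NO_MATCHES
2019-02-08 12:09:03.477 +0300 vsys1 Security Policy:  783 platform accumulated rules;  783 total rules;  783 active rules;  0 disabled rules;
2019-02-08 12:09:03.628 +0300 vsys3 Security Policy:  4708 platform accumulated rules;  3768 total rules;  3477 active rules;  291 disabled rules;
2019-02-08 12:09:08.296 +0300 Config commit phase1 done
2019-02-08 12:09:08.300 +0300 Config commit phase1 abort
"""

# Line layout assumed from the excerpt: "<date> <time> <utc offset> <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) [+-]\d{4} (.*)$")
SEV = re.compile(r"^(Error|Warning):\s+(\w+)\(([\w.]+):(\d+)\):\s*(.*)$")
PHASE = re.compile(r"^Config commit (phase\d+) (started|done|abort)$")
RULES = re.compile(r"^(vsys\d+) (.+?):\s+(\d+) platform accumulated rules;\s+(\d+) total rules;"
                   r"\s+(\d+) active rules;\s+(\d+) disabled rules;")

def triage(text):
    """Split a devsrv.log capture into findings, phase events and rule counts."""
    out = {"findings": [], "phases": [], "rules": {}, "untimed": []}
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if not m:
            # Continuation/status lines carry no timestamp; keep them for review.
            if raw.strip():
                out["untimed"].append(raw.strip())
            continue
        ts, msg = m.group(1), m.group(2).strip()
        if (s := SEV.match(msg)):
            sev, func, src, lineno, detail = s.groups()
            out["findings"].append((ts, sev, func, f"{src}:{lineno}", detail))
        elif (p := PHASE.match(msg)):
            out["phases"].append((ts, p.group(1), p.group(2)))
        elif (r := RULES.match(msg)):
            # Value order: (platform accumulated, total, active, disabled)
            out["rules"][(r.group(1), r.group(2))] = tuple(int(n) for n in r.groups()[2:])
    out["aborted"] = sorted({ph for _, ph, st in out["phases"] if st == "abort"})
    out["errors"] = [f for f in out["findings"] if f[1] == "Error"]
    return out

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("aborted phases:", report["aborted"])
    for ts, sev, func, where, detail in report["findings"]:
        print(f"{ts} {sev:<7} {func} ({where}): {detail}")
```

The output only sorts what the log already says; it does not by itself establish which line caused the validation failure.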
