02-08-2019 02:49 AM - edited 02-08-2019 02:56 AM
Hi Experts,
I have merged 9 different ASA firewalls/contexts to create 3 vsys on a Palo Alto 5220.
Until the 2nd vsys, migration worked fine and the configuration was ready to get pushed with a few warnings, as validation said "configuration is valid".
Now, after migrating/merging the configuration for the last vsys, validation on the firewall is continuously failing with the message "configuration is invalid". There are no errors but quite a lot of warnings, but I think that's just fine (correct me if wrong).
Had initiated real-time log capture before hitting validation again, can you please have a look and advise, it's critical.
Logs are attached as code.
Thanks/Sharad
```
dc-p-fw-01(active)> tail follow yes mp-log devsrv.log
2019-02-08 12:08:52.420 +0300 Config commit phase0 started
2019-02-08 12:08:54.211 +0300 pan_ha_is_sync_needed: needed=1, is_peer_up=1, state=5, peer_state=4
2019-02-08 12:08:54.212 +0300 /opt/pancfg/cache/pan/VSYS_ZONE.db saved to disk, digest: 8b5f0c2b681f86716208002e7d56d8f1
2019-02-08 12:08:54.225 +0300 Config commit phase0 done
2019-02-08 12:08:56.742 +0300 Config commit phase1 started
2019-02-08 12:08:56.742 +0300 flags 0x40000, content 0x1, not devsrvr only, not content only
2019-02-08 12:08:56.763 +0300 Get virus from last committed config
2019-02-08 12:08:56.763 +0300 Get wildfire from last committed config
2019-02-08 12:08:56.763 +0300 Get wpc from last committed config
2019-02-08 12:08:56.763 +0300 Get raven from last committed config
2019-02-08 12:08:56.763 +0300 TDB compilation started. tdb_compile_flag: 0x1 custom_dns 0
2019-02-08 12:08:56.763 +0300 compile type 0x1 (1)
2019-02-08 12:08:58.670 +0300 Warning: pan_tdb_do_file_2_version(pan_tdb_comp.c:83): open app version file /opt/pancfg/mgmt/content//pan_threatversion error
2019-02-08 12:08:58.670 +0300 Warning: pan_tdb_content_version(pan_tdb_comp.c:143): pan_tdb_file_2_version threat error, reset to 0
2019-02-08 12:08:58.670 +0300 Content Engine version: 0x8010101 APP version: 0x3011157, Threat 0x0, virus 0x0, wildfire 0x0 type 1
2019-02-08 12:08:58.683 +0300 Primary checking
2019-02-08 12:08:58.708 +0300 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success
2019-02-08 12:08:58.712 +0300 Primary checks done
2019-02-08 12:08:58.712 +0300 [TDB] Loading tdb cache /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 with wildfire 0/0 virus 0/0
2019-02-08 12:08:58.712 +0300 calc md5
2019-02-08 12:09:00.960 +0300 End of parsing custom threat
2019-02-08 12:09:01.101 +0300 [Cache] Load /opt/pancfg/mgmt/content//cache/80101//tdb.cache.ser-1 success load cache is successful
2019-02-08 12:09:01.111 +0300 Get tdb_only from last committed config
2019-02-08 12:09:01.112 +0300 No Any content change
2019-02-08 12:09:01.112 +0300 TDB compilation done, return 0
2019-02-08 12:09:02.490 +0300 Use stored file_type_hash table as tdb->dlp_file_type_hash is invalid
2019-02-08 12:09:02.490 +0300 Error: pan_profile_compile_memory(pan_profile_comp.c:7341): Stored file_type_hash table is also in valid entry 'cfg.hal.appid-dfa': NO_MATCHES
2019-02-08 12:09:02.783 +0300 Loading PaloAltoNetworks URL categories...
2019-02-08 12:09:02.783 +0300 Found URL categories
2019-02-08 12:09:02.783 +0300 Number of categories: 93 Order exists in content: no
2019-02-08 12:09:02.792 +0300 auto_mac_detect not configured, set to false, auto_mac_detect=0
2019-02-08 12:09:02.796 +0300 Warning: pan_hash_init(pan_hash.c:112): nbuckets 1028 is not power of 2!
2019-02-08 12:09:02.823 +0300 Retrieved stored platform base MAC address e8:98:6d:41:bc:00
2019-02-08 12:09:02.823 +0300 HA in active-passive mode, construct base MAC from HA group ID
2019-02-08 12:09:02.823 +0300 Computed platform base MAC address e8:98:6d:41:bc:00 from configuration
2019-02-08 12:09:03.466 +0300 Warning: pan_cfg_get_anchored_pat_config(pan_config_parser.c:23974): files /opt/pancfg/mgmt/content/global/countrycode.txt does not exist
2019-02-08 12:09:03.466 +0300 Warning: pan_global_from_obj(pan_config_parser.c:21044): pan_cfg_get_anchored_pat_config failed
2019-02-08 12:09:03.477 +0300 vsys1 Security Policy: 783 platform accumulated rules; 783 total rules; 783 active rules; 0 disabled rules;
2019-02-08 12:09:03.526 +0300 vsys1 App Override Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.526 +0300 vsys1 Decryption: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.527 +0300 vsys1 NAT Policy: 349 platform accumulated rules; 349 total rules; 349 active rules; 0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 QoS Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 PBF Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 DOS Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.538 +0300 vsys1 Tunnel Inspection: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.540 +0300 vsys2 Security Policy: 1231 platform accumulated rules; 511 total rules; 448 active rules; 63 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 App Override Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 Decryption: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 NAT Policy: 349 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 QoS Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 PBF Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 DOS Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.614 +0300 vsys2 Tunnel Inspection: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.628 +0300 vsys3 Security Policy: 4708 platform accumulated rules; 3768 total rules; 3477 active rules; 291 disabled rules;
2019-02-08 12:09:03.667 +0300 Processing 1000 rules take 0 sec
2019-02-08 12:09:03.707 +0300 Processing 2000 rules take 0 sec
2019-02-08 12:09:03.747 +0300 Processing 3000 rules take 0 sec
2019-02-08 12:09:03.812 +0300 vsys3 App Override Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.812 +0300 vsys3 Decryption: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.812 +0300 vsys3 NAT Policy: 683 platform accumulated rules; 334 total rules; 334 active rules; 0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 QoS Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 PBF Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 DOS Policy: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.823 +0300 vsys3 Tunnel Inspection: 0 platform accumulated rules; 0 total rules; 0 active rules; 0 disabled rules;
2019-02-08 12:09:03.824 +0300 wrote 0 custom dns domains
2019-02-08 12:09:03.824 +0300 pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.838 +0300 pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.838 +0300 pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:03.846 +0300 pan_config_from_obj(pan_config_parser.c:23590): appsig use regex
2019-02-08 12:09:04.009 +0300 Get custom from last committed config
2019-02-08 12:09:04.009 +0300 No TDB compilation needed custom_dns 1
2019-02-08 12:09:04.119 +0300 syncfs on /opt/pancfg/mgmt returns 0
2019-02-08 12:09:04.119 +0300 phase1: modifying cfgpush.*.*.cfg
2019-02-08 12:09:04.305 +0300 push config takes 0 sec
2019-02-08 12:09:04.305 +0300 check cfgpush.s1.comm.cfg object
2019-02-08 12:09:04.305 +0300 appsig not changed
2019-02-08 12:09:04.305 +0300 tdb not changed
2019-02-08 12:09:04.311 +0300 NTDB-vr 1 may need an updated
2019-02-08 12:09:04.311 +0300 NTDB-Update VR 1 - 2 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.313 +0300 NTDB-Updated VR 1 - total ip4 2 - dynamic 0
2019-02-08 12:09:04.313 +0300 NTDB-IP4 unchanged 2, new 0, del 0
2019-02-08 12:09:04.313 +0300 NTDB-Updated VR 1 - total ip6 0 dynamic 0
2019-02-08 12:09:04.313 +0300 NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.313 +0300 NTDB-vr 2 may need an updated
2019-02-08 12:09:04.313 +0300 NTDB-Update VR 2 - 2 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.315 +0300 NTDB-Updated VR 2 - total ip4 2 - dynamic 0
2019-02-08 12:09:04.315 +0300 NTDB-IP4 unchanged 1, new 1, del 1
2019-02-08 12:09:04.315 +0300 NTDB-Updated VR 2 - total ip6 0 dynamic 0
2019-02-08 12:09:04.315 +0300 NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.315 +0300 NTDB-vr 3 may need an updated
2019-02-08 12:09:04.315 +0300 NTDB-Update VR 3 - 3 ipv4, 0 ipv6, and 0 ospfv3
2019-02-08 12:09:04.316 +0300 NTDB-Updated VR 3 - total ip4 3 - dynamic 0
2019-02-08 12:09:04.316 +0300 NTDB-IP4 unchanged 3, new 0, del 0
2019-02-08 12:09:04.316 +0300 NTDB-Updated VR 3 - total ip6 0 dynamic 0
2019-02-08 12:09:04.316 +0300 NTDB-IP6 unchanged 0 new 0, del 0
2019-02-08 12:09:04.317 +0300 NTDB-vif_create_increment_script: 0 sec
2019-02-08 12:09:08.296 +0300 Config commit phase1 done
2019-02-08 12:09:08.300 +0300 Config commit phase1 abort
2019-02-08 12:09:08.300 +0300 kill SIGUSR1 to pid 0
```
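A triage sketch for a capture like the one in the post above, added here as an example (it is not part of the original post and not a Palo Alto Networks tool): it splits devsrv.log text at each timestamp, whether or not the entries have been run together, and pulls out the Error/Warning entries, the commit phase transitions and the per-vsys rule counts. The sample input reuses a few entries from the capture; the function names are this example's own.

```python
import re

# Each devsrv.log entry starts with a timestamp such as "2019-02-08 12:09:02.490 +0300".
TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) ")
PHASE = re.compile(r"Config commit (phase\d+) (started|done|abort)")
RULES = re.compile(r"(vsys\d+) (.+?): (\d+) platform accumulated rules; (\d+) total rules; "
                   r"(\d+) active rules; (\d+) disabled rules")

# Sample input: entries copied from the capture in the post, joined with spaces.
SAMPLE = (
    "dc-p-fw-01(active)> tail follow yes mp-log devsrv.log "
    "2019-02-08 12:08:56.742 +0300 Config commit phase1 started "
    "2019-02-08 12:09:02.490 +0300 Error: pan_profile_compile_memory(pan_profile_comp.c:7341): "
    "Stored file_type_hash table is also in valid entry 'cfg.hal.appid-dfa': NO_MATCHES "
    "2019-02-08 12:09:02.796 +0300 Warning: pan_hash_init(pan_hash.c:112): nbuckets 1028 is not power of 2! "
    "2019-02-08 12:09:03.540 +0300 vsys2 Security Policy: 1231 platform accumulated rules; "
    "511 total rules; 448 active rules; 63 disabled rules; "
    "2019-02-08 12:09:08.296 +0300 Config commit phase1 done "
    "2019-02-08 12:09:08.300 +0300 Config commit phase1 abort"
)

def split_entries(raw):
    """Split a capture (one entry per line or run together) into (timestamp, message) pairs."""
    parts = TS.split(raw)[1:]  # drop anything before the first timestamp (the CLI prompt)
    return [(parts[i], " ".join(parts[i + 1].split())) for i in range(0, len(parts), 2)]

def triage(raw):
    """Collect errors, warnings, commit phase events and (platform, total, active, disabled) counts."""
    report = {"errors": [], "warnings": [], "phases": [], "rules": {}}
    for ts, msg in split_entries(raw):
        if msg.startswith("Error:"):
            report["errors"].append((ts, msg))
        elif msg.startswith("Warning:"):
            report["warnings"].append((ts, msg))
        if (m := PHASE.search(msg)):
            report["phases"].append((ts, m.group(1), m.group(2)))
        if (m := RULES.search(msg)):
            vsys, policy, *counts = m.groups()
            report["rules"][(vsys, policy)] = tuple(int(c) for c in counts)
    return report

def aborted_phases(report):
    """Return the commit phases that logged an 'abort' event."""
    return [phase for _, phase, state in report["phases"] if state == "abort"]
```

Running `triage()` over a full capture gives the timestamps of every `Error:` entry alongside any aborted phase, which is a quicker starting point for a support case than reading the raw tail output.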