VM firewall loses session capacity after reboot

15050

Created On 09/25/18 19:44 PM - Last Modified 06/10/23 00:53 AM

VM-Series

Next-Generation Firewall

Symptom

Symptoms

- When you spin up a new firewall instance in AWS, VMWare, Azure or other environment, the initial session capacity is 1248 sessions. This can be verified from WebUI -> Dashboard -> System Resources Widget -> Session count

- Once you apply the licenses by activating the authorization code under Device tab -> Licenses -> License Management, the VM instance reboots and shows the session count as per the license applied.

ex.

VM-50: 50,000 sessions

VM-100: 250,500 session

VM-500: 2,000,000 sessions an so on...

- However after any subsequent reboot, the firewall loses session capacity and the session count drops to 1248 sessions.

- The License(s) are still visible on the sytem

Diagnosis

admin@PA-VM> less mp-log pan_license.log

License_file /opt/pancfg/mgmt/licenses/PA_VM_.key
uuid EC265B5D-2FE2-F69F-944F-85264DC9E3A4^M
cpuid AWS:F1060400FFFB8917^M
expires 2018/06/23^M
vmcapacity 500^M
pl 0

- - License check done ***

2017-08-04 17:19:59:795 -0700: BYOL Product code: 6njl1pau431dv1qxipg63mvah

2017-08-04 17:20:05.095 -0700 vmlib INFO vm_license_check: Decrypting license file: /opt/pancfg/mgmt/licenses/PA_VM_.key
2017-08-04 17:20:05.199 -0700 vmlib INFO vm_license_check: uuid : EC265B5D-2FE2-F69F-944F-85264DC9E3A4^M
2017-08-04 17:20:05.199 -0700 vmlib INFO vm_license_check: cpuid : AWS:F1060400FFFB8917^M
2017-08-04 17:20:05.199 -0700 vmlib INFO vm_license_check: expire : 2018/06/23^M
2017-08-04 17:20:05.200 -0700 vmlib INFO vm_license_check: pl : 0
2017-08-04 17:20:05.200 -0700 vmlib INFO vm_license_check: cap : 500^M
2017-08-04 17:20:05.252 -0700 vmlib INFO vm_license_check: File system size check for nolic...
2017-08-04 17:20:05.520 -0700 vmlib INFO vm_license_check: Applying nolic license capacity. --->>> Issue, applying no license capacity
2017-08-04 17:20:05.520 -0700 vmlib INFO vm_license_check: Applying nolic license capacity, prepare /etc/cfgdb_license/cfgdb.nolic.xml and /etc/cfgdb_license/cfgdb.nolic.xml

Resolution

- Issue with the licensing server was fixed which was causing UUID check failures resulting in applying no license capacity of 1248 sessions. From this point in time (August 11 2017 at 10:45 AM PST) , issue should no longer seen when a new instance is created.

- However instances that were deployed prior to August 11, if you encounter this issue after rebooting the instance, the quickest way to resolve is to spin up a new instance and apply the auth code to get the desired session capacity. Then migrate the config by exporting the device state from old to new instance by following the below steps:

Step 1: Apply licenses to the new VM using the same auth code and verify session capacity. Reboot this instance to verify the session capacity is not lost.

** Note if the auth code is completely provisioned with no space to accomodate additional VM's, note down the serial number and follow step 6 to restore the quantity provisioned (reclaim license)

Please follow instructions at below link:

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/license-the-vm-series-firewall/deactivate-the-license-s

Step 2: Export the configuration from old instance

Old instance:

WebUI -> Setup -> Operations -> Export Device State

Step 3: Note down the serial number from Dashboard, change management interface IP and shut down old instance

(Change management IP if you wish to preserve the instance for future)

Step 4: Import the config on the new instance

New Instance:

WebUI -> Setup -> Operations -> Import Device State

Step 5: Commit the changes

Step 6: Open a Webcase or Call Support and provide the serial number of old instance to scrub it from the auth code

VM firewall loses session capacity after reboot

Symptom

Symptoms

Diagnosis

Resolution

Other users also viewed: