Commit failed warning “Fail to count address groups”
57113
Created On 09/25/18 19:50 PM - Last Modified 07/06/23 04:47 AM
Symptom
Environment
- PAN-OS 8.1 and above.
- Any Panorama or Palo Alto Firewall.
Cause
The above error indicates that there is an address-group configured without members assigned. Most of the time this can happen while configuring address groups from the CLI as from GUI it will not allow to Click OK unless you have added at least 1 member. This can also happen if the configuration file is generated using the migration tool.
Resolution
- Go through your address groups and see if any of them have no individual address objects or empty address objects.
- Open Address Groups in the WebGUI or Panorama WebGUI by going to Objects > Address Groups, then check for the Members count value in all address groups to make sure the member count value is not 0.
- If any address-group members have zero addresses, delete them or add addresses to the address-group.
- Once completed, the commit operation should complete without errors.
Additional Information
To find the address-group at fault, check the device server logs:
> tail follow yes mp-log devsrv.log
……
2016-03-30 10:12:48.043 +0800 Config commit phase0 started
2016-03-30 10:12:53.599 +0800 Config commit phase0 done
2016-03-30 10:13:07.311 +0800 Config commit phase1 started
….
2016-03-30 10:13:19.566 +0800 Vsys 'vsys1' contains 12 users and 1041 user-groups
2016-03-30 10:13:19.578 +0800 Error: pan_addresses_get_grp_cnt(pan_config_parser.c:1885): unknow address group type for group Group1
2016-03-30 10:13:19.578 +0800 Error: pan_addresses_from_obj(pan_config_parser.c:1939): pan_addresses_get_grp_cnt failed
2016-03-30 10:13:19.578 +0800 Error: pan_vsys_from_obj(pan_config_parser.c:16634): pan_addresses_from_obj failed
2016-03-30 10:13:19.582 +0800 Error: pan_config_from_obj(pan_config_parser.c:17551): pan_vsyses_from_obj failed
2016-03-30 10:13:19.676 +0800 Error: pan_ctrl_save_config(pan_config_handler_sysd.c:1696): Error compiling config
<<vsys1>>
Error: Fail to count address groups
<</vsys1>>
.....
2016-03-30 10:13:19.680 +0800 Config commit phase1 failed
2016-03-30 10:13:19.880 +0800 Config commit phase1 abort
2016-03-30 10:13:19.880 +0800 kill SIGUSR1 to pid 0