Commit failed warning “Fail to count address groups”

Commit failed warning “Fail to count address groups”

52534
Created On 09/25/18 19:50 PM - Last Modified 07/06/23 04:47 AM


Symptom


Symptoms

When committing a configuration from the CLI, WebGUI, or from Panorama, the commit could fail with the following error message:

 

admin@PA-200# commit 
config commit phase 1 aborted(Module: routed)
vsys1
Error: Fail to count address groups
(Module: device)
commit failed
 

 

 

Environment


  • PAN-OS 8.1 and above.
  • Any Panorama or Palo Alto Firewall.

Cause


The above error indicates that there is an address-group configured without members assigned. Most of the time this can happen while configuring address groups from the CLI as from GUI it will not allow to Click OK unless you have added at least 1 member. This can also happen if the configuration file is generated using the migration tool.

Resolution


  1. Go through your address groups and see if any of them have no individual address objects or empty address objects. 
  2. Open Address Groups in the WebGUI or Panorama WebGUI by going to Objects > Address Groups, then check for the Members count value in all address groups to make sure the member count value is not 0. 
  3. If any address-group members have zero addresses, delete them or add addresses to the address-group.
  4. Once completed, the commit operation should complete without errors.

5-10-16-pan1.png
The above diagram shows the details of the Address Groups section with every group has at least 1 member.

Additional Information


To find the address-group at fault, check the device server logs:

> tail follow yes mp-log devsrv.log 

…… 

2016-03-30 10:12:48.043 +0800 Config commit phase0 started
2016-03-30 10:12:53.599 +0800 Config commit phase0 done
2016-03-30 10:13:07.311 +0800 Config commit phase1 started
….
2016-03-30 10:13:19.566 +0800 Vsys 'vsys1' contains 12 users and 1041 user-groups
2016-03-30 10:13:19.578 +0800 Error:  pan_addresses_get_grp_cnt(pan_config_parser.c:1885): unknow address group type for group Group1
2016-03-30 10:13:19.578 +0800 Error:  pan_addresses_from_obj(pan_config_parser.c:1939): pan_addresses_get_grp_cnt failed
2016-03-30 10:13:19.578 +0800 Error:  pan_vsys_from_obj(pan_config_parser.c:16634): pan_addresses_from_obj failed
2016-03-30 10:13:19.582 +0800 Error:  pan_config_from_obj(pan_config_parser.c:17551): pan_vsyses_from_obj failed
2016-03-30 10:13:19.676 +0800 Error:  pan_ctrl_save_config(pan_config_handler_sysd.c:1696): Error compiling config
<<vsys1>>
Error: Fail to count address groups
<</vsys1>>

 

.....

2016-03-30 10:13:19.680 +0800 Config commit phase1 failed
2016-03-30 10:13:19.880 +0800 Config commit phase1 abort
2016-03-30 10:13:19.880 +0800 kill SIGUSR1 to pid 0
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClfiCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language