Issue
The commit finished with an error:
phase 2 commit failed: error pre-installing config failed to handle CONFIG_COMMIT
error: response from cfgpush.s1.dp1.comm.cfg-dp: error pre-installing config.
The commit shows the job finished with status OK:
Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2015/02/05 18:13:53 750 Commit FIN OK 18:14:11
Warnings:Error: Error pre-installing config
failed to handle CONFIG_COMMIT
(Module: device)
The dataplane did not accept the configuration changes.
The device server logs may show the following errors:
Mar 01 03:14:26 Error: pan_address_parse_address(pan_address.c:128): pan_prefix_compare(): from_addr is larger than to_addr
Mar 01 03:14:26 Error: pan_region_from_region_entries(pan_region.c:197): pan_address_parse_address failed
Resolution
The issue is caused by the number of PBF rules that have "symmetric return" configured.
The maximum number of such rules varies per platform and can be read from the system state:
admin@IlijaFW-2> show system state | match cfg.general.max-return-address
cfg.general.max-return-address: 0x30
In this case, on the PA-5020, the value is 0x30 in hexadecimal, which is 48 in decimal. If more than 48 PBF rules have symmetric return configured, the commit fails as described above.
Lowering the number of PBF rules with symmetric return below the hard-coded limit will resolve the issue.
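
A pre-commit check for this condition, added here as an example and not taken from the original article or from Palo Alto Networks tooling: it parses the limit from the system-state line above and counts PBF rules with symmetric return in an exported configuration. The XML layout (pbf/rules/entry with an enforce-symmetric-return/enabled element) and the function names are assumptions, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# The system-state line as shown in the article.
STATE_OUTPUT = "cfg.general.max-return-address: 0x30"

def parse_limit(state_output):
    """Return cfg.general.max-return-address as an int (hex or decimal input)."""
    m = re.search(r"cfg\.general\.max-return-address:\s*(0x[0-9a-fA-F]+|\d+)",
                  state_output)
    if m is None:
        raise ValueError("cfg.general.max-return-address not found")
    return int(m.group(1), 0)  # base 0 accepts the 0x prefix

def symmetric_return_rules(config_xml):
    """Names of PBF rules with symmetric return enabled (assumed XML layout)."""
    root = ET.fromstring(config_xml)
    return [e.get("name") for e in root.findall(".//pbf/rules/entry")
            if e.findtext("enforce-symmetric-return/enabled") == "yes"]

def check(state_output, config_xml):
    """Return (count, limit, ok); ok is False when count exceeds the limit."""
    limit = parse_limit(state_output)
    count = len(symmetric_return_rules(config_xml))
    return count, limit, count <= limit

def build_sample_config(n_symmetric, n_plain):
    """Constructed sample config: n_symmetric rules with symmetric return."""
    sym = "".join(
        f'<entry name="sym-{i}"><enforce-symmetric-return>'
        f"<enabled>yes</enabled></enforce-symmetric-return></entry>"
        for i in range(n_symmetric))
    plain = "".join(f'<entry name="plain-{i}"/>' for i in range(n_plain))
    return (f"<config><rulebase><pbf><rules>{sym}{plain}"
            f"</rules></pbf></rulebase></config>")

if __name__ == "__main__":
    count, limit, ok = check(STATE_OUTPUT, build_sample_config(49, 5))
    status = "within limit" if ok else "over limit, commit is expected to fail"
    print(f"{count} symmetric-return PBF rules, platform limit {limit}: {status}")
```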