Why Do I See Two Autocommits on the Firewall After Reboot?
14592
Created On 04/02/19 12:25 PM - Last Modified 04/03/19 4:53 PM
Question
Upon reboot of a next-generation firewall in an active/passive HA pair, why do I see two autocommits after reboot?
admin@firewall(active)> show jobs all
Enqueued            Dequeued  ID   PositionInQ  Type     Status  Result  Completed
--------------------------------------------------------------------------------------------------
2018/11/01 14:23:10 14:23:10  2                 AutoCom  FIN     OK      14:23:24
2018/11/01 14:20:50 14:20:50  1                 AutoCom  FIN     OK      14:21:55
Answer
The first autocommit job pushes the configuration to the dataplane and brings the dataplane up so that it is ready to accept and process traffic. This job is seen on stand-alone firewalls as well as on HA members after a device restart or a dataplane restart.
The second autocommit synchronizes the ID manager (idmgr) between the HA peers; the IDs are pushed from the active node to the passive node.
You can confirm this in the devsrvr (device server) log under mp-log:
admin@firewall(active)> less mp-log devsrvr.log
<snip>
2018-11-01 14:22:55.514 -0700 Peer idmgr is ready
2018-11-01 14:22:55.514 -0700 Sync idmgr to active device
<snip>
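The following script is an added example and is not PAN-OS code or part of this article. It parses the text of show jobs all and the devsrvr.log excerpt (both constructed here from the output quoted above), counts the AutoCom jobs, checks that each finished with FIN/OK, computes how long each ran, and finds which autocommit was enqueued after the "Sync idmgr" log line. The column layout it assumes (eight whitespace-separated fields for a finished job, nine when PositionInQ is populated, "-" for an empty time field) is an assumption about the CLI output, not documented behaviour.

```python
"""Explain the autocommits seen after an HA reboot from CLI text.
Added example, not PAN-OS code.  Sample text is constructed from the
'show jobs all' and devsrvr.log output quoted in the article."""
import re
from datetime import datetime, timedelta

# Constructed sample: the 'show jobs all' output from the article, re-laid out.
SHOW_JOBS_OUTPUT = """\
Enqueued            Dequeued  ID   PositionInQ  Type     Status  Result  Completed
--------------------------------------------------------------------------------
2018/11/01 14:23:10 14:23:10  2                 AutoCom  FIN     OK      14:23:24
2018/11/01 14:20:50 14:20:50  1                 AutoCom  FIN     OK      14:21:55
"""

# Constructed sample: the two devsrvr.log lines quoted in the article.
DEVSRVR_LOG = """\
2018-11-01 14:22:55.514 -0700 Peer idmgr is ready
2018-11-01 14:22:55.514 -0700 Sync idmgr to active device
"""

JOB_DATE = "%Y/%m/%d %H:%M:%S"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4} (.*)$")


def _at(day, hhmmss):
    """Attach an HH:MM:SS column to the enqueue date; roll past midnight.
    Returns None for an empty field such as '-' (assumption about the CLI)."""
    if not re.fullmatch(r"\d{2}:\d{2}:\d{2}", hhmmss):
        return None
    stamp = datetime.combine(day.date(), datetime.strptime(hhmmss, "%H:%M:%S").time())
    return stamp + timedelta(days=1) if stamp < day else stamp


def parse_show_jobs(text):
    """One dict per job row.  Assumption: finished jobs print 8 fields
    (PositionInQ blank); queued jobs print 9."""
    jobs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not re.fullmatch(r"\d{4}/\d{2}/\d{2}", f[0]):
            continue  # header, ruler or prompt line
        enq = datetime.strptime(f"{f[0]} {f[1]}", JOB_DATE)
        dequeued, jid, rest = f[2], int(f[3]), f[4:]
        position = rest.pop(0) if len(rest) == 5 else None  # only queued jobs
        jtype, status, result, completed = rest
        jobs.append({"id": jid, "enqueued": enq, "dequeued": _at(enq, dequeued),
                     "position": position, "type": jtype, "status": status,
                     "result": result, "completed": _at(enq, completed)})
    return jobs


def autocommit_summary(jobs):
    """Count AutoCom jobs, confirm all finished OK, and give each run time in seconds."""
    auto = sorted((j for j in jobs if j["type"] == "AutoCom"), key=lambda j: j["id"])
    return {
        "count": len(auto),
        "all_ok": all(j["status"] == "FIN" and j["result"] == "OK" for j in auto),
        "seconds": {j["id"]: int((j["completed"] - j["dequeued"]).total_seconds())
                    for j in auto if j["completed"] and j["dequeued"]},
    }


def parse_devsrvr(text, keyword="idmgr"):
    """Return (timestamp, message) for devsrvr.log lines mentioning keyword."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and keyword in m.group(2):
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def job_after_sync(jobs, events):
    """ID of the first AutoCom enqueued at or after the 'Sync idmgr' line,
    i.e. the autocommit the article attributes to idmgr synchronization."""
    syncs = [ts for ts, msg in events if msg.startswith("Sync idmgr")]
    later = [j for j in jobs if j["type"] == "AutoCom" and syncs and j["enqueued"] >= syncs[0]]
    return min(later, key=lambda j: j["enqueued"])["id"] if later else None


if __name__ == "__main__":
    jobs = parse_show_jobs(SHOW_JOBS_OUTPUT)
    print(autocommit_summary(jobs))            # {'count': 2, 'all_ok': True, 'seconds': {1: 65, 2: 14}}
    print(job_after_sync(jobs, parse_devsrvr(DEVSRVR_LOG)))  # 2
```

To use it against a real firewall, paste the output of show jobs all and the idmgr lines from less mp-log devsrvr.log into the two strings. On an HA member, count should be 2 with both jobs FIN/OK; a stand-alone firewall should show 1. A second AutoCom that did not finish OK, or an idmgr sync line with no AutoCom enqueued after it, is the point at which to start looking at the HA state and the rest of devsrvr.log.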
Additional Information
idmgr maintains the IDs that correspond to policies, objects and some networking elements.
idmgr is synchronized so that traffic is processed as expected after an HA failover.
Here is how to list all idmgr types:
admin@firewall(active)> debug device-server dump idmgr type ?
> custom-url-filter                 Only custom-url-filter name and id
> dns-proxy                         Only dns-proxy name and id
> dos-rule                          Only dos-rule name and id
> global-if-counter                 Only global-if-counter name and id
> global-interface                  Only global-interface name and id
> global-rib-instance               Only global-rib-instance name and id
> global-tunnel                     Only global-tunnel name and id
> global-vlan                       Only global-vlan name and id
> global-vlan-domain                Only global-vlan-domain name and id
> global-vrouter                    Only global-vrouter name and id
> http-header-insert-header-value   Only http-header-insert-header-value name and id
> ike-gateway                       Only ike-gateway name and id
> interface-group                   Only interface-group name and id
> log-setting                       Only log-setting name and id
> macl-rule                         Only macl-rule name and id
> monitor-tag                       Only dns-proxy name and id
> nat-rule                          Only nat-rule name and id
> ospfv3-virtual-link               Only ospfv3-virtual-link name and id
> override-rule                     Only app override-rule name and id
> pbf-rule                          PBF rule name and id
> qos-rule                          Only qos-rule name and id
> security-rule                     Only security-rule name and id
> shared-app-signature              Only shared-app-signature name and id
> shared-application                Only shared-application name and id
> shared-bgp-aggr-address           Only shared-bgp-aggr-address name and id
> shared-bgp-peer                   Only shared-bgp-peer name and id
> shared-bgp-peergrp                Only shared-bgp-peergrp name and id
> shared-custom-url-category        Only shared-custom-url-category name and id
> shared-gateway                    Shared gateway
> shared-header-insert-hosts        Only shared-header-insert-hosts name and id
> shared-qos-group                  Only shared-qos-group name and id
> shared-qos-member                 Only shared-qos-member name and id
> shared-qos-profile                Only shared-qos-profile name and id
> shared-region                     Shared region code name and id
> shared-url-filtering              Only shared-url-filtering name and id
> ssl-rule                          Only ssl-rule name and id
> tci-rule                          Only tci-rule name and id
> vsys                              Only vsys name and id
> vsys-app-signature                Only vsys-app-signature name and id
> vsys-application                  Only vsys-application name and id
> vsys-custom-url-category          Only vsys-custom-url-category name and id
> vsys-header-insert-hosts          Only vsys-header-insert-hosts name and id
> vsys-region                       Vsys region code name and id
> vsys-url-filtering                Only vsys-url-filtering name and id
> zone                              Only zone name and id