Post upgrade to 8.1 Panorama unable to commit due to template error after creating a new PA-VM on NSX

Post upgrade to 8.1 Panorama unable to commit due to template error after creating a new PA-VM on NSX

10877
Created On 04/11/19 13:59 PM - Last Modified 04/22/19 20:45 PM


Symptom


After upgrade to PAN-OS 8.1, templates with devices attached will be converted into template stacks that contain the original template. The template stack name will be <Template Name>_mig_stack. At the same time, the template name on NSX service definition will also be converted into <Template Name>_mig_stack. As a result, the NSX Plugin on panorama pushes these updates to NSX Manager as part of Service Definition (Service) registration.

In some cases, the existing service installation on the cluster in NSX manager is NOT being updated with the information being sent to the NSX Manager API by the Panorama NSX Plugin. So new service VMs that are created, when a new host is added to the cluster, will still have the old template information. As a result, the commit on Panorama fails with the error,
"devices -> localhost.localdomain -> template -> <Template Name> -> devices unexpected here".

Run the below curl command to confirm that the NSX Plugin has been updated. 
Note: On the the NSX manager curl for the <Template Name>_mig_stack name 
$ curl --tlsv1.1  -k -u $USER:$PASS https://$NSXMGR/api/2.0/si/services | xmllint --format - | grep -A 2 PAN_Panorama_Config_Template

<attribute>
<id>xxx</id>
<revision>xxx</revision>
<key>PAN_Panorama_Config_Template</key>
<value><Template Name>_mig_stack</value>

To confirm that NSX manager didn't update the template on the back end, check the display attributes of the service instance

User-added image

Environment


  • Panorama
  • New PA-VM being added
  • VMware NSX

Resolution


The resolution is troubleshooting further why NSX manager is not updating PAN_Panorama_Config_Template on the service instance with the Template Name>_mig_stack. Two workarounds are available:
 

Workaround 1

Rename the template "<Template Name>_mig_stack" to be "<Template Name>"
  • Before upgrade to PAN-OS 8.1
-Template "<Template Name>"
  • After upgrade to PAN-OS 8.1 (with issue):
-Template "<Template Name>"
-Template Stack "<Template Name>_mig_stack"
  • Suggested workaround:
-Template "<Template Name>_01"
-Template Stack "<Template Name>_mig_stack"
>> This matches the template name before the upgrade


Workaround 2

The Panorama XML configuration file can be edited. Steps are listed below:
  1. Remove the serial numbers of the new PA-VMs deployed on the ESXi hosts from the XML configuration file 
  2. Import the edited XML configuration file 
  3. Add the respective serial numbers of the device to the template stack
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLWu&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language