Panorama unable to commit changes related to SD-WAN VPN Cluster
3862
Created On 03/17/21 16:13 PM - Last Modified 04/15/25 23:30 PM
Symptom
- After adding a Passive firewall to Panorama > SDWAN > Devices and VPN Cluster; commit to Panorama fails with the following errors: "plugin validation failed"
- Following errors are seen in the Panorama configd.log (less mp-log configd.log)
-0700 Error: pan_get_admin_user_stat(pan_auth_admin_login_stat.c:219): Admin user "__sd_wan" auth statistics file "/opt/pancfg/home/__sd_wan/login_statistics.txt" doesn't exist
-0700 Error: _get_admin_login_stat(pan_cfg_auth_handler.c:394): Admin user "__sd_wan" has not logged in yet
File "/opt/plugins/installed/sd_wan/scripts/cluster_map.py", line 1830, in <module>
cluster_map_obj.gen_mapping()
File "/opt/plugins/installed/sd_wan/scripts/cluster_map.py", line 1658, in gen_mapping
rm_vif_nd = PXL.xml_get_node_by_xpath(local_node_obj.node, "vif-name")
-0700 Error: pan_plugin_python_transform(pan_plugin_input.c:468): Failed to run python command for input: cluster_mapping
-0700 Error: pan_cfg_transform_fullpath(pan_cfg_utils.c:6599): error generating transform /opt/plugins/xsl/input-plugins.xsl
-0700 Error: pan_cfg_save_persist_plugin_config(pan_plugin_input.c:808): Plugin: unable to generate plugin config for ztp
-0700 Error: pan_plugin_pre_commit_process(pan_plugin_commit.c:166): plugin validation failed
-0700 Error: pan_get_content_release_date_by_sysd(pan_ops_content.c:1443): Failed to fetch from sysd for GPclient
Environment
- Panorama managed Palo Alto Firewalls
- PAN-OS 10.0
- High Availability (Active/Passive) configured on Firewalls
Cause
- Both the Active Passive pair are advised to be added together on the Panorama SDWAN > Devices and VPN Cluster and commit to Panorama.
- Updates can be pushed one by one to the firewalls from panorama for testing purposes.
Resolution
- Add both Active and Passive firewalls together to the Panorama > SDWAN > Devices and VPN Cluster
- Commit the configuration on Panorama. Is should be successful.