Error when switching mode from Panorama to Management-only mode
Created On 06/29/20 20:44 PM - Last Modified 04/19/21 23:24 PM
Symptom
When trying to switch from Panorama mode to Management-only mode, the error "cannot switch to management-only mode; all devices must be included in log-collector-group(s)" appears:
>request system system-mode management-only
Executing this command will change the system to management-only mode, logs will be removed. This will restart the system.
Are you sure you want to continue? (y or n)
Server error : Failed to change to management-only mode.
cannot switch to management-only mode; all devices must be included in log-collector-group(s).
In configd.log, look for lines similar to the following:
Error: pan_cfg_mgr_is_ready_for_mgmt_only_mode(pan_cfg_mgr.c:6585): cannot switch to management-only
mode; all devices must be included in log-collector-group(s)
(dev=517:lcg_dev=493) <-- dev and lcg_dev must report the same number of devices.
Error: pan_mgmtop_change_system_mode_to_mgmt_only_handler(pan_ops_cms.c:17898): system is not ready to
switch to management-only mode -- cannot switch to management-only mode; all devices must be included
in log-collector-group(s).
The number of firewalls assigned to the Log Collector Group(s) can also be seen in the GUI under Panorama > Collector Groups > Device Log Forwarding > Log Forwarding Preferences > more. This number must match the number of devices reported as dev in the Panorama configd log.
Environment
- PAN-OS version: any
- Panorama VMs
Cause
By design, all devices must be included in a log collector group before Panorama can switch mode.
For example, if you have 5 log collector groups, the number of firewalls managed by Panorama must be exactly the same as the number of firewalls included in the Log Collector Group(s).
In the example above, the log reports (dev=517:lcg_dev=493):
- dev is the number of firewalls in Panorama.
- lcg_dev is the number of firewalls under the Log Collector Group(s).
- dev and lcg_dev must report the same number of devices.
Resolution
Identify the devices that are not included in the collector group and add them:
- Use the command "> show devices all" to list all the devices managed by Panorama.
- Compare those against the devices under GUI: Panorama > Collector Groups > Device Log Forwarding > Log Forwarding Preferences > more.
- Add the missing devices to the collector group.
- Once the change is committed, the issue is no longer seen.
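The comparison in the steps above can be scripted. The following is an added example, not Palo Alto Networks code: it reads the (dev=...:lcg_dev=...) counts from configd.log text and lists the serial numbers that are managed but not in any collector group. It assumes the serial numbers from the CLI output and from the GUI list have already been copied into two plain lists; the function names and sample serials are constructed.

```python
import re

# Constructed sample: the configd.log lines from this article, wrapped as shown there.
SAMPLE_LOG = """\
Error: pan_cfg_mgr_is_ready_for_mgmt_only_mode(pan_cfg_mgr.c:6585): cannot switch to management-only
mode; all devices must be included in log-collector-group(s)
(dev=517:lcg_dev=493)
"""

COUNTS_RE = re.compile(r"\(dev=(\d+):lcg_dev=(\d+)\)")


def parse_counts(log_text):
    """Return the last (dev, lcg_dev) pair reported in configd.log text, or None."""
    # The message can wrap across lines, so search the whole text, not line by line.
    matches = COUNTS_RE.findall(log_text)
    if not matches:
        return None
    dev, lcg_dev = matches[-1]
    return int(dev), int(lcg_dev)


def normalize(serials):
    """Strip whitespace, drop blank and comment lines, upper-case serial numbers."""
    cleaned = (s.strip().upper() for s in serials)
    return {s for s in cleaned if s and not s.startswith("#")}


def missing_from_collector_groups(managed, in_groups):
    """Serials managed by Panorama but absent from every collector group."""
    return sorted(normalize(managed) - normalize(in_groups))


def reconcile(log_text, managed, in_groups):
    """Check that the logged shortfall (dev - lcg_dev) matches the list difference."""
    counts = parse_counts(log_text)
    missing = missing_from_collector_groups(managed, in_groups)
    expected = counts[0] - counts[1] if counts else None
    return {"expected_gap": expected, "missing": missing,
            "consistent": expected is not None and expected == len(missing)}


if __name__ == "__main__":
    # Constructed serial numbers, not real devices.
    managed = ["0070000001", "0070000002", "0070000003 ", "0070000004"]
    in_groups = ["0070000001", "0070000003"]
    print(parse_counts(SAMPLE_LOG))
    print(missing_from_collector_groups(managed, in_groups))
```

If "consistent" is false, the two lists do not account for the gap in the log, which usually means one of them is incomplete or out of date.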