Error when switching mode from Panorama to Management-only mode

Created On 06/29/20 20:44 PM - Last Modified 04/19/21 23:24 PM


Symptom


When trying to switch from Panorama mode to Management-only mode, the following error appears: "cannot switch to management-only mode; all devices must be included in log-collector-group(s)".
 
>request system system-mode management-only
Executing this command will change the system to management-only mode, logs will be removed. This will restart the system.
Are you sure you want to continue? (y or n)

Server error : Failed to change to management-only mode.
cannot switch to management-only mode; all devices must be included in log-collector-group(s).

In configd.log, look for lines similar to the following:
 
Error:  pan_cfg_mgr_is_ready_for_mgmt_only_mode(pan_cfg_mgr.c:6585): cannot switch to management-only
mode; all devices must be included in log-collector-group(s)
(dev=517:lcg_dev=493) <-- dev and lcg_dev must report the same number of devices.

Error:  pan_mgmtop_change_system_mode_to_mgmt_only_handler(pan_ops_cms.c:17898): system is not ready to 
switch to management-only mode -- cannot switch to management-only mode; all devices must be included 
in log-collector-group(s).

The number of firewalls assigned to the LCG can also be checked in the GUI under Panorama > Collector Groups > Device Log Forwarding > Log Forwarding Preferences > more. This number must match the number of devices reported in the Panorama configd log (dev).

[Screenshot: number of firewalls assigned to log_collector_group]
 


Environment


  • Any PAN-OS version
  • Panorama VMs


Cause


By design, all the devices must be included in a log collector group before Panorama can switch mode.

For example, if you have 5 log collector groups, the number of firewalls managed by Panorama must be exactly the same as the number of firewalls included in the Log Collector Group(s).

In the log example above, the output shows (dev=517:lcg_dev=493):
  • dev is the number of firewalls in Panorama.
  • lcg_dev is the number of firewalls under the Log Collector Group(s).
  • dev and lcg_dev must report the same number of devices.


Resolution


Identify the devices that are not included in the collector group and add them:
  1. Use the command "> show devices all" to collect all the devices managed by Panorama.
  2. Compare those against the devices under GUI: Panorama > Collector Groups > Device Log Forwarding > Log Forwarding Preferences > more.
  3. Add the missing devices to the collector group.
  4. Once the change is committed, the issue is no longer seen.
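
The comparison in steps 1 to 3 can be scripted. The following is an added example, not part of the original article or Palo Alto Networks tooling: it reads the (dev=N:lcg_dev=M) counters from configd.log text and lists the serial numbers that are managed by Panorama but absent from every collector group. It assumes you have already copied the two serial-number lists out of the CLI and GUI by hand; the function names, sample log and serials are constructed for illustration.

```python
import re

# Counter pair as it appears in configd.log on this page: "(dev=517:lcg_dev=493)".
COUNTS_RE = re.compile(r"\(dev=(\d+):lcg_dev=(\d+)\)")

# Constructed sample data (not from a real system); the serials are made up.
SAMPLE_LOG = """Error:  pan_cfg_mgr_is_ready_for_mgmt_only_mode(pan_cfg_mgr.c:6585): cannot switch to management-only
mode; all devices must be included in log-collector-group(s)
(dev=5:lcg_dev=3)
"""
SAMPLE_MANAGED = ["SN0001", "SN0002", "SN0003", "SN0004", "SN0005"]
SAMPLE_IN_LCG = ["sn0001 ", "SN0003", "", "SN0004"]  # messy copy/paste on purpose


def parse_counts(log_text):
    """Return (dev, lcg_dev) from the most recent matching log entry, or None."""
    matches = COUNTS_RE.findall(log_text)
    if not matches:
        return None
    dev, lcg_dev = matches[-1]
    return int(dev), int(lcg_dev)


def normalize(serials):
    """Trim whitespace, drop blank entries, upper-case and de-duplicate."""
    return {s.strip().upper() for s in serials if s.strip()}


def reconcile(log_text, managed, in_lcg):
    """Compare the hand-collected lists and check them against the log counters."""
    managed_set, lcg_set = normalize(managed), normalize(in_lcg)
    missing = sorted(managed_set - lcg_set)   # add these to a collector group
    stale = sorted(lcg_set - managed_set)     # in a group but not managed
    counts = parse_counts(log_text)
    gap = counts[0] - counts[1] if counts else None
    # Assumption: if both lists are complete, len(missing) equals dev - lcg_dev.
    return {"counts": counts, "expected_gap": gap, "missing": missing,
            "stale": stale, "lists_explain_gap": gap == len(missing)}


if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, SAMPLE_MANAGED, SAMPLE_IN_LCG)
    print("configd counters (dev, lcg_dev):", result["counts"])
    print("missing from collector groups:", result["missing"])
    print("lists account for the gap:", result["lists_explain_gap"])
```

If lists_explain_gap is False, one of the two lists is incomplete and should be collected again before editing the collector groups.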

 

