Validation Error "exclude-access-route 20.203.xxx.xx is an invalid subnet address. Did you mean 20.203.xxx.x/20?" when pushing GlobalProtect changes to Prisma Access

Created On 07/20/20 04:33 AM - Last Modified 01/30/23 03:21 AM


Symptom


  • After making a few changes and pushing to Prisma Access, the following Validation Error is received: "exclude-access-route 20.203.158.80 is an invalid subnet address. Did you mean 20.203.144.0/20?"

  • From Panorama > Cloud services > Status > Monitor, select Mobile Users and then select the deployed region on the map. This shows the deployed location and the respective commit validation error details.



Environment


  • Prisma Access Mobile Users managed by Panorama


 


Cause


  • The commit failure is due to an invalid configuration.
  • The split tunnel exclude access route entry is not a valid subnet, so validation fails on the Prisma Access mobile user security processing nodes.

 


Resolution


Configure a valid subnet notation
  1. From the Panorama GUI, navigate to Network > GlobalProtect (Mobile_User_Template) > Gateway and edit the GlobalProtect_External_Gateway.
  2. In the gateway, navigate to Agent > DEFAULT > Split tunneling > exclude-access-route and change the invalid subnet 20.203.158.80/20 to 20.203.144.0/20, which is a valid subnet notation.
  3. Commit & Push
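
To catch this class of error before a push, the following added example (not part of the original article and not Palo Alto Networks code) checks a list of exclude-access-route entries for host bits set beyond the prefix length and proposes the enclosing network, as the validation message does. The function name and the sample list are assumptions; the list is constructed, apart from the two subnets quoted in this article.

```python
import ipaddress

def check_exclude_routes(routes):
    """Flag split-tunnel entries that are not valid subnet notation.

    Returns one dict per bad entry: entry, problem, suggestion, addresses.
    """
    findings = []
    for raw in routes:
        entry = raw.strip()
        try:
            # strict=True rejects a prefix whose host bits are non-zero,
            # which is the condition the commit validation reports.
            ipaddress.ip_network(entry, strict=True)
            continue
        except ValueError:
            pass
        try:
            # strict=False masks the host bits and yields the enclosing network.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append({"entry": entry, "problem": "not an IP network",
                             "suggestion": None, "addresses": 0})
            continue
        findings.append({"entry": entry, "problem": "host bits set",
                         "suggestion": str(net),
                         "addresses": net.num_addresses})
    return findings

# Constructed sample list; only the 20.203.x.x entries come from the article.
SAMPLE_ROUTES = [
    "10.0.0.0/8",
    "20.203.158.80/20",   # invalid: host bits set
    "20.203.144.0/20",    # the corrected form
    "192.168.1.300/24",   # invalid: octet out of range
    "2001:db8::1/32",     # invalid: host bits set (IPv6)
]

if __name__ == "__main__":
    for f in check_exclude_routes(SAMPLE_ROUTES):
        print(f"{f['entry']}: {f['problem']}; suggested {f['suggestion']} "
              f"({f['addresses']} addresses excluded from the tunnel)")
```

The address count shows how much traffic the suggested route would send outside the tunnel, so compare it with the intended scope before accepting the suggestion.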
 


Additional Information


The same steps can be used to view the commit validation for Prisma Access remote networks as well.
