When running the CLI command show rule hit count, the following error appears: "Server error: Timed out while getting config lock. Please try again."

Created On 10/31/23 01:37 AM - Last Modified 11/02/23 02:49 AM


Symptom


  • Issuing the command show rule-hit-count xxx causes the device to become locked out and inaccessible through both the GUI and the CLI.
  • A pop-up appears with the message "No device-groups configured".
  • Login attempts with local or TACACS credentials never complete.
  • The issue is resolved by a reboot.
    PANORAMA(primary-active)> show devicegroups
    Server error: Timed out while getting config lock. Please try again.
  • On the device with the "config lock time out" condition, configd.log (less mp-log configd.log) reports the error "Could not get rule uuid for rule name":
    Error: pan_cfg_mongo_get_rule_hit_usage_stats(pan_cfg_rule_hit.c:10940): Failed to get cfg result
    Error: pan_cfg_get_show_rule_hit_rule_create_modify_ts(pan_cfg_rule_hit.c:5813): Could not get rule uuid for rule name intrazone-default on panorama
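
To check an exported configd.log or a saved CLI session for these signatures offline, the following added example (not part of the original article and not Palo Alto Networks code) parses the error lines shown above and lists the rules named in them. The function name scan and the sample text are assumptions made for illustration; the sample is constructed from the lines quoted in this article plus one unrelated line.

```python
import re
from collections import Counter

# Matches "Error: <function>(<file>:<line>): <message>" anywhere in a line,
# so any prefix the real log puts before "Error:" does not break the match.
ERROR_RE = re.compile(
    r"Error:\s+(?P<func>\w+)\((?P<src>[\w.]+):(?P<line>\d+)\):\s+(?P<msg>.*)"
)
UUID_RE = re.compile(r"Could not get rule uuid for rule name (?P<rule>\S+)")
LOCK_MSG = "Timed out while getting config lock"

# Constructed sample: the errors quoted in the article plus one unrelated line.
SAMPLE = """\
Error: pan_cfg_mongo_get_rule_hit_usage_stats(pan_cfg_rule_hit.c:10940): Failed to get cfg result
Error: pan_cfg_get_show_rule_hit_rule_create_modify_ts(pan_cfg_rule_hit.c:5813): Could not get rule uuid for rule name intrazone-default on panorama
Info: constructed unrelated line
Server error: Timed out while getting config lock. Please try again.
"""


def scan(text):
    """Summarise the article's error signatures found in log or CLI text."""
    rule_hit_errors = []      # (function, source line) from pan_cfg_rule_hit.c
    rules = Counter()         # rule names reported without a UUID
    lock_timeouts = 0         # occurrences of the config lock timeout message
    for line in text.splitlines():
        if LOCK_MSG in line:
            lock_timeouts += 1
        m = ERROR_RE.search(line)
        if not m or m["src"] != "pan_cfg_rule_hit.c":
            continue
        rule_hit_errors.append((m["func"], int(m["line"])))
        u = UUID_RE.search(m["msg"])
        if u:
            rules[u["rule"]] += 1
    return {
        "rule_hit_errors": rule_hit_errors,
        "rules_without_uuid": dict(rules),
        "lock_timeouts": lock_timeouts,
        # The article ties the condition to the "rule uuid" error in configd.log.
        "matches_symptom": bool(rules),
    }


if __name__ == "__main__":
    for key, value in scan(SAMPLE).items():
        print(f"{key}: {value}")
```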

 


Environment


  • Affects PAN-OS 10.2.5 or below
  • Affects any Panorama device


Cause


Software Issue.
 


Resolution


  1. The issue is fixed under PAN-229705 in PAN-OS 11.2.0, 11.0.1, 10.2.6.
  2. Upgrading to a fixed release resolves the issue.
Workaround:
  1. Disable the show rule-hit-count feature with the following commands:
    Pano> configure
    Pano# set deviceconfig setting management rule-hit-count no
    Pano# exit

  2. Restart the management-server.
  3. Reboot Panorama.

