In multi-VSYS configuration Push from Panorama fails with message "already in use" after PAN-OS upgrade

Created On 03/28/25 10:32 AM - Last Modified 08/08/25 21:39 PM


Symptom


  • Firewall with 2 or more VSYS.
  • One of the VSYS is not associated with a Device Group, but it was associated in the older version (10.1).
  • This firewall has shared objects being pushed from Panorama.
  • After upgrade to PAN-OS 10.2.x, the Panorama push fails with error "already in use"
  • An example of the error message is shown below.

vsys -> vsys1 -> application -> app-name 'app-name' is already in use



Environment


  • Panorama managed Firewalls
  • Multi-VSYS with at least two VSYS configured
  • PAN-OS 10.2.X


Cause


  • A new feature called 'Shared optimization' is introduced in 10.2.X.
  • Shared configuration for some objects on Panorama is pushed to the Shared section of the firewall, eliminating the need to replicate it to each VSYS.
  • Shared objects pushed to the firewall are placed under the “Panorama shared” location on the firewall instead of the “Panorama” location, so they are not replicated to each VSYS.
  • When the firewall has two or more VSYS configured and associated with a Device Group in Panorama, Panorama converts the previous config from the Panorama location to Panorama Shared and the push works fine.
  • The error message is displayed because the VSYS configuration is already present on the firewall.


Resolution


There are four possible solutions to the issue:

  1. Add the failing VSYS to a dummy device group. This action creates two VSYS instances, allowing Panorama to prepare and send the shared optimization configuration to the firewall.
  2. Rename existing objects. To obtain a complete list of objects that require renaming, use 'Validate Device Group Push' and check the output.
  3. Remove existing objects. To generate a list of objects that need removal, use 'Validate Device Group Push' and check the output. This option is only applicable if the objects are not referenced in another VSYS configuration.
  4. Modify the Device State XML file. Edit the XML from the firewall to remove the references to the already existing objects, then import this edited device state into the firewall, validate the configuration, and commit.
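For options 2 and 3, the conflicting objects can be collected from the 'Validate Device Group Push' output with a short script. The following is an added example, not code from the article or from Palo Alto Networks; it assumes the output was saved as plain text and that every conflict line has the same shape as the error shown under Symptom. The function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches the error shape shown in the article:
#   vsys -> vsys1 -> application -> app-name 'app-name' is already in use
# Assumption: other conflicts follow the same "vsys -> X -> type -> name 'name'" layout.
CONFLICT_RE = re.compile(
    r"vsys\s*->\s*(?P<vsys>\S+)\s*->\s*(?P<kind>.+?)\s*->\s*"
    r"(?P<name>.+?)\s+'(?P<quoted>[^']*)'\s+is already in use"
)

def parse_conflicts(text):
    """Return {vsys: {object_type: [names]}} for every 'already in use' line."""
    found = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = CONFLICT_RE.search(line)
        if not m:
            continue  # unrelated validation output
        name = m.group("quoted") or m.group("name")
        names = found[m.group("vsys")][m.group("kind")]
        if name not in names:  # the same conflict may be reported more than once
            names.append(name)
    return {v: dict(k) for v, k in found.items()}

def names_in_multiple_vsys(conflicts):
    """Names reported under more than one VSYS; check these by hand before removing."""
    seen = defaultdict(set)
    for vsys, kinds in conflicts.items():
        for kind, names in kinds.items():
            for n in names:
                seen[(kind, n)].add(vsys)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample: the first conflict line is the article's example, the rest are made up.
SAMPLE = """\
Validation started
vsys -> vsys1 -> application -> app-name 'app-name' is already in use
vsys -> vsys1 -> application -> custom-app-a 'custom-app-a' is already in use
vsys -> vsys2 -> application -> custom-app-a 'custom-app-a' is already in use
vsys -> vsys1 -> application -> app-name 'app-name' is already in use
Validation finished
"""

if __name__ == "__main__":
    conflicts = parse_conflicts(SAMPLE)
    for vsys, kinds in sorted(conflicts.items()):
        for kind, names in sorted(kinds.items()):
            print(f"{vsys} {kind}: {', '.join(names)}")
    print("reported in several VSYS:", names_in_multiple_vsys(conflicts))
```

The second function only compares the conflict list itself; whether an object is referenced by policy in another VSYS still has to be checked on the firewall before using option 3.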


Additional Information


The shared optimization feature works fine without errors in the following cases:

  • Firewall has only one VSYS.
  • Firewall has two VSYS, one of which is not associated with a Device Group and was not associated with any Device Group in the past, so it has no shared objects for that VSYS.
  • Firewall has more than two VSYS associated with Device Groups.
