Commit Push fails with message "Error: Failed to get policy objects: NO_MATCHES(Module: useridd)".

Commit Push fails with message "Error: Failed to get policy objects: NO_MATCHES(Module: useridd)".

4845
Created On 11/08/23 04:54 AM - Last Modified 06/11/25 21:02 PM


Symptom


  • After performing a private data reset on a managed device,
  • Attempting to push a configuration to a managed device using Panorama fails with the following error:
  • The error message can be seen in the configd.log in Panorama.
  <errors>
    <line>Error: Failed to get policy objects: NO_MATCHES(Module: useridd)</line>
    <line>client useridd phase 1 failure</line>
    <line>Commit failed</line>
  </errors>
  • The devsrv.log in a managed device also display error.
2023-11-07 20:37:39.398 +0900 Error:  pan_util_file_to_buf(pan_util.c:338): Error 2. open('/opt/pancfg/mgmt/Device Security/global/global_Device Security.xml') failed
2023-11-07 20:37:39.398 +0900 Error:  pan_devid_build_device_tree(pan_devid_cfg.c:133): reading predefined xml failed : /opt/pancfg/mgmt/Device Security/global/global_Device Security.xml
  • The devsrvr on the corresponding process is crashing.
> show system files

/opt/panlogs/cores/:
total 4.0K
drwxr-xr-x 2 root root 4.0K Nov  7 19:44 crashinfo

/opt/panlogs/cores/crashinfo:
total 0

/var/cores/:
total 78M
drwxr-xr-x 2 root root 4.0K Nov  7 20:36 crashinfo
drwxr-xr-x 2 root root 4.0K Nov  7 20:37 crashjobs
-rw-r--r-- 1 root root  78M Nov  7 20:45 devsrvr-20231107203654-10.2.4-h4.tar.gz

/var/cores/crashinfo:
total 64K
-rw-rw-rw- 1 root root 63K Nov  7 20:37 devsrvr-202311073654-10.2.4-h4.info

Environment


  • PA-Series Next-Generation Firewall
  • Panorama
  • PAN-OS 10.2.4-h4

Cause


  • The device-dictionary file was deleted by private-data-reset. 
> show system info
<snip>
device-dictionary-version: 0
device-dictionary-release-date:
  • Files are deleted, the following file is not found, and configuration push fails on managed devices.
'/opt/pancfg/mgmt/Device Security/global/global_Device Security.xml'


 

Resolution


  1. The device-dictionary files cannot be manually downloaded and installed. It will be run by Cron at around every 2hours
  2. Manually configure the mgmt interface and execute the Retrieve License.
  3. After that wait for at least 2 hours while being able to connect externally.
    Device Security update logs will be output to the system log (show log system) as below. 
'Device Security version 102-448 downloaded by Auto update agent' 
  1. If the download fails, Check whether access to the URL below is permitted.
updates.paloaltonetworks.com
proditpdownloads.paloaltonetworks.com


 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Xh9ZCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail