Commit Error With Reason "Error: Error unserializing profile objects ; failed to handle CONFIG_UPDATE_START"
27796
Created On 10/31/22 13:04 PM - Last Modified 04/13/24 00:06 AM
Symptom
- Migration from a PA-3000 or above series firewalls to a PA-400 series (PA-460, PA-450, PA-440, PA-410)
- Commit or a content installation fails with the following error.
Details: Error: Error reading tom data
failed to handle CONFIG_UPDATE_START
(Module: device)
client device phase 1 failure
Commit failedEnvironment
- Platform : PA-400 series (PA-460, PA-450, PA-440, PA-410)
- PAN-OS less than 10.1.7
Cause
- This error typically indicates that the configuration memory available is insufficient to commit the changes/configuration to the dataplane.
- The dataplane configuration memory statistics can be identified using "debug dataplane show cfg-memstat statistics" command. This shows "VSYS Config Allocator Usage" shows closer to 100% used.
> debug dataplane show cfg-memstat statistics
Policy cache usage threshold = 100%
VSYS Config Allocator Usage : 76544KB (96% of 78976 KB)
Current config memory usage
Misc : 10368 KB (Actual 10191 KB)
Custom URL : 18048 KB (Actual 17925 KB)
Global : 6400 KB (Actual 6362 KB)
vsys1 : 2944 KB (Actual 2676 KB)
-
In a PA-400 series device, the allotted dataplane memory was 78976KB which is similar to a PA220. When such a configuration is migrated from a PA-3000 series firewall to a PA-400 series, the commit fails due to insufficient config-memory.
Resolution
- Upgrade the PAN-OS to 10.1.7 or higher.
- In 10.1.7 , the memory allocated for DP configuration has been increased to 488576KB which 6 times more.
> debug dataplane show cfg-memstat statistics
VSYS Config Allocator Usage : 39552KB ( 8% of 488576 KB)Additional Information
For PA-400 series: refer to related the SW issue PAN-198509 fixed in 10.1.7, 10.2.6, 11.0.3 and later releases.