Commit Fails in Panorama locally with Validation Errors related to "sdwan-link-settings unexpected here".

Commit Fails in Panorama locally with Validation Errors related to "sdwan-link-settings unexpected here".

654
Created On 12/09/22 16:53 PM - Last Modified 11/12/25 23:47 PM


Symptom


  • Unable to commit the local changes on Panorama after downgrading from 10.1.4-h2 to PAN-OS 10.0.9.
  • After the downgrade, errors were with all templates related to "sdwan-link-settings unexpected here".
  • After removing tags for "sdwan-link-settings" from the config file, commit still fails and shows no errors in job. pl-mdb-update process shows in continuous restarting status with Exit Code:1
  • While performing the commit locally in the panorama observed the below validation error:
Validation Error:

devices -> localhost.localdomain -> template -> DE-MUNCH1-HB-FW-EXT-T-FBMD -> config -> devices -> localhost.localdomain -> network -> interface -> ethernet -> ethernet1/19 -> layer3 -> units -> ethernet1/19.3 -> sdwan-link-settings unexpected here

devices -> localhost.localdomain -> template -> MXNO-SO-FW-EXT-WH_NEW_T -> config -> devices -> localhost.localdomain -> network -> interface -> aggregate-ethernet -> ae3 -> layer3 is invalid


  • With 10.0.0, after an interface is enabled layer3, the config became:



admin# show network interface ethernet ethernet1/1
ethernet1/1 {
  layer3 {
    ndp-proxy {
      enabled no;
    }
    lldp {
      enable no;
    }
  }
}


  • With 10.1, the generated config was:


admin# show network interface ethernet ethernet1/5
ethernet1/5 {
  layer3 {
    ndp-proxy {
      enabled no;
    }
    sdwan-link-settings {
      upstream-nat {
        enable no;
        static-ip;
      }
      enable no;
    }
    lldp {
      enable no;
    }
  }
}

Environment


  • Panorama M-600
  • Affected PAN-OS:- 10.0.9


Cause


  • When the feature "upstream-nat" was enabled in the Seattle MR, the "sdwan-link-settings" node was added automatically for all interfaces except vlan. So the AEs, AE subinterfaces and ethernet subinterfaces all have the "sdwan-link-settings" node added for the configuration automatically.
  • Earlier downgrade script for SDWAN AEs, AE subinterfaces and ethernet subinterfaces is based on the assumption that SDWAN configuration would only be added with the customer's action.
  • The downgrade script would prevent the downgrade from happening if the SDWAN configuration for AEs, AE subinterfaces and ethernet subinterfaces exists, and it requires the user to manually remove the related sdwan configuration and run the downgrade after that, which avoids removing the configuration without the customer's notice.
  • However, with "sdwan-link-setting" automatically added, it broke the above assumption. The ideal fix is to not have "sdwan-link-setting" automatically added, but it appears UI requires it.

Resolution


  • Fix Version - 10.2.2, 10.1.8
  • As a workaround, you can resolve the issue by restarting the process with the following command.
    >debug software restart process web-backend-cms
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kFYpCAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail