Unable to push configs from Panorama to Managed Firewall or to Prisma Access

Unable to push configs from Panorama to Managed Firewall or to Prisma Access

7315
Created On 07/01/21 14:25 PM - Last Modified 02/21/24 03:43 AM


Symptom


  • Commit from Panorama to Managed Firewalls
  • Commit error message "Commit job not queued as platform limit for commit queue was reached" Maximum commit queue length is xx" (xx varies according to platform)
  • On Panorama managed Prisma Access error message "Job status query timeouts” message is displayed.
  • System logs (show log system) display the same message.
high general general 0 Commit job not queued as platform limit for commit queue was reached.Maximum commit queue length is 10
  • On the firewall, CLI command "show jobs all" displays the commit jobs in queue
Enqueued Dequeued ID PositionInQ Type Status Result Completed 
----------------------------------------------------------------------------- 
2021/06/25 16:04:25 44984 1 Antivirus QUEUED PEND 0% 
2021/06/26 03:34:06 44986 2 Content QUEUED PEND 0% 
2021/06/24 11:00:05 44972 3 CommitAll QUEUED PEND 0% 
.....

 

Environment


  • Panorama managed Firewalls
  • PANOS - 9.0 and above
  • Panorama managed Prisma Access

Cause


  • The number of commit jobs pending is higher than the commit queue length.
  • Example, if commit queue length is 10, first 10 commit jobs can be accepted and 11th or later commit jobs will be denied with the above error message.
  • Commit queue length varies across firewall models.

Resolution


  1. Wait for the commit jobs to be completed before sending another commit job.
  2. If the commit jobs are stuck and not getting cleared, one can use the following method to clear the jobs.
  3. On the firewall, Restart the management server, device server and check for the pending jobs
> debug software restart process management-server
> debug software restart process device-server 
> show jobs all
  1. On the Panorama restart the config services
> debug software restart process configd 
> show jobs all
  1. Perform another fresh commit-all locally on the firewall initially to check the behavior from the CLI running the command
> configure 
# commit force
# exit
  1. If the commit force from firewall was successful, Try a "commit push" from panorama.
  2. If the issue is not resolved or if the issue is seen several times, contact Support for assistance.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oMGLCA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail