AIOps Alert "Process Memory Depletion - Configd"

• Palo Alto Firewalls
• Supported PAN-OS
• AIOps

• Collect the following Troubleshooting Data and open a Support Case.
• After data is collected, Follow the Mitigation Steps to bring down the memory usage of configd till Support can analyze the data. 

Troubleshooting Data:

1. Collect Tech Support File  (GUI: Device > Support  Click Generate Tech Support File)

2. Generate a trace file using the following CLI command

debug software trace configd

3. Generate a core file using following command

debug software core configd

4. Collect the Device State (GUI: Device>Setup>Operations- Export: Export device state)
5. Export the core file  (How To Export Core Files From A Palo Alto Networks Device)
6. Gather data below from AIOps
   1. Check the dates indicated by AIOps as to when the memory depletion started.
   2. Check if there were any config modifications, PANOS upgrades/downgrades, or any other changes performed around the time that might have triggered this behavior.
7. (Optional) If performing Mitigation Steps below, collect another Tech Support File after completing steps
8. Open a case with the above data.
    

Mitigation Steps:

1. Till the issue is resolved, you can restart the configd process that is consuming excessive memory.
2. Prior to PAN-OS 10.1, configd is only available on Panorama.
3. Starting from 10.1, configd is also available on firewall as well

Option 1 (Standalone Device)

1. Save and export the candidate config.
2. Save and export the current configuration
3. Perform a full commit
4. From CLI to restart the process run: 

   debug software restart process configd 

   Note: This will cause the loss of access to CLI and GUI for few minutes.
5. (For devices on 10.0.X or 10.1.X) Restart the device-server debug software restart process device-server

Option 2 (Device in Active/Passive HA)

1. Disable "Preemptive" mode (GUI: Device > High Availability > General > Election Settings: Uncheck Preemptive )
2. Failover to the passive device (From Active Device: Device > High Availability > Operations > Click Suspend local device)
3. Restart configd from the CLI from the now Suspended device (debug software restart process configd)
4. From CLI run show management-clients to ensure that all processes have started succesfully.

> show management-clients
              Client PRI    State Progress
-------------------------------------------------------------------------
            ha_agent  25     init        0
              sslmgr  10     init        0
               authd  10     init        0
             cryptod  10     init        0
              dagger  10     init        0    (op cmds only)
                cord  10     init        0
                logd  10     init        0    (op cmds only)
             reportd  10     init        0    (op cmds only)
             useridd  10     init        0
        distributord  10     init        0
                iotd  10     init        0
Overall status: init. Progress: 0
Warnings:
Errors:

PAN-169173 - Fixed an issue where, if you continuously performed partial commits of a configuration with a high number of Dynamic Address Groups, Panorama became unresponsive and commits were slower than expected. (Fixed in 9.1.12)
PAN-171159 - Fixed a memory leak on the configd process on Panorama caused during multi-clone operations for rules. (Fixed in 9.1.12, 10.0.9)

PAN-259344 - Fixed an issue where performing a configuration commit on a firewall locally or from Panorama caused a memory leak related to the *configd* process and resulted in a out-of-memory (OOM) condition. (Fixed in 10.2.10-h2)