What to check when observing "Config push is blocked to <serial number> in tenant <tenant id>. Reason: Routing stack mode of the device doesn't match the one for the tenant" while onboarding PA-Series Next-Generation Firewalls
3600
Created On 05/28/24 06:40 AM - Last Modified 07/11/25 20:15 PM
Question
What to check when observing the following error message while onboarding PA-Series Next-Generation Firewalls.
Config push is blocked to <serial number> in tenant <tenant id>. Reason: Routing stack mode of the device doesn't match the one for the tenant
Environment
- Strata Cloud Manager
- PA-Series Next-Generation Firewalls
- Supported PAN-OS versions (Onboarding to Strata Cloud Manager is supported for firewalls running PAN-OS 10.2.3 and later releases)
Answer
This error occurs when the advanced-routing feature is turned off. To resolve this, the feature can be enabled through the CLI (Command-Line Interface) by following the steps provided below.
- Make sure if advanced-routing is turned on from CLI.
> show system info | match model\|sw-\|advanced-routing hostname: PA-415-5G sw-version: 11.1.2-h3 advanced-routing: off <<<---!!!
- If the result shows "advanced-routing: off," enable advanced-routing using the CLI command provided below.
> configure # set deviceconfig setting advance-routing yes
- Commit the change.
# commit
- Reboot the device.
# run request restart system
Additional Information
Onboard a Firewall
https://docs.paloaltonetworks.com/ngfw/administration/onboard-devices-and-deployments/onboard-your-devices/onboard-a-firewall