Saturday, July 17, 2021

Palo Alto firewall - "Timed out while getting config lock. Please try again"


When you access the firewall through the GUI (web browser), you get the error message below and cannot log in.

"Timed out while getting config lock. Please try again."

You should be able to ssh into the firewall. However, you still get the error message when you execute CLI commands.

admin@firewall> show admins

Server error : Timed out while getting config lock. Please try again.


The first thing you can try is restarting the management server by running the command below:

debug software restart process management-server

If the issue is still seen, reach out to Palo Alto TAC while referencing the following article for further troubleshooting.

What command can resolve the error message "Timed out while getting config lock. Please try again"? (PAN login required)

The restart command can itself fail with the same error:

admin@firewall> debug software restart process management-server

Server error : Timed out while getting config lock. Please try again.


After you open a case, you will need a TAC engineer who has root permission. Some outsourced TAC engineers don't have root access.

The Palo Alto TAC engineer should execute the following steps. The debug tac-login command is intended only for use by a TAC engineer, and access is restricted outside of TAC.


admin@firewall> debug tac-login challenge
Please use the following string as your challenge:

PTAHMf4y4ThkMHMxJjL9MF4yNTGYOJA4VXykOfEuRTGwLhA58gDTAVunJf

admin@firewall> debug tac-login response
Please enter challenge response (^C to cancel):
-----BEGIN RESPONSE-----
hzBnciA3W00YL0E8mbMQLDtXLfL4Ka9bCNasT3Uaz+IluQFZ8STtHToGRxVCWu0tunTi2l/BoqRsgbx7TveCZytKhlCzb9qugHrwR18hUe6FOFV+jPSCtiMeIxMTWN7YfUs+SP1kdeQJU/UySFd
QA1rEAnHW7lruZsXqurTvxMsKY6FeKXHgKHEjp1MCJ66hEE0Rmk0M//psUCQ5p4NmdSBw5rtPCavyNxmGus/UpZ+ASroGuv/W+t9nMppIg3wVsetL/rNeWlb1EyamtldUhXnSD8PGh+oVEMU/Wnhdoa89T9Jc1ZiM4Iw9kKlNhgoMxidxZ2szwb7D4Q==
-----END RESPONSE-----

* The challenge and response codes above are modified and scrambled, so they are not the real ones.


[root@firewall~]# << TAC now has root access on Linux

Your TAC engineer can restart the management-server process on Linux with root access.

[root@firewall~]# masterd mgmtsrvr restart
Process 'mgmtsrvr' executing RESTART



Your ssh session will be disconnected.

[root@firewall~]# Connection to 192.168.1.1 closed.

After some time, you should be able to access the firewall via GUI and execute CLI commands without the error message.

admin@firewall> show admins
Admin      From            Client Session-start  Idle-for
--------------------------------------------------------------------------
admin      192.168.1.42    CLI    07/23 19:29:10 00:00:00s


