5 Replies Latest reply on Apr 8, 2015 11:51 AM by johnsrs

    Support license expired - are policy changes prohibited?

    johnsrs

      Sidewinder 8.1.3:  license is non-expiring, but support expired 6 months ago.

      I cannot make a change to an existing policy.  The error is:

      Administrator: System

      Conflict:  An object referenced by Network group <>

      Message:  Another administrator has made changes which conflict with your changes.  Your changes have been lost?
      I tried making the change on 30 Mar 2015, but the conflict message is dated 12 Mar 2015.  March 12, 2015 is 184 days after support ended.

      Or is this totally unrelated to licensing and support?

      I created a host network object and saved the configuration.  When I tried putting it into a netgroup (which was used in a policy) I got the above error and Sidewinder deleted the host I had created.

        • 1. Re: Support license expired - are policy changes prohibited?
          sliedl

          The Support license-feature does not prevent you from Saving changes to the policy if it has expired.


          Try this command:

          $> cf policy repair

          • 2. Re: Support license expired - are policy changes prohibited?
            johnsrs

            "cf policy validate" shows no errors. I will try the cf policy repair command in a test lab before trying in production.  Any cautions when using cf policy repair?  I'm concerned about its deleting the policy database and restoring.  Can this command be executed while the firewall is up?  Where does it restore the policy database from?  Thanks for the quick response to my initial question!

            • 3. Re: Support license expired - are policy changes prohibited?
              sliedl

              The command should not cause any traffic issues on the firewall.  The 'cf' database is compiled into some format that ACLd uses to process your rules; this command will cause the firewall to 'redo' the compilation.


              A reboot of the firewall will fix the problem with conflicting changes.  We don't really ever see that message here in Support so I am not sure why you're getting it.  If you pasted the entire error message there may be more information there that we could investigate further.  The version you are at is very old but since the Support-license is expired you are unable to upgrade, which is what I would recommend here.

              • 4. Re: Support license expired - are policy changes prohibited?
                johnsrs

                We're actually on 8.3.1. I had reversed the digits.  We've renewed our contract so will be updating. Our immediate issue seems to be that our cluster is broken which is preventing updating a policy.  The GUI shows that only one of our two firewalls is in the cluster pair.  It is listed as the primary.  The second is shown as not in the cluster.  However, the command line cluster status shows both as primary and that the failover daemon is not running on the second firewall.  We will reboot at our next scheduled outage.

                • 5. Re: Support license expired - are policy changes prohibited?
                  johnsrs

                  Reboot of the malfunctioning Sidewinder in the cluster let the Sidewinder rejoin the cluster.  This allowed a network object to be created and the policy edited.