Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
kamilazat
Collaborator

Policy installation failure due to expired time objects

Hello all!

In R81.10 JHF Take 150, the policy package that gets installed on a cluster fails with the error message below.

"Some Access rules have time objects that are expited at least 2 days ago and were not loaded to the GW. See sk155253 for more details."

Policy debug script did not give us anything other than the same message. sk155253 suggests cleaning the relevant rules, understandably.

After several installation trials the policy gets installed. Until the successful installation, no changes are being made other than repeatedly trying to install policy.

I tried replicating the issue on a lab with the same version and hotfix, but I can install policy with expired rules successfully every single time. So I have 2 questions at this point.

1. Is policy installation failure when there are expired rules an expected behavior, or should I look deeper into the system for other issues that may have caused the failure?

2. We plan to delete the time objects and disable the relevant rules temporarily, do expired time objects render a rule as if it is disabled, or are there nuances to it?

 

Cheers!

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

Unlikely that expired Time objects are the cause of the issue.

Having one or more rules with expired Time objects should not cause a policy installation failure unless EVERY rule in the policy has an expired Time object (which sk155253 states).
Rules with expired Time objects will function similar to how "Disabled" rules behave (i.e. they'll be ignored).

0 Kudos
the_rock
Legend
Legend

That should be easy to fix. Just navigate to below and delete whats expired, install policy, will work 100% 🙂

Andy

 

whatever is in red, make sure its not used, delete, install policy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

Screenshot_3.png

0 Kudos
kamilazat
Collaborator

@the_rock thank you for the answer. Right now what's more important is to understand why the policy installation fails. I tried messing with the rules in my lab to make it fail, but it turned out to be pretty resilient 🙂

For what it's worth, we opened a TAC ticket to investigate further.

0 Kudos
the_rock
Legend
Legend

Hey bro,

I believe from the sk, its fairly clear why it would fail. For sure sounds like its because of the expired time object. I even replicated this in R81.20 and R82 labs myself.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events