200106 - Failed to Delete Address Object

This error indicates that the Knocknoc agent was unable to delete an address object from the Palo Alto Networks firewall during access revocation. This error occurs when using Active mode, where Knocknoc directly manages address objects and address groups on the firewall.

This error typically occurs when:

  • The address object is still referenced by another configuration element on the firewall (e.g., a security policy rule, NAT rule, or another address group not managed by Knocknoc)
  • A configuration lock held by another administrator is preventing changes
  • Network connectivity issues prevented the request from completing successfully

Steps to Resolve

Check for External References to the Address Object

PAN-OS will not allow deletion of an address object that is still referenced by other configuration elements. If the address object was manually added to security policies, NAT rules, or other address groups outside of Knocknoc, those references must be removed first.

Such references can only have been created through manual intervention.

  1. Log into Panorama or the firewall's web interface
  2. Navigate to Objects > Addresses within the appropriate device group or vsys
  3. Locate the address object (named auto-<username>-<ip>)
  4. Check if the object is referenced by any security policies, NAT rules, or other address groups beyond the one managed by Knocknoc
  5. Remove any external references to the address object, then allow Knocknoc to retry the revocation
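
The same reference check can be run offline against an exported configuration file. The script below is an added example, not Knocknoc or Palo Alto code; the sample configuration, the object name auto-alice-203.0.113.10 and the managed group name knocknoc-ssh are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported PAN-OS configuration (not from a real device).
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address><entry name="auto-alice-203.0.113.10"><ip-netmask>203.0.113.10/32</ip-netmask></entry></address>
<address-group>
  <entry name="knocknoc-ssh"><static><member>auto-alice-203.0.113.10</member></static></entry>
  <entry name="legacy-admins"><static><member>auto-alice-203.0.113.10</member></static></entry>
</address-group>
<rulebase>
  <security><rules><entry name="allow-vendor">
    <source><member>auto-alice-203.0.113.10</member></source>
    <destination><member>any</member></destination>
  </entry></rules></security>
  <nat><rules><entry name="inbound-dnat">
    <destination-translation><translated-address>auto-alice-203.0.113.10</translated-address></destination-translation>
  </entry></rules></nat>
</rulebase>
</entry></vsys></entry></devices></config>"""


def find_external_references(config_xml, object_name, managed_group):
    """List config paths that use object_name, ignoring the Knocknoc-managed group."""
    hits = []

    def walk(elem, parent_tag, path):
        name = elem.get("name")
        path = path + [elem.tag + (f"[{name}]" if name else "")]
        if parent_tag == "address-group" and name == managed_group:
            return  # the one reference Knocknoc itself is expected to remove
        # Compare element text rather than only <member> tags: a NAT rule's
        # translated-address holds the object name directly.
        if (elem.text or "").strip() == object_name:
            hits.append("/".join(path))
        for child in elem:
            walk(child, elem.tag, path)

    walk(ET.fromstring(config_xml), None, [])
    return hits


if __name__ == "__main__":
    for ref in find_external_references(SAMPLE, "auto-alice-203.0.113.10", "knocknoc-ssh"):
        print("still referenced by:", ref)
```

Every path it reports is a reference that must be removed before the address object can be deleted.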

Check for Configuration Locks

Another administrator or management session holding a configuration lock will prevent the agent from deleting the address object:

  1. Log into the firewall or Panorama web interface
  2. Check for any pending configuration locks by navigating to the lock icon in the top bar
  3. Release any locks that are no longer needed

Figure: Palo Alto configuration lock

Check Network Connectivity

Verify that the agent can reach the firewall or Panorama management interface:

  1. Confirm the hostname or IP address in the backend configuration is correct
  2. Verify that the management port (typically 443) is accessible from the agent
  3. Check for any firewall rules or network policies that may be blocking the connection

Still Having Issues?

We can help you out. Contact us at support@knocknoc.io.