Troubleshooting errors: Error: ERROR: Failed to modify POLICY <Policy_name>#<id>. Error: ERROR: POLICY version <Policy_name>#<id> is already finalized. Fatal: Failed to execute GeneralEvent. ERROR MESSAGE: Event execution failed

Document ID : KB000019087
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

This error is usually obtained when trying to modify a Policy for which a newer version existed, but which was undeployed. The reason for the problem is that the newer version was never totally removed from the Policy Database and it leaves in one or more of the GPOLICY, DEPLOYMENT or GDEPLOYMENT records. This document describes how to totally remove the previously partially removed version so that it can either be redeployed or an updated version be created.

Solution:

For the sake of simplicity we will assume that Policy_name#01 is the policy version we are trying to modify, to deploy again to certain endpoints. Following deletion of Policy_name#02, and on attempting modification of Policy_name#01, the error indicated above is obtained, so that now it is impossible to deploy a new version of the policy to the endpoints.

To solve the problem, follow these steps. Repeat them at the DMS, DH and endpoint

  1. Determine if there is any deployment containing Policy_name#02. Scroll the listing of sr DEPLOYMENT * for policy version Policy_name#02. Let's assume these are

    DEPLOYMENT 1390405583#918d9463-8ebe-4f34-bb13-d113fc72c5d5
    DEPLOYMENT 1390405582#918d9463-8ebe-4f34-bb13-d113fc72c5d5

  2. Find out the GDEPLOYMENT associated with the previous DEPLOYMENT records. For instance doing sr GDEPLOYMENT * and looking for any of them. Let's assume the associated GDEPLOYMENT containing both DEPLOYMENT objects is:

    GDEPLOYMENT 1390405580#918d9463-8ebe-4f34-bb13-d113fc72c5d5

  3. Determine whether the old policy version still exists in the database. To do so, do a find POLICY ('Policy_name#02')

  4. If the Policy in step #3 is found do rr POLICY ('Policy_name#02') noexit

  5. Assuming that the RULESET associated to 'Policy_name#02' is called as well 'Policy_name#02', do rr RULESET ('Policy_name#02') noexit

  6. Repeat the rr selang command for the DEPLOYMENT and GDEPLOYMENT objects listed in steps 1 and 2

  7. Do a sr GPOLICY Policy_name and make sure it contains no reference to policy #02. Should it still contain the reference do a er GPOLICY Policy_name mem-('Policy_name#02')

This process needs to be done at the DMS and also at the DH and endpoint to make sure the information is consistent across ControlMinder objects.

This same procedure is valid when attempting to modify a ruleset returns a similar message error reporting it is already finalized.