https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516414#M434 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221866">@GabrielePiccini</a> ,</P> <P>Are both firewalls currently managed by Panorama?</P> <P>Are both firewalls receiving configuration from Panorama - are both assigned to same templates/device-group?</P> <P>Are you using management interface for HA1? Are there any other PAN firewalls in the same network?</P> <P>Are you able to login to the firewall while it is "down"?</P> <P>&nbsp;</P> <P>One of the possible think I am imagine is that when enabling the HA, firewalls are trying to sync the config - if "Enable Config Sync" is enabled. This option will sync firewalls local config, Panorama pushed config is not synced between HA members - Panorama always push config to each member in the HA separately. So it is possible that syncing local config to actually telling the firewall to remove everything (since the local config is empty and everything is pushed from Panorama). </P> <P>This could explain why FW loose connectivity with Panorama - assuming it is reaching it over OOB network, not passing over dataplane.</P> <P>&nbsp;</P> <P>Another option would be that firewall is detecting another PAN HA cluster - if HA Group ID is the same. For that reason firewall is going to either non-functional or passive state and stop processing traffic.</P> Thu, 29 Sep 2022 22:03:33 GMT aleksandar.astardzhiev 2022-09-29T22:03:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516340#M431 <P>Hello,</P> <P>&nbsp;</P> <P>we have a few PA440 clusters where we are unable to activate HA. Software version is 10.1.6-h6.</P> <P>&nbsp;</P> <P>As soon as we enable HA on first node, everything goes down (including internet access) and then the config gets rolled back (due to lost connectivity to panorama).</P> <P>&nbsp;</P> <P>I cannot seem to find any hint in the system logs.</P> <P>&nbsp;</P> <P>Has this happened to anyone?</P> Thu, 29 Sep 2022 08:53:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516340#M431 GabrielePiccini 2022-09-29T08:53:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516414#M434 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/221866">@GabrielePiccini</a> ,</P> <P>Are both firewalls currently managed by Panorama?</P> <P>Are both firewalls receiving configuration from Panorama - are both assigned to same templates/device-group?</P> <P>Are you using management interface for HA1? Are there any other PAN firewalls in the same network?</P> <P>Are you able to login to the firewall while it is "down"?</P> <P>&nbsp;</P> <P>One of the possible think I am imagine is that when enabling the HA, firewalls are trying to sync the config - if "Enable Config Sync" is enabled. This option will sync firewalls local config, Panorama pushed config is not synced between HA members - Panorama always push config to each member in the HA separately. So it is possible that syncing local config to actually telling the firewall to remove everything (since the local config is empty and everything is pushed from Panorama). </P> <P>This could explain why FW loose connectivity with Panorama - assuming it is reaching it over OOB network, not passing over dataplane.</P> <P>&nbsp;</P> <P>Another option would be that firewall is detecting another PAN HA cluster - if HA Group ID is the same. For that reason firewall is going to either non-functional or passive state and stop processing traffic.</P> Thu, 29 Sep 2022 22:03:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516414#M434 aleksandar.astardzhiev 2022-09-29T22:03:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516445#M438 <P>Hello,</P> <P>&nbsp;</P> <P>Are both firewalls currently managed by Panorama? YES</P> <P>Are both firewalls receiving configuration from Panorama - are both assigned to same templates/device-group? YES</P> <P>Are you using management interface for HA1? Are there any other PAN firewalls in the same network? NO, DEDICATED ONE. NO OTHER DEVICES ON NETWORK</P> <P>Are you able to login to the firewall while it is "down"? YES, VIA PUBLIC IP ADDRESS</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I also tried with "sync config" off. No matter what, even if firewall 2 has HA disabled, enabling HA on firewall 1 brings everything down.</P> <P>&nbsp;</P> <P>Also , this occured on another installation (so it's not hardware related).</P> <P>&nbsp;</P> <P>Thanks for reply</P> Fri, 30 Sep 2022 06:46:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516445#M438 GabrielePiccini 2022-09-30T06:46:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516723#M447 <P>We finally managed to enable HA by starting from the secondiary node. Really strage.</P> Tue, 04 Oct 2022 08:36:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/paloalto-ha-probem/m-p/516723#M447 GabrielePiccini 2022-10-04T08:36:53Z