Unable to Login on Secondary Device in Active Passive HA Using Superuser

Mebinbaby — Tue, 11 Mar 2025 04:56:16 GMT

Hello Team,

We are currently facing an issue with logging into the secondary firewall in an Active-Passive HA setup using any superuser credentials other than the admin credentials.

When we create a new superuser account or make changes on the active firewall, they are successfully replicated on the passive firewall, indicating that HA synchronization is working properly. However, we are unable to log in to the secondary device using any superuser credentials.

We are not using any authentication profile, and after checking the system logs, we found no entries related to credentials or authentication.

Additionally, we have tried performing a hard reboot of the secondary firewall, but the issue persists.

Has anyone encountered a similar issue? Kindly assist with possible resolutions or troubleshooting steps based on your expertise.

Thank you in advance for your support.

Re: Unable to Login on Secondary Device in Active Passive HA Using Superuser

TomYoung — Tue, 11 Mar 2025 12:36:53 GMT

Hi @Mebinbaby ,

That is a good one. The only possibility that I can think of is that the master key was configured on the active NGFW, but not the passive. The master key encrypts passwords and is not synced between HA pairs and must be configured locally. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization

Since your configuration is safely saved on the active NGFW, you can factory reset the passive. Configure HA, and sync the configuration again. You will still need to configure the master key on the passive if it was changed.

Thanks,

Tom

topic Re: Unable to Login on Secondary Device in Active Passive HA Using Superuser in Next-Generation Firewall Discussions

Unable to Login on Secondary Device in Active Passive HA Using Superuser

Re: Unable to Login on Secondary Device in Active Passive HA Using Superuser