topic Re: Active Active HA Out of Sync due to invalid interface address commit failed. in Next-Generation Firewall Discussions

Active Active HA Out of Sync due to invalid interface address commit failed.

N.Gibson577756 — Mon, 22 Jun 2026 15:08:06 GMT

Our customer has 2 PA-3420's running in Active Active HA which are currently out of sync.

All criteria on the HA widget matches across the two devices.

When we attempt to sync to peer from the active-primary we get a commit failure on the active secondary stating:

invalid interface address XXX-XXX-XXX-XXX-30(Module: routed)

client routed phase 1 failure

Commit failed.

Can anyone tell me why this is? The address stated in the error message is currently configured to a sub interface on the active secondary.

All dataplane interface IP's across the two devices do not match.

Kind Regards

Nathan Gibson

Re: Active Active HA Out of Sync due to invalid interface address commit failed.

kiwi — Tue, 23 Jun 2026 09:20:10 GMT

Hi @N.Gibson577756 ,

I've seen this happen because of a timing issue in the commit validation process.

The interface configuration requires an immediate, validated IP address. When it encounters the name of a new, uncommitted address object, the system fails to resolve it because the object has not yet been formally saved to the configuration database. This triggers the "Invalid IP" error and causes the commit to fail.

The solution there was doing a two-stage commit. We must ensure the address object exists in the configuration *before* assigning it to an interface.

Stage 1: Create and Commit the Object - First, create the new address object with its corresponding IP address. Perform a commit.

This action validates the new object and adds it to the firewall's configuration database. At this point, the firewall "knows" that your new object name represents a valid IP address.

Stage 2: Assign the Object and Commit Again - Now that the address object is a recognized part of the running configuration, you can assign it to the network interface and perform a second commit.

This time, when the validation process checks the interface, it will successfully look up the object name, find the corresponding IP address in its database, and the commit will pass without error.

This two-step process "pre-registers" the address object, making it available for the firewall to use in more sensitive configuration areas like interface IP assignments.

Hope this helps,

Re: Active Active HA Out of Sync due to invalid interface address commit failed.

N.Gibson577756 — Tue, 23 Jun 2026 14:57:11 GMT

Hi Kiwi,

Thank you for your response thats good to know, unfortunately in this situation the address object and interface where the address object is assigned are already part of the running configuration, would you suggest we remove the address object and enter the address manually for the interface to see if this succeeds?

Kind Regards