Panorama HA sync between on-prem and cloud VM Series

bpride — Wed, 12 Feb 2025 00:01:05 GMT

Hello,

If you deploy Panorama VM with 1 active instance on-premises and 1 passive instance in the cloud, you might encounter issues with HA Sync when enforcing the permitted IP address restriction on the Panorama management interface.

Panorama Management IP address

pan-on-prem - 10.10.10.10

pan-on-cloud - 20.20.20.10

Let's assume that for High availability setting, we use the Management interface IP address to communicate between Active and Passive Panorama instances.

HA sync between the active and passive Panorama will not function as expected after applying the permitted IP address restriction in the Management Interface Settings under Panorama --> Setup --> Interfaces --> Management, even if the management IP address of both Panorama is included in the permit list on both Panorama instances.

set deviceconfig system permitted-ip 10.10.10.10/32 description pan-on-prem

set deviceconfig system permitted-ip 20.20.20.10/32 description pan-on-cloud

set deviceconfig system permitted-ip <rest-of-the-ips> description all-other-ips

Issue: HA sync failure

Symptoms:

On Active Panorama

Running config: Not Synchronized

App version : unknown

Antivirus version: unknown

Plugin vm_series: unknown

On Passive Panorama

Running config: Not Synchronized

App version : Mismatch

Antivirus version: Mismatch

Plugin vm_series: Mismatch

Solution:

Modify the Panorama management interface MTU size from 1500 to 1380 on both the Panorama virtual appliances.
Commit the changes on both the Panorama virtual appliances.
HA Sync will be working as expected.

topic Panorama HA sync between on-prem and cloud VM Series in Panorama Discussions

Panorama HA sync between on-prem and cloud VM Series