topic Re: Cannot sync two machines in HA mode in General Topics

Cannot sync two machines in HA mode

luisneves — Tue, 15 May 2012 09:29:17 GMT

Hi,
Heres my case: Machine A and B was working in HA mode.Meanwhile their antivirus and threat licenses expired and we didnt renewed them. Both machines has valid and up-to-date URL filtering license.

Machine B went dead after some power problems and no longer worked anymore.

We replaced it with machine C. Registered Machine C on paloalto and installed the URL filtering license on it

Now we want to join again machine C to machine A, in HA mode.

The HA sync starts normally but is always aborted because the versions of the Threat and Antivirus on machine A is not the same on C!

the versions on the C machine are 0 (zero) (thats correct as I said we no longer renewed them and the updating of the software didnt installed them) while A machine has the expired licenses

I cannot remove or update the expired threat and Virus versions from A, and I cannot install any Threat and Virus license on C machine so I am stucked and caanot do any HA sync!

Please any clue on how do I can solve this situation?

Regards,

Luis

Re: Cannot sync two machines in HA mode

mikand — Tue, 15 May 2012 10:30:04 GMT

Sounds like you should contact your Sales Engineer.

The quickfix would of course be to get a threat license for both boxes (or a regular + HA license if that exists).

Otherwise I would try to factory reset both boxes and then import the backup of the running-config (dont forget to change its name otherwise you end up with two "running-config" :smileysilly:) - downside with this method is that you would lose the current threat db in machine A.

Does anyone know if one can import a threat db without license?

If so then perhaps your Sales Engineer could provide you with a copy of the db used in machine A.

Re: Cannot sync two machines in HA mode

luisneves — Tue, 15 May 2012 10:39:00 GMT

Hi Mikand, thanks for replying.

regarding asking for licenses:

Can I generate and use a Trial license for both machines? will this trial license OVERLAY the old expired license on the A machine? If positive, you think the trial license will not generate problems in a HA sync?

Regards, Luis

Re: Cannot sync two machines in HA mode

mikand — Tue, 15 May 2012 10:54:59 GMT

Again, contact your Sales Engineer (and dont forget to reply to this thread once you have regarding which answers your SE gave you).

According to the admin guide the recommended way regarding HA (specially when you run into problems) is to do factory reset on both boxes and configure them from scratch (again dont forget to take backup of running-config before you reset them).

The tricky part in your case is that no matter which method you use you will end up with downtime.

If downtime is no problem I would try the trial license method to get both boxes to the same PANOS aswell as same URL db and Threat db and then try to connect them using HA again. The question then is what will happen when the trial license expires (unless you load the boxes with proper licenses, mainly thinking of the threat db stuff which you dont seem to want to buy any longer?)...

Re: Cannot sync two machines in HA mode

luisneves — Mon, 28 May 2012 10:24:14 GMT

Hi Mikland, thankyou for all the tips, Ive used the factory reset method and it worked out ok, everything is in HA now

Regards,

Luis