https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67207#M39462 <P>Are you running as active-passive or active-active</P> Fri, 23 Oct 2015 13:34:14 GMT OtakarKlier 2015-10-23T13:34:14Z https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67194#M39455 Hi We have configured HA pair on our two PA-VM200 Palo alto firewall. Now IP address of my interfaces eth1/1 (inside 10.1.1.1) and eth1/2 ( out side 10.1.1.2) are showing same as primary 10.1.1.1 on both firewalls and I am getting IP confilicting error. Any idea ? Regards, Fri, 23 Oct 2015 11:30:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67194#M39455 MohammedRafiq 2015-10-23T11:30:03Z https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67197#M39456 Fri, 23 Oct 2015 19:01:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67197#M39456 pankaku 2015-10-23T19:01:23Z https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67207#M39462 <P>Are you running as active-passive or active-active</P> Fri, 23 Oct 2015 13:34:14 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67207#M39462 OtakarKlier 2015-10-23T13:34:14Z https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67212#M39466 <P>Hi Mohammed</P> <P>&nbsp;</P> <P>This could be normal behavior until you complete the configuration</P> <P>&nbsp;</P> <P>In an ActivePassive configuration (the only option available to VM series) the IP addresses used on the interfaces are shared between the two HA peers, so upon config sync the ip's should be made identical on all interfaces.</P> <P>They calculate a virtual MAC address and depending on their stance (active or passive) will respond to arp requests and process traffic etc</P> <P>&nbsp;</P> <P>to coordinate these actions, they need to be aware of eachother and how 'helathy' the other member is. if the HA configuration has not been completed, one member may not be able to see the other member yet. if the HA configuration was completed, but this issue still exists, they may not be able to 'see' eachother and coordinate HA operations</P> <P>in the case where they are not able to communicate, both sides may believe the other side is down and will assume an active role&nbsp; (we call this a split brain)</P> <P>&nbsp;</P> <P>to resolve this you should try to figure out if the config has been committed properly and the config is identical on both sides:</P> <UL> <LI>is the group ID identical</LI> <LI>is tha HA1 ip subnet configured properly</LI> <LI>is the peer ha1 IP correct on both sides</LI> <LI>are both sides running the same PAN-OS</LI> </UL> <P>on the dashboard you can open the HighAvailability widget that may help you see more clearly what could be the problem</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/937i75E33475E8C63897/image-size/original?v=mpbl-1&amp;px=-1" alt="2015-10-23_16-46-42.png" title="2015-10-23_16-46-42.png" border="0" /></P> <P>&nbsp;</P> Fri, 23 Oct 2015 14:49:30 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67212#M39466 reaper 2015-10-23T14:49:30Z https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67438#M39527 Thanks, The issue were resolved by enabling/disabling HA on Primary and secondary. The firewall is V-200 and both HA1 and HA2 ( session sync) are configured, I am not sure this will do stateful failover or not. According to PA documentation, VM series does not support stateful failover, but when you configure HA , it will not let you complete until you configure HA2 ( session Sync ) as well. Regards, Thu, 29 Oct 2015 12:16:50 GMT https://live.paloaltonetworks.com/t5/general-topics/ip-confilicting-error/m-p/67438#M39527 MohammedRafiq 2015-10-29T12:16:50Z