https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235414#M67499 <P>I have 400 rules and it takes my PA 5050 HA pair 4 minutes to sync, that seesm long to me anyone else know their sync times or what should be a reasonable time?</P> Mon, 15 Oct 2018 20:30:29 GMT jdprovine 2018-10-15T20:30:29Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235414#M67499 <P>I have 400 rules and it takes my PA 5050 HA pair 4 minutes to sync, that seesm long to me anyone else know their sync times or what should be a reasonable time?</P> Mon, 15 Oct 2018 20:30:29 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235414#M67499 jdprovine 2018-10-15T20:30:29Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235419#M67500 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>On one of my PA-5020 pairs I regularly&nbsp;saw 3-5 minute sync times with 600+ policies applied to that pair, however I also had a large amount of validation errors due to how the policies were built out. I wouldn't consider what you are seeing an unreasonable&nbsp;time period.&nbsp;</P><P>If you don't have any validation errors, or a very small amount, then I would say that's maybe slightly longer then I would expect; however this would really depend on your configuration on how much processing the firewall needs to do in the validation stage, which from my experiance is the longest part of the sync/commit process.&nbsp;</P> Mon, 15 Oct 2018 21:13:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235419#M67500 BPry 2018-10-15T21:13:00Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235472#M67518 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>So where do i check to see if I have validation errors? In the past before I upgraded to 7.1.19 the sync also would fail at times, so they recommended I upgrade from 7.1.16 which appears to have had a HA sync issue. But now that I have upgraded I want to verify that the issue I had has been resolved.</P> Tue, 16 Oct 2018 12:29:07 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235472#M67518 jdprovine 2018-10-16T12:29:07Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235583#M67537 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>So validation happens in two different places.&nbsp;</P><P>1) Validate</P><UL><LI>You can choose to validate the configuration at any time in the GUI, CLI, or API. Once the validate has finished it'll display a group of warnings if anything in the validation process triggered.&nbsp;</LI></UL><P>2) Commit</P><UL><LI>Whenever a comit is ran, the firewall will first validate the canidate-config.xml to verify that it's a valid configuration.&nbsp;</LI></UL><P>Whenever the validation process runs into issues, I've generally noticed that it takes a slightly longer time for everything to actually complete, and therefore when HA members sync the configuration this process can take slightly longer as well.&nbsp;</P> Tue, 16 Oct 2018 17:21:36 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235583#M67537 BPry 2018-10-16T17:21:36Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235595#M67542 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>Not running into any commit issues, just the sync after the commit finishes. So if there are issues with the commit why would it let the commit finish? I know it gives me some suggestions at the end of the commit sometimes when things are not 100% done the best way.&nbsp; Could it be the physical connection affecting the sync and is there a good way to test that and rule it out. TAC has no more suggestion for me other that the upgrade I did was supposed to fix it and to create a bunch of fake rules and see if I can get it to fail to sync</P> Tue, 16 Oct 2018 18:04:57 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235595#M67542 jdprovine 2018-10-16T18:04:57Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235597#M67543 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>The only time the firewall won't let you commit the configuration would be if one of the changes invalidated the configuration, meaning that the firewall is simply incapable of functioning with the proposed changes. You can make some really funky changes and it'll only give you validation warnings, but since the configuration is still technically valid it would commit those changes.&nbsp;</P><P>&nbsp;</P><P>It's possible that you could be running into retransmission errors on the physical connection. The only real way to test this however would be to use the same link and monitor for drops/retransmissions and such; depending on the setup you may be able to do this without having to disconnect the HA members.&nbsp;</P><P>&nbsp;</P><P>Really though a 4 minute sync time on a 5000 series really doesn't seem that out of the norm to me. How long does it take your primary unit to actually complete the commit process?&nbsp;</P> Tue, 16 Oct 2018 18:12:19 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235597#M67543 BPry 2018-10-16T18:12:19Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235598#M67544 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>The commit took about 45 seconds, when I had the 4 minutes sync time</P> Tue, 16 Oct 2018 18:15:00 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235598#M67544 jdprovine 2018-10-16T18:15:00Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235599#M67545 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18719">@jdprovine</a>,</P><P>That seems a little odd. Are the two units directly connected or going through some type of switch?&nbsp;</P> Tue, 16 Oct 2018 18:16:25 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235599#M67545 BPry 2018-10-16T18:16:25Z https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235602#M67546 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a></P><P>&nbsp;</P><P>they go through a switch and live in different building I have tossed around the idea of connecting them via fiber connection. I put in a ticket to make sure the issue wasn't anything else and TAC suggested there was a bug in 7.1.16 that would cause this issue so I upgraded to 7.1.19 thinking maybe it would resolve the issues. Sometime the HA sync but not alot,but the more commits you do in a row and don't wait till the sync finishes that longer it takes and then fails</P> Tue, 16 Oct 2018 18:33:03 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-sync-time/m-p/235602#M67546 jdprovine 2018-10-16T18:33:03Z