HA Configuration Out-of-Sync Due to Certificate


Issue

The passive unit in an HA pair cannot sync to the active device because it does not have a certificate. Trying to sync the certificate to the passive unit fails. Adding the certificate to the passive unit and then performing a sync-to-peer from the active unit also fails, and the passive unit deletes the newly installed certificate.

 

Resolution

Import the missing certificate into the passive unit. If the same certificate is used for options such as Forward Trust or Forward Untrust on the active firewall, make sure that the same certificate is selected with the same options on the passive device, as shown below.

Shown below is the Active Device:

[Screenshot: cert act.JPG, certificate options on the active device]

 

Shown below is the Passive Device:

[Screenshot: cert pas.JPG, certificate options on the passive device]

 

Commit

Perform a commit sync from the passive unit to the primary unit by using the following CLI command:

> request high-availability sync-to-remote running-config
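The failure mode above (the passive unit lacks the certificate, or has it but with different Forward Trust / Forward Untrust assignments) can be caught before running the sync by comparing exported configurations of the two peers. The script below is an added example and is not part of this article or of PAN-OS; it parses two constructed XML configuration snippets and reports which certificates and certificate roles differ. The element paths shared/certificate/entry and shared/ssl-decrypt/forward-trust-certificate are assumptions used for illustration, and the sample configurations are constructed, not exported from a real firewall.

```python
"""Pre-sync certificate consistency check for an HA pair (added example).

Compares the shared certificate list and the SSL decryption certificate
assignments in two PAN-OS-style configuration exports. The XML paths used
here are assumptions for illustration; verify them against a real export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the active unit holds the decryption CA and uses it
# for both Forward Trust and Forward Untrust.
ACTIVE_CONFIG = """<config>
  <shared>
    <certificate>
      <entry name="decrypt-ca"><subject>CN=decrypt-ca</subject></entry>
      <entry name="mgmt-web"><subject>CN=mgmt-web</subject></entry>
    </certificate>
    <ssl-decrypt>
      <forward-trust-certificate><rsa>decrypt-ca</rsa></forward-trust-certificate>
      <forward-untrust-certificate><rsa>decrypt-ca</rsa></forward-untrust-certificate>
    </ssl-decrypt>
  </shared>
</config>"""

# Constructed sample: the passive unit lacks the certificate, which is the
# situation the article describes (sync fails and the cert is deleted).
PASSIVE_CONFIG = """<config>
  <shared>
    <certificate>
      <entry name="mgmt-web"><subject>CN=mgmt-web</subject></entry>
    </certificate>
    <ssl-decrypt/>
  </shared>
</config>"""

# Constructed sample: passive unit after the certificate was imported and
# the same options selected, i.e. the state the resolution asks for.
PASSIVE_CONFIG_FIXED = """<config>
  <shared>
    <certificate>
      <entry name="mgmt-web"><subject>CN=mgmt-web</subject></entry>
      <entry name="decrypt-ca"><subject>CN=decrypt-ca</subject></entry>
    </certificate>
    <ssl-decrypt>
      <forward-trust-certificate><rsa>decrypt-ca</rsa></forward-trust-certificate>
      <forward-untrust-certificate><rsa>decrypt-ca</rsa></forward-untrust-certificate>
    </ssl-decrypt>
  </shared>
</config>"""

# Certificate roles that must match on both peers (paths are assumptions).
ROLE_PATHS = {
    "forward-trust": "./shared/ssl-decrypt/forward-trust-certificate/rsa",
    "forward-untrust": "./shared/ssl-decrypt/forward-untrust-certificate/rsa",
}


def cert_names(config_xml):
    """Return the set of certificate names present in the shared store."""
    root = ET.fromstring(config_xml)
    return {e.get("name") for e in root.findall("./shared/certificate/entry")}


def cert_roles(config_xml):
    """Return {role: certificate name or None} for each tracked role."""
    root = ET.fromstring(config_xml)
    roles = {}
    for role, path in ROLE_PATHS.items():
        node = root.find(path)
        roles[role] = node.text.strip() if node is not None and node.text else None
    return roles


def ha_cert_diff(active_xml, passive_xml):
    """Report certificates missing on the passive unit and role mismatches."""
    missing = sorted(cert_names(active_xml) - cert_names(passive_xml))
    active_roles, passive_roles = cert_roles(active_xml), cert_roles(passive_xml)
    mismatch = {
        role: (active_roles[role], passive_roles[role])
        for role in ROLE_PATHS
        if active_roles[role] != passive_roles[role]
    }
    return {
        "missing_on_passive": missing,
        "role_mismatch": mismatch,
        "ready_to_sync": not missing and not mismatch,
    }


if __name__ == "__main__":
    for label, passive in (("before fix", PASSIVE_CONFIG), ("after fix", PASSIVE_CONFIG_FIXED)):
        print(label, ha_cert_diff(ACTIVE_CONFIG, passive))
```

Run the check against real exports of both peers before issuing the sync command; a non-empty missing_on_passive list or any role_mismatch entry is exactly the condition under which the sync is expected to fail.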

 

See Also

High Availability Synchronization

 

owner: nayubi

Comments

The instructions in DOC-2617 worked for me, once I understood them. Perhaps I'm slow today.

It is time to renew my Certificate for Secure Web GUI on an HA pair. I was able to load the new cert on both units with no options selected, commit, and have both units in sync.

After that I selected the new cert as the secure web GUI cert on the primary unit and hit commit. I assumed that as both units had the new cert, the commit on the primary would sync with the secondary. Instead, the sync got stuck in pending mode.

The fix was to select this same cert as the secure web GUI cert on the secondary unit and then perform a commit on the secondary unit. After this the sync state showed failed, but the new cert was in place on both units. On the primary unit I performed the command request high-availability sync-to-remote running-config. After this, both units have the same secure web GUI cert and are in sync.

I post this to aid others as well as my future self. I won't remember this when the new cert expires 3 years from now.

Very, very helpful!!!

Worked fine for me.