HA Sync Failure Due to Inconsistent Management Settings

by jperry1 on 09-14-2014 12:24 PM - edited on 08-20-2015 07:50 AM


In High Availability (HA), management settings are not synchronized to the peer device, so you can receive sync errors when the management settings of the two peers are inconsistent. This document reviews two scenarios: one in which HA sync fails because of a certificate error, and one in which it fails because of a mismatched domain name.


Scenario One

On the active HA device an SSL certificate to be used for the WebGUI was imported. When the user then runs Sync to Peer from the active device, the HA-Sync job on the HA peer fails.



Looking at the failed 'HA-Sync' job ID on the HA peer shows output similar to the following (x is the job ID):

    admin@PAN-FW1> show jobs id x

    HA-Sync FIN FAIL  x     
    Details:Error: can't find cert 'your_cert' for vsys 1
    (Module: device)
    Commit failed

The reason for this error is that although management settings are not synchronized, they are verified. The synchronized configuration refers to the certificate by name (here 'your_cert'), so when the HA peer commits the synced configuration it checks the certificate settings, does not find a certificate with that name, and the sync fails.


Export the certificate from the active device, selecting the option to export the private key as well (the peer needs the key to serve the WebGUI with this certificate), and import the SSL certificate on the HA peer. Treat the exported file as sensitive: it contains the private key, so protect it with a passphrase and delete the copy once the import is done.

Be sure to name the certificate exactly as it was named on the active device and configure exactly the same usage. If the certificate is used for the WebGUI, be sure that option is selected, as shown below:



Scenario Two

Because management settings are not synchronized between HA peers, synchronization will also fail when the Domain Name settings of the two peers do not match.



When trying to sync the active device with the HA peer, a failure message similar to the output below is returned. Running > less mp-log ha_agent.log on the peer shows similar output:


    Details:Error:Domain Name Invalid
    (Module: device)
    Commit failed



It is important to understand that management settings are not replicated to the HA peer, so settings such as "Domain Name" must match on both devices before synchronization. If one of these settings is changed on only one peer, the next sync will fail. Look at ha_agent.log on both devices to gain insight into the failure, by running > less mp-log ha_agent.log on each; > show high-availability state reports whether the running configuration is currently synchronized.


To correct this, go to Device > Setup > Management and enter a domain name that exactly matches the peer you are syncing with (from the CLI: # set deviceconfig system domain <domain>, followed by a commit), as shown below:



Once this is done, the HA pair will synchronize successfully.
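Both scenarios come down to the same thing: management settings that HA does not replicate must be checked by hand before Sync to Peer. The following script is an added example, not code from the original article or from Palo Alto Networks. It compares two configuration fragments of the kind returned by the PAN-OS XML API (type=config&action=get&xpath=/config) for the active device and the peer, and reports certificates that are missing or carry a different public key on the peer (scenario one) and a mismatched domain name (scenario two). The element layout (shared/certificate entries with a public-key element, deviceconfig/system/domain) follows the PAN-OS running configuration, and the two XML samples are constructed for the example, not captured from real devices.

```python
"""Pre-sync check for PAN-OS HA management settings that are not replicated.

Added example (not the article's code). Parses constructed XML fragments
shaped like the PAN-OS XML API config output for both peers and reports
mismatches that would make HA-Sync fail at commit time on the peer.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample for the active device, trimmed to what the check needs.
ACTIVE_XML = """<config>
  <shared><certificate>
    <entry name="webgui-cert">
      <common-name>fw.example.com</common-name>
      <public-key>-----BEGIN CERTIFICATE-----
MIIBsampleWEBGUI
-----END CERTIFICATE-----</public-key>
    </entry>
    <entry name="ca-root">
      <common-name>Example Root CA</common-name>
      <public-key>-----BEGIN CERTIFICATE-----
MIIBsampleROOTv2
-----END CERTIFICATE-----</public-key>
    </entry>
  </certificate></shared>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>PAN-FW1</hostname>
    <domain>example.com</domain>
  </system></deviceconfig></entry></devices>
</config>"""

# Constructed sample for the HA peer: webgui-cert was never imported,
# ca-root was imported from an older export, and the domain differs.
PEER_XML = """<config>
  <shared><certificate>
    <entry name="ca-root">
      <common-name>Example Root CA</common-name>
      <public-key>-----BEGIN CERTIFICATE-----
MIIBsampleROOTv1
-----END CERTIFICATE-----</public-key>
    </entry>
  </certificate></shared>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>PAN-FW2</hostname>
    <domain>example.local</domain>
  </system></deviceconfig></entry></devices>
</config>"""


def certificates(config_xml):
    """Map certificate name -> SHA-256 of its public-key PEM (shared certs only)."""
    root = ET.fromstring(config_xml)
    certs = {}
    for entry in root.findall("./shared/certificate/entry"):
        pem = (entry.findtext("public-key") or "").strip()
        certs[entry.get("name")] = hashlib.sha256(pem.encode()).hexdigest()
    return certs


def domain_name(config_xml):
    """Return deviceconfig/system/domain, or '' if it is not set."""
    root = ET.fromstring(config_xml)
    return (root.findtext("./devices/entry/deviceconfig/system/domain") or "").strip()


def missing_or_changed_certs(active_xml, peer_xml):
    """Names present on the active device but absent, or with another key, on the peer."""
    active, peer = certificates(active_xml), certificates(peer_xml)
    missing = sorted(n for n in active if n not in peer)
    changed = sorted(n for n in active if n in peer and active[n] != peer[n])
    return missing, changed


def presync_report(active_xml, peer_xml):
    """Human-readable list of mismatches; empty means Sync to Peer should commit."""
    missing, changed = missing_or_changed_certs(active_xml, peer_xml)
    problems = [f"certificate '{n}' is missing on the peer" for n in missing]
    problems += [f"certificate '{n}' has a different public key on the peer" for n in changed]
    active_dom, peer_dom = domain_name(active_xml), domain_name(peer_xml)
    if active_dom != peer_dom:
        problems.append(f"domain name mismatch: active '{active_dom}' vs peer '{peer_dom}'")
    return problems


if __name__ == "__main__":
    for line in presync_report(ACTIVE_XML, PEER_XML) or ["no mismatches found"]:
        print(line)
```

Run it against the two samples and it lists the missing WebGUI certificate, the stale ca-root key and the domain mismatch; replace the embedded samples with the XML you pull from each peer's API to use it as a real pre-sync check. Comparing a hash of the public key, rather than only the name, catches the case where a certificate of the right name was imported from an old export and would serve the wrong key.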


owner: jperry
