VM-Series HA Error on Web UI: VM License mismatches with peer""

VM-Series HA Error on Web UI: VM License mismatches with peer""

32377
Created On 09/26/18 19:10 PM - Last Modified 06/12/23 18:14 PM


Resolution


Issue

When two Palo Alto Networks VM-Series firewalls are configured together in High Availability (HA) mode, one peer goes into suspended state due to a license mismatch between the pair. The following message appears on the web UI: "suspended (VM License mismatches with peer)".
HA_Notworking.png

The logs on the active VM-Series Firewall shows the following:

Oct 04 18:00:21 Group 1 State is going from Suspended to Initial

Oct 04 18:00:21 Warning: ha_event_log(src/ha_event.c:47): HA Group 1: Peer device VM License not matching; going to Suspended state

Oct 04 18:00:21 Group 1: User request to move group to Initial state, which results in no state changes, staying in state Suspended

Oct 04 18:00:21 ha_state_transition(src/ha_state.c:1116): Group 1: transition to state Suspended

Oct 04 18:00:21 ha_state_move(src/ha_state.c:1202): Group 1: moving from state Suspended to Suspended

Oct 04 18:00:21 ha_peer_send_hello(src/ha_peer.c:4629): Group 1 (HA1-MAIN): Sending hello message

 

Resolution

An HA pair cannot be formed if the VM licenses are different between the peer VM-Series firewalls.

On both firewalls, go to Device > License and click "Retrieve license keys from license server":

License.png

 

Check to ensure the licenses are the same on both VM-Series firewalls.

PA-VM.png

 

Apply following command on the suspended firewall.
> request high-availability state functional
Successfully changed HA state to functional

 

The High Availability configuration with the pair of VM-Series firewalls should now function properly.

HA_Woorking.png

 

owner: hshah
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm2XCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language