Issue
When two Palo Alto Networks VM-Series firewalls are configured together in High Availability (HA) mode, one peer goes into suspended state due to a license mismatch between the pair. The following message appears on the web UI: "suspended (VM License mismatches with peer)".
The logs on the active VM-Series Firewall shows the following:
Oct 04 18:00:21 Group 1 State is going from Suspended to Initial
Oct 04 18:00:21 Warning: ha_event_log(src/ha_event.c:47): HA Group 1: Peer device VM License not matching; going to Suspended state
Oct 04 18:00:21 Group 1: User request to move group to Initial state, which results in no state changes, staying in state Suspended
Oct 04 18:00:21 ha_state_transition(src/ha_state.c:1116): Group 1: transition to state Suspended
Oct 04 18:00:21 ha_state_move(src/ha_state.c:1202): Group 1: moving from state Suspended to Suspended
Oct 04 18:00:21 ha_peer_send_hello(src/ha_peer.c:4629): Group 1 (HA1-MAIN): Sending hello message
Resolution
An HA pair cannot be formed if the VM licenses are different between the peer VM-Series firewalls.
On both firewalls, go to Device > License and click "Retrieve license keys from license server":
Check to ensure the licenses are the same on both VM-Series firewalls.
Apply following command on the suspended firewall.
> request high-availability state functional
Successfully changed HA state to functional
The High Availability configuration with the pair of VM-Series firewalls should now function properly.
owner: hshah