07-11-2014 09:15 AM
I'm in the process of testing out two PAN-M-100s in the lab and more specifically testing the HA functionality at this point.
The issue that I am running into:
I have changed the Primary to Passive and the Secondary to Active, made a change to the Active/Secondary and then reverted the M-100s back to Active/Primary - Passive/Secondary. After doing this, instead of the Active/Primary pulling the latest config from the Passive/Secondary, it tries to overwrite the config with its own. So in a nutshell, when we are failed over to our secondary M-100, all the changes we make will have to be redone on the Primary upon fail back.
Running version 5.1.3 (STIG compliance disallows us from upgrading, trust me I wish I could).
Any thoughts?
07-11-2014 09:34 AM
Hello Davecorwin,
Could you please try the below-mentioned command before doing a failover?
admin@114-PANORAMA> request high-availability sync-to-remote
> candidate-config Sync candidate configuration to peer
> clock Sync the local time and date to the peer
> running-config Sync running configuration to peer
admin@114-PANORAMA> request high-availability sync-to-remote running-config
admin@114-PANORAMA> show jobs all --- just to ensure that sync job has been completed.
Then do a failover test and let us know the result.
Thanks
07-11-2014 09:40 AM
Forgot to mention, please verify JOBS on the secondary box as well. It should show that the Secondary received a config-sync job from the primary and completed successfully.
Thanks
07-11-2014 09:45 AM
Roger that...stand by...
07-11-2014 10:08 AM
Yeah, only the PEER will show the sync job. We have successfully performed the sync. Our next step is to unplug the primary M-100 from the switch (totally take it off the network) to cause the secondary to take over as Active/Passive on its own. I will then make a config change on the Active/Secondary. Once that is complete, I am going to plug the Primary back into the switch...this should automatically make the Primary Active. The issue is that when we do this, the Primary wants to overwrite the config.
07-11-2014 10:42 AM
Ok, so when the Primary came back in line, as assumed it went straight into active mode. When you go to sync it overwrites the changes you made on the secondary. I was able to get the primary, once back online, to go into passive state and push the sync from the secondary, which worked! The issue is, after only a minute or two, the primary automatically reverts back to active. The M-100 is currently in preemptive mode, so I don't see why this is happening. These devices should successfully/correctly sync without me having to do all of this extra.
Thoughts?
07-11-2014 10:55 AM
Hello Dave,
In your situation try disabling pre-emptive on both firewalls.
Regards,
Hari Yadavalli
07-11-2014 11:06 AM
I actually just got done doing that and disconnected the primary from the switch. The secondary automatically switched to active (as expected) and I created another rule. Once the commit is done, I will plug the primary back into the network. Hopefully the primary stays as passive (since preemptive is turned off). I also hope that the sync process kicks off automatically.
07-11-2014 11:12 AM
So, once the primary was plugged back into the network, it automatically went into ACTIVE mode...how is this?? That tells me that there is absolutely NOTHING different between preemptive and non-preemptive.
What we are trying now is to leave preemptive off on the primary but turn it on on the secondary and see what happens.
07-11-2014 11:58 AM
Still the same issue. We set up a case with Palo...hopefully they can figure out the issue.
07-11-2014 12:13 PM
Hello Dave,
Make sure you commit the changes and disabled pre-emptive on both firewalls.
Regards,
Hari Yadavalli
07-11-2014 12:19 PM
I've done all that...makes no difference. I have tried every kind of way imaginable and the outcome is always the same: The primary automatically switches back to active and the changes on the secondary don't sync with the primary. I have to manually push the sync from the cli of the secondary to properly sync them...I shouldn't have to do that.
07-11-2014 01:05 PM
Perhaps worth checking the time on the two units.
If the primary has a clock time further into the future than the secondary, perhaps this is causing its config to be considered more fresh than the secondary's and therefore the version that gets pushed out?
07-14-2014 01:26 AM
The preemptive feature has to be activated on both devices to use it. If it's activated, the device with the higher priority (lower number) becomes active/(primary). If it's not active, the device with the longer uptime and lower MAC will be active. Can you post a screenshot of the HA configuration?
07-14-2014 08:42 AM
I understand all of that...the issue is, I want the "Secondary" to be able to send any new configs to the now "Active/Primary" upon reinstatement. With the preemptive setting in place, upon reinstatement of the Primary device (making it Active), that device wants to sync its config with the secondary...I don't want that! By this happening, I'm erasing any config changes that I made, on the secondary, while the primary was down.