Active/Passive HA Sync Issues


I'm in the process of testing out two PAN-M-100's in the lab and more specifically testing the HA functionality at this point.

The issue that I am running into:

I have changed the Primary to Passive and the Secondary to Active, made a change to the Active/Secondary and then reverted the M-100's back to Active/Primary - Passive/Secondary. After doing this, instead of the Active/Primary pulling the latest config from the Passive/Secondary, it tries to overwrite the config with its own. So in a nutshell, when we are failed over to our secondary M-100, all the changes we make will have to be redone on the Primary upon fail back.

Running version 5.1.3 (STIG compliance disallows us to upgrade, trust me I wish I could).

Any thoughts?

24 REPLIES

L7 Applicator

Hello Davecorwin,

Could you please try the below-mentioned command before doing a failover?

admin@114-PANORAMA> request high-availability sync-to-remote

> candidate-config   Sync candidate configuration to peer

> clock              Sync the local time and date to the peer

> running-config     Sync running configuration to peer

admin@114-PANORAMA> request high-availability sync-to-remote running-config

admin@114-PANORAMA> show jobs all --- just to ensure that sync job has been completed.

Then do a failover test and let us know the result.

Thanks

L7 Applicator

Forgot to mention, please verify JOBS on the secondary box as well. It should show that the Secondary received a config-sync job from the primary and completed it successfully.

Thanks

Roger that...stand by...

Yeah, only the PEER will show the sync job. We have successfully performed the sync. Our next step is to unplug the primary M-100 from the switch (totally take it off the network) to cause the secondary to take over as Active/Passive on its own. I will then make a config change on the Active/Secondary. Once that is complete, I am going to plug the Primary back into the switch...this should automatically make the Primary Active. The issue is that when we do this, the Primary wants to overwrite the config.

Ok, so when the Primary came back in line, as assumed it went straight into active mode. When you go to sync it overwrites the changes you made on the secondary. I was able to get the primary, once back online, to go into passive state and push the sync from the secondary, which worked! The issue is, after only a minute or two, the primary automatically reverts back to active. The M-100 is currently in preemptive mode, so I don't see why this is happening. These devices should successfully/correctly sync without me having to do all of this extra.

Thoughts?

Hello Dave,

In your situation try disabling pre-emptive on both firewalls.

Regards,

Hari Yadavalli

I actually just got done doing that and disconnected the primary from the switch. The secondary automatically switched to active (as expected) and I created another rule. Once the commit is done, I will plug the primary back into the network. Hopefully the primary stays as passive (since preemptive is turned off). I also hope that the sync process kicks off automatically.

So, once the primary was plugged back into the network, it automatically went into ACTIVE mode...how is this?? That tells me that there is absolutely NOTHING different between preemptive and non-preemptive.

What we are trying now is to leave preemptive off on the primary but turn it on the secondary and see what happens.

Still the same issue. We set up a case with Palo...hopefully they can figure out the issue.
