Active/Passive HA Sync Issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Active/Passive HA Sync Issues

Not applicable

I'm in the process of testing out two PAN-M-100's in the lab and more specifically testing the HA functionality at this point.

The issue that I am running into:

I have changed the Primary to Passive and the Secondary to Active, made a change to the Active/Secondary and then reverted the M-100's back to Active/Primary - Passive/Secondary. After doing this, instead of the Active/Primary pulling the latest config from the Passive/Secondary, it tries to overwrite the config with it's own. So in a nut shell, when we are failed over to our secondary M-100, all the changes we make will have to be redone on the Primary upon fail back.

Running version 5.1.3 (STIG compliance disallows us to upgrade, trust me I wish I could).

Any thoughts?

24 REPLIES 24

L7 Applicator

Hello Davecorwin,

Could you please try below mentioned command before doing a failover.

admin@114-PANORAMA> request high-availability sync-to-remote

> candidate-config   Sync candidate configuration to peer

> clock              Sync the local time and date to the peer

> running-config     Sync running configuration to peer

admin@114-PANORAMA> request high-availability sync-to-remote running-config

admin@114-PANORAMA> show jobs all --- just to ensure that sync job has been completed.

Then do a failover test and let us know the result.

Thanks

L7 Applicator

Forgot to mention, please verify JOBS on the secondary box as well. It should show that, Secondary received a config-sync job from primary and completed successfully.

Thanks

Roger that...stand by...

Yeah, only the PEER will show the sync job. We have successfully performed the sync. Our next step is to unplug the primary M-100 from the switch (totally take it off the network) to cause the secondary to take over as Active/Passive on it's own. I will then make a config change on the Active/Secondary. Once that is complete, I am going to plug the Primary back into the switch...this should automatically make the Primary Active. The issue is that when we do this, the Primary wants to overwrite the config.

Ok, so when the Primary came back in line, as assumed it went straight into active mode. When you go to sync it overwrites the changes you made on the secondary. I was able to get the primary, once back online, to go into passive state and push the sync from the secondary, which worked! The issue is, after only a minute or two, the primary automatically reverts back to active. The M-100 is currently in preemptive mode, so I don't see why this is happening. These devices should successfully/correctly sync without me having to do all of this extra.

Thoughts?

Hello Dave,

In your situation try disabling pre-emptive on both firewalls.

Regards,

Hari Yadavalli

I actually just got done doing that and disconnected the primary from the switch. The secondary automatically switched to active (as expected) and I created another rule. Once the commit is done, I will plug the primary back into the network. Hopefully the primary stays as passive (since preemptive is turned off). I also hope that the sync process kicks off automatically.

So, once the primary was plugged back into the network, it automatically went into ACTIVE mode...how is this?? That tells me that there is absolutely NOTHING different between preemptive and non-preemptive.

What we are trying now is to leave preemptive off on the primary but turn it on the secondary and see what happens.

Still the same issue. We set up a case with Palo...hopefully they can figure out the issue.

Hello Dave,

Make sure you commit the changes and disabled pre-emptive on both firewalls.

Regards,

Hari Yadavalli

I've done all that...makes no difference. I have tried every kind of way imaginable and the outcome is always the same: The primary automatically switches back to active and the changes on the secondary don't sync with the primary. I have to manually push the sync from the cli of the secondary to properly sync them...I shouldn't have to do that.

L3 Networker

Perhaps worth checking the time on the two units.

If the primary has a clock time further into the future than the secondary; perhaps this causing its config to be considered more fresh than the secondary and therefore the version that gets pushed out?

The preemptive feature has to be activated on both devices to use it. If it's activated the device with the higher priority(lower number) becomes active/(primary). If it's not active the device with the longer uptime and lower MAC will be active. Can you post a screenshot of the HA configuration?

I understand all of that...the issue is, I want the "Secondary" to be able to send any new configs to the now, "Active/Primary" upon reinstatement. With the preemptive setting in place, upon reinstatement of the Primary device (making it Active), that device wants to sync it's config with the secondary...I don't want that! By this happening, I'm erasing any config changes that I made, on the secondary, while the primary was down.

  • 9439 Views
  • 24 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!