anyone notice issues with HA pair synchronization with panos 10.1?


L1 Bithead

So our organization recently upgraded our firewalls from PAN-OS 9.1 to 10.1. Ever since the upgrade, we've had an issue with HA pairs not synchronizing their configs automatically. This does not seem to happen every time a commit is pushed from PAN, but it happens regularly enough that we have to manually sync at least one pair weekly. Is this something the rest of the community is noticing as well? Is this something that can be corrected with a simple config change somewhere? I'd like to avoid opening a ticket if possible, because our recent experiences with PA support have been less than stellar.

Update:

Just checked, and yes, config sync is enabled in the HA General menu in the Device tab.

You can't believe everything you see on the internet. - Benjamin Franklin

Cyber Elite

Recommendation is to save and export the running config from the primary FW, then import and load the config on the backup FW.
Then change the mgmt IP, the HA configuration, and the hostname, so that you will have a 100% identical config (minus the mgmt IP, HA and hostname), and try that. I have used this technique and it seems to resolve issues.

Help the community: Like helpful comments and mark solutions

L1 Bithead

That's not really an option in our case. These are live production firewalls, and that would take the HA peer offline for several hours, possibly even days, as there are a lot of tunnels, routing instances, and IP instances that would need to be completely rebuilt.

The issue is apparently caused by Panorama pushes using the "merge with candidate config" option. If one FW finishes its commit first, it will attempt to do a synchronizing push to the HA peer while the peer is still working on the PAN push commit, which then fails out. Even though both FWs have the same policy and object bases, they still show out of sync because of the failed sync commit.

You can't believe everything you see on the internet. - Benjamin Franklin