So our organization recently upgraded our firewalls from PAN-OS 9.1 to 10.1. Ever since the upgrade, we've had an issue with HA pairs not synchronizing their configs automatically. This does not seem to happen every time a commit is pushed from PAN but it happens regularly enough that we have to manually sync at least one pair weekly. Is this something the rest of the community is noticing as well? Is this something that can be corrected with a simple config change somewhere? I'd like to avoid opening a ticket if possible because our recent experiences with PA support have been less than stellar.
Just checked and yes, config sync is enabled in the HA general menu in the device tab.
Recommendation is to save and export the running config from the Primary FW and import and load the config on the backup FW.
Then change the mgmt IP, the HA configuration, and the host name, so that you will have a 100% identical config (minus the mgmt IP, HA and hostname), and try that. I have used this technique and it seems to resolve issues.
That's not really an option in our case. These are live production firewalls and that would take the HA peer offline for several hours, possibly even days as there are a lot of tunnels, routing instances, and IP instances that would need to be completely rebuilt.
The issue is apparently caused by Panorama pushes using the "merge with candidate config" option. If one FW finishes its commit first, it will attempt to do a synchronizing push to the HA peer while it is still working on the PAN push commit, which then fails out. Even though both FWs have the same policy and object bases, they still show out of sync because of the failed sync commit.
I would make sure you are running a recommended version. I recall reading about an HA sync bug in some of the release notes.
Not sure if you're hitting it or not.