Factory reset on a PA-3220 that was part of an HA cluster


L1 Bithead

I have been working with Palo Alto support on our passive PA-3220, which can no longer boot up successfully. Power cycling the device doesn’t bring it back; it just keeps rebooting until eventually it ends up in maintenance mode. Palo Alto recommends performing a factory reset on the device and then restoring the device from a backup configuration. Here’s some background on our configuration:

 

  • 2 x Palo Alto PA-3220 devices in a HA configuration (active/passive).
  • Both appliances are running PAN-OS 10.1.14-h6, which is the current preferred release for 10.1.
  • The crashed device is the passive node at the time of crash.
  • The crashed device was the lower priority device in the HA configuration.
  • I have backup configurations saved for both devices after they were updated to their current PAN-OS version.
  • Everything is still connected together in the rack; no physical changes have been made to any cables or connections.
  • The active device correctly reports that the passive node in the cluster is not available.

 

 

Is it safe to just connect a laptop to the console on the crashed device to perform the reset, or do I have to completely disconnect all Ethernet and HA cables from the down device first? As I understand it, the steps are:

 

  1. Perform a factory reset of the crashing device from the console.
  2. After the reset and reboot, and while still connected to the console, log on to the device and set the management interface IP address. The device reboots.
  3. At that point, connect to the management interface via web GUI or SSH.
  4. Update the device to the desired PAN-OS version. Reboot.
  5. Apply the saved configuration from the backup configuration file. Reboot. This should restore all the settings, including the ethernet interface configurations.

 

At that point, the active node should see the other device in the pair, and it should all be in sync? Am I missing anything here?

 

Thanks!

 

Rich


Community Team Member

Hi @rbottiglieri ,

 

You'll be fine leaving the cables (data + HA) connected to the passive device while you're consoled in. Once the passive device is operational and the config is committed, the active PA should detect the passive PA and should sync automatically. If they don’t sync automatically, you can manually sync the config from the active PA (Device > High Availability > Operational Commands).

LIVEcommunity team member
Stay Secure,
Jay