10-14-2023 04:12 AM - edited 10-14-2023 04:16 AM
Hi guys,
I have a Palo 220 in HA A/P managed by Panorama.
The customer made a mgmt IP change and added a zone, but ever since then the config has been out of sync between the HA pair.
All the articles have been referenced: 'request high-availability sync-to-remote running-config' has been performed from both the passive and active FW, force committed, and the template values pushed from Panorama with all the force values and others selected; nothing works.
Pano is on 9.1.16 and the firewalls are on 9.1.14-h4.
The only option left is to manually sync from the XML file, which the customer is hesitant to do.
The ha-agent logs give the below error from the passive firewall:
(Peer namespace on peer device missing too long, trying to restart)
LV[3]: type 11 (SYSD_PEER_DOWN); len 4; value:
00000001
Msg Hdr
-------
version : 1
groupID : 1
type : Hello (2)
token : 0x1b4e
flags : 0x1 (req:)
length : 122
Hello Msg
---------
flags : 0x1 (preempt:)
state : Active (5)
priority : 100
cookie : 17043
num tlvs : 3
Printing out 3 tlvs
TLV[1]: type 62 (CONFIG_MD5_PRE); len 33; value:
62656362 63383863 64663634 36636336 39373337 32356162
39373436 64333362 00
TLV[2]: type 2 (CONFIG_MD5SUM); len 33; value:
35653537 63313638 36646165 66623137 39323163 38306263
31663966 33333466 00
TLV[3]: type 11 (SYSD_PEER_DOWN); len 4; value:
00000001
2023-10-13 13:11:25.309 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
2023-10-13 13:11:25.309 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers
2023-10-13 13:11:25.309 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10…..xxx; sourceip:10.117.21.XXX; port:0x6e64
2023-10-13 13:11:25.309 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10…..'port': 28260, 'reset': True, 'sourceip': 10.xxxXXX, }, }
2023-10-13 13:11:25.309 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added
2023-10-13 13:11:25.329 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers
2023-10-13 13:12:45.388 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
2023-10-13 13:12:45.388 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers
2023-10-13 13:12:45.389 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10.xxxxxx; sourceip:10…xxx; port:0x6e64
2023-10-13 13:12:45.389 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10….. Xxx, 'port': 28260, 'reset': True, 'sourceip': 10…XXX, }, }
2023-10-13 13:12:45.389 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added
2023-10-13 13:12:45.408 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers
2023-10-13 13:14:05.466 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
2023-10-13 13:14:05.466 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers
2023-10-13 13:14:05.467 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10.xx; sourceip:10..1.XXX; port:0x6e64
2023-10-13 13:14:05.467 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10.117… 'port': 28260, 'reset': True, 'sourceip': 10.117…XXX, }, }
2023-10-13 13:14:05.467 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added
2023-10-13 13:14:05.486 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers
^Z2023-10-13 13:15:25.568 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
2023-10-13 13:15:25.568 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3353): Attempting 1 modify for sw.sysd.peers
2023-10-13 13:15:25.569 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3394): Setting up to modify sw.sysd.peers to peer. -> peerip:10.117…; sourceip:10.117….XXX; port:0x6e64
2023-10-13 13:15:25.569 +1100 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3418): Setting sysd node to: { 'peer.': { 'peerip': 10.117.. 'port': 28260, 'reset': True, 'sourceip': 10.117….XX, }, }
2023-10-13 13:15:25.569 +1100 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added
2023-10-13 13:15:25.589 +1100 debug: ha_sysd_peerip_modify_callback(src/ha_sysd.c:3322): Successfully modified sw.sysd.peers
^PA-220-02(passive)>
PA-220-02(passive)>
PA-220-02(passive)> debug software restart process management-server
Many Thanks,
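For readers triaging the same symptom, the following is an added example, not part of any poster's message: it decodes the hex TLV values from the hello message above into readable form and measures how often the "Peer namespace ... missing" error recurs. The log lines are copied from the excerpt in the post; the helper names `parse_tlvs` and `restart_intervals` are hypothetical, and treating the CONFIG_MD5* values as NUL-terminated ASCII digests is an assumption based on their length and content.

```python
import re
from datetime import datetime

# Lines copied from the ha-agent log excerpt in the post above.
LOG = """\
TLV[1]: type 62 (CONFIG_MD5_PRE); len 33; value:
62656362 63383863 64663634 36636336 39373337 32356162
39373436 64333362 00
TLV[2]: type 2 (CONFIG_MD5SUM); len 33; value:
35653537 63313638 36646165 66623137 39323163 38306263
31663966 33333466 00
TLV[3]: type 11 (SYSD_PEER_DOWN); len 4; value:
00000001
2023-10-13 13:11:25.309 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
2023-10-13 13:12:45.388 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
2023-10-13 13:14:05.466 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
^Z2023-10-13 13:15:25.568 +1100 Error: ha_peer_hello_callback(src/ha_peer.c:5076): Group 1 (HA1-MAIN): Peer namespace on peer device missing too long, trying to restart
"""

TLV_HDR = re.compile(r"TLV\[\d+\]: type (\d+) \((\w+)\); len (\d+); value:")
HEX_ROW = re.compile(r"[0-9a-fA-F]{2,}( [0-9a-fA-F]{2,})*")
ERR = re.compile(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ Error: .*Peer namespace on peer device missing")

def parse_tlvs(text):
    """Return {name: value}. CONFIG_MD5* become ASCII strings, others stay bytes."""
    tlvs, name, want, buf = {}, None, 0, ""
    for line in text.splitlines() + [""]:
        line = line.strip()
        hdr = TLV_HDR.search(line)
        # A new header or a non-hex line closes the TLV being collected.
        if name and (hdr or not HEX_ROW.fullmatch(line)):
            raw = bytes.fromhex(buf)
            if len(raw) != want:  # catches truncated or mangled pastes
                raise ValueError(f"{name}: expected {want} bytes, got {len(raw)}")
            is_md5 = name.startswith("CONFIG_MD5")
            tlvs[name] = raw.rstrip(b"\0").decode("ascii") if is_md5 else raw
            name = None
        if hdr:
            name, want, buf = hdr.group(2), int(hdr.group(3)), ""
        elif name:
            buf += line.replace(" ", "")
    return tlvs

def restart_intervals(text):
    """Whole seconds between successive 'Peer namespace ... missing' errors."""
    ts = [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f") for m in ERR.finditer(text)]
    return [round((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]

print(parse_tlvs(LOG), restart_intervals(LOG))
```

A constant interval between errors indicates the HA agent is stuck in a fixed retry loop rather than recovering, which matches the behaviour described in the post.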
10-14-2023 03:30 PM
Firewalls are fully managed from Panorama, so the zone was added into the Panorama template and pushed to the firewall?
The management IP change was done inside the active firewall, right? Not in Panorama. The mgmt IP needs to be different on both firewalls (the management interface IP is not synchronized with HA sync).
10-15-2023 02:39 AM - edited 10-15-2023 02:17 PM
Yes, that's correct.
The IPs are different on both FWs and yes, the zone was pushed from Panorama. Also, this was working fine before.
Forgot to mention: with all this happening with HA, Panorama actually says it's in sync and there's no issue there.
Note: No zombie processes are running on the firewalls, but the sysd msg and the "Peer namespace on peer device missing too long, trying to restart" msg seem to be the clue for the issue.
Thanks
10-24-2023 08:46 PM
We had a similar issue.
The fix is to reboot both firewalls in the HA pair as SYSD_PEER_DOWN.
Reboot will fix this issue right away.
Tried restarting manual sync, mgmt server reboot before reboot of PAN and no luck.
Hope this helps
Cheers,
Mayur
10-25-2023 04:26 PM - edited 10-25-2023 04:29 PM
@MayurLaddha45454545: Thanks !!!! I forgot to update here but that's exactly what was done to resolve the issue, manually sync'd the config and then restarted the Firewalls, as you said.