On one of my PA-5020 pairs I regularly saw 3-5 minute sync times with 600+ policies applied to that pair, however I also had a large amount of validation errors due to how the policies were built out. I wouldn't consider what you are seeing an unreasonable time period.
If you don't have any validation errors, or a very small amount, then I would say that's maybe slightly longer then I would expect; however this would really depend on your configuration on how much processing the firewall needs to do in the validation stage, which from my experiance is the longest part of the sync/commit process.
So where do i check to see if I have validation errors? In the past before I upgraded to 7.1.19 the sync also would fail at times, so they recommended I upgrade from 7.1.16 which appears to have had a HA sync issue. But now that I have upgraded I want to verify that the issue I had has been resolved.
So validation happens in two different places.
Whenever the validation process runs into issues, I've generally noticed that it takes a slightly longer time for everything to actually complete, and therefore when HA members sync the configuration this process can take slightly longer as well.
Not running into any commit issues, just the sync after the commit finishes. So if there are issues with the commit why would it let the commit finish? I know it gives me some suggestions at the end of the commit sometimes when things are not 100% done the best way. Could it be the physical connection affecting the sync and is there a good way to test that and rule it out. TAC has no more suggestion for me other that the upgrade I did was supposed to fix it and to create a bunch of fake rules and see if I can get it to fail to sync
The only time the firewall won't let you commit the configuration would be if one of the changes invalidated the configuration, meaning that the firewall is simply incapable of functioning with the proposed changes. You can make some really funky changes and it'll only give you validation warnings, but since the configuration is still technically valid it would commit those changes.
It's possible that you could be running into retransmission errors on the physical connection. The only real way to test this however would be to use the same link and monitor for drops/retransmissions and such; depending on the setup you may be able to do this without having to disconnect the HA members.
Really though a 4 minute sync time on a 5000 series really doesn't seem that out of the norm to me. How long does it take your primary unit to actually complete the commit process?
they go through a switch and live in different building I have tossed around the idea of connecting them via fiber connection. I put in a ticket to make sure the issue wasn't anything else and TAC suggested there was a bug in 7.1.16 that would cause this issue so I upgraded to 7.1.19 thinking maybe it would resolve the issues. Sometime the HA sync but not alot,but the more commits you do in a row and don't wait till the sync finishes that longer it takes and then fails
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!