PA-200 HA Sync

L3 Networker

Hi,

I have a message when I attempt to run a commit:

 

"The running configuration is not currently synchronized to the HA peer, and therefore, this commit will only be applied to the local device.

Please synchronize the peers by going to the dashboard and clicking on 'Sync to peer' on the High Availability widget.
The following component(s) are mismatched with the peer device:
Application Content
Threat Content

A commit on the peer device may or may not succeed.

Doing a commit will overwrite the running configuration. Do you want to continue?"

 

I view this in my dashboard:

 

[screenshot: sync.jpg]

 

Is it safe to push the button "Sync to peer" in the dashboard?

Why is the synchronization not automatic?

I noticed this behavior at other times but then the synchronization took place without my manual intervention.

L5 Sessionator

Configuration synchronisation is automatic: once HA is fully in place and you perform a commit, a task to sync the config to the peer will take place. Since this is the initial setup of HA, you will have to do this configuration sync manually, in which case there is no issue with clicking "Sync to peer" manually on the active device.

L3 Networker

Hi,

But this is not the first time I have made a commit. The configuration has been online for more than 1 year.

Why this behaviour?

L5 Sessionator

Ah, apologies. In which case I'd put this down to a bug or an issue with the management server on the unit at the time when the sync was trying to take place.

 

I've also seen this before where even a manual sync of the configuration fails; after looking at the ms.log of the active we can see evidence that the symbolic link to the configuration was temporarily broken so the config couldn't be pushed from the active to the passive. A restart of the management-server fixes this particular issue and more on it can be found on the below article.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8NCAS

 

Otherwise, if you take a look in the ms.log (less mp-log ms.log) you should be able to find more information there.

L3 Networker

Hi,

If I restart the management server, will the firewall go down, or does everything remain up?

L5 Sessionator

Traffic will still pass; however, the management-server is the core process that runs the CLI and GUI, so you will lose access to those for 5 minutes whilst it restarts.

Cyber Elite

@s_quasar,

So your primary issue is actually likely caused by everything being mismatched versions on the peer unit. Ensure that you have the Dynamic Updates scheduled on the peer unit and make sure that they are actually matching; then go ahead and set the same active GlobalProtect package to clear that warning. Once you have things out of sync these issues become more apparent.

Once that's cleared up then just hit the Sync to Peer button and see if everything actually syncs back up. It's possible that something is so out of date that your peer unit isn't able to validate the running-configuration due to mismatched content versions.
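
The advice above boils down to checking that every dynamic-update component matches between the two peers before pushing "Sync to peer". The script below is an added example, not code from the thread or from Palo Alto Networks: it takes the XML output of `show system info` from each peer (fetched out of band via the CLI or the XML API) and lists the components that differ. The tag names (`app-version`, `threat-version`, `av-version`, `global-protect-client-package-version`) are assumed to match the `<system>` element of that command's XML output on your release; the two sample documents are constructed for the example and are not captured from a real device.

```python
"""Flag dynamic-update version drift between two HA peers.

Added example (not from the thread). Feed in each peer's `show system info`
XML; the tag names in TRACKED are assumed to match the <system> element of
that output. Sample XML below is constructed, not captured from a device.
"""
import xml.etree.ElementTree as ET

# Component name as shown in the HA widget -> tag in `show system info` XML (assumed).
# GlobalProtect is tracked too because HA does not sync its package activation.
TRACKED = {
    "Application Content": "app-version",
    "Threat Content": "threat-version",
    "Antivirus": "av-version",
    "GlobalProtect Client Package": "global-protect-client-package-version",
}


def parse_versions(xml_text):
    """Return {component: version} for the tracked components of one peer."""
    root = ET.fromstring(xml_text)
    system = root.find("./result/system")
    if system is None:
        raise ValueError("unexpected XML: no <result><system> element")
    versions = {}
    for name, tag in TRACKED.items():
        text = system.findtext(tag)
        # A missing tag is reported explicitly rather than silently matching.
        versions[name] = text.strip() if text else "(absent)"
    return versions


def find_mismatches(active, passive):
    """Return [(component, active_version, passive_version)] where the peers differ."""
    return [
        (name, active[name], passive[name])
        for name in TRACKED
        if active[name] != passive[name]
    ]


def sync_is_safe(active_xml, passive_xml):
    """True when no tracked component differs, i.e. a config sync has nothing to trip on."""
    return not find_mismatches(parse_versions(active_xml), parse_versions(passive_xml))


# Constructed sample output (not real device data): three components have drifted.
ACTIVE_XML = """<response status="success"><result><system>
  <hostname>fw-active</hostname>
  <app-version>8500-7300</app-version>
  <threat-version>8500-7300</threat-version>
  <av-version>4100-4600</av-version>
  <global-protect-client-package-version>5.2.8</global-protect-client-package-version>
</system></result></response>"""

PASSIVE_XML = """<response status="success"><result><system>
  <hostname>fw-passive</hostname>
  <app-version>8498-7290</app-version>
  <threat-version>8498-7290</threat-version>
  <av-version>4100-4600</av-version>
  <global-protect-client-package-version>5.2.6</global-protect-client-package-version>
</system></result></response>"""


if __name__ == "__main__":
    mismatches = find_mismatches(parse_versions(ACTIVE_XML), parse_versions(PASSIVE_XML))
    if not mismatches:
        print("All tracked components match; config sync should apply cleanly.")
    for name, active_v, passive_v in mismatches:
        print(f"MISMATCH {name}: active={active_v} passive={passive_v}")
```

Run it against real output by replacing the two constants with the XML returned for each peer; an empty mismatch list is the condition under which the commit warning in the first post should no longer appear.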

L3 Networker

Hi,

I have made a mistake in writing my firewall model. I have a PA-500 but I think that it's the same.

Now I have a mismatch only in GlobalProtect (and obviously on the passive node). What is the procedure to set the same active GlobalProtect package?

Cyber Elite

@s_quasar,

GlobalProtect package activations don't actually sync in the HA process. Whenever you 'activate' the GlobalProtect package on the Active firewall, you'll also need to login to the passive HA member and 'activate' the same GlobalProtect package as you did on the Active firewall.

L3 Networker

Hi,

How can I log in to the passive device? I have the management IP of the active device and I can also connect to that IP over SSH, but where can I find the IP for the passive? In the screenshot I attached at the beginning of the post you can see a 192.168.1.2, but I can't connect to it.
