I have a message when I attempt to run a commit:
"The running configuration is not currently synchronized to the HA peer, and therefore, this commit will only be applied to the local device.
Please synchronize the peers by going to the dashboard and clicking on 'Sync to peer' on the High Availability widget.
The following component(s) are mismatched with the peer device:
A commit on the peer device may or may not succeed.
Doing a commit will overwrite the running configuration. Do you want to continue?"
I view this in my dashboard:
Is it secure to push the button "Sync to peer" in the dashboard?
Why is the synchronization not automatic?
I noticed this behavior at other times but then the synchronization took place without my manual intervention.
Configuration synchronisation is automatic; once HA is fully in place and you perform a commit, a task to sync the config to the peer will take place. Since this is the initial setup of HA, you will have to do this configuration sync manually, in which case there is no issue with clicking "Sync to peer" manually on the active device.
Ah, apologies. In which case I'd put this down to a bug or an issue with the management server on the unit at the time when the sync was trying to take place.
I've also seen this before where even a manual sync of the configuration fails; after looking at the ms.log of the active we can see evidence that the symbolic link to the configuration was temporarily broken so the config couldn't be pushed from the active to the passive. A restart of the management-server fixes this particular issue and more on it can be found on the below article.
Otherwise, if you take a look in the ms.log (less mp-log ms.log) you should be able to find more information there.
So your primary issue is actually likely caused by everything being mismatched versions on the peer unit. Ensure that you have the Dynamic Updates scheduled on the peer unit and make sure that they are actually matching; then go ahead and set the same active GlobalProtect package to clear that warning. Once you have things out of sync these issues become more apparent.
Once that's cleared up then just hit the Sync to Peer button and see if everything actually syncs back up. It's possible that something is so out of date that your peer unit isn't able to validate the running-configuration due to mismatched content versions.
I have made a mistake in writing my firewall model. I have a PA-500 but I think that it's the same.
Now I have a mismatch only in GlobalProtect (and obviously the passive node). What is the procedure to set the same active GlobalProtect package?
GlobalProtect package activations don't actually sync in the HA process. Whenever you 'activate' the GlobalProtect package on the Active firewall, you'll also need to log in to the passive HA member and 'activate' the same GlobalProtect package as you did on the Active firewall.
How can I log in to the passive device? I have the management IP of the active device and I can connect to that IP also in SSH, but where can I find the IP for the passive? As you can see in the screenshot I attached at the beginning of the post, you can see a 192.168.1.2 but I can't connect to it.