PA-200 HA Sync


L3 Networker

Hi,

I get this message when I attempt to run a commit:

"The running configuration is not currently synchronized to the HA peer, and therefore, this commit will only be applied to the local device.

Please synchronize the peers by going to the dashboard and clicking on 'Sync to peer' on the High Availability widget.
The following component(s) are mismatched with the peer device:
Application Content
Threat Content

A commit on the peer device may or may not succeed.

Doing a commit will overwrite the running configuration. Do you want to continue?"

I see this in my dashboard:

[screenshot: sync.jpg]

Is it safe to push the "Sync to peer" button in the dashboard?

Why is the synchronization not automatic?

I noticed this behavior at other times, but then the synchronization took place without my manual intervention.

15 replies

L5 Sessionator

Configuration synchronisation is automatic, once HA is fully in place and you perform a commit, a task to sync the config to the peer will take place. Since this is the initial setup of HA you will have to do this configuration sync manually and in which case there is no issue with clicking "Sync to peer" manually on the active device.

Hi,

but this is not the first time I have made a commit. The configuration has been online for more than 1 year.

Why this behavior?

Ah, apologies. In which case I'd put this down to a bug or an issue with the management server on the unit at the time when the sync was trying to take place.

I've also seen this before where even a manual sync of the configuration fails; after looking at the ms.log of the active we can see evidence that the symbolic link to the configuration was temporarily broken so the config couldn't be pushed from the active to the passive. A restart of the management-server fixes this particular issue and more on it can be found in the below article.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8NCAS

Otherwise, if you take a look in the ms.log (less mp-log ms.log) you should be able to find more information there.

Hi,

if I restart the management server, will the firewall go down, or does everything stay up?

Traffic will still parse, however, the management-server is the core process that runs the CLI and GUI so you will lose access to those for 5 minutes whilst it restarts.

Cyber Elite

@s_quasar,

So your primary issue is actually likely caused by everything being mismatched versions on the peer unit. Ensure that you have the Dynamic Updates scheduled on the peer unit and make sure that they are actually matching; then go ahead and set the same active GlobalProtect package to clear that warning. Once you have things out of sync these issues become more apparent.

Once that's cleared up then just hit the Sync to Peer button and see if everything actually syncs back up. It's possible that something is so out of date that your peer unit isn't able to validate the running-configuration due to mismatched content versions. 

Hi,

I made a mistake in writing my firewall model. I have a PA-500, but I think it's the same.

Now I have a mismatch only in GlobalProtect (and obviously on the passive node). What is the procedure to set the same active GlobalProtect package?

@s_quasar,

GlobalProtect package activations don't actually sync in the HA process. Whenever you 'activate' the GlobalProtect package on the Active firewall, you'll also need to login to the passive HA member and 'activate' the same GlobalProtect package as you did on the Active firewall. 
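The two replies above (content versions must match on both peers before "Sync to peer" will clear the warning, and the GlobalProtect package must be activated on each peer separately because it is not part of HA config sync) can be checked from a script. The following is an added example, not code from this thread or from Palo Alto Networks. It pulls `show high-availability state` over the PAN-OS XML API and compares what the active unit reports for itself and for its peer. The XML element names used here (local-info, peer-info, app-version, threat-version, av-version, gpclient-version, build-rel, running-sync, mgmt-ip), the `running-sync` values, and the embedded sample output are assumptions based on typical PAN-OS output, not something shown on this page; confirm them on your own unit with `debug cli on` before relying on the script. It also generalizes beyond the thread by checking the antivirus and PAN-OS versions, which the HA state output reports alongside the content versions.

```python
"""Check which HA components are mismatched before clicking "Sync to peer".

Added example, not code from the thread or from Palo Alto Networks. Element names
and sample output are assumed from typical PAN-OS output (see lead-in).
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# CLI equivalents: show high-availability state / request high-availability sync-to-remote running-config
HA_STATE_CMD = "<show><high-availability><state/></high-availability></show>"
SYNC_CMD = ("<request><high-availability><sync-to-remote>"
            "<running-config/></sync-to-remote></high-availability></request>")

# key -> (assumed XML element, label used in the commit warning, how to fix a mismatch)
COMPONENTS = {
    "app":      ("app-version",      "Application Content",  "install the same dynamic update on the peer"),
    "threat":   ("threat-version",   "Threat Content",       "install the same dynamic update on the peer"),
    "av":       ("av-version",       "Antivirus",            "install the same dynamic update on the peer"),
    "gpclient": ("gpclient-version", "GlobalProtect Client", "activate the same package on the peer (not HA-synced)"),
    "sw":       ("build-rel",        "PAN-OS",               "upgrade the peer to the same PAN-OS release"),
}


def fetch_op(host, api_key, cmd, verify_tls=True):
    """Run an operational command through the XML API; returns the raw XML text."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab units still on the factory self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/api/?{query}", context=ctx, timeout=30) as r:
        return r.read().decode()


def parse_ha_state(xml_text):
    """Extract local/peer versions and the running-config sync status from the HA state XML."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API error: " + ET.tostring(root, encoding="unicode"))
    group = root.find("./result/group")
    if group is None:
        raise RuntimeError("no HA group in output; is HA enabled on this unit?")

    def side(tag):
        node = group.find(tag)
        if node is None:
            raise RuntimeError(f"missing <{tag}> in HA state output")
        info = {k: (node.findtext(elem) or "").strip() for k, (elem, _, _) in COMPONENTS.items()}
        info["state"] = (node.findtext("state") or "").strip()
        info["mgmt_ip"] = (node.findtext("mgmt-ip") or "").strip()
        return info

    return {"local": side("local-info"), "peer": side("peer-info"),
            "running_sync": (group.findtext("running-sync") or "").strip()}


def mismatches(state):
    """Components whose version differs between the peers, as (label, local, peer, fix)."""
    return [(label, state["local"][k], state["peer"][k], fix)
            for k, (_, label, fix) in COMPONENTS.items()
            if state["local"][k] != state["peer"][k]]


def gp_activate_cmd(version):
    """XML form of: request global-protect-client software activate version <v>.
    Run it against each peer; GlobalProtect package activation is not HA-synced."""
    return ("<request><global-protect-client><software><activate>"
            f"<version>{escape(version)}</version>"
            "</activate></software></global-protect-client></request>")


def next_steps(state):
    """Ordered actions: clear every mismatch first, only then sync the running config."""
    steps = [f"{label}: local {l} vs peer {p} -> {fix}" for label, l, p, fix in mismatches(state)]
    if not steps and state["running_sync"] != "synchronized":
        steps.append(f"run sync-to-peer from the active unit ({state['local']['mgmt_ip']}): {SYNC_CMD}")
    return steps


# Constructed sample mirroring the thread: active 192.168.1.1, passive 192.168.1.2,
# content versions and GlobalProtect package out of step, running config not synced.
SAMPLE_HA_STATE = """<response status="success"><result><enabled>yes</enabled><group>
<mode>Active-Passive</mode>
<local-info><state>active</state><mgmt-ip>192.168.1.1/24</mgmt-ip><build-rel>8.1.15</build-rel>
<app-version>8339-6505</app-version><threat-version>8339-6505</threat-version>
<av-version>3499-3991</av-version><gpclient-version>5.1.5</gpclient-version></local-info>
<peer-info><conn-status>up</conn-status><state>passive</state><mgmt-ip>192.168.1.2/24</mgmt-ip>
<build-rel>8.1.15</build-rel><app-version>8301-6366</app-version><threat-version>8301-6366</threat-version>
<av-version>3499-3991</av-version><gpclient-version>5.0.8</gpclient-version></peer-info>
<running-sync>not synchronized</running-sync>
</group></result></response>"""

if __name__ == "__main__":
    # Live use: state = parse_ha_state(fetch_op("10.254.1.1", API_KEY, HA_STATE_CMD))
    state = parse_ha_state(SAMPLE_HA_STATE)
    for step in next_steps(state):
        print(step)
    gp = [m for m in mismatches(state) if m[0] == "GlobalProtect Client"]
    if gp:
        print("on the peer:", gp_activate_cmd(gp[0][1]))
```

Against the sample, the script lists Application Content, Threat Content and GlobalProtect Client as mismatched and does not propose a sync-to-peer until those are cleared; once the peer's versions match, the only remaining step is the sync of the running config. The same API calls need a management address for each peer, which is exactly what the later posts in this thread turn out to be missing.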

Hi,

how can I log in to the passive device? I have the management IP of the active device and I can connect to that IP also via SSH, but where can I find the IP for the passive? In the screenshot I attached at the beginning of the post you can see a 192.168.1.2, but I can't connect to it.

@s_quasar,

It's possible that someone updated the <permitted-ips/> on just the active PA granting you access. If you can connect to the active unit, see if you can ssh to the peer directly from the active PA via the CLI. 

I have an interface named "management" with IP 10.254.1.1, and this is the IP that I can access over HTTPS (and I can also use SSH for the CLI) to manage the firewall, but the active has IP 192.168.1.1 and the passive 192.168.1.2. These 2 IPs are unreachable.

The configuration was made by an external company.

OT: this is also linked to another problem, because I would like to send the logs to external software, but to run the tests I can't understand which IP I have to connect to with the MIB Browser.

@s_quasar,

Whoever set this up really did you a disservice. You should always be able to access a management interface on both your HA peer members; usually this is accomplished through the management interface as it's the only interface that accepts traffic on both peers in an A/P HA setup. There also isn't a great way for you to do this anymore outside of actually using a console cable on the passive box or setting a PC with a static and plugging it into the management port.

As for the MIB question you would need to enable SNMP on the management profile currently assigned to the "management" interface and actually setup your box to allow SNMP connections. 

If you have Panorama configured and it can detect both sides of the HA pair, you can use the drop-down list in the top-left to switch to / access the passive member.  It's how we do it when we're not actually in the same building as the HA pair as the management network isn't accessible from outside the building.  But Panorama has full access to the management interfaces.

L3 Networker

Hi,

now on top of this problem I have another one: "failed to handle tdb_update_block" when committing. Now I can't commit even on the local firewall. This is a big problem!
