PA 500 cluster synchronization failure

licenselu · ‎10-02-2012

Hello,

I've a problem with a cluster of PA500 running PANOS 4.1.8.

Config File synchronization is not working between members.

After a config change is done on the master, the following error message appears in the log file of the passive member:

HA Group 1: Running configuration not synchronized after retries

The only way to sync is to move on the CLI on the master and sync manually (request high-availability sync-to-remote running-config)

No problem before upgrading to 4.1.8...

Regards,

HA

ppatel · ‎10-10-2012

The fix to HA sync will be introduced in software version 4.1.9 .

However 4.1.8 hotfix is now available. So please open a support ticket with Palo Alto Networks and once verified, it would be made available to you.

4.1.8-hotfix should take care of HA A/P, A/A, and Panorama HA.

For more details look up this document:-

https://live.paloaltonetworks.com/docs/DOC-3890

Regards

Parth

View solution in original post

ppatel · ‎10-03-2012

Hello,

So, as far as I understand after upgrade to 4.1.8 customer is seeing automatic HA config sync not being triggered after a config change.

Do you see the following behavior:-

>When commit is successful on the active unit, HA sync on the passive will go on for long.

>No jobs will be seen under the passive device for HA sync. (admin@PA>show jobs processed)

>Running Configuration on the passive will show:- synchronization in progress

>After few minutes , the config on the passive device will be out of sync

It will show the following:-

Running Configuration: not synchronized

Out-of-sync Reason: Failure to complete config sync

>However at this time the the active device running configuration will show "synchronized.

If the ABOVE is the case please open a support ticket with Palo Alto Networks and get the issue looked upon.

I might have seen this issue while doing a recreation in-house but will be curious to get into the details.

Regards

Parth

licenselu · ‎10-03-2012

Hello,

First, thanks for comment.

Q: Do you see the following behavior:"

A: No jobs will be seen under the passive device for HA sync. (admin@PA>show jobs processed)

After few minutes , the config on the passive device will be out of sync

It will show the following:-

Running Configuration: not synchronized

Out-of-sync Reason: Running configuration not synchronized after retries

Q :However at this time the the active device running configuration will show "synchronized.

A: Exact.

I had to upgrade from 4.1.6 to 4.1.8 because of the bug ID 43575 (mgmt-plane unresponsive).

This is the only problem I face with 4.1.8.

Regards,

HA

ppatel · ‎10-03-2012

Hello,

When commit is successful on the active unit, HA sync on the passive will go on for long.

At this time, On the passive device, when the automatic synchronization is going on execute the following command:-

admin@PA-500> tail lines 100 follow yes mp-log ha_agent.log

Look for the error:-

mp \ ha_agent.log ha_state_cfg_from_insync_to_outsync(src/ha_state_cfg.c:609): peer group 1 has changed the md5, waiting for an update

Submit all these details by opening up a support ticket.

Regards

Parth

ppatel · ‎10-03-2012

Also when you open a support ticket, please make sure you attach the tech support files from active and passive unit to the case.

How to generate the TS file?

From the Palo Alto Device Web Interface,

1) Go to Device Tab --> Support

2) Click Generate Tech Support File

3) Once Generated, Download it to your Desktop

4) Log into your case management Tool to open up the case, scroll down towards the bottom and Click "Upload File"

5)Click OK

Let me know if the above details helped you to proceed with the next steps.

Regards

Parth

PA 500 cluster synchronization failure

PA 500 cluster synchronization failure

Show your appreciation!