Palo Alto HA running config not synchronized .

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Palo Alto HA running config not synchronized .

L4 Transporter

image001.png 

Can you advice how to resolve this issues?

13 REPLIES 13

Cyber Elite
Cyber Elite

Hello,

Clickthe 'Sync to Peer' button on that same line. If this is a new HA deployemnt, it is a requirement. If not, something could have goofed during the sync, you may want to check the logs. If its happening frequently, might want to open a support case.

 

Regards,

Cyber Elite
Cyber Elite

@Radmin_85,

Outside of what @OtakarKlier already mentioned I would ensure that the peer doesn't have an active commit lock which would prevent the active unit from syncing the configuration. As for the Antivirus version you may want to ensure that you've staged the scheduled install times so that you don't have both firewalls downloading and pushing the updates at the same time, that can cause a few issues. 

Hello .we have clicked on Sync to peer and also updated on both FW Antivirus updates.But problem still exist.And itis not a new deployment

Screenshot_5.png

@Radmin_85,

I've outlined the follow three steps in likelyhood that they will actually fix your issue. Work through this list and see if that doens't fix your issue. 

1) Have you logged into the peer firewall and verified that it doesn't have an active commit lock or half-complete configuration statements that are blocking the active member from pushing the running-config to the peer. If you can get access to the peer firewall then ensure that you don't have any active locks and revert to running-config to ensure that all possible changes are wiped away; then from the active member run 'request high-availability sync-to-remote running-config', 'request high-availability sync-to-remote runtime-state'.  

 

2) Outside of that you can monitor the ha-agent logs by running 'less mp-log ha_agent.log' which should show an error that would give some insight into what exactly is causing the sync issue.

 

3) You can also try restarting the mgmtsrvr process on the passive device by running 'debug software restart process management-server'; I've seen instances where this needs to be ran on both to actually bring the config back in-sync, but usually just the passive will fix any issues. 

We did all the things you wrote but nothing help.May be to get device off the cluster and then join again?

 

image004.png

@Radmin_85,

If non of that is working I would simply call TAC and work through the issue with them. You shouldn't have to break HA to get this functional at all. 

or restart the managment plane on the active PA

MP

Help the community: Like helpful comments and mark solutions.

L2 Linker

Hello, I understand this is an old post but were you able to fix the issue? We're having the same problem and have tried every solution out there. TAC advised to reset the Passive device to factory settings but that still didn't fix the issue.

L0 Member

I am here with the same issue..

software version: 9.1.13-h3

 

 

L0 Member

Maybe it will help someone in the future, that I fought similar issue today for some hours and found solution for my case.


While all logs stated that sync was done successfully, dashboard still stated that config is not synced.

In my case, the solution was to check the SSL certificates. On passive one, I did delete few months ago main HTTPS certificate as the old one was no longer valid, and never created a new one for that time. Now issue showed up after cluster software update, and it was enough to just create new SSL certificate, attach it to the Management page. Then forced sync via browser and it surprisingly worked this time.

L0 Member

Thank you @BPry   I restarted Management plane on passive unit first and tried sync, still didn't show as synced on dashboard despite showing in tasks as completed successfully.  Restarted management plane on active FW and ran again.  Now running config status is showing as synced on the dashboard.  

Normally clicking on syn to peer works most of the time.

MP

Help the community: Like helpful comments and mark solutions.

L1 Bithead

Hello.

I also observed the mentioned problems.
After Dynamic updates of the anti-virus, the problem will be solved.
The anti-virus version must be the same on both firewalls. The prerequisites for HA are:

same model, same PAN-OS version, the same type of interfaces, the same set of licenses, same anti-virus updates, same threat version.

Best regards!

Rashadat Seyidzada
Azerbaijan, Baku
  • 37419 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!