06-22-2026 08:08 AM
Our customer has 2 PA-3420s running in Active Active HA which are currently out of sync.
All criteria on the HA widget matches across the two devices.
When we attempt to sync to peer from the active-primary we get a commit failure on the active secondary stating:
invalid interface address XXX-XXX-XXX-XXX-30(Module: routed)
client routed phase 1 failure
Commit failed.
Can anyone tell me why this is? The address stated in the error message is currently configured to a sub interface on the active secondary.
All dataplane interface IPs across the two devices do not match.
Kind Regards
Nathan Gibson
06-23-2026 02:20 AM
Hi @N.Gibson577756 ,
I've seen this happen because of a timing issue in the commit validation process.
The interface configuration requires an immediate, validated IP address. When it encounters the name of a new, uncommitted address object, the system fails to resolve it because the object has not yet been formally saved to the configuration database. This triggers the "Invalid IP" error and causes the commit to fail.
The solution there was doing a two-stage commit. We must ensure the address object exists in the configuration *before* assigning it to an interface.
Stage 1: Create and Commit the Object - First, create the new address object with its corresponding IP address. Perform a commit.
This action validates the new object and adds it to the firewall's configuration database. At this point, the firewall "knows" that your new object name represents a valid IP address.
Stage 2: Assign the Object and Commit Again - Now that the address object is a recognized part of the running configuration, you can assign it to the network interface and perform a second commit.
This time, when the validation process checks the interface, it will successfully look up the object name, find the corresponding IP address in its database, and the commit will pass without error.
This two-step process "pre-registers" the address object, making it available for the firewall to use in more sensitive configuration areas like interface IP assignments.
Hope this helps,
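
A pre-commit check for the situation described in the reply above, added here as an example and not taken from the thread or from Palo Alto Networks: it scans an exported configuration for interface IP entries that are neither literal addresses nor address objects with a valid `ip-netmask`. The XML element layout and the sample configuration (object names `dmz-gw` and `new-obj`) are assumptions constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element layout is assumed from an exported PAN-OS config.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network><interface><ethernet><entry name="ethernet1/1"><layer3>
    <ip><entry name="10.1.1.1/24"/></ip>
    <units>
      <entry name="ethernet1/1.30"><ip><entry name="dmz-gw"/></ip></entry>
      <entry name="ethernet1/1.40"><ip><entry name="new-obj"/></ip></entry>
    </units>
  </layer3></entry></ethernet></interface></network>
  <vsys><entry name="vsys1"><address>
    <entry name="dmz-gw"><ip-netmask>10.1.30.1/24</ip-netmask></entry>
  </address></entry></vsys>
</entry></devices></config>
"""

def is_literal_ip(value):
    """True if value is an IP or IP/prefix rather than an object name."""
    try:
        ipaddress.ip_interface(value or "")
        return True
    except ValueError:
        return False

def unresolved_interface_addresses(config_xml):
    """Return (interface, reference) pairs whose reference is neither a
    literal IP nor an address object with a valid ip-netmask."""
    root = ET.fromstring(config_xml)
    known = {e.get("name") for e in root.iterfind(".//address/entry")
             if is_literal_ip(e.findtext("ip-netmask"))}
    findings = []
    for iface in root.iterfind(".//network/interface//entry"):
        # Physical interfaces keep IPs under layer3/ip, subinterfaces under ip.
        refs = iface.findall("layer3/ip/entry") + iface.findall("ip/entry")
        for ref in refs:
            name = ref.get("name")
            if not is_literal_ip(name) and name not in known:
                findings.append((iface.get("name"), name))
    return findings

if __name__ == "__main__":
    for iface, ref in unresolved_interface_addresses(SAMPLE_CONFIG):
        print(f"{iface}: '{ref}' does not resolve to a committed address object")
```

Run against an export of the running configuration, an empty result means every interface reference already resolves, so the missing-object explanation does not apply to that device.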
06-23-2026 07:57 AM
Hi Kiwi,
Thank you for your response, that's good to know. Unfortunately, in this situation the address object and the interface where the address object is assigned are already part of the running configuration. Would you suggest we remove the address object and enter the address manually for the interface to see if this succeeds?
Kind Regards
NG

