HA pair not synchronizing


L1 Bithead

Hi all,

 

I have a PA-220 HA pair without licenses running on PANOS 9.1.13-h3. Recently I had an issue with an HA passive firewall, so it had to be replaced. I extracted the active firewall's running-config and uploaded it into the new passive one. I was able to synchronize the App&Threat version by re-installing the active FW's current version. I have 2 problems now:

JuanFelipeAyala_1-1703613361357.png

 

1. Whenever I execute the command request high-availability sync-to-remote running-config I keep getting the error

Server error : Failed to synchronize running configuration with HA peer; operation not allowed: Version mismatch with Peer for DLP

I do not have DLP configured in this FW, nor do I see any tab to do it.

 

2. Apparently, neither FW has any Antivirus version installed, but when I execute show system info on the active one, I have this output:

JuanFelipeAyala_2-1703613751019.png

 

I tried deleting the actual AV version but the file doesn't seem to exist, I don't see any files to actually delete.

JuanFelipeAyala_4-1703613921986.png

 

My hypothesis is that I can't sync both firewalls until the AV version is matched, but I'm not really sure.

 

Does anyone have an idea of what could be wrong here?

1 accepted solution

Accepted Solutions

L1 Bithead

I'm updating this with a possible solution for this problem that worked for me. The problematic device was used for labs before it was sent to production. In the lab we used PANOS 10, where the DLP plugin was automatically installed. I downgraded the device to PANOS 9, as the active one in production was already on that version. The DLP plugin is not deleted automatically when you downgrade, so there's the root of the problem.

 

For the HA pair to synchronize properly I had to upgrade the firewall back to PANOS 10 and manually delete the DLP plugin. Then I went back to the current PANOS 9 version, and then I could synchronize as normal.


2 REPLIES

Community Team Member

Hi @JuanFelipeAyala ,

 

Can you speak more about your firewalls being unlicensed? It looks like you at least have threat prevention and URL-filtering. Before setting up your transfer device, I would recommend following How to Configure and RMA replacement firewall. The replacement device must be set up with the previous firewalls' licenses. As far as HA is concerned, both firewalls should have an identical set of licenses as well as matching versions for app, threat, antivirus, and PAN-OS. Once you can get the antivirus matched, I would check to see if you have any additional errors when trying to sync HA.

 

LIVEcommunity team member
Stay Secure,
Jay
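
Added example (not part of the thread or of any Palo Alto Networks tooling): a pre-sync check that compares the version fields named in the reply above across saved `show system info` output from both peers. The sample captures, hostnames and content versions are constructed; only the PA-220 model and 9.1.13-h3 come from the thread, and the function names are hypothetical.

```python
# Fields the reply says must match between HA peers before a config sync.
HA_VERSION_FIELDS = ("sw-version", "app-version", "threat-version", "av-version")

# Constructed sample captures of `show system info` (trimmed).
ACTIVE_INFO = """\
hostname: fw-active
model: PA-220
sw-version: 9.1.13-h3
app-version: 8790-8458
threat-version: 8790-8458
av-version: 4680-5198
"""

PASSIVE_INFO = """\
hostname: fw-passive
model: PA-220
sw-version: 9.1.13-h3
app-version: 8790-8458
threat-version: 8790-8458
av-version: 0
"""


def parse_system_info(text):
    """Turn 'key: value' lines into a dict, ignoring anything else."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            info[key.strip()] = value.strip()
    return info


def ha_version_mismatches(active_text, passive_text, fields=HA_VERSION_FIELDS):
    """Return {field: (active_value, passive_value)} for fields that differ.

    A field missing on either peer is reported with None so that it is
    never silently treated as a match.
    """
    active = parse_system_info(active_text)
    passive = parse_system_info(passive_text)
    mismatches = {}
    for field in fields:
        a, p = active.get(field), passive.get(field)
        if a is None or p is None or a != p:
            mismatches[field] = (a, p)
    return mismatches


if __name__ == "__main__":
    for field, (a, p) in ha_version_mismatches(ACTIVE_INFO, PASSIVE_INFO).items():
        print(f"MISMATCH {field}: active={a!r} passive={p!r}")
```

This only covers the fields listed in the reply; it does not inspect installed plugins, which is where the accepted solution found the DLP mismatch.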