Unable to Login on Secondary Device in Active Passive HA Using Superuser

L2 Linker

Hello Team,

We are currently facing an issue with logging in to the secondary firewall in an Active-Passive HA setup using any superuser credentials other than the admin credentials.

When we create a new superuser account or make changes on the active firewall, they are successfully replicated on the passive firewall, indicating that HA synchronization is working properly. However, we are unable to log in to the secondary device using any superuser credentials.

We are not using any authentication profile, and after checking the system logs, we found no entries related to credentials or authentication.

Additionally, we have tried performing a hard reboot of the secondary firewall, but the issue persists.

Has anyone encountered a similar issue? Kindly assist with possible resolutions or troubleshooting steps based on your expertise.

Thank you in advance for your support.

1 REPLY 1

Cyber Elite

Hi @Mebinbaby,

That is a good one. The only possibility that I can think of is that the master key was configured on the active NGFW, but not the passive. The master key encrypts passwords and is not synced between HA pairs and must be configured locally. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchroniz...

Since your configuration is safely saved on the active NGFW, you can factory reset the passive. Configure HA, and sync the configuration again. You will still need to configure the master key on the passive if it was changed.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.