02-11-2025 07:45 AM - edited 02-11-2025 04:01 PM
Hello,
If you deploy Panorama VM with 1 active instance on-premises and 1 passive instance in the cloud, you might encounter issues with HA Sync when enforcing the permitted IP address restriction on the Panorama management interface.
Panorama Management IP address
pan-on-prem - 10.10.10.10
pan-on-cloud - 20.20.20.10
Let's assume that for High availability setting, we use the Management interface IP address to communicate between Active and Passive Panorama instances.
HA sync between the active and passive Panorama will not function as expected after applying the permitted IP address restriction in the Management Interface Settings under Panorama --> Setup --> Interfaces --> Management, even if the management IP address of both Panorama is included in the permit list on both Panorama instances.
set deviceconfig system permitted-ip 10.10.10.10/32 description pan-on-prem
set deviceconfig system permitted-ip 20.20.20.10/32 description pan-on-cloud
set deviceconfig system permitted-ip <rest-of-the-ips> description all-other-ips
Issue: HA sync failure
Symptoms:
On Active Panorama
Running config: Not Synchronized
App version : unknown
Antivirus version: unknown
Plugin vm_series: unknown
On Passive Panorama
Running config: Not Synchronized
App version : Mismatch
Antivirus version: Mismatch
Plugin vm_series: Mismatch
Solution:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
