09-05-2023 08:06 PM
Needing your help; I'm a newbie on Palo Alto. We have a Panorama on one of our sites; this is a PA-200. Before, I was seeing the primary on Panorama, but now it's not. Although I can access it via SSH and use the CLI, when I run the show running sync-to-panorama command it was not on the list. These Panoramas are old ones and slow. The mgmt and policies are allowed. We have a failover test within the next 2 weeks for an audit.
09-05-2023 08:24 PM
Hello @weezy
To troubleshoot the Firewall connection / registration issue with Panorama, could you check this KB: Troubleshooting Panorama Connectivity. If the issue is not resolved after following the steps in the KB, could you provide the output of the commands below from the Firewall:
show panorama-status
show netstat all yes numeric-hosts yes numeric-ports yes
Also, could you check the content of the file below from the CLI?
less mp-log ms.log
Kind Regards
Pavel
09-05-2023 08:39 PM
Hi, when I check the status it says HA disconnected:
Connected : no
HA state : disconnected
We have our senior engineer on Palo Alto working on this and I don't have an update yet, as I'm still waiting for his reply. I know as well that this old Palo Alto 200 had lots of issues before I came in. But I noticed that before, HA was connected and I was seeing the primary on Panorama.
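A small check script, added here as an example and not part of the thread or any Palo Alto Networks tool, that parses the "Key : value" lines of `show panorama-status` output like the one quoted above and flags servers that are not connected. The sample output is constructed from the lines quoted in the thread; the "Panorama Server N : address" header lines and indentation are assumptions. The "op command ... timed out" text from later in the thread is handled as its own failure so it is never mistaken for a healthy, empty status.

```python
import re
from typing import Dict, List

# Constructed sample of `show panorama-status` output. The "Connected : no" and
# "HA state : disconnected" lines mirror what was reported in the thread; the
# "Panorama Server" header lines and indentation are assumptions.
SAMPLE_OUTPUT = """\
Panorama Server 1 : 192.0.2.10
    Connected : no
    HA state  : disconnected
Panorama Server 2 : 192.0.2.11
    Connected : yes
    HA state  : connected
"""

# Error text reported in the thread when an op command cannot reach its backend.
OP_TIMEOUT_MARKER = "op command for client"

KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(?P<value>.*?)\s*$")


def parse_panorama_status(text: str) -> List[Dict[str, str]]:
    """Turn the key/value lines into one dict per Panorama server entry."""
    servers: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group("key").strip(), m.group("value")
        if key.lower().startswith("panorama server"):
            current = {"server": value}
            servers.append(current)
        elif current:
            current[key.lower()] = value.lower()
    return servers


def check_panorama_status(text: str) -> Dict[str, object]:
    """Summarise connectivity; report the op-command timeout as its own failure."""
    if OP_TIMEOUT_MARKER in text:
        return {"ok": False, "reason": "op command timed out; retry or check mp-log ms.log", "servers": []}
    servers = parse_panorama_status(text)
    if not servers:
        return {"ok": False, "reason": "no Panorama server entries parsed", "servers": []}
    bad = [s["server"] for s in servers if s.get("connected") != "yes" or s.get("ha state") == "disconnected"]
    reason = ("disconnected: " + ", ".join(bad)) if bad else "all connected"
    return {"ok": not bad, "reason": reason, "servers": servers}


if __name__ == "__main__":
    print(check_panorama_status(SAMPLE_OUTPUT))
```

Paste the real command output in place of SAMPLE_OUTPUT; a result with "ok": False is the cue to work through the Panorama connectivity KB before any failover test.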
09-05-2023 08:43 PM
Hi Pavel,
When I run the sh netstat command I get this message:
Server error : op command for client dagger timed out as client is not available
Also, when doing a failover test on Palo Alto, is the best way shutting down the primary device? Or suspend HA and shut the interface of the primary PA facing the internet?
09-05-2023 09:22 PM
Hello @weezy
Thank you for your reply.
The error you reported seems related to this KB: CLI command 'show netstat listening yes' fails intermittently.
Regarding HA failover, there is no need to reboot the Firewall or shut down an interface. You can trigger a failover by suspending the Firewall:
CLI: request high-availability state suspend
GUI: Device > High Availability > Operational Commands - click Suspend local device
Kind Regards
Pavel
09-05-2023 09:57 PM
Hi Pavel,
I tried it in the LAB: suspending HA only leads to split brain from an active/passive setup. It becomes active/active, as both are forwarding the same data, and it might cause a problem. So would it be better to shut down the primary firewall instead?
09-05-2023 10:44 PM
Hello @weezy
Thank you for your reply.
Regarding split brain, could you confirm whether you enabled the HA1 backup link? This is a mitigation against the split-brain scenario.
High-Availability - Split Brain
DotW: What is Peer-Split-Brain?
If you have no other choice, then I would shut down / disconnect the data plane interfaces (in this case you can still access the Firewall through the management port) or power the Firewall off.
Kind Regards
Pavel
09-05-2023 10:55 PM
Hi Pavel,
Unfortunately we don't have a backup MGMT IP configured, and I don't want to add one because our PA 200 is so slow and has a lot of weird issues. So what I will do is disconnect the cables.
09-05-2023 11:08 PM
Also, I see a post in the group saying that the heartbeat backup will help prevent split brain. Please see below the post that I saw on the PA LIVEcommunity:
Split brain conditions can be prevented by configuring an HA1 Backup link and/or enabling Heartbeat Backup.
https://live.paloaltonetworks.com/t5/general-topics/what-is-peer-split-brain/m-p/19825#U19825