Failed to add imported nodes into Panorama

L5 Sessionator

Hey Team,

 

I thought I would share my experiences with adding firewalls into Panorama and receiving the error message in the subject. The scenario is an HA pair with multi-vsys compatibility enabled - and 5 virtual systems. In all cases, adding the Primary/Active firewall to Panorama works perfectly fine; the issue lies with adding the Secondary/Passive firewall: after doing the operation "Import device configuration to Panorama", the message "Failed to add imported nodes into Panorama" is shown.

 

After looking at the confd logs with TAC, we can see that it's failing because it mentions that the device group names already exist. In step 5.3 in the below documentation, the device group names for the Secondary/Passive firewall have already been prefixed with a character to avoid name duplicates, yet the issue still arises.

 

https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/manage-firewalls/tran...

 

Upon further investigation from TAC's side, they gave us a workaround: modify the names of the virtual systems on the Secondary/Passive firewall, then proceed once more with the import. This seems to work. As this is of course a workaround and not an actual solution, they looked into this further and found that this is actually expected behaviour, but the documentation should be updated to include the below steps, which also work. If anyone has ever faced this before, let me know, but this issue does seem specific to importing HA firewalls with multiple virtual systems, so I'm surprised it hasn't been raised before.

 

1. Import device group from HA Peer-1 followed by Panorama commit.
2. Export, Push and Commit the configuration bundle to HA Peer-1.
3. Delete device groups from Panorama after Push & Commit to HA Peer-1.
4. Import device group from HA Peer-2 followed by Panorama commit.
5. Export, Push and Commit the configuration bundle to HA Peer-2.
6. Associate HA Peer-1 and HA Peer-2 into one device group (the one created during HA Peer-2 import).

 

The steps are the same and also work if you start with the Secondary/Passive unit and assume "HA-peer-1" is the Passive device.

 

Thanks,

Luke.
