This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Paloalto HA probem

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Paloalto HA probem

GabrielePiccini
L1 Bithead

‎09-29-2022 01:53 AM

Hello,

 

we have a few PA440 clusters where we are unable to activate HA. Software version is 10.1.6-h6.

 

As soon as we enable HA on first node, everything goes down (including internet access) and then the config gets rolled back (due to lost connectivity to panorama).

 

I cannot seem to find any hint in the system logs.

 

Has this happened to anyone?

0 Likes Likes
3 REPLIES 3

aleksandar.astardzhiev
Cyber Elite
Cyber Elite

‎09-29-2022 03:03 PM

Hi @GabrielePiccini ,

Are both firewalls currently managed by Panorama?

Are both firewalls receiving configuration from Panorama - are both assigned to same templates/device-group?

Are you using management interface for HA1? Are there any other PAN firewalls in the same network?

Are you able to login to the firewall while it is "down"?

 

One of the possible think I am imagine is that when enabling the HA, firewalls are trying to sync the config - if "Enable Config Sync" is enabled. This option will sync firewalls local config, Panorama pushed config is not synced between HA members - Panorama always push config to each member in the HA separately. So it is possible that syncing local config to actually telling the firewall to remove everything (since the local config is empty and everything is pushed from Panorama).

This could explain why FW loose connectivity with Panorama - assuming it is reaching it over OOB network, not passing over dataplane.

 

Another option would be that firewall is detecting another PAN HA cluster - if HA Group ID is the same. For that reason firewall is going to either non-functional or passive state and stop processing traffic.

0 Likes Likes

GabrielePiccini
L1 Bithead
In response to aleksandar.astardzhiev

‎09-29-2022 11:46 PM

Hello,

 

Are both firewalls currently managed by Panorama? YES

Are both firewalls receiving configuration from Panorama - are both assigned to same templates/device-group? YES

Are you using management interface for HA1? Are there any other PAN firewalls in the same network? NO, DEDICATED ONE. NO OTHER DEVICES ON NETWORK

Are you able to login to the firewall while it is "down"? YES, VIA PUBLIC IP ADDRESS

 

 

I also tried with "sync config" off. No matter what, even if firewall 2 has HA disabled, enabling HA on firewall 1 brings everything down.

 

Also , this occured on another installation (so it's not hardware related).

 

Thanks for reply

0 Likes Likes

GabrielePiccini
L1 Bithead

‎10-04-2022 01:36 AM

We finally managed to enable HA by starting from the secondiary node. Really strage.

0 Likes Likes
  • 1350 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks