Palo Alto Networks Knowledgebase: HA Configuration Out-of-Sync Due to Certificate
HA Configuration Out-of-Sync Due to Certificate
Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM
The passive unit in an HA pair cannot sync to the active device because it does not have a certificate. When trying to sync the certificate to the passive unit it fails. When trying to add the certificate to the passive unit and perform the sync-to- peer from the active unit, the sync fails and the passive unit deletes the newly installed certificate.
Import the missing certificate into the passive unit. If the same certificate is used for options like "Forward Trust, Forward Untrust and etc" on the active firewall, make sure that the same Certificate on the passive device must be selected with same options as shown below.
Shown below is the Active Device:
Shown below is the Passive Device:
Perform a commit sync from passive to primary by using the following CLI command: