Palo Alto Networks Knowledgebase: HA Configuration Out-of-Sync Due to Certificate


Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM

Issue

The passive unit in an HA pair cannot sync to the active device because it is missing a certificate that the active device's configuration references. Attempting to sync the certificate to the passive unit fails. Adding the certificate to the passive unit and then running a sync-to-peer from the active unit also fails, and the passive unit deletes the newly installed certificate.


Resolution

Import the missing certificate into the passive unit. If the same certificate is used for options such as Forward Trust Certificate or Forward Untrust Certificate on the active firewall, make sure that the same certificate on the passive device is selected for the same options, as shown below.

Shown below is the Active Device:

[Image: cert act.JPG, certificate settings on the active device]


Shown below is the Passive Device:

[Image: cert pas.JPG, certificate settings on the passive device]


Commit

Perform a commit sync from passive to primary by using the following CLI command:

> request high-availability sync-to-remote running-config
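As an added pre-flight check that is not part of this article, the script below compares exported running configurations from both units and reports certificates present on the active unit but absent from the passive unit, plus Forward Trust/Untrust options that reference different certificates on each side. The XML element names (shared/certificate and shared/ssl-decrypt) are assumed from the PAN-OS config layout, and the two sample configs are constructed.

```python
"""Pre-sync check: find certificates on the active unit that are missing from
the passive peer, and decryption options pointing at different certificates."""
import xml.etree.ElementTree as ET

# Constructed sample configs, not real exports. The element names follow the
# PAN-OS shared certificate / ssl-decrypt layout as an assumption.
ACTIVE_XML = """<config><shared>
  <certificate>
    <entry name="fwd-trust-ca"/><entry name="fwd-untrust-ca"/>
  </certificate>
  <ssl-decrypt>
    <forward-trust-certificate>fwd-trust-ca</forward-trust-certificate>
    <forward-untrust-certificate>fwd-untrust-ca</forward-untrust-certificate>
  </ssl-decrypt>
</shared></config>"""

PASSIVE_XML = """<config><shared>
  <certificate><entry name="fwd-trust-ca"/></certificate>
  <ssl-decrypt>
    <forward-trust-certificate>fwd-trust-ca</forward-trust-certificate>
  </ssl-decrypt>
</shared></config>"""

# Decryption options whose certificate selection must match on both units.
OPTIONS = ("forward-trust-certificate", "forward-untrust-certificate")


def cert_names(root):
    """Names of certificates installed in the shared certificate store."""
    return {e.get("name") for e in root.findall("./shared/certificate/entry")}


def option_refs(root):
    """Certificate name selected for each decryption option (None if unset)."""
    refs = {}
    for opt in OPTIONS:
        node = root.find(f"./shared/ssl-decrypt/{opt}")
        refs[opt] = node.text.strip() if node is not None and node.text else None
    return refs


def check_sync_readiness(active_xml, passive_xml):
    """Return what must be fixed on the passive unit before sync-to-remote."""
    active, passive = ET.fromstring(active_xml), ET.fromstring(passive_xml)
    missing = sorted(cert_names(active) - cert_names(passive))
    a_refs, p_refs = option_refs(active), option_refs(passive)
    mismatched = sorted(o for o in OPTIONS if a_refs[o] != p_refs[o])
    return {"missing_on_passive": missing, "option_mismatch": mismatched}


if __name__ == "__main__":
    for key, val in check_sync_readiness(ACTIVE_XML, PASSIVE_XML).items():
        print(f"{key}: {val or 'none'}")
```

An empty result for both keys means the passive unit already has every certificate and selection the active unit's config expects.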


See Also

High Availability Synchronization


owner: nayubi



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldECAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail