Palo Alto Networks Knowledgebase: Mismatched URL Vendor on High Availability Pair
Mismatched URL Vendor on High Availability Pair
Created On 07/29/19 17:23 PM - Last Updated 07/29/19 17:51 PM
Two Palo Alto Networks devices are running the same PAN-OS version. The active device is configured for PAN-DB and the passive device is set to BrightCloud. High Availability (HA) is enabled on the active device. HA is then enabled on the passive device. As the commit operation finishes on the passive device, the active device goes into the non-functional state, and the passive device becomes active.
The log on the original active device shows:
State: active (last 21 hours)
Last non-functional state reason: URL vendor mismatch
The passive device (with BrightCloud) forced the active unit to go into a non-functional state with the message, Set dev peer state to Non-Functional. This triggers the passive device to become the active.
The failover is due to the mismatch of URL vendor between the HA pair of devices.
Further, if different URL vendors are used on the HA pair of devices, the one with PAN-DB will go into the non-functional state. For example, if the scenario has the active device using BrightCloud and passive device with PAN-DB, the passive unit with PAN-DB will go into the non-functional state.
Ensure that both HA devices are using the same URL vendor (PAN-DB or BrightCloud).
If you do not have a license for either URL database vendor, generate a trial license to load on the passive firewall to match the database that the active firewall has loaded.
If the active firewall is running BrightCloud, and the passive firewall is running PAN-DB, generate a trial license for BrightCloud to load on your passive firewall.
Suspend the HA for the passive firewall.
Load the BrightCloud trial license on the passive firewall.
Activate and download the BrightCloud database on the passive firewall.
Restore the high-availability state to functional for the passive firewall.
Note: If a new configuration snapshot is loaded on a Palo Alto Networks device with PAN-DB activated, the admin will still have to activate PAN-DB after the load. If a device with an activated PAN-DB has no DNS connection, it will still remain activated.