Palo Alto Networks Knowledgebase: Regenerating the HA Encryption Key for Panorama

Created On 02/07/19 23:48 PM - Last Updated 02/07/19 23:49 PM
Cortex Data Lake Panorama

Issue

A user has two instances of Panorama in the production network and is preparing to turn on Panorama HA. The Panorama VM at the primary site has been cloned and brought up at the secondary site. The MAC address, serial number, and management IP address have been changed. However, the two VMs have the same HA key and get an error when attempting the HA key exchange. Is there a way to regenerate the HA key in one of these instances of Panorama?

 

Resolution

To regenerate the HA encryption key:

  1. Reset the SSH keys on one of the Panorama boxes by using the following CLI command:

    admin@Panorama97> debug system ssh-key-reset high-availability

  2. Resync the keys between the two Panoramas by using the SCP export/import commands:

    admin@Panorama97> scp export high-availability-key
    + remote-port   SSH port number on remote host
    * from          from
    * to            Destination (username@host:path)

    admin@Panorama97> scp import high-availability-key
    + remote-port   SSH port number on remote host
    * from          Source (username@host:path)
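
A check that can be run on the SCP host once both peers have exported their keys, to confirm that the clone no longer shares the primary's HA key. This is an added example, not part of the original article or Palo Alto Networks code. It assumes the exported key is an OpenSSH-style public key line (anything else is hashed as raw content), and the peer names and key material are constructed.

```python
"""Added example: detect Panorama peers whose exported HA keys are identical."""
import base64
import hashlib
from collections import defaultdict


def key_fingerprint(text):
    """OpenSSH-style SHA256 fingerprint of a 'type base64 [comment]' key line.

    Assumption: the exported key is an OpenSSH public key line. Anything else
    is fingerprinted over its stripped raw content instead.
    """
    data = text.strip().encode()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith(("ssh-", "ecdsa-")):
            try:
                data = base64.b64decode(parts[1], validate=True)
                break
            except ValueError:  # not valid base64: keep the raw-content fallback
                continue
    digest = hashlib.sha256(data).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(exports):
    """Return groups of peer names whose keys share one fingerprint."""
    groups = defaultdict(list)
    for peer, text in exports.items():
        groups[key_fingerprint(text)].append(peer)
    return sorted(sorted(peers) for peers in groups.values() if len(peers) > 1)


def _sample_key(seed, comment):
    # Constructed placeholder material, not a real key.
    return "ssh-rsa " + base64.b64encode(seed).decode() + " " + comment


# Constructed sample data: a clone carries the primary's key until it is reset.
BEFORE_RESET = {
    "primary": _sample_key(b"constructed-key-A", "ha@primary"),
    "secondary": _sample_key(b"constructed-key-A", "ha@secondary"),
}
AFTER_RESET = dict(BEFORE_RESET, secondary=_sample_key(b"constructed-key-B", "ha@secondary"))

if __name__ == "__main__":
    for label, exports in (("before reset", BEFORE_RESET), ("after reset", AFTER_RESET)):
        print(label, "-> peers sharing a key:", find_shared_keys(exports) or "none")
```

The comparison is made on the decoded key blob, so two files that differ only in the trailing comment are still reported as the same key.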

 

owner: gutierrez


