Cannot Sync from Active to Passive Member in HA Pair

Cannot Sync from Active to Passive Member in HA Pair

Created On 09/27/18 07:47 AM - Last Modified 02/07/19 23:36 PM



Cannot sync from active to passive device in high availability (HA) pair. However, sync from the passive to active device occurs with no issues.

Note: Another symptom that may arise is that the passive device encounters problems updating the apps and threat content.



The issue may occur because the symbolic link needed for the global.xml file is lost. Look for the following message inside of the mp\ms.log on the passive device:

> less mp-log ms.log


Error: pan_file_to_xml(pan_xml_utils.c:373): file /opt/pancfg/mgmt/global/global.xml doesn't exist



The simplest way to resolve this issue is to restart the management server on the passive device. Reboot the passive Palo Alto Networks firewall or manually restart the management server on the CLI using the following command:

> debug software restart management-server

Note: Restarting the management server disconnects you from the WebGUI. Be sure to save any changes or commit before performing this step.


After the management server restarts (in a couple of minutes), log into the WebGUI, then sync from the active member.


owner: jdelio

  • Print
  • Copy Link

Choose Language