HA Sync Job Fails on Passive Firewall when NetFlow Profile appl... - Knowledge Base - Palo Alto Networks

HA Sync Job Fails on Passive Firewall when NetFlow Profile applied on Active Firewall

14225

Created On 04/29/19 11:28 AM - Last Modified 12/04/19 22:42 PM

Active-Active

Active-Passive

NetFlow

PA-5200 Series

PA-7000 Series

High Availability

Reporting and Logging

PAN-OS

Symptom

The Netflow profile is applied on the active firewall and committed successfully. When the config is synced to the passive firewall, the HA Sync job fails with the below error:

Error: NetFlow profile NetFlow-Profile used on interface ethernet1/3 without a valid service-route
(Module: device)
Commit failed

Screenshot showing the error:

Environment

PA-5200 Series firewalls
PA-7000 Series firewalls

Cause

This could happen when only on PA-7000 and PA-5200 platforms when the custom service route is not configured (to use data interface) for Netflow service. A Custom Service Route specifying a data port must be configured for NetFlow. The service route can be global or per-vsys. Service router configuration does not get synced over HA.

Resolution

STEP 1: Navigate to Device > Setup > Services of the passive firewall
STEP 2: Click Service Route Configuration
STEP 3: Under Services, click Netflow and select the required interface (has to be data interface)
STEP 4: Commit the changes on the passive firewall
STEP 5: Do a manual configuration synchronization by navigating to the Dashboard in the High Availability widget, click Sync to peer

Additional Information