HA Sync Job Fails on Passive Firewall when NetFlow Profile applied on Active Firewall
Created On 04/29/19 11:28 AM - Last Modified 12/04/19 22:42 PM
Symptom
The NetFlow profile is applied on the active firewall and committed successfully. When the configuration is synced to the passive firewall, the HA Sync job fails with the following error:
Error: NetFlow profile NetFlow-Profile used on interface ethernet1/3 without a valid service-route (Module: device) Commit failed
Environment
PA-5200 Series firewalls
PA-7000 Series firewalls
Cause
This can happen only on PA-7000 and PA-5200 platforms, when a custom service route (using a data interface) is not configured for the NetFlow service. A custom service route specifying a data port must be configured for NetFlow. The service route can be global or per-vsys. Service route configuration does not get synced over HA.
Resolution
STEP 1: On the passive firewall, navigate to Device > Setup > Services
STEP 2: Click Service Route Configuration
STEP 3: Under Services, click Netflow and select the required interface (it must be a data interface)
STEP 4: Commit the changes on the passive firewall
STEP 5: Perform a manual configuration synchronization: on the Dashboard, in the High Availability widget, click Sync to peer
Additional Information
For additional information, please view the following references:
https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000CySSAA0&field=Attachment_1__Body__s
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLnCAK