Recover a peer (either Active or Passive) using Device State from another peer in Active/Passive HA
32429
Created On 07/13/19 00:38 AM - Last Modified 01/08/21 03:51 AM


Symptom


  • Unable to synchronize peer firewall.
  • Firewall is in the 'Not Ready' state.
  • The configuration on the firewall is corrupt and the firewall is in a non-recoverable state.
  • An RMA of an HA peer has been done, but no configuration backup is available.
  • A configuration push from Panorama has caused a huge number of errors and speedy recovery is needed, provided the push was done only to one of the peers and the other peer still has a valid configuration and is in an operational state.


Environment


The firewall is part of an Active/Passive HA setup.
One of the firewalls is up with a valid configuration while the other firewall has to be recovered.
This also covers RMA replacement scenarios.


Cause


  • Missing configuration
  • Corrupted configuration

Resolution


The steps below assume that the Passive firewall is the non-working firewall. Note that it can be the other way around as well.
Note:
If the non-working firewall has been freshly rebooted, wait for the auto commit to succeed or fail before performing the steps below.
Configuration pushed from Panorama is also part of the Device State.

1) First take device state backups of both the active and the passive firewalls.

2) Take a screenshot of the passive device's High Availability General Settings.

3) Take a screenshot of the passive device's Management Interface Settings.

4) Take a screenshot of the passive device's Hostname.

5) Import the device state that you exported from the active (working) firewall into the passive (non-working) firewall.
Device > Setup > Operations. Click Import device state. DO NOT CLICK COMMIT.

6) After you have imported the device state, click the refresh icon next to the help icon in the top right corner.

7) You should now see the same Management IP Address, HA Settings, and Name on the passive (non-working) firewall as on the active one. DO NOT COMMIT.

8) Change the HA Settings, Management IP Address, and Name back to those of the passive (non-working) firewall. This is why the screenshots were taken in steps 2 to 4.

9) Disable 'Enable Config Sync' as well as Preemption on the passive firewall.

10) Make sure that the current passive firewall has a higher device priority value so that it stays passive until the entire process is done. The lower the priority value, the higher the precedence.

11) Go to the CLI on the passive (non-working) firewall. Enter configuration mode and do a commit force:

> configure
# commit force


12) Let the auto commit complete. After it completes, enable 'Enable Config Sync' and synchronize the configuration from the active firewall.

Additional Information


To take the device state backup, follow these steps:

0) Take backups of both firewalls if they are in an HA pair.
Device > Setup > Operations:
1) Save named configuration snapshot, give it a name, then click Export named configuration snapshot and find the saved file.
2) Export named configuration snapshot; select the running config as well.
3) Export Device State (if you have trouble exporting this, use Internet Explorer).
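The following Python script is an added example and not part of the Palo Alto Networks article. It automates two parts of the procedure: the device state backup of each peer (step 1 of the Resolution and the export steps above) and a sanity check of the HA state that corresponds to steps 9 and 10 (the non-working peer stays passive, has the higher priority value, and has preemption and config sync disabled). It assumes the PAN-OS XML API calls `type=export&category=device-state` and `type=op` with `show high-availability state`, and the element names used in the constructed sample replies (`local-info/state`, `local-info/priority`, `local-info/preemptive`, `running-sync-enabled`); confirm these against the API browser at `https://<firewall>/api` on your own firewall before relying on them.

```python
"""Device state backups and an HA sanity check for the peer recovery procedure.

Added example, not code from the Palo Alto Networks KB article. Assumptions:
the XML API parameters (type=export, category=device-state; type=op with the
show high-availability state command) and the element names parsed below.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

HA_STATE_CMD = "<show><high-availability><state></state></high-availability></show>"


def api_url(host, params):
    """Build a PAN-OS XML API URL for the given query parameters."""
    return "https://%s/api/?%s" % (host, urllib.parse.urlencode(params))


def device_state_url(host, api_key):
    """URL that exports the device state tarball (running config plus the
    Panorama-pushed configuration) of one firewall."""
    return api_url(host, {"type": "export", "category": "device-state", "key": api_key})


def ha_state_url(host, api_key):
    """URL for the operational command 'show high-availability state'."""
    return api_url(host, {"type": "op", "cmd": HA_STATE_CMD, "key": api_key})


def fetch(url, ca_bundle=None):
    """GET a URL and return the raw body. ca_bundle is the CA that signed the
    management certificate; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(url, context=ctx, timeout=60) as resp:
        return resp.read()


def backup_device_state(host, api_key, out_dir=".", ca_bundle=None):
    """Step 1: save the device state of one peer to a timestamped .tgz file."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = Path(out_dir) / ("%s-device-state-%s.tgz" % (host, stamp))
    path.write_bytes(fetch(device_state_url(host, api_key), ca_bundle))
    return path


def _text(node, path):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else ""


def parse_ha_state(xml_text):
    """Extract the fields the procedure cares about from the HA state reply.
    The element names are assumptions based on PAN-OS output."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: " + _text(root, "./msg/line"))
    group = root.find("./result/group")
    if group is None:
        raise ValueError("no HA group in reply; is HA enabled?")
    return {
        "state": _text(group, "./local-info/state"),
        "priority": int(_text(group, "./local-info/priority") or 0),
        "preemptive": _text(group, "./local-info/preemptive") == "yes",
        "config_sync_enabled": _text(group, "./running-sync-enabled") == "yes",
        "running_sync": _text(group, "./running-sync"),
        "peer_state": _text(group, "./peer-info/state"),
    }


def recovery_problems(working, broken):
    """Steps 9 and 10 as a check: return the conditions (empty list when all is
    well) under which the non-working peer could become active mid-recovery."""
    problems = []
    if working["state"] != "active":
        problems.append("working peer is %r, not active" % working["state"])
    if broken["state"] == "active":
        problems.append("non-working peer is active; recover it as the passive peer")
    # The lower priority value takes precedence, so the non-working peer needs the higher value.
    if broken["priority"] <= working["priority"]:
        problems.append("non-working peer priority %d must be higher than the working peer's %d"
                        % (broken["priority"], working["priority"]))
    if broken["preemptive"]:
        problems.append("preemption is enabled on the non-working peer")
    if broken["config_sync_enabled"]:
        problems.append("config sync is still enabled on the non-working peer")
    return problems


# Constructed sample replies (not captured from a real firewall).
SAMPLE_WORKING = """<response status="success"><result><enabled>yes</enabled>
<group><local-info><state>active</state><priority>100</priority><preemptive>no</preemptive></local-info>
<peer-info><state>passive</state></peer-info>
<running-sync-enabled>yes</running-sync-enabled><running-sync>not synchronized</running-sync></group>
</result></response>"""

SAMPLE_BROKEN = """<response status="success"><result><enabled>yes</enabled>
<group><local-info><state>passive</state><priority>110</priority><preemptive>no</preemptive></local-info>
<peer-info><state>active</state></peer-info>
<running-sync-enabled>no</running-sync-enabled><running-sync>not synchronized</running-sync></group>
</result></response>"""

if __name__ == "__main__":
    # Against real peers: backup_device_state(host, api_key) for each, then
    # recovery_problems(parse_ha_state(fetch(ha_state_url(...))), ...).
    for problem in recovery_problems(parse_ha_state(SAMPLE_WORKING), parse_ha_state(SAMPLE_BROKEN)):
        print("PROBLEM:", problem)
```

Run `backup_device_state` against both peers before touching anything, and `recovery_problems` on the running HA state of both peers before the commit force in step 11 and again after step 12; an empty list means the roles, priority values, preemption and config sync are as the procedure requires. The API key is a credential with the rights of the admin that generated it, so keep it out of the command line and shell history.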

---------------------------
HA General Settings:

Device > High Availability

------------------------------

Hostname:

Device > Setup > Interfaces. In the Management tab under General Settings you will find the hostname.

-----------------------------------------------

Name:

Device > Setup > Management.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMLYCA4&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail