Passive firewall displays zero session count
14561
Created On 10/11/19 23:00 PM - Last Modified 07/30/20 02:00 AM
Symptom
When using the show session meter command, the passive firewall displays a session count of zero.
5260(passive)> show session meter
VSYS    Maximum    Current    Throttled
--------------------------------------------------------------------------------
1       0          0          0
Environment
- All PAN-OS.
- All Palo Alto Firewalls that support High Availability.
- Active-Passive or Active-Active configured.
Cause
Link issues on the HA2 port or high dataplane CPU can cause this issue.
Resolution
- Run the show session meter command on both peers and confirm that the active firewall reports a session count while the passive firewall reports 0.
5260(active)> show session meter
VSYS    Maximum    Current    Throttled
--------------------------------------------------------------------------------
1       0          146557     0
5260(passive)> show session meter
VSYS    Maximum    Current    Throttled
--------------------------------------------------------------------------------
1       0          0          0
- If the dataplane CPU is high, troubleshoot and resolve the high dataplane CPU first.
- The HA2 link carries session synchronization from the active to the passive firewall. Troubleshoot link issues on the HA2 port.
- Check for physical-layer issues such as a bad cable or a faulty HA2 port and resolve them.
- Reboot the passive firewall.
- If the above steps fail, disable and then re-enable config sync between the firewalls.
- Disable config sync on both firewalls.
GUI: Device > High Availability > General > Setup.
Uncheck the "Enable Config Sync" option on both devices.
Commit on both firewalls.
- Suspend Passive firewall only.
GUI: Device > High Availability > Operational Commands
Click on "Suspend local device".
- Enable config sync on both devices.
GUI: Device > High Availability > General > Setup
Check the "Enable Config Sync" option on both devices.
Commit on both firewalls.
- Make the passive firewall functional again.
GUI: Device > High Availability > Operational Commands
Click on "Make local device functional".
Commit.
- Check the session count on the passive firewall again using the show session meter command.
- If the steps above fail and the session count on the passive firewall is still 0, contact TAC support for further assistance.
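The first and last resolution steps compare show session meter output on both peers. The following is an added example, not part of this article or of PAN-OS, that parses output laid out as quoted above (header line, dash separator, one row of four integers per vsys; the sample text is constructed from the article's listings) and flags any vsys where the active peer holds sessions but the passive reports zero, which is the symptom that points at the HA2 link or dataplane CPU.

```python
# Constructed sample output, modelled on the "show session meter" listings
# quoted in this article (one vsys, PA-5260 HA pair).
ACTIVE_OUTPUT = """\
VSYS    Maximum    Current    Throttled
--------------------------------------------------------------------------------
1       0          146557     0
"""

PASSIVE_OUTPUT = """\
VSYS    Maximum    Current    Throttled
--------------------------------------------------------------------------------
1       0          0          0
"""


def parse_session_meter(text: str) -> dict:
    """Parse output in the layout shown above into
    {vsys: {"maximum": int, "current": int, "throttled": int}}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, the column header and the dash separator.
        if not line or line.startswith("VSYS") or set(line) == {"-"}:
            continue
        fields = line.split()
        if len(fields) != 4 or not all(f.isdigit() for f in fields):
            raise ValueError(f"unexpected session meter line: {line!r}")
        vsys, maximum, current, throttled = (int(f) for f in fields)
        rows[vsys] = {"maximum": maximum, "current": current, "throttled": throttled}
    return rows


def find_unsynced_vsys(active: str, passive: str, min_active_sessions: int = 1) -> list:
    """Return vsys IDs where the active peer carries at least
    min_active_sessions sessions while the passive peer shows 0.
    A vsys that is idle on both peers is not reported."""
    active_rows = parse_session_meter(active)
    passive_rows = parse_session_meter(passive)
    suspect = []
    for vsys, row in active_rows.items():
        passive_current = passive_rows.get(vsys, {}).get("current", 0)
        if row["current"] >= min_active_sessions and passive_current == 0:
            suspect.append(vsys)
    return sorted(suspect)


if __name__ == "__main__":
    for vsys in find_unsynced_vsys(ACTIVE_OUTPUT, PASSIVE_OUTPUT):
        print(f"vsys {vsys}: active has sessions, passive shows 0; check HA2 link and dataplane CPU")
```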