Unable to synchronize running configuration on HA Panorama

Created On 01/28/20 04:31 AM - Last Modified 05/19/20 01:42 AM


Symptom


Unable to synchronize running configuration on High Availability (HA) Panorama.

Environment


  • Panorama VM.
  • PAN-OS 7.1, 8.1, 9.0.


Cause


Synchronization requires some application ports to be open. When these application ports are blocked by intermediate devices or they are inaccessible, synchronization may fail.

 Panorama's optional debug output includes a check that these ports are open. In some cases a firewall or security appliance sits between the peers and blocks one or more of the required ports.


Resolution


  1. Verify that the Panorama devices can reach each other with ping and traceroute over the management interface.
  2. Ensure the application ports used by Panorama are open (see the list of ports used by Panorama below) and that none of the intermediate devices are blocking these ports.
The example debug output below shows the symptoms when the ports are blocked by an intermediate device.

HA is formed between Primary and Secondary Panorama but running configuration is not synchronized.


The output of show high-availability state indicates that synchronization of the running configuration has failed.
admin@Panorama(primary-active)> show high-availability state 

High-Availability:
  Local Information:
    Version: 1
    State: primary-active (last 23 hours)
    Device Information:
      Management IPv4 Address: 10.100.5.200/16; MAC: 00:50:56:97:d1:31
...
  Configuration Synchronization:
    Enabled: yes
    Running Configuration: not synchronized
      Out-of-sync Reason: Started with config out-of-sync
admin@Panorama(primary-active)>

The output of netstat on the passive Panorama shows one-way traffic (only SYN, no reply) for application port 28260, whereas the primary-active Panorama does not show any issue.
This points to a problem on the passive Panorama's side. In this case, a Check Point firewall was blocking communication from the passive to the active Panorama on port 28260.
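The netstat-based check described above can be automated. The following shell snippet is an added example, not part of the Palo Alto article: it parses netstat -an style output and reports, for each Panorama HA port, whether the connection is ESTABLISHED, stuck in SYN_SENT (one-way traffic, the signature of a blocked port), or absent. The sample netstat lines and the 10.100.5.x addresses are constructed for the example.

```shell
#!/bin/sh
# Panorama HA ports from the article's table (28769 for 5.1+, 28260 for 5.0+, 49160 for 5.0 and earlier).
PANORAMA_HA_PORTS="28769 28260 49160"

# Constructed sample of 'netstat -an' output as seen on the passive peer (hypothetical addresses).
# The 28260 connection never gets past SYN_SENT: the peer's SYN-ACK is being dropped in between.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 10.100.5.201:43122      10.100.5.200:28260      SYN_SENT
tcp        0      0 10.100.5.201:22         10.100.5.50:51234       ESTABLISHED
tcp        0      0 10.100.5.201:28769      10.100.5.200:40112      ESTABLISHED'

# ha_sync_check NETSTAT_TEXT
# Prints one line per HA port, "<port> <state>", where state is ESTABLISHED,
# the TCP state observed (e.g. SYN_SENT = one-way traffic, likely blocked), or NONE.
ha_sync_check() {
  printf '%s\n' "$1" | awk -v ports="$PANORAMA_HA_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) st[p[i]] = "NONE" }
    $1 == "tcp" {
      split($4, l, ":"); split($5, f, ":")      # l[2] / f[2] hold local / foreign port
      for (port in st) {
        if (l[2] == port || f[2] == port) {
          if ($6 == "ESTABLISHED") st[port] = "ESTABLISHED"
          else if (st[port] != "ESTABLISHED") st[port] = $6
        }
      }
    }
    END { for (port in st) print port, st[port] }' | sort -n
}

# Run against the constructed sample; on a real host replace with: ha_sync_check "$(netstat -an)"
ha_sync_check "$SAMPLE_NETSTAT"
```

A SYN_SENT result on the port your PAN-OS version uses is the condition to investigate on the intermediate devices; NONE simply means no connection attempt was seen in the snapshot.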

Ports Used for Panorama

  Port    PAN-OS version    Protocol
  28769   5.1 and later     TCP
  28260   5.0 and later     TCP
  49160   5.0 and earlier   TCP

All three ports are used for the HA connectivity and synchronization between Panorama HA peers using clear text communication. Communication can be initiated by either peer.

A tcpdump on the management interface can also be used to verify that port 28260 (in this case) is being blocked.

HOW TO PACKET CAPTURE (TCPDUMP) ON MANAGEMENT INTERFACE

Wireshark output