Panorama shows Shared Policy "Out of Sync" while its HA peer shows In-Sync

Created On 10/22/21 20:23 PM - Last Modified 01/04/24 03:17 AM


Symptom


  • The Active Panorama shows devices "In sync" for the "Shared Policy"
  • The Passive Panorama shows devices "Out of Sync" for the "Shared Policy"
  • Both Panorama Dashboards show:
      • Running Config Synchronized
      • App Version Match
      • Antivirus Version Match
      • Panorama Version Match
      • HA1 Up

 


Environment


  • Panorama configured in High Availability (HA)
  • Palo Alto Firewalls in HA Pair managed by Panorama.
  • PAN-OS 8.1 and above.


Resolution


  1. Compare the md5sum for each Device Group by running "show devicegroups name <name>" on both Panorama peers:

     (primary-active)> show devicegroups name AZUS-DG
     ==========================================================================
     Group: AZEUS2-Common-DG Shared policy md5sum:bc6e2758ae0e6854084343c23972a55c

     (secondary-passive)> show devicegroups name AZUS-DG
     ==========================================================================
     Group: AZEUS2-Common-DG Shared policy md5sum:b835dafbd8cde5a4d774719311e57ead

  2. If the md5sum for a Device Group differs between the two Panoramas, clear the md5sum cache on both the active and the passive Panorama:

     > debug md5sum_cache clear
     > configure
     # commit force
     # exit

  3. The shared policy will now be in sync.
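
The comparison in step 1 can be scripted over CLI output saved from both peers. The following Python is an added example, not part of the original article or any Palo Alto Networks tooling. The line format comes from the output shown above; the function names are hypothetical, and the EXAMPLE-DG-* groups and their hashes are constructed sample data.

```python
import re

# Summary line printed by "show devicegroups name <name>", as shown in the article.
LINE = re.compile(
    r"Group:\s*(?P<group>\S+)\s+Shared policy md5sum:\s*(?P<md5>[0-9a-fA-F]{32})\b"
)

def parse_md5sums(cli_output):
    """Return {device_group: md5sum} from saved CLI output; other lines are ignored."""
    return {m["group"]: m["md5"].lower() for m in LINE.finditer(cli_output)}

def compare_peers(active_output, passive_output):
    """Return {group: (active_md5, passive_md5)} for every group that differs.

    A group seen on only one peer is reported with None for the other peer,
    so a missing device group is flagged instead of silently skipped.
    """
    active = parse_md5sums(active_output)
    passive = parse_md5sums(passive_output)
    mismatches = {}
    for group in sorted(active.keys() | passive.keys()):
        a, p = active.get(group), passive.get(group)
        if a != p:
            mismatches[group] = (a, p)
    return mismatches

# First group: values from the article. EXAMPLE-DG-* entries: constructed.
ACTIVE_SAMPLE = """\
(primary-active)> show devicegroups name AZUS-DG
==========================================================================
Group: AZEUS2-Common-DG Shared policy md5sum:bc6e2758ae0e6854084343c23972a55c
Group: EXAMPLE-DG-2 Shared policy md5sum:00112233445566778899aabbccddeeff
Group: EXAMPLE-DG-3 Shared policy md5sum:ffeeddccbbaa99887766554433221100
"""
PASSIVE_SAMPLE = """\
(secondary-passive)> show devicegroups name AZUS-DG
==========================================================================
Group: AZEUS2-Common-DG Shared policy md5sum:b835dafbd8cde5a4d774719311e57ead
Group: EXAMPLE-DG-2 Shared policy md5sum:00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    for group, (a, p) in compare_peers(ACTIVE_SAMPLE, PASSIVE_SAMPLE).items():
        print(f"{group}: active={a or 'missing'} passive={p or 'missing'}")
```

Any group this reports is a candidate for the cache clear and forced commit in step 2.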

