High Availability displays error: Suspended (Multi-vsys mismatches with peer)

Created On 12/16/21 16:11 PM - Last Modified 01/11/24 19:29 PM


Symptom


After "Multi Virtual System Capability (step 1)" is enabled on only one firewall in a High Availability (HA) pair, the system log reports a multi-vsys mismatch between the HA peers.

Environment


  • Palo Alto Firewalls with HA configuration.
  • Supported PAN-OS.
  • High Availability (HA).
  • Multi Virtual System Capability.


Cause


When one device has "Multi Virtual System Capability" enabled, the HA partner identifies the configuration mismatch and the partner device is suspended.

Resolution


To enable multi-vsys on HA firewalls, there is no need to fail over, but it is best to perform this change during a maintenance window. The procedure is as follows:
1. Ensure there are no pending changes that need to be committed.
2. Enable multi-vsys functionality on the Active firewall.
3. Select Yes to trigger a commit.
   As soon as the multi-vsys functionality is enabled on one of the HA peers, the other one will suspend due to "Multi-vsys mismatches with peer".
4. Enable multi-vsys functionality on the Passive firewall, which is in the suspended state.
5. Select Yes to trigger a commit.
6. Unsuspend the Passive device.
Note: Multi-vsys Capability doesn't sync between firewalls in HA A/P or A/A.
If needed, perform a recovery of the HA pair member from a suspended state.

 


