High-Availability - Out of Sync Peers - Configuration
144422
Created On 04/25/22 15:52 PM - Last Modified 10/23/23 15:59 PM
Symptom
Alert regarding "Out of Sync Peers - Configuration"
Environment
- PAN-OS
- High-availability
Cause
The running config of one of the devices is not synchronized with its HA Peer.
Resolution
To fix this problem, work through the steps below in order. Each later step is only needed if the previous one did not clear the alert.

Step 1. Sync to peer from the High Availability widget:
  a. Log in to the web UI of the "active" firewall (A/P setup) or the "active-primary" firewall (A/A setup) and open the High Availability widget on the Dashboard tab.
  b. On the "Running Config" line, hover over the magnifier icon and click it to see the diff between the local and the peer running configuration. The same diff is available under Device > Config Audit: select the local Running config first, then the peer's Running config, and click Go.
  c. Verify that the configuration difference is valid and is actually meant to be pushed to the peer. Then go back to the Dashboard > High Availability widget and click the underlined blue "Sync to peer" link.
  d. Click Yes when the "Overwrite Peer Configuration" message is shown.
  Note: If the "Sync to peer" link is not present, check whether "Enable Config Sync" is selected under Device > High Availability > General > Setup (click the gear icon to edit the setting). If it is not, the safer course is to first match the configuration manually (Step 2, Step 3 or Step 4) and, once both firewalls are in sync, select "Enable Config Sync" on both peers and commit on both so that future changes are synchronized automatically.
  If Step 1 fails to fix the problem, continue with Step 2.

Step 2. Synchronize the configuration from the command line:
  a. After verifying and validating the config diff between local and peer as described in Step 1, log in to the CLI of the "active" firewall (A/P setup) or the "active-primary" firewall (A/A setup) and run:
     > request high-availability sync-to-remote running-config
  b. Once the sync job has completed, "show high-availability state" on either peer should report the running configuration as synchronized.
  If Step 2 fails to fix the problem, continue with Step 3.

Step 3. Manually synchronize the configuration between the peers:
  a. Log in to the "passive" firewall (A/P setup) or the "active-secondary" firewall (A/A setup). In the Task Manager, locate the "Synchronize HA Peer" job, click it, and read the reason for the failure.
  b. Based on the failure reason found in Step 3a and the config diff reviewed in Step 1b, adjust the configuration of the passive (or active-secondary) firewall and commit the change.
  If Step 3 fails to fix the problem, continue with Step 4.

Step 4. As a last resort, schedule a maintenance window to export the configuration from the "active" firewall (A/P setup) or the "active-primary" firewall (A/A setup) and import it on the peer. This step must be done very cautiously and only if Steps 1, 2 and 3 have failed. The firewall administrator must know which parts of the configuration are meant to stay different between the peers and must understand the design and configuration of the HA pair. It is suitable for a simple setup such as A/P, where the differences are minimal and mostly limited to the hostname, the management interface and the HA configuration.
  a. Clear "Enable Config Sync" and the Preemptive setting on both firewalls and commit the change on both, so that neither an automatic sync nor an unexpected failover interferes with the import.
  b. Export the device state and the running config of the "passive" firewall, and note its hostname, its management interface IP and permitted IP address list under Device > Setup > Interfaces, and its HA configuration (HA1, HA2, priority, and so on).
  c. Export the device state of the "active" firewall.
  d. Import the device state of the "active" firewall into the "passive" firewall, then edit the hostname, the management interface and the HA configuration, including the device priority, according to the notes taken in Step 4b.
  e. Commit the configuration on the "passive" firewall.
  f. If Step 4 fixed the problem, re-enable "Enable Config Sync" and, if required, the Preemptive setting under HA on both peers and commit the change on both.
  g. If Step 4 does not fix the problem and you need to fall back to the original state, import the device state exported from the "passive" firewall in Step 4b back onto the "passive" firewall and commit the configuration there.
  h. Step 4 can also be used in an A/A setup, but all configuration differences between "active-primary" and "active-secondary" must be taken into account and edited before committing the imported device state on the "active-secondary" firewall.
Notes:
- This document assumes that the firewall administrator wants the configuration synchronized between the HA peers and has selected "Enable Config Sync" under Device > High Availability > General > Setup, but that the peers have nonetheless gone out of config sync.
- "Out of Sync Peers - Configuration" considers only the local configuration. For Panorama-managed firewalls, also make sure that both peers receive the same configuration from Panorama (the same device group and template stack pushed to both) and that the Panorama-pushed configuration is in sync on both, so that their merged configurations match as well.
- As a best practice, select "Enable Config Sync" on both peers in HA.
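The decision built into Steps 1 and 2 (push only from the active or active-primary peer, only when "Enable Config Sync" is on, only after confirming the running config is really out of sync, and never across a dead HA1 link) can be scripted against the PAN-OS XML API so that an operator does not push the wrong way by accident. The following is an added example, not code from this article or from Palo Alto Networks. It assumes the XML-API op-command form of the two CLI commands used above, and the element names `running-sync`, `running-sync-enabled`, `state`, `conn-status` and `mode` as they appear in the XML output of `show high-availability state`; the embedded sample response is constructed to illustrate the out-of-sync case.

```python
"""Check PAN-OS HA running-config sync state and decide whether a
sync-to-remote push is appropriate from this peer.

Added example, not from the KB article. Assumptions (not on the page):
  * the XML API op-command form of the CLI commands in the article,
  * element names <mode>, <state>, <conn-status>, <running-sync> and
    <running-sync-enabled> from the XML output of
    `show high-availability state`.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: trimmed XML shape of `show high-availability state`
# on the active peer of an A/P pair whose running config is out of sync.
SAMPLE_OUT_OF_SYNC = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <mode>Active-Passive</mode>
    <local-info>
      <state>active</state>
      <preemptive>yes</preemptive>
      <priority>100</priority>
      <running-sync>not synchronized</running-sync>
      <running-sync-enabled>yes</running-sync-enabled>
    </local-info>
    <peer-info>
      <state>passive</state>
      <conn-status>up</conn-status>
    </peer-info>
  </group>
</result></response>"""

# Op commands: the XML equivalents of the CLI commands in Steps 1 and 2.
SHOW_STATE = "<show><high-availability><state/></high-availability></show>"
SYNC_RUNNING = ("<request><high-availability><sync-to-remote>"
                "<running-config/></sync-to-remote></high-availability></request>")


def parse_ha_state(xml_text):
    """Extract the fields the decision needs from the op-command response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("op command failed: " + xml_text[:200])

    def text(path):
        node = root.find(path)
        return node.text.strip().lower() if node is not None and node.text else ""

    return {
        "enabled": text(".//enabled") == "yes",
        "mode": text(".//group/mode"),
        "local_state": text(".//local-info/state"),
        "peer_state": text(".//peer-info/state"),
        "peer_conn": text(".//peer-info/conn-status"),
        "running_sync": text(".//running-sync"),
        "sync_enabled": text(".//running-sync-enabled") == "yes",
    }


def decide(state):
    """Map the parsed state to one action, in the order the article checks."""
    if not state["enabled"]:
        return "ha-disabled"
    if state["peer_conn"] != "up":
        return "peer-unreachable"        # repair HA1 first; a push cannot land
    if not state["sync_enabled"]:
        return "config-sync-disabled"    # widget shows no "Sync to peer" link
    if state["running_sync"] == "synchronized":
        return "in-sync"
    if state["local_state"] not in ("active", "active-primary"):
        return "run-on-peer"             # never push from passive/active-secondary
    return "sync-to-remote"


def op(host, api_key, cmd_xml):
    """Run one XML API op command (type=op) and return the raw XML reply.
    TLS verification is left on; install a trusted management cert rather
    than disabling it."""
    qs = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml, "key": api_key})
    with urllib.request.urlopen(f"https://{host}/api/?{qs}", timeout=30) as r:
        return r.read().decode()


def check_and_sync(host, api_key, dry_run=True):
    """Query the peer, decide, and (only when not a dry run) push the
    running config, i.e. Step 2's CLI command over the API."""
    action = decide(parse_ha_state(op(host, api_key, SHOW_STATE)))
    if action == "sync-to-remote" and not dry_run:
        op(host, api_key, SYNC_RUNNING)
    return action


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(decide(parse_ha_state(SAMPLE_OUT_OF_SYNC)))   # sync-to-remote
```

Run `check_and_sync(host, key)` with the default `dry_run=True` from a host that can reach the management interface; it only reports the action. Keep the API key in an environment variable or a secrets store, and use a key bound to a read-only admin role for the check and a separate, more privileged key only for the actual push, so a leaked read-only key cannot overwrite a peer's configuration.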
Additional Information
For more information about