What happens to the candidate-config on the Passive Firewall when a config sync from the Active Firewall to the Passive Firewall fails?
9446
Created On 07/06/20 02:07 AM - Last Modified 10/21/20 01:50 AM
Question
What happens to the candidate-config on the Passive Firewall when a config sync from the Active Firewall to the Passive Firewall fails?
Environment
- The Active Firewall triggers an HA Sync to the Passive Firewall, either after a commit or manually using "Sync to Peer".
- The commit is received by the Passive Firewall as an HA Sync job.
- The HA Sync job on the Passive Firewall fails because its commit fails.
Answer
NOTE: The failed commit could be due to inconsistent management settings between the two firewalls; see
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpuCAC
In such a scenario, even though the HA Sync job commit has failed on the Passive Firewall, the Passive Firewall still holds the config synced from the Active Firewall in its candidate-config.
This can be seen using the following:
> show config candidate
The output will include the uncommitted changes which were synced from the peer Firewall as a result of the HA Sync.
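A practical way to confirm exactly what a failed HA Sync left behind is to diff the Passive Firewall's candidate config against its running config: anything present only in the candidate is uncommitted. The script below is an added example, not part of this article and not Palo Alto Networks code. It runs offline on two constructed XML snippets shaped like PAN-OS configuration output; on a live firewall the two documents would be retrieved with the XML API operational commands `show config candidate` and `show config running`, which this example assumes the caller has already done.

```python
"""Diff a PAN-OS candidate config against the running config to surface
uncommitted changes (for example, settings left behind by a failed HA Sync).

Added example, not Palo Alto Networks code. The XML documents below are
constructed samples shaped like PAN-OS config output; on a real firewall they
would come from the XML API op commands `show config candidate` and
`show config running` (assumed to be fetched by the caller).
"""
import xml.etree.ElementTree as ET

# Constructed sample: running config currently active on the passive firewall.
RUNNING_XML = """<config version="9.1.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-passive</hostname>
      <ntp-servers><primary-ntp-server>
        <ntp-server-address>10.0.0.1</ntp-server-address>
      </primary-ntp-server></ntp-servers>
    </system></deviceconfig>
  </entry></devices>
</config>"""

# Constructed sample: candidate config after a failed HA Sync job. The peer
# pushed a new security rule and a changed NTP server, but the commit failed,
# so these changes sit only in the candidate.
CANDIDATE_XML = """<config version="9.1.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <hostname>fw-passive</hostname>
      <ntp-servers><primary-ntp-server>
        <ntp-server-address>10.0.0.2</ntp-server-address>
      </primary-ntp-server></ntp-servers>
    </system></deviceconfig>
    <vsys><entry name="vsys1"><rulebase><security><rules>
      <entry name="allow-web"><action>allow</action></entry>
    </rules></security></rulebase></entry></vsys>
  </entry></devices>
</config>"""


def _flatten(elem, path=""):
    """Map every leaf element to an XPath-like path keyed by entry names."""
    tag = elem.tag
    if tag == "entry" and elem.get("name"):
        tag = f"entry[@name='{elem.get('name')}']"
    here = f"{path}/{tag}"
    children = list(elem)
    if not children:
        return {here: (elem.text or "").strip()}
    leaves = {}
    for child in children:
        leaves.update(_flatten(child, here))
    return leaves


def diff_configs(running_xml, candidate_xml):
    """Return (added, removed, changed) leaf paths between the two configs.

    added   : paths present only in the candidate (uncommitted new objects)
    removed : paths present only in the running config (uncommitted deletions)
    changed : {path: (running_value, candidate_value)} for differing leaves
    """
    running = _flatten(ET.fromstring(running_xml))
    candidate = _flatten(ET.fromstring(candidate_xml))
    added = sorted(set(candidate) - set(running))
    removed = sorted(set(running) - set(candidate))
    changed = {p: (running[p], candidate[p])
               for p in set(running) & set(candidate)
               if running[p] != candidate[p]}
    return added, removed, changed


def has_pending_changes(running_xml, candidate_xml):
    """True when the candidate config holds anything not yet committed."""
    added, removed, changed = diff_configs(running_xml, candidate_xml)
    return bool(added or removed or changed)


if __name__ == "__main__":
    added, removed, changed = diff_configs(RUNNING_XML, CANDIDATE_XML)
    for p in added:
        print("added   ", p)
    for p in removed:
        print("removed ", p)
    for p, (old, new) in changed.items():
        print("changed ", p, old, "->", new)
```

Run against the constructed samples, the script reports the `allow-web` rule as added and the NTP server address as changed from 10.0.0.1 to 10.0.0.2, which is the kind of residue a failed HA Sync leaves in the candidate. If the diff is non-empty on a Passive Firewall that should be in sync, either commit the candidate after fixing the underlying cause or revert it, so the next commit does not unexpectedly activate changes that never passed validation.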
Additional Information
- The candidate configuration can also be viewed from configuration mode on the firewall:
> configure
# show