HA group change through Panorama causes both devices in an HA Active/Passive pair to go to Init state, causing a traffic outage

Created On 02/09/24 06:42 AM - Last Modified 10/21/24 21:04 PM


Symptom


After a commit from Panorama that changes the HA group ID in a template stack for a Palo Alto Networks NGFW Active/Passive HA pair:

  • The dataplane goes into the initial state, which brings down a number of interfaces, including the HA interfaces.
  • This happens on both the active and the passive firewall, causing a network traffic outage for a few seconds.


Environment


  • Panorama managed Firewalls
  • Supported PAN-OS
  • High Availability (HA) Active/Passive


Cause


Changing the HA group ID changes the virtual MAC, and the dataplane is reset as a result.



Resolution


  1. Follow the steps outlined in "How to Change The Group ID in a HA Environment", or
  2. Plan this change during a maintenance window.
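
A pre-push check for the condition described under Cause, as an added example that is not from Palo Alto Networks or this article: it compares two exported XML configurations and reports any HA group ID change. The element path `deviceconfig/high-availability/group/group-id`, the active/passive virtual MAC layout `00-1B-17-00-<group ID>-<interface ID>`, and all function names are assumptions; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed location of the HA group ID inside a device entry of a PAN-OS XML export.
GROUP_ID_PATH = "deviceconfig/high-availability/group/group-id"


def ha_group_ids(config_xml):
    """Map each device entry name to its configured HA group ID."""
    root = ET.fromstring(config_xml)
    ids = {}
    for entry in root.iter("entry"):
        node = entry.find(GROUP_ID_PATH)
        if node is not None and node.text:
            ids[entry.get("name")] = int(node.text.strip())
    return ids


def virtual_mac_prefix(group_id):
    # Assumed active/passive layout: 00-1B-17-00-<group ID>-<interface ID>.
    return "00-1B-17-00-%02X" % group_id


def group_id_changes(running_xml, candidate_xml):
    """Return (device, old_id, new_id) for every entry whose HA group ID differs."""
    before, after = ha_group_ids(running_xml), ha_group_ids(candidate_xml)
    return [(name, before[name], after[name])
            for name in sorted(before.keys() & after.keys())
            if before[name] != after[name]]


def sample_config(group_id):
    # Constructed sample, not taken from a real device.
    return ("<config><devices><entry name='localhost.localdomain'><deviceconfig>"
            "<high-availability><enabled>yes</enabled><group>"
            "<group-id>%d</group-id></group></high-availability>"
            "</deviceconfig></entry></devices></config>" % group_id)


if __name__ == "__main__":
    for name, old, new in group_id_changes(sample_config(1), sample_config(5)):
        print("HA group ID %d -> %d on %s: virtual MAC prefix %s -> %s; "
              "push only in a maintenance window"
              % (old, new, name, virtual_mac_prefix(old), virtual_mac_prefix(new)))
```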


Additional Information


Feature request (FR) ID 22638 has been created to generate an alert when a configuration change alters the HA group ID in a way that causes an HA state change and an outage.
