Service principal is not working on the Palo Alto firewall running in HA (Active/Passive) mode.
Created On 03/09/24 00:06 AM - Last Modified 03/14/24 13:17 PM
Symptom
The Azure HA validation test succeeds, but on failover the secondary IPs do not move from the primary NVA to the secondary NVA. Note that the firewall's own failover log reports the IP move as done (ip_move_done = True) even though the IPs did not actually move, so the log alone does not confirm that the Azure side changed; verify the IP configurations in Azure.
The following log entries are observed:
vm_ha_state_trans INFO: : DEBUG: Starting secondary IP move failover process
vm_ha_state_trans INFO: : DEBUG: Failover seems complete: ip_move_done = True, ha_trans_done= True
vm_ha_state_trans INFO: : DEBUG: ip_move_done: ip_move_done= True, ha_trans_done= True
vm_ha_state_trans INFO: : DEBUG: ha_trans_done: ha_trans_done= True
vm_ha_state_trans INFO: : DEBUG: HA failure logs:
vm_ha_state_trans INFO: : DEBUG: HA switchover successfully completed
vm_ha_state_trans INFO: : DEBUG: Failover time duration: 8 Seconds
vm_ha_state_trans INFO: : DEBUG: Gracefully returning from vm_ha_trans ...
vm_ha_state_trans INFO: : After execution of vm_ha_trans function
Environment
PA-VM-FLEX
Two VM-Series firewalls deployed as an Active/Passive HA pair in Azure
Cause
The "Contributor" role assigned to the service principal that the firewall uses for its Azure API calls was scoped to a single resource group. During failover the firewall uses that service principal to move the secondary IPs between the two NVAs; any resource involved in that move that lies outside the assignment's scope cannot be modified, so the IPs stay on the primary even though the HA state transition itself completes and the log reports success.
Resolution
After the scope of the service principal's "Contributor" role assignment in Azure IAM (Access control) was changed from the resource group to the subscription, failover started working. Subscription-wide Contributor is broader than the IP move requires; a narrower alternative (not tested in this article) is to assign the role on every resource group that holds the resources involved in the move, such as the firewall NICs and any public IPs, and to confirm the resulting scopes with `az role assignment list --assignee <appId> --all` before running a failover test.
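The following is an added example, not Palo Alto's code, showing the check behind this cause: does the service principal's role assignment scope cover every Azure resource the IP move has to touch? The role-assignment records and resource IDs are constructed to resemble `az role assignment list --assignee <appId> --all -o json` output and Azure resource IDs; the subscription ID, resource group names (`fw-rg`, `net-rg`) and resource names are placeholders. It also generalizes slightly by listing the least-privilege scopes (the resource groups actually involved) as an alternative to subscription-wide Contributor.

```python
"""Check whether a service principal's Azure role assignments cover every
resource the VM-Series HA secondary-IP move must modify.

Added example, not Palo Alto's code. Sample data below is constructed.
"""

# Constructed: placeholder subscription and the resources the failover updates
# (NIC IP configurations on both firewalls plus a floating public IP that, in this
# scenario, lives in a different resource group than the firewalls).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
HA_RESOURCES = [
    f"{SUB}/resourceGroups/fw-rg/providers/Microsoft.Network/networkInterfaces/fw1-eth1",
    f"{SUB}/resourceGroups/fw-rg/providers/Microsoft.Network/networkInterfaces/fw2-eth1",
    f"{SUB}/resourceGroups/net-rg/providers/Microsoft.Network/publicIPAddresses/untrust-pip",
]

# Constructed: the failing state from this article, a Contributor assignment
# scoped to the firewall resource group only (subset of the fields
# `az role assignment list` returns).
RG_SCOPED_ASSIGNMENTS = [
    {
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": f"{SUB}/resourceGroups/fw-rg",
    },
]

# Constructed: the working state, the same role at subscription scope.
SUB_SCOPED_ASSIGNMENTS = [
    {
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": SUB,
    },
]


def scope_covers(scope: str, resource_id: str) -> bool:
    """Azure RBAC inherits downward: an assignment at a scope applies to every
    resource whose ID sits under that scope. The match is segment-aligned
    (so /rg/fw-rg does not cover /rg/fw-rg2) and case-insensitive, because
    Azure resource IDs are case-insensitive."""
    s = scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def uncovered_resources(assignments, resources, required_roles=("Contributor", "Owner")):
    """Return the resource IDs that no qualifying role assignment covers.
    An empty list means the IP move can reach everything it needs."""
    scopes = [a["scope"] for a in assignments
              if a.get("roleDefinitionName") in required_roles]
    return [rid for rid in resources
            if not any(scope_covers(s, rid) for s in scopes)]


def minimal_scopes(resources):
    """Least-privilege alternative to subscription scope: the distinct resource
    groups that actually hold the HA resources. Resource IDs have the form
    /subscriptions/<id>/resourceGroups/<rg>/providers/..., so the first five
    '/'-separated parts are the resource-group scope."""
    groups = {"/".join(rid.split("/")[:5]) for rid in resources}
    return sorted(groups)


if __name__ == "__main__":
    for label, assignments in (("resource-group scope", RG_SCOPED_ASSIGNMENTS),
                               ("subscription scope", SUB_SCOPED_ASSIGNMENTS)):
        missing = uncovered_resources(assignments, HA_RESOURCES)
        print(f"{label}: {'OK' if not missing else 'NOT covered: ' + ', '.join(missing)}")
    print("least-privilege scopes:", *minimal_scopes(HA_RESOURCES), sep="\n  ")
```

Run against real data by replacing the constructed lists with the output of `az role assignment list --assignee <appId> --all -o json` and the resource IDs of the NICs and public IPs in your deployment. A non-empty `uncovered_resources` result reproduces this article's failure mode; `minimal_scopes` shows the resource groups on which a Contributor assignment would suffice if you would rather not grant it subscription-wide.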