HA1 control link with encryption enabled, keeps flapping after upgrade from PAN-OS version 9.1 to 10.0

16641
Created On 07/29/22 17:16 PM - Last Modified 04/29/26 21:55 PM


Symptom


  •  In an Active/Passive or Active/Active HA setup, after an upgrade from PAN-OS 9.1 to 10.0, the HA1 link keeps flapping. The flaps are visible on both the Active and the Passive peer in Monitor > System log.

  •  The following error message is seen in the ha_agent logs (the hex dump is the ASCII string "SSH Tunnel reset" carried in the ERR_STRING TLV):

flags : 0x2 (close:) 
err code : SSH Tunnel reset (17) 
num tlvs : 1
Printing out 1 tlvs
TLV[1]: type 5 (ERR_STRING); len 17; value:
53534820 54756e6e 656c2072 65736574 00
2025-12-17 03:33:01.309 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 9 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset

 

  •  Encryption is enabled on the HA1 interface. Check this with the CLI command "show high-availability all | match Encryption", or in the GUI under Device > High Availability > HA Communications > Control links > HA 1 > Encryption Enabled.

GUI : Device > High Availability > HA Communications > Control links > HA 1 > Encryption Enabled (screenshot not reproduced)

CLI :

admin@PA-VM(active)> show high-availability all | match Encryption
     
     Encryption Enabled: yes
admin@PA-VM(active)> 
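To confirm the flap pattern from the ha_agent log instead of eyeballing it, the following Python script (an added example for this article, not code from the article or from PAN-OS) parses the timestamped ha_peer_disconnect lines in the format shown above and reports any link that logs repeated "SSH Tunnel reset" errors inside a sliding time window. The log lines embedded in it are constructed to match that format and are not a real capture; the five-minute window and the threshold of three resets are arbitrary assumptions you can tune.

```python
"""Flap detector for PAN-OS ha_agent 'SSH Tunnel reset' errors (added example)."""
import re
from datetime import datetime, timedelta

# Regex for the timestamped ha_peer_disconnect line format shown in the article.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4} "
    r"Error: ha_peer_disconnect\([^)]*\): "
    r"Group (?P<group>\d+) \((?P<link>[^)]+)\): "
    r"peer connection error msg set: (?P<msg>.+)$"
)

# Constructed sample ha_agent output (not a real capture): two non-matching
# header lines, one stale reset hours earlier, a burst of four resets on
# HA1-MAIN within four minutes, and an unrelated error on another group.
SAMPLE_LOG = """\
flags : 0x2 (close:)
err code : SSH Tunnel reset (17)
2025-12-17 01:10:00.001 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 9 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
2025-12-17 03:33:01.309 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 9 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
2025-12-17 03:34:12.870 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 9 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
2025-12-17 03:35:40.115 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 9 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
2025-12-17 03:36:55.402 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 9 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
2025-12-17 03:37:10.000 +0000 Error: ha_peer_disconnect(src/ha_peer.c:1874): Group 10 (HA1-BACKUP): peer connection error msg set: Connection closed
"""


def parse_events(lines):
    """Return dicts (ts, group, link, msg) for lines matching LINE_RE; other lines are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "group": int(m["group"]),
                "link": m["link"],
                "msg": m["msg"].strip(),
            })
    return events


def find_flapping(events, msg="SSH Tunnel reset",
                  window=timedelta(minutes=5), threshold=3):
    """Map link name -> the largest number of `msg` errors that fall inside any
    single `window`; only links reaching `threshold` are reported as flapping."""
    per_link = {}
    for e in events:
        if e["msg"] == msg:
            per_link.setdefault(e["link"], []).append(e["ts"])
    flapping = {}
    for link, stamps in per_link.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flapping[link] = best
    return flapping


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG.splitlines())
    for link, n in find_flapping(evts).items():
        print(f"{link}: {n} 'SSH Tunnel reset' errors within 5 minutes -> HA1 flapping")
```

Run it against the output of `less mp-log ha_agent.log` saved to a file by feeding the file's lines to parse_events; the single stale reset at 01:10 in the sample is deliberately excluded by the window, so an isolated reset does not trigger a false positive.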


 



Environment


  • Next Gen Firewalls
  • PAN-OS Upgrade from 9.1 to 10.0 
  • High Availability (HA)


Cause


  1. PAN-OS 10.0.x uses aes128-ctr for the SSH tunnel that carries encrypted HA1 traffic, while PAN-OS 9.1 uses aes128-cbc.
  2. While one peer runs 9.1 and the other 10.0, the two ends of the tunnel disagree on the cipher, so the SSH tunnel keeps resetting and HA1 flaps.
  3. This is expected until the HA upgrade is completed on both peers.
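The rule that produces this outcome is the SSH algorithm negotiation in RFC 4253 section 7.1: the chosen algorithm is the first entry on the client's list that also appears on the server's list, and if there is none the connection fails. The following Python (an added example, not code from the article or from PAN-OS) applies that rule to the HA1 tunnel and also models the encryption-disabled case used in the Resolution below. The per-version cipher lists are an assumption taken from the Cause above, not a dump of real PAN-OS KEXINIT contents; a real PAN-OS SSH server may offer more algorithms than listed here, and the model covers only the version-skew mismatch, not the HA key resync steps.

```python
"""RFC 4253 7.1 algorithm negotiation applied to the PAN-OS HA1 SSH tunnel.
Added example for this article; the cipher lists are assumptions derived
from the Cause section, not real PAN-OS KEXINIT contents."""


class NegotiationError(Exception):
    """Raised when client and server share no algorithm in a category."""


def negotiate(client_algs, server_algs):
    """RFC 4253 7.1: pick the first client-preferred algorithm the server also supports.
    Client order wins; server order only matters for membership."""
    for alg in client_algs:
        if alg in server_algs:
            return alg
    raise NegotiationError(
        f"no common algorithm: client={list(client_algs)} server={list(server_algs)}")


# Assumed HA1 tunnel cipher per PAN-OS release (constructed from the Cause section).
HA1_CIPHERS = {
    "9.1": ("aes128-cbc",),
    "10.0": ("aes128-ctr",),
}


def ha1_tunnel_cipher(local_version, peer_version):
    """Cipher negotiated between the two peers' HA1 SSH endpoints, or None if they share none."""
    try:
        return negotiate(HA1_CIPHERS[local_version], HA1_CIPHERS[peer_version])
    except NegotiationError:
        return None


def ha1_link_state(local_version, peer_version, encryption_enabled=True):
    """'up' if the HA1 control link can stay established, 'flapping' if the SSH
    tunnel cannot be built. With encryption disabled there is no SSH tunnel to
    negotiate, so a version skew between the peers no longer matters."""
    if not encryption_enabled:
        return "up"
    return "up" if ha1_tunnel_cipher(local_version, peer_version) else "flapping"


if __name__ == "__main__":
    for local, peer in (("9.1", "9.1"), ("10.0", "10.0"), ("9.1", "10.0")):
        print(f"{local} <-> {peer}: cipher={ha1_tunnel_cipher(local, peer)} "
              f"state={ha1_link_state(local, peer)}")
    print("9.1 <-> 10.0 with encryption disabled:",
          ha1_link_state("9.1", "10.0", encryption_enabled=False))
```

The single-entry lists make the result symmetric, so it does not matter which peer acts as SSH client; with longer lists the client's ordering decides, which is why the generic negotiate function keeps the client list first.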


Resolution


Disable HA1 encryption to recover the device from the HA1 interface flapping. Follow the steps below to disable HA1 encryption.

  1. Step 1 : Select Device > High Availability > General and edit the Control Link (HA1) section.
  2. Step 2 : Uncheck Encryption Enabled so that encryption is disabled.
  3. Step 3 : Commit the change on both HA peers.

Note : Disabling encryption should not have any functional impact on traffic or HA. While it is disabled, however, HA1 control traffic (hello messages, HA state and configuration synchronization) crosses the link in cleartext, so keep the HA1 link on a dedicated, directly connected segment until encryption is re-enabled.

The methods listed below resolve the HA1 interface flapping after the software upgrade. Use either method to mitigate the HA1 interface flapping.

Method 1 :

  1. Step 1 : Disable HA1 encryption on both the Active and the Passive device.
  2. Step 2 : Run the command " request high-availability sync-to-remote ssh-key " from the Active device.
  3. Step 3 : Re-enable HA1 encryption on both the Active and the Passive device and commit on both devices.
  4. Step 4 : Verify that HA is stable and the HA1 interfaces are no longer flapping (no new "SSH Tunnel reset" errors in the ha_agent log, no HA1 link events in Monitor > System log).

Method 2 :

  1. Step 1 : Disable HA1 encryption on both the Active and the Passive device.
  2. Step 2 : Export the HA key from the Active firewall under Device > Certificate Management > Certificates > Export HA Key.
  3. Step 3 : Import the HA key on the Passive firewall under Device > Certificate Management > Certificates > Import HA Key.
  4. Step 4 : Re-enable HA1 encryption on both the Active and the Passive device and commit on both devices.
  5. Step 5 : Verify that HA is stable and the HA1 interfaces are no longer flapping (no new "SSH Tunnel reset" errors in the ha_agent log, no HA1 link events in Monitor > System log).


Additional Information


Upgrade an HA Firewall Pair



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CqupCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail