HA moved to non-functional due to vm license mismatches with peer even when both firewalls have identical licenses
Created On 08/09/22 02:47 AM - Last Modified 01/02/24 17:14 PM
Symptom
After the PAN-OS upgrade, HA moved to Non-functional (Vm license mismatches with peer).
On checking, both VM-Series firewalls show identical licenses installed in the CLI and the GUI.
PA-VM-FW1(active)> show system info
hostname: PA-VM-FW1
family: vm
model: PA-VM
serial: 007251000199563
vm-uuid: 42138903-7CFC-E468-7584-138F74B8AB0C
vm-cpuid: ESX:F0060300FFFB8B1F
vm-license: VM-300 <=====
vm-mode: VMware ESXi
cloud-mode: non-cloud
sw-version: 9.1.12

PA-VM-FW2(non-functional)> show system info
hostname: PA-VM-FW2
family: vm
model: PA-VM
serial: 007251000199564
vm-uuid: 42138903-7CFC-E468-7584-138F74B8AB0D
vm-cpuid: ESX:F0060300FFFB8B1F
vm-license: VM-300 <=====
vm-mode: VMware ESXi
cloud-mode: non-cloud
sw-version: 9.1.12
If you run "request license info" on the CLI and go to WebUI > Device > Licenses, you will see that both VM-Series firewalls have exactly the same licenses listed.
Environment
VM-Series Firewall
Cause
The VM license type in the sdb file was changed to a different VM capacity during the PAN-OS upgrade.
PA-VM-FW1(active)> show system state filter-pretty cfg.vm-license-type
cfg.vm-license-type: vm50 <=====

PA-VM-FW02(non-functional)> show system state filter-pretty cfg.vm-license-type
cfg.vm-license-type: vm300
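The comparison described above can be scripted over saved CLI captures from both peers. The following is an added example, not part of the original article or any vendor tooling; the sample captures are constructed from the output shown here, the function names are hypothetical, and treating "VM-300" and "vm300" as the same capacity tier is an assumption.

```python
import re

# Constructed captures modelled on the CLI output in this article (not live data).
FW1_INFO = "hostname: PA-VM-FW1\nmodel: PA-VM\nvm-license: VM-300\nsw-version: 9.1.12\n"
FW1_STATE = "cfg.vm-license-type: vm50 <=====\n"
FW2_INFO = "hostname: PA-VM-FW2\nmodel: PA-VM\nvm-license: VM-300\nsw-version: 9.1.12\n"
FW2_STATE = "cfg.vm-license-type: vm300\n"


def parse_fields(text):
    """Turn 'key: value' lines of CLI output into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            # Drop hand-added markers such as '<=====' after the value.
            fields[key.strip()] = value.split("<")[0].strip()
    return fields


def normalize(capacity):
    """Assumption: 'VM-300' and 'vm300' name the same capacity tier."""
    return re.sub(r"[^a-z0-9]", "", capacity.lower())


def audit_peer(info_text, state_text):
    """Compare the displayed license with the stored license type on one peer."""
    info, state = parse_fields(info_text), parse_fields(state_text)
    if "vm-license" not in info or "cfg.vm-license-type" not in state:
        raise ValueError("capture lacks vm-license or cfg.vm-license-type")
    shown = normalize(info["vm-license"])
    stored = normalize(state["cfg.vm-license-type"])
    return {"hostname": info.get("hostname", "unknown"),
            "shown": shown, "stored": stored, "drift": shown != stored}


def audit_pair(captures):
    """captures: list of (show-system-info text, show-system-state text) per peer."""
    peers = [audit_peer(info, state) for info, state in captures]
    return {"peers": peers,
            "drifted": [p["hostname"] for p in peers if p["drift"]],
            "pair_mismatch": len({p["stored"] for p in peers}) > 1}


if __name__ == "__main__":
    report = audit_pair([(FW1_INFO, FW1_STATE), (FW2_INFO, FW2_STATE)])
    for p in report["peers"]:
        print(f'{p["hostname"]}: shown={p["shown"]} stored={p["stored"]} drift={p["drift"]}')
    print("stored types differ between peers:", report["pair_mismatch"])
```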
Resolution
Log in as root and update the sdb:
[root@PA-VM-FW01 ~]# sdb cfg.vm-license-type
cfg.vm-license-type: vm50
[root@PA-VM-FW01 ~]# sdb "cfg.vm-license-type=vm300"
cfg.vm-license-type: vm300