In an HA pair, the secondary firewall's SSH connectivity (management port) is lost after disabling weak ciphers on the primary firewall
Created On 09/25/20 05:22 AM - Last Modified 02/17/23 14:00 PM


Question


Why is the secondary PA's CLI/SSH access lost after removing the weak SSH ciphers on the primary when the two PAs are in an HA pair?


Environment


  • All PAN-OS
  • Palo Alto Networks Firewalls or Panorama in a high availability (HA) pair


Answer


  • Previous steps:
    1. The following steps are used to fix a SWEET32-vulnerable configuration on a PAN-OS device.
    2. Remove the weak ciphers, such as SHA1, 3DES, and RC4.
    3. Update the SSL/TLS service profile by selecting secure cipher algorithms such as SHA256 and AES-256-GCM.
    4. Set the key exchange algorithm to ECDHE, and set the SSH ciphers for mgmt to aes256-ctr and other strong ciphers.
    5. The full detail can be found here.
    6. The last step is always to restart the SSH service (set ssh service-restart mgmt) so that the newly configured settings take effect.
  • Side effect:
    1. Sometimes, as a side effect, SSH access to the PA firewall fails. This can be caused by an old SSH client that does not support the newly configured keys and ciphers, so we recommend that everyone run an updated version of their SSH client software, especially PuTTY. You can always use Tera Term, SecureCRT, or another SSH client.
    2. The bigger issue occurs if you have an HA pair and SSH access to the secondary firewall fails. Configuration sync passes the SSH configuration from the primary to the secondary, but the SSH service is not restarted on the secondary. Hence the new SSH-related configuration is not applied on the management port, and the firewall's SSH service is left in a hung state.
  • Solution 1:
    1. Generate an API key as described on the Get Your API Key page of the PAN-OS and Panorama API Usage Guide.
    2. Use the following API call, replacing IP with the IP address or FQDN/hostname of the affected device and APIKEY with the key retrieved in the previous step:
https://IP/api/?key=APIKEY&type=op&cmd=<set><ssh><service-restart><mgmt></mgmt></service-restart></ssh></set>
*This is the API form of the command "set ssh service-restart mgmt". It does not need to be sent through curl; you can issue the API call from a normal web browser.
  • Solution 2:
    1. On the secondary FW, turn off SSH from the WebUI.
    2. Log in through the console, first delete the existing SSH configuration, and then make the cipher changes again.
    3. Restart the service: "set ssh service-restart mgmt"
    4. Then turn SSH back on from the WebUI.
    5. Alternatively, change the SSH-related configuration on both FWs at the same time and restart the SSH service on the management port of both together.
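Solution 1 scripted end to end, as an added example that is not part of this article or of Palo Alto Networks' own tooling. It obtains an API key with the keygen request type the API Usage Guide describes, percent-encodes the XML op command so it works from a script or curl and not only from a lenient browser, and inspects the status attribute of the response envelope instead of assuming the restart was accepted. The host, admin user and CA file are placeholders supplied on the command line; the network call is isolated in http_get() so the URL builders and response parsers can be checked offline against constructed responses.

```python
"""Restart the management-plane SSH service on a PAN-OS device via the XML API.

Added example; this is not code from the KB article or from Palo Alto Networks.
Assumptions: the XML API is reachable over HTTPS on the management interface,
the admin account may run operational commands, and the hostname, user name
and certificate path given on the command line are placeholders you replace.
"""
import argparse
import getpass
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# XML form of "set ssh service-restart mgmt", as given in the article.
SSH_RESTART_CMD = "<set><ssh><service-restart><mgmt></mgmt></service-restart></ssh></set>"


def build_keygen_url(host: str, user: str, password: str) -> str:
    """URL for type=keygen, which returns an API key for the admin account."""
    query = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{query}"


def build_op_url(host: str, api_key: str, cmd_xml: str = SSH_RESTART_CMD) -> str:
    """URL for an operational (type=op) command.

    The XML is percent-encoded so the angle brackets survive any HTTP client,
    not only a browser that tolerates them unencoded.
    """
    query = urllib.parse.urlencode({"key": api_key, "type": "op", "cmd": cmd_xml})
    return f"https://{host}/api/?{query}"


def response_message(root: ET.Element) -> str:
    """Best-effort human-readable text from a PAN-OS API response envelope."""
    for path in ("./result/msg", "./msg/line", "./msg", "./result"):
        text = root.findtext(path)
        if text and text.strip():
            return text.strip()
    return ""


def parse_key(body: str) -> str:
    """Extract the API key from a keygen response; raise on an error envelope."""
    root = ET.fromstring(body)
    if root.get("status") != "success":
        raise RuntimeError(f"keygen failed: {response_message(root)}")
    key = root.findtext("./result/key")
    if not key:
        raise RuntimeError("keygen response contained no key")
    return key


def parse_op_status(body: str) -> Tuple[bool, str]:
    """Return (succeeded, message) for an op-command response."""
    root = ET.fromstring(body)
    return root.get("status") == "success", response_message(root)


def http_get(url: str, ca_file: Optional[str], timeout: float = 30.0) -> str:
    """Fetch url; verify the device certificate against ca_file when given."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        # Many firewalls present a self-signed management certificate. Prefer
        # passing --ca-file; skipping verification is a deliberate choice here.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def restart_mgmt_ssh(host: str, api_key: str, ca_file: Optional[str] = None) -> Tuple[bool, str]:
    """Send the restart command and report whether the device accepted it."""
    return parse_op_status(http_get(build_op_url(host, api_key), ca_file))


def main() -> None:
    ap = argparse.ArgumentParser(description="Restart mgmt SSH on a PAN-OS device")
    ap.add_argument("host", help="IP or FQDN of the affected (secondary) device")
    ap.add_argument("--user", required=True, help="admin user for type=keygen")
    ap.add_argument("--ca-file", help="CA bundle used to verify the device certificate")
    args = ap.parse_args()
    password = getpass.getpass(f"Password for {args.user}@{args.host}: ")
    api_key = parse_key(http_get(build_keygen_url(args.host, args.user, password), args.ca_file))
    ok, msg = restart_mgmt_ssh(args.host, api_key, args.ca_file)
    print("SSH restart", "accepted" if ok else "FAILED", msg)


if __name__ == "__main__":
    main()
```

Run it as `python3 restart_mgmt_ssh.py 192.0.2.10 --user admin --ca-file fw-ca.pem` (placeholder values), then confirm the fix by logging in over SSH from a current client that offers aes256-ctr; the API session itself is HTTPS, so it is unaffected by the SSH restart.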


Additional Information


When FIPS-CC mode is enabled on the firewall you will not have console access, so Solution 1 is the only option apart from a firewall reboot.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAsiCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail