Error: Unable to process fabrics after HA switch-over. please make modifications to configuration and commit
Created On 10/28/20 21:47 PM - Last Modified 06/12/25 03:48 AM
Symptom
Error: Unable to process fabrics after HA switch-over. please make modifications to configuration and commit
This can be seen with the Cisco TrustSec plugin on versions 1.0.1 and 1.0.2 in the plugin_cisco_trustsec_ret.log log file:
> less mp-log plugin_cisco_trustsec_ret.log
...
2020-10-26 17:46:45.178 -0500 ERROR: [RET] Unable to process fabrics after HA switch-over. please make modifications to configuration and commit
2020-10-26 17:46:45.371 -0500 DEBUG: [RET] Fabric change occurred in ise-server01
2020-10-26 17:46:45.371 -0500 DEBUG: [RET] Fabric change occurred in ise-server02
2020-10-26 17:46:46.423 -0500 DEBUG: [RET] full-sync retrieval triggered
2020-10-26 17:46:46.423 -0500 DEBUG: [RET] Process Current RSS Mem: 2581148
2020-10-26 17:46:46.643 -0500 ERROR: [RET] Unable to process fabrics after HA switch-over. please make modifications to configuration and commit
...
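To triage an exported copy of this log offline, the following added example (not part of the original article or the plugin) counts the HA switch-over errors and lists the fabric names logged alongside them so their pxGrid servers can be checked for reachability. The function name `triage` and the embedded sample are assumptions constructed from the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log excerpt in this article.
SAMPLE_LOG = """\
2020-10-26 17:46:45.178 -0500 ERROR: [RET] Unable to process fabrics after HA switch-over. please make modifications to configuration and commit
2020-10-26 17:46:45.371 -0500 DEBUG: [RET] Fabric change occurred in ise-server01
2020-10-26 17:46:45.371 -0500 DEBUG: [RET] Fabric change occurred in ise-server02
2020-10-26 17:46:46.423 -0500 DEBUG: [RET] full-sync retrieval triggered
2020-10-26 17:46:46.423 -0500 DEBUG: [RET] Process Current RSS Mem: 2581148
2020-10-26 17:46:46.643 -0500 ERROR: [RET] Unable to process fabrics after HA switch-over. please make modifications to configuration and commit
"""

# Line layout as seen in the excerpt: timestamp, UTC offset, level, [component], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+): \[(?P<comp>[A-Z]+)\] (?P<msg>.*)$"
)
HA_ERROR = "Unable to process fabrics after HA switch-over"
FABRIC_PREFIX = "Fabric change occurred in "


def triage(log_text):
    """Summarise HA switch-over errors and fabric names found in the log text."""
    errors, fabrics, unparsed = [], [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1 if line else 0  # count non-empty lines we could not parse
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f %z")
        msg = m["msg"]
        if m["level"] == "ERROR" and msg.startswith(HA_ERROR):
            errors.append(ts)
        elif msg.startswith(FABRIC_PREFIX):
            name = msg[len(FABRIC_PREFIX):].strip()
            if name not in fabrics:
                fabrics.append(name)
    return {"error_count": len(errors),
            "first_error": errors[0] if errors else None,
            "last_error": errors[-1] if errors else None,
            "fabrics": fabrics, "unparsed_lines": unparsed}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A repeating error with a recent `first_error` after a failover matches the condition described in this article; the listed fabrics are only the names that appear in the log, not a verdict on which server is unreachable.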
Environment
- PAN-OS Next Generation Firewall
- Cisco TrustSec
Cause
This occurs when the Cisco TrustSec plugin has multiple pxGrid servers configured and one or more of them cannot be reached after a Panorama HA failover. By design, the plugin ignores newly discovered devices on Panorama HA failover if one or more monitored pxGrid servers are not reachable, so that the two Panoramas do not end up with different configurations.
Resolution
This is working as designed as of Cisco TrustSec Plugin v1.0.2. This article is intended only to inform.
If one or more monitored pxGrid servers are offline and a Panorama HA failover happens, you should disable the monitoring definition and then commit.
- Go to Panorama > Cisco TrustSec > Monitoring Definition:
- Click your monitoring definition
- Click to uncheck the "Enable" box and then click OK
- Click Commit