HA with encryption - HA1 stays down


19100
Created On 10/29/20 17:08 - Last Modified 07/11/25 20:09


Symptom


  • HA1 link stays down.
  • HA1 encryption is enabled.


Environment


  • Palo Alto Networks Firewalls
  • Panorama
  • PAN-OS


Cause


  • Problem with the HA SSH key used to encrypt the HA1 control link.
  • The HA logs show the peer connection dropping with an SSH tunnel reset:
    2020-10-27 11:03:36.850 -0700 Error: ha_peer_disconnect(src/ha_peer.c:1763): Group 5 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
    2020-10-27 11:03:36.850 -0700 Error: ha_peer_primary_link_switchover(src/ha_peer.c:2364): Group 5: Unable to find a primary interface to switch
    2020-10-27 11:03:36.850 -0700 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3370): Attempting 1 modify for sw.sysd.peers

  • Disabling encryption brings the link up, which confirms the fault is in the encrypted tunnel rather than the physical HA1 path.
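To check a longer HA log export for this signature rather than reading it by eye, the following added example (not part of the article or of PAN-OS) parses ha_agent-style log lines like the ones quoted above, pulls out the HA group and link name, and reports whether an "SSH Tunnel reset" error is present. The line format is assumed from the three quoted lines; the sample log is constructed from them plus nothing else.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three HA log lines quoted in the article.
SAMPLE_HA_LOG = """\
2020-10-27 11:03:36.850 -0700 Error: ha_peer_disconnect(src/ha_peer.c:1763): Group 5 (HA1-MAIN): peer connection error msg set: SSH Tunnel reset
2020-10-27 11:03:36.850 -0700 Error: ha_peer_primary_link_switchover(src/ha_peer.c:2364): Group 5: Unable to find a primary interface to switch
2020-10-27 11:03:36.850 -0700 debug: ha_sysd_peerip_modify(src/ha_sysd.c:3370): Attempting 1 modify for sw.sysd.peers
"""

# Assumed line layout: "<date> <time> <tz> <level>: <func>(<file:line>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<tz>[+-]\d{4}) "
    r"(?P<level>\w+): (?P<func>\w+)\((?P<src>[^)]*)\): (?P<msg>.*)$"
)
# "Group 5 (HA1-MAIN)" or just "Group 5"; the link name is optional.
GROUP_RE = re.compile(r"Group (?P<group>\d+)(?: \((?P<link>[^)]+)\))?")


@dataclass
class HaLogEntry:
    ts: str
    level: str
    func: str
    src: str
    msg: str
    group: Optional[int]
    link: Optional[str]


def parse_ha_log(text: str) -> List[HaLogEntry]:
    """Parse HA log text into entries; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped output, headers, blank lines
        g = GROUP_RE.search(m["msg"])
        entries.append(HaLogEntry(
            ts=m["ts"], level=m["level"], func=m["func"],
            src=m["src"], msg=m["msg"],
            group=int(g["group"]) if g else None,
            link=g["link"] if g else None,
        ))
    return entries


def find_ssh_tunnel_resets(entries: List[HaLogEntry]) -> List[HaLogEntry]:
    """Only Error-level lines carrying the tunnel-reset text count as hits."""
    return [e for e in entries if e.level == "Error" and "SSH Tunnel reset" in e.msg]


def diagnose(text: str) -> Optional[dict]:
    """Return group/link/count/last timestamp of the reset, or None if absent."""
    hits = find_ssh_tunnel_resets(parse_ha_log(text))
    if not hits:
        return None
    last = hits[-1]
    return {"group": last.group, "link": last.link,
            "count": len(hits), "ts": last.ts}


if __name__ == "__main__":
    result = diagnose(SAMPLE_HA_LOG)
    if result:
        print(f"HA1 encryption fault: group {result['group']} "
              f"link {result['link']} reset {result['count']}x, last at {result['ts']}")
    else:
        print("no SSH tunnel reset found")
```

Run it against a larger `less mp-log ha_agent.log` capture to see how often the tunnel is being reset and on which group; repeated resets on the same link with encryption enabled point at the key problem this article describes, whereas no hits mean the HA1 outage has a different cause.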



Resolution


  • Disable HA1 encryption on the Passive firewall.

  • Commit the change.

  • Reset the HA SSH key on the Passive firewall:
    >  debug system ssh-key-reset high-availability

Note: This command reboots the firewall automatically.

  • Wait for the Passive firewall to finish rebooting before continuing.

  • Disable HA1 encryption on the Active firewall.

  • Commit the change.

  • Reset the HA SSH key on the Active firewall:
    >  debug system ssh-key-reset high-availability

Note: This command reboots the firewall automatically; expect a failover to the Passive firewall while it reboots.

  • Wait for the Active firewall to finish rebooting.

  • Export the HA key from the Active firewall and import it on the Passive firewall.

  • Export the HA key from the Passive firewall and import it on the Active firewall.

  • Enable HA1 encryption on both firewalls. Until this step, HA1 control traffic between the peers is unencrypted, so perform the procedure in a maintenance window.

  • Commit on both firewalls and confirm that the HA1 link comes up with encryption enabled.



Additional Information


For devices in FIPS mode, encryption cannot be disabled. Skip the disable/enable steps and proceed directly with resetting the HA SSH key on both devices, then exporting and importing the key between them.


