HA Sync (Manual & Auto) Failure in Active/Passive Because the Certificate Used in the Management SSL/TLS Profile Is Also Used by Other Features That Require It
37051
Created On 01/15/21 17:32 PM - Last Modified 03/16/21 21:22 PM
Symptom
After a commit or a manual sync from the Active device, HA synchronization fails. The ha_agent.log on the Active device shows the errors below.
Active Device:
debug: ha_sysd_mgmt_finsync_notifier_callback(src/ha_sysd.c:2517): Mgmtsrvr sent finsync failure
Error: ha_state_cfg_dosync_fail(src/ha_state_cfg.c:405): Group 1: Config sync triggered from local device failed from mgmt srvr (retry no; always ignored)
debug: ha_sysd_dev_cfgsync_update(src/ha_sysd.c:1415): Set dev cfgsync to Out-of-Sync
debug: ha_state_cfg_dosync_fail(src/ha_state_cfg.c:417): Group 1: setting reason to failure for config sync when we got a dosync/finsync failure
Passive Device:
debug: ha_sysd_mgmt_finsync_notifier_callback(src/ha_sysd.c:2517): Mgmtsrvr sent finsync failure
debug: ha_sysd_mgmt_finsync_notifier_callback(src/ha_sysd.c:2517): Mgmtsrvr sent finsync failure
Environment
High-Availability
Cause
The failure occurs when the certificate referenced in Device > Setup > Management > General > SSL/TLS Service Profile is also used by another feature on the PA firewall that requires a certificate, such as GlobalProtect (GP), Decryption, or Captive Portal (CP) authentication. In that case the certificate is not pushed from the Active device to the Passive device, and the HA sync fails because the certificate is absent on the Passive device.
Resolution
Use a certificate dedicated to the management profile referenced at Device > Setup > Management > General > SSL/TLS Service Profile, and do not reference that certificate anywhere else in the configuration.
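As an added check that is not part of this article, the Python script below scans an exported PAN-OS-style configuration XML for the certificate bound to the management SSL/TLS service profile and reports every other place that certificate, or the profile carrying it, is referenced. The element layout and the sample configuration are constructed approximations of the real schema, so adjust the paths to match an actual export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS running config (element layout is an assumption).
# "mgmt-cert" is also used by a GlobalProtect profile, and a captive-portal setting points
# at the management profile directly: both are the conflict the article describes.
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="mgmt-profile"><certificate>mgmt-cert</certificate></entry>
      <entry name="gp-profile"><certificate>mgmt-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <ssl-tls-service-profile>mgmt-profile</ssl-tls-service-profile>
    </system></deviceconfig>
    <vsys><entry name="vsys1">
      <captive-portal><ssl-tls-service-profile>mgmt-profile</ssl-tls-service-profile></captive-portal>
    </entry></vsys>
  </entry></devices>
</config>"""

def _walk(elem, path, targets, hits):
    """Depth-first walk recording the path of every element whose text is in targets."""
    tag = elem.tag
    if tag == "entry" and "name" in elem.attrib:
        tag = f"entry[@name='{elem.attrib['name']}']"
    here = f"{path}/{tag}"
    if (elem.text or "").strip() in targets:
        hits.append((here, elem.text.strip()))
    for child in elem:
        _walk(child, here, targets, hits)

def find_conflicting_cert_uses(config_xml):
    """Return (mgmt_cert, [(path, value), ...]) for references to the management
    certificate, or to the profile that carries it, outside the management setting."""
    root = ET.fromstring(config_xml)
    mgmt_profile = (root.findtext(".//deviceconfig/system/ssl-tls-service-profile") or "").strip()
    mgmt_cert = (root.findtext(
        f".//ssl-tls-service-profile/entry[@name='{mgmt_profile}']/certificate") or "").strip()
    if not mgmt_cert:
        return None, []  # no management profile configured, or profile without a certificate
    # Expected references: the management setting itself and the certificate line inside
    # the management profile's own definition. Anything else is a conflict to resolve.
    allowed = ("/deviceconfig/system/ssl-tls-service-profile",
               f"/ssl-tls-service-profile/entry[@name='{mgmt_profile}']/certificate")
    hits = []
    _walk(root, "", {mgmt_profile, mgmt_cert}, hits)
    return mgmt_cert, [(p, v) for p, v in hits if not p.endswith(allowed)]
```

Any path reported by find_conflicting_cert_uses is a place where the management certificate must be swapped for a different certificate before the HA sync will succeed.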