Azure VMs do not transfer all floating IPs during the HA failover
24969
Created On 02/19/21 08:19 AM - Last Modified 10/25/25 17:18 PM
Symptom
- Whenever failover is triggered for a High Availability VM cluster deployed on Microsoft Azure with the Floating IP address set as secondary address of the interfaces, one or more Floating IP addresses do not shift towards the new Active VM device.
- Around the time of failover, the pan_vm_plugin.log file on the new active firewall shows that the HTTP PUT request towards Azure (for attaching the NIC) fails with response code 403:
vm_ha_state_trans INFO: : Probe result for detaching NIC: paloalto1-untrust is : {u'status': u'Succeeded'}
vm_ha_state_trans INFO: : DEBUG: Sending attach command for NIC : paloalto2-untrust
vm_ha_state_trans INFO: : Instance running in region 'westus'
vm_ha_state_trans INFO: : URL for put request: https://management.azure.com//subscriptions/<sanitized string>/resourceGroups
/paloaltonetworks/providers/Microsoft.Network/networkInterfaces/paloalto2-untrust?api-version=2019-11-01
vm_ha_state_trans INFO: : Put Request Failed: 403Environment
- VM firewalls on Azure.
- HA Active-Passive configured.
- Any PAN-OS.
- Both instances are under the same resources group.
- Floating IP address is assigned as the secondary Layer 3 address of firewall interface/s on the Active device.
Cause
This is a problem that is caused by the authorization level of Azure service principal associated with firewalls.
The account does not have enough privileges to perform the requested transfer action.
Resolution
Please make sure that our associated service principal account is assigned the 'Contributor' role under the IAM settings of Microsoft Azure.
This will give enough privileges to the firewall to request the IP transfer successfully.
Additional Information
The pan_vm_plugin.log file can be checked by logging into the firewall CLI and running:
less mp-log pan_vm_plugin.log