Secondary IP(s) of Azure Network Interface(s) do not move to newly active unit with message "Put Request Failed: 404"
Created On 01/29/25 21:24 PM - Last Modified 03/26/25 21:16 PM
Symptom
- Review Plugin logs to understand and verify the failure events on the active firewall:
> less mp-log pan_vm_plugin.log or > tail follow yes mp-log pan_vm_plugin.log
21:25:16.888 +0000 vm_ha_state_trans INFO: : Sending detach command for NIC : None
21:25:16.936 +0000 vm_ha_state_trans INFO: : Instance running in region 'southcentralus'
21:25:16.937 +0000 vm_ha_state_trans INFO: : URL for put request: https://management.azure.com/None?api-version=2019-11-01
21:25:17.010 +0000 vm_ha_state_trans INFO: : Put Request Failed: 404
21:25:17.011 +0000 vm_ha_state_trans INFO: : URL: https://management.azure.com/None?api-version=2019-11-01
The above log snippet shows API calls made by the VM-Series plugin to Azure Fabric, where the PUT request to detach the secondary IP(s) failed repeatedly.
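One way to pick this failure signature out of a saved copy of pan_vm_plugin.log, as an added example that is not part of the original article or the plugin's own code. It assumes log lines have the layout shown in the excerpt above; the function name find_failed_puts and the field names are hypothetical.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the five plugin log lines quoted in the excerpt above.
SAMPLE_LOG = """\
21:25:16.888 +0000 vm_ha_state_trans INFO: : Sending detach command for NIC : None
21:25:16.936 +0000 vm_ha_state_trans INFO: : Instance running in region 'southcentralus'
21:25:16.937 +0000 vm_ha_state_trans INFO: : URL for put request: https://management.azure.com/None?api-version=2019-11-01
21:25:17.010 +0000 vm_ha_state_trans INFO: : Put Request Failed: 404
21:25:17.011 +0000 vm_ha_state_trans INFO: : URL: https://management.azure.com/None?api-version=2019-11-01
"""

# Assumption: every relevant line follows the layout seen in the excerpt
# (time, UTC offset, "vm_ha_state_trans", level, then the message).
LINE_RE = re.compile(
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) \S+ vm_ha_state_trans \w+: : (?P<msg>.*)$"
)


def find_failed_puts(log_text):
    """Return one record per 'Put Request Failed' line, paired with the
    most recent detach target and PUT URL logged before it."""
    events, nic, url = [], None, None
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # skip lines from other components or other layouts
        msg = m.group("msg")
        if msg.startswith("Sending detach command for NIC :"):
            nic = msg.split(":", 1)[1].strip()
        elif msg.startswith("URL for put request:"):
            url = msg.split(":", 1)[1].strip()
        elif msg.startswith("Put Request Failed:"):
            resource = urlparse(url).path.strip("/") if url else ""
            events.append({
                "time": m.group("ts"),
                "status": int(msg.rsplit(":", 1)[1]),
                "nic": nic,
                "url": url,
                # True when the request path holds no resource ID, as in the
                # excerpt where the path is the literal string "None".
                "no_resource_id": resource in ("", "None"),
            })
    return events


if __name__ == "__main__":
    for event in find_failed_puts(SAMPLE_LOG):
        print(event)
```

A record with status 404 and no_resource_id set to True matches the symptom described here; repeated records across failover attempts correspond to the PUT request failing repeatedly.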
Environment
- Platform: VM-Series Firewall
- Deployment: Azure
Cause
The issue is seen when there is a public IP missing from the management interface.
Resolution
- Ensure a valid DNS server is configured on the PA-VM.
- Allow DNS traffic (UDP port 53) towards the configured DNS server in the Azure network security group attached to the subnet or the management (Eth0) network interface.
- DNS resolution can also fail for the following reasons:
  - The management subnet in the Azure console does not have a route to the internet.
  - Internet traffic for the management subnet is routed through the Trust interface of the PA-VM.
  - The public IP is missing on the management (Eth0) network interface.
  - Private DNS on the customer side is unable to resolve https://management.azure.com.
Additional Information
N/A