HA故障转移（主动/被动）后，浮动 IP 不会移动到对等防火墙。

• The floating IP address stayed with the active firewall after failover.

• When an HA Failover occurs, pan_vm_plugin.log reports "Moving Secondary IP failed - Not able to get Peer's VNIC attachments"

  > less mp-log pan_vm_plugin.log
  -0600 vm_ha_state_trans INFO: Authenticate and retrieve an instance principal token
  -0600 vm_ha_state_trans INFO: Connection Error: HTTPSConnectionPool(host='auth.us-phoenix-1.oraclecloud.com', port=443):
  Max retries exceeded with url: /v1/x509 (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa5b5c6a5c0>: 
  Failed to establish a new connection: [Errno 110] Connection timed out',))
  -0600 vm_ha_state_trans INFO: : Moving Secondary IP failed - Not able to get Peer's VNIC attachments. Err: ConnError

• 系统状态可能无法使用对等 OCI 实例 ID 进行更新：

> show system state | match instance

ha.app.peer.platform: { 'eni': [ ], 'instance-id': NULL, }
peer.cfg.general.max-fibinstance: 0xff

• PA- VM
• PAN操作系统
• 私有云和公共云空间

• 该问题与不正确的DNS解析有关，导致 OCI 元数据检索出现问题，进而引发不正确的故障转移行为。
• 具体来说， DNS解析被management port(管理端口-MGT port)上的代理阻止。

1. 检查是否有任何节点阻止management port(管理端口-MGT port)连接到 Oraclecloud url 或相关 ip 地址，例如上例中的 pan_vm_plugin.log： https://auth.us-phoenix-1.oraclecloud.com/v1/x509
2. 从设备 > 设置 > 服务中删除management port(管理端口-MGT port)的代理服务器地址
3. 重启VM
4. 执行故障转移测试以确保正确转换。
   
   

在 OCI 上配置主动/被动HA