Firewall stuck at initial stage in a HA environment after configuring the group id via CLI.

Created On 01/05/24 14:42 PM - Last Modified 10/30/24 02:29 AM


Symptom


  • The firewall is configured with a group id using the CLI command:
    • set deviceconfig high-availability group group-id 09
  • Once the device is configured with a group id in the 0x format (taking x as 9 here), the device moves to the non-functional state.
  • The GUI displays the group id as 9.
  • When you check from the CLI, however, the group-id is shown as 09:
show deviceconfig high-availability 

    group-id 09;
    description "active-passive";
  .............
  • If you check the system state for this device, you will find that the group-id was set to 0:
admin@sj(non-functional)> show system state | match group-id
ha.app.local.info: { 'cfgsync-reason': Peer disconnected with commit, 'group-id': 0,

 



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • High Availability Setup


Cause


A software issue in parsing the XML config. The issue occurs under either of the following two conditions:

  • The user configures the group id from the CLI in the 0x format.
  • The user modifies the config in the XML file and uploads the file to the firewall.


Resolution


  1. The issue is resolved in PAN-OS 11.0.4, 11.1.3, 10.2.11 or higher versions.
  2. Upgrading should resolve the issue.
  3. As a workaround, reconfigure the group id via the CLI without using the 0x format. Example:
    • set deviceconfig high-availability group group-id 9
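
A pre-upload check for the second condition under Cause (a hand-edited XML config), as an added example that is not part of the original article or Palo Alto Networks tooling. The XML nesting in the constructed sample is an assumption modelled on the CLI path `deviceconfig high-availability group group-id`, and the function name is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of an exported config. The element nesting is an
# assumption based on the CLI path shown in the article, not a vendor schema.
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <high-availability>
          <group>
            <group-id>09</group-id>
            <description>active-passive</description>
          </group>
        </high-availability>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# A zero followed by one or more digits, i.e. the "0x" format from the article.
LEADING_ZERO = re.compile(r"0\d+")


def find_zero_padded_group_ids(xml_text):
    """Return (raw_value, normalized_value) for each HA group-id with a leading zero."""
    root = ET.fromstring(xml_text)
    findings = []
    # Search under any high-availability element so the check does not
    # depend on the exact depth of the group-id node.
    for ha in root.iter("high-availability"):
        for node in ha.iter("group-id"):
            raw = (node.text or "").strip()
            if LEADING_ZERO.fullmatch(raw):
                findings.append((raw, str(int(raw))))
    return findings


if __name__ == "__main__":
    for raw, fixed in find_zero_padded_group_ids(SAMPLE_CONFIG):
        print(f"group-id {raw!r} has a leading zero; reconfigure as {fixed}")
```

Run it against the edited file before uploading; an empty result means no HA group-id in the file uses the 0x format.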

