Panorama HA unable to synchronize when "Encryption Enabled" is selected
3061
Created On 10/19/22 00:37 AM - Last Modified 05/11/23 01:15 AM
Symptom
- HA1 flaps when encryption is enabled on both the primary-active and secondary-passive Panorama devices.
- The configuration does not synchronize. An attempt to synchronize it with the following command fails:
PA5020(active)> request high-availability sync-to-remote running-config
Executing this command will overwrite the candidate configuration on the peer and trigger a commit on the peer. Do you want to continue(y/n)? (y or n) y
Server Error: Failed to synchronize running configuration with HA pair.
- The App and Antivirus versions show as Unknown on the primary-active device but as Match on the secondary-passive device.
- The issue disappears when encryption is disabled in the HA settings.
Environment
- Panorama with HA encryption enabled
- Any PAN-OS
Cause
- If TCP port 28 is blocked anywhere on the path between the HA peers, HA encryption will not work. Without encryption, HA1 runs in cleartext over TCP/28769 and TCP/28260; once encryption is enabled, HA1 switches to SSH on TCP/28, so a security policy that only permits the cleartext HA1 ports (or the predefined "panorama" application) breaks the encrypted HA1 session.
Example of a troubleshooting scenario
Topology: Panorama (primary) ---FW1-----Network-----FW2---Panorama (secondary)
Further debugging of the security policy on the intermediate firewalls showed that the Panorama HA traffic was only being allowed in one direction.
On FW1, traffic from the primary-active to the secondary-passive Panorama hit the allow rule WI_NML_Panorama_HA_SSH_Log4j, which has Application set to "any".
Application "any" matches every port, including TCP/28.
On FW2, however, traffic from the secondary-passive to the primary-active Panorama hit the block rule WI_NML_Blocklist.
Although there is an allow rule above it, that rule matches only the predefined "panorama" application.
The "panorama" App-ID does not include TCP/28, so the encrypted HA1 session did not match it and fell through to the block rule.
To make the traffic match the allow rule, a custom application for TCP/28 was created.
Once it was added to the rule WI_NML_Panorama_HA_SSH_Log4j on FW2, HA encryption worked and the configuration synchronized.
HA status as seen from the primary-active Panorama:
Local: primary-active
Peer (10.60.108.106): Secondary-passive
Running Config: Synchronized
App Version: Unknown <<
Antivirus Version: Unknown <<
Panorama Version: Match
HA1: Up
Plugin_cloud_services: Unknown

HA status as seen from the secondary-passive Panorama:
Local: secondary-passive
Peer (10.60.109.3): Primary-active
Running Config: Synchronized
App Version: Match
Antivirus Version: Match
Panorama Version: Match
HA1: Up
Plugin_cloud_services: Match
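The following is an added example, not code from the article or from Palo Alto Networks. It is a toy first-match security-policy evaluator that reproduces the scenario above: the same rule name exists on both firewalls, but FW2's copy matches only the predefined "panorama" App-ID, so encrypted HA1 traffic on TCP/28 falls through to the block rule in the secondary-to-primary direction while cleartext HA1 on TCP/28769 passes. Rule names and peer addresses are taken from the article; zones are omitted, each direction is evaluated only on the firewall the article reports it hitting, and the App-ID port table is a simplification (the real "panorama" App-ID definition is not reproduced here). The custom App-ID name "HA-SSH-28" is an assumption.

```python
"""Toy first-match security-policy evaluator for the Panorama HA scenario.

Constructed example, not PAN-OS code.  App-ID membership is simplified
(assumption): the predefined "panorama" App-ID is modelled as covering the
cleartext HA1 ports (TCP/28769, TCP/28260) and device management (TCP/3978);
the custom App-ID "HA-SSH-28" covers only TCP/28, the port HA1 uses once
encryption is enabled.
"""
from dataclasses import dataclass

PRIMARY = "10.60.108.106"    # primary-active Panorama (from the HA status output)
SECONDARY = "10.60.109.3"    # secondary-passive Panorama

HA1_ENCRYPTED_PORT = 28             # HA1 with encryption enabled (SSH)
HA1_CLEARTEXT_PORTS = (28769, 28260)

# Simplified App-ID -> TCP port table (assumption, not the real definitions).
APP_PORTS = {
    "panorama": {3978, *HA1_CLEARTEXT_PORTS},
    "HA-SSH-28": {HA1_ENCRYPTED_PORT},   # custom App-ID created in the fix
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # source address or "any"
    dst: str          # destination address or "any"
    apps: frozenset   # App-IDs, or frozenset({"any"})
    action: str       # "allow" or "deny"

    def matches(self, src, dst, port):
        if self.src not in ("any", src) or self.dst not in ("any", dst):
            return False
        if "any" in self.apps:
            return True           # application "any" covers every port
        return any(port in APP_PORTS.get(app, ()) for app in self.apps)


def evaluate(rulebase, src, dst, port):
    """Top-down first match; anything unmatched hits the implicit deny."""
    for rule in rulebase:
        if rule.matches(src, dst, port):
            return rule.action, rule.name
    return "deny", "interzone-default"


# FW1 (in front of the primary): the Panorama rule uses application "any".
FW1_RULES = [
    Rule("WI_NML_Panorama_HA_SSH_Log4j", "any", "any", frozenset({"any"}), "allow"),
    Rule("WI_NML_Blocklist", "any", "any", frozenset({"any"}), "deny"),
]

# FW2 (in front of the secondary) before the fix: the same rule matches only
# the predefined "panorama" App-ID, so TCP/28 falls through to the blocklist.
FW2_BEFORE = [
    Rule("WI_NML_Panorama_HA_SSH_Log4j", "any", "any", frozenset({"panorama"}), "allow"),
    Rule("WI_NML_Blocklist", "any", "any", frozenset({"any"}), "deny"),
]

# FW2 after the fix: the custom App-ID for TCP/28 is added to the allow rule.
FW2_AFTER = [
    Rule("WI_NML_Panorama_HA_SSH_Log4j", "any", "any",
         frozenset({"panorama", "HA-SSH-28"}), "allow"),
    Rule("WI_NML_Blocklist", "any", "any", frozenset({"any"}), "deny"),
]


def ha1_verdicts(fw1_rules, fw2_rules, port):
    """Evaluate each HA1 direction on the firewall the article reports it
    hitting: primary->secondary on FW1, secondary->primary on FW2."""
    return {
        "primary->secondary": ("FW1", *evaluate(fw1_rules, PRIMARY, SECONDARY, port)),
        "secondary->primary": ("FW2", *evaluate(fw2_rules, SECONDARY, PRIMARY, port)),
    }


def ha1_path_open(fw1_rules, fw2_rules, port):
    """HA1 only works when both directions are allowed on the port in use."""
    verdicts = ha1_verdicts(fw1_rules, fw2_rules, port)
    return all(action == "allow" for _, action, _ in verdicts.values())


if __name__ == "__main__":
    for label, fw2 in (("before fix", FW2_BEFORE), ("after fix", FW2_AFTER)):
        for port in (HA1_ENCRYPTED_PORT, HA1_CLEARTEXT_PORTS[0]):
            print(f"{label}, tcp/{port}: open={ha1_path_open(FW1_RULES, fw2, port)}")
            for direction, (fw, action, rule) in ha1_verdicts(FW1_RULES, fw2, port).items():
                print(f"  {direction} on {fw}: {action} ({rule})")
```

Running the block prints the per-direction verdicts: before the fix, TCP/28 is open from primary to secondary but denied by WI_NML_Blocklist from secondary to primary, while TCP/28769 is open both ways (which is why disabling encryption makes the symptom disappear); after the custom App-ID is added to FW2's rule, TCP/28 is open in both directions.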
Resolution
The issue occurred because the encrypted HA1 traffic (SSH on TCP/28) was being blocked by a security policy on the path between the Panorama peers.
After TCP/28 was allowed in both directions between the peers, HA with encryption started working. Confirm the fix from the traffic logs on each firewall in the path, or with show session all filter destination-port 28, checking that sessions on TCP/28 are allowed in both directions.
Additional Information
How to enable encryption on HA1 in high availability configurations
Which Ports Need to be Opened for PAN-OS in HA to Sync and Communicate?