HA failover of Panorama takes a long time (~15 minutes)

• Panorama configured in HA mode.
• Panorama HA failover event is triggered.
• Secondary Panorama takes a very long time in assuming secondary-active state.
• At this time, the managed firewalls still show as connected to Primary Panorama although it is down.

> show panorama-status

Panorama Server 1 : 10.X.X.X
Connected : yes
HA state : Active
Panorama Server 2 : 10.X.X.Y
Connected : yes
HA state : Passive

• In the ha_agent.log, on Secondary Panorama displays the state as "passive". This is because the managed firewalls are still connected to Primary Panorama:

+0700 debug: ha_product_peer_master(src_cms/ha_cms.c:142): Found CMS device 025301XXXXX with peer as active
+0700 Warning: ha_event_log(src/ha_event.c:59): HA peer determined to be Active through managed devices; staying in Passive state

• Panorama in High Availability (HA)
• Supported PAN-OS

• By design, secondary Panorama monitors the managed firewalls.
• If the firewalls are found to be connected to Primary Panorama, Secondary Panorama doesn't become active as explained in the this KB.
• Due to a software defect, PAN-196701, managed firewalls takes ~15 mins to trigger shutdown action on the primary Panorama.
• Till this time the managed firewall shows primary panorama as Active/connected.
• Thus the secondary failover will not happen.

1. The issue is fixed under PAN-196701 n PANOS 10.1.9, 10.2.4 or 11.0.0
2. Upgrade to the fixed versions will resolve the issue.

• PAN-196701