HA1 backup link is showing down due to Error: HA1 backup ip doesn't match what peer is sending.
Created On 05/19/23 18:48 PM - Last Modified 09/25/23 13:25 PM
Symptom
- HA1 backup showing down
- ha_agent.log (less mp-log ha_agent.log) shows the following errors on both the Active and Passive firewalls:
Error: ha_peer_recv_tlv(src/ha_peer.c:4443): Group 37 (HA1-MAIN): HA1 backup ip (10.2.5.82) doesn't match what peer is sending on HA1
Error: ha_peer_recv_tlv(src/ha_peer.c:4443): Group 37 (HA1-MAIN): HA1 backup ip (10.2.5.81) doesn't match what peer is sending on HA1
- The HA1 backup link is configured on the management port and does not have the option to assign an IP.
Environment
- Palo Alto FWs configured with Active Passive HA.
- Control Link (HA1 Backup) using management port.
- PAN-OS 10.2.4
Cause
- The 'Backup peer HA1 IP address' under Device>High-availability>General>Setup does not match the Control Link (HA1 Backup) IP address. Because the Control Link (HA1 Backup) is set to use the management port, this value should be the management IP address of the peer.
- The Active peer uses the management port as the Control Link (HA1 Backup), so it should have the management IP of its peer (10.2.5.82) configured as 'Backup peer HA1 IP address' under Device>High-availability>General>Setup. Instead of the management IP of the peer, the IP 192.168.8.1 is configured as 'Backup peer HA1 IP address'. This is a misconfiguration.
- The Passive peer uses the management port as the Control Link (HA1 Backup), so it should have the management IP of its peer (10.2.5.81) configured as 'Backup peer HA1 IP address' under Device>High-availability>General>Setup. Instead of the management IP of the peer, the IP 192.168.8.1 is configured as 'Backup peer HA1 IP address'. This is a misconfiguration.
Resolution
Configure the 'HA1 backup IP address' to match the management IP address of the peer. This needs to be fixed on both the primary and secondary firewalls.
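The check described under Cause and Resolution can be scripted offline. The following is an added example, not Palo Alto Networks code: it finds the mismatch error in saved ha_agent.log text and audits a pair's settings. The dictionary layout, the device labels "active"/"passive" and the function names are assumptions made for this example; the IP addresses and log lines are the ones quoted in this article.

```python
import re
from ipaddress import ip_address

# Matches the ha_agent.log error quoted in the Symptom section.
MISMATCH_RE = re.compile(
    r"ha_peer_recv_tlv\((?P<src>[^)]+)\): Group (?P<group>\d+) \((?P<link>[^)]+)\): "
    r"HA1 backup ip \((?P<ip>[0-9a-fA-F.:]+)\) doesn['’]t match what peer is sending")

def find_mismatch_errors(log_text):
    """Return one dict per HA1 backup mismatch error found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            hits.append({"group": int(m["group"]), "link": m["link"], "ip": m["ip"]})
    return hits

def audit_pair(peers):
    """peers: {label: {"mgmt_ip": ..., "backup_peer_ha1_ip": ...}} for two firewalls
    (hypothetical layout). With HA1 backup on the management port, each firewall's
    'Backup peer HA1 IP address' must equal the other firewall's management IP."""
    if len(peers) != 2:
        raise ValueError("an HA pair has exactly two peers")
    (a, cfg_a), (b, cfg_b) = peers.items()
    findings = []
    for name, cfg, other_name, other in ((a, cfg_a, b, cfg_b), (b, cfg_b, a, cfg_a)):
        configured = ip_address(cfg["backup_peer_ha1_ip"])
        expected = ip_address(other["mgmt_ip"])
        if configured != expected:
            findings.append(f"{name}: Backup peer HA1 IP address is {configured}, "
                            f"expected {expected} (management IP of {other_name})")
    return findings

# Log lines copied from the Symptom section of this article.
SAMPLE_LOG = """\
Error: ha_peer_recv_tlv(src/ha_peer.c:4443): Group 37 (HA1-MAIN): HA1 backup ip (10.2.5.82) doesn't match what peer is sending on HA1
Error: ha_peer_recv_tlv(src/ha_peer.c:4443): Group 37 (HA1-MAIN): HA1 backup ip (10.2.5.81) doesn't match what peer is sending on HA1
"""
# Settings as described under Cause (BROKEN) and after the Resolution (FIXED).
BROKEN = {
    "active": {"mgmt_ip": "10.2.5.81", "backup_peer_ha1_ip": "192.168.8.1"},
    "passive": {"mgmt_ip": "10.2.5.82", "backup_peer_ha1_ip": "192.168.8.1"},
}
FIXED = {"active": dict(BROKEN["active"], backup_peer_ha1_ip="10.2.5.82"),
         "passive": dict(BROKEN["passive"], backup_peer_ha1_ip="10.2.5.81")}

if __name__ == "__main__":
    print(find_mismatch_errors(SAMPLE_LOG))
    print("\n".join(audit_pair(BROKEN)) or "pair is consistent")
```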