Secondary IP of Azure Network Interface fails to move to newly Active, because the NIC id is "None".
Created On 02/18/22 02:17 AM - Last Modified 02/21/24 05:16 AM
Symptom
Secondary IP of Azure Network Interface fails to move to newly Active after HA failover.
When an HA failover is triggered, the cached NIC id is used for the Azure API call that moves the secondary IP. The cached NIC id can be confirmed with the following CLI command.
> show system state | match cfg.ha.cache.local
cfg.ha.cache.local.client_id: None
cfg.ha.cache.local.client_secret: None
cfg.ha.cache.local.hostname: PA-VM1
cfg.ha.cache.local.net.eth1: None <<---!!! This value indicates the NIC id of eth1 of the local device.
cfg.ha.cache.local.net.eth2: None <<---!!!
cfg.ha.cache.local.net.eth3: None <<---!!!
cfg.ha.cache.local.net.eth4: None
cfg.ha.cache.local.net.eth5: None
cfg.ha.cache.local.net.eth6: None
cfg.ha.cache.local.net.eth7: None
cfg.ha.cache.local.resource_group: None
cfg.ha.cache.local.resource_mgr_endpoint: None
cfg.ha.cache.local.subscription_id: None
cfg.ha.cache.local.tenant_id: None
peer.cfg.ha.cache.local.client_id: None
peer.cfg.ha.cache.local.client_secret: None
peer.cfg.ha.cache.local.hostname: PA-VM2
peer.cfg.ha.cache.local.net.eth1: None <<---!!! This value indicates the NIC id of eth1 of the HA peer.
peer.cfg.ha.cache.local.net.eth2: None <<---!!!
peer.cfg.ha.cache.local.net.eth3: None <<---!!!
peer.cfg.ha.cache.local.net.eth4: None
peer.cfg.ha.cache.local.net.eth5: None
peer.cfg.ha.cache.local.net.eth6: None
peer.cfg.ha.cache.local.net.eth7: None
peer.cfg.ha.cache.local.resource_group: None
peer.cfg.ha.cache.local.resource_mgr_endpoint: None
peer.cfg.ha.cache.local.subscription_id: None
peer.cfg.ha.cache.local.tenant_id: None
If the NIC id of either HA peer is already "None", the secondary IP will fail to move even though both HA peers have internet access at the time of the HA failover.
When the NIC id is populated properly, it appears as follows. The output below is the expected result.
> show system state | match cfg.ha.cache.local
show system state | match ha.app.cache.peer
cfg.ha.cache.local.client_id: None
cfg.ha.cache.local.client_secret: None
cfg.ha.cache.local.hostname: PA-VM1
cfg.ha.cache.local.net.eth1: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/networkInterfaces/<nic-id>
cfg.ha.cache.local.net.eth2: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/networkInterfaces/<nic-id>
cfg.ha.cache.local.net.eth3: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/networkInterfaces/<nic-id>
cfg.ha.cache.local.net.eth4: None
cfg.ha.cache.local.net.eth5: None
cfg.ha.cache.local.net.eth6: None
cfg.ha.cache.local.net.eth7: None
cfg.ha.cache.local.resource_group: None
cfg.ha.cache.local.resource_mgr_endpoint: None
cfg.ha.cache.local.subscription_id: None
cfg.ha.cache.local.tenant_id: None
peer.cfg.ha.cache.local.client_id: None
peer.cfg.ha.cache.local.client_secret: None
peer.cfg.ha.cache.local.hostname: PA-VM2
peer.cfg.ha.cache.local.net.eth1: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/networkInterfaces/<nic-id>
peer.cfg.ha.cache.local.net.eth2: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/networkInterfaces/<nic-id>
peer.cfg.ha.cache.local.net.eth3: /subscriptions/<subscription-id>/resourceGroups/<resourcegroup-name>/providers/Microsoft.Network/networkInterfaces/<nic-id>
peer.cfg.ha.cache.local.net.eth4: None
peer.cfg.ha.cache.local.net.eth5: None
peer.cfg.ha.cache.local.net.eth6: None
peer.cfg.ha.cache.local.net.eth7: None
peer.cfg.ha.cache.local.resource_group: None
peer.cfg.ha.cache.local.resource_mgr_endpoint: None
peer.cfg.ha.cache.local.subscription_id: None
peer.cfg.ha.cache.local.tenant_id: None
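Because the move fails when either peer's cached id is "None", it is worth checking the cache on both units before a planned failover rather than discovering the gap during one. The following script is an added example, not part of this article or of any Palo Alto Networks tooling: it parses the output of the "show system state | match cfg.ha.cache.local" command shown above (copied from the CLI into a file or variable), maps the literal "None" to an empty entry, and reports any dataplane interface whose cached NIC id is missing or does not have the Azure resource-id shape shown in the expected output. The sample output, subscription id, resource group and NIC names are constructed for the example; the list of interfaces to check (eth1 to eth3 here) is an assumption that matches the interfaces populated in the article's expected output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the article's CLI output: the local unit has
# lost the cached NIC id for eth1 while the peer still has all three.
SAMPLE_OUTPUT = """\
cfg.ha.cache.local.client_id: None
cfg.ha.cache.local.hostname: PA-VM1
cfg.ha.cache.local.net.eth1: None <<---!!! annotation copied from the article
cfg.ha.cache.local.net.eth2: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/networkInterfaces/pa-vm1-eth2
cfg.ha.cache.local.net.eth3: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/networkInterfaces/pa-vm1-eth3
cfg.ha.cache.local.net.eth4: None
peer.cfg.ha.cache.local.hostname: PA-VM2
peer.cfg.ha.cache.local.net.eth1: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/networkInterfaces/pa-vm2-eth1
peer.cfg.ha.cache.local.net.eth2: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/networkInterfaces/pa-vm2-eth2
peer.cfg.ha.cache.local.net.eth3: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/networkInterfaces/pa-vm2-eth3
peer.cfg.ha.cache.local.net.eth4: None
"""

# Lines of interest look like "[peer.]cfg.ha.cache.local.net.ethN: <value>".
_LINE_RE = re.compile(
    r"^(?P<side>peer\.)?cfg\.ha\.cache\.local\.net\.(?P<iface>eth\d+):\s*(?P<value>.*)$"
)
# Shape of an Azure NIC resource id as shown in the article's expected output.
_NIC_ID_RE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/"
    r"Microsoft\.Network/networkInterfaces/[^/]+$"
)


def parse_ha_cache(output: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Return {'local': {ethN: id-or-None}, 'peer': {...}} from the CLI output.

    The CLI prints the literal string "None" for an empty cache entry; it is
    mapped to Python None. Anything after the first whitespace (such as the
    "<<---!!!" annotations in the article) is ignored.
    """
    cache: Dict[str, Dict[str, Optional[str]]] = {"local": {}, "peer": {}}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        side = "peer" if m.group("side") else "local"
        value = m.group("value").strip().split(" ", 1)[0]
        cache[side][m.group("iface")] = None if value in ("", "None") else value
    return cache


def check_failover_readiness(
    cache: Dict[str, Dict[str, Optional[str]]], interfaces: List[str]
) -> List[str]:
    """List the reasons a secondary-IP move would fail for the given interfaces.

    The article states the move fails if either HA peer's cached NIC id is
    None, so both sides must hold a well-formed resource id for every
    interface that carries a secondary IP. An empty list means ready.
    """
    problems: List[str] = []
    for iface in interfaces:
        for side in ("local", "peer"):
            nic_id = cache[side].get(iface)
            if nic_id is None:
                problems.append(f"{side} {iface}: cached NIC id is None")
            elif not _NIC_ID_RE.match(nic_id):
                problems.append(f"{side} {iface}: unexpected NIC id format {nic_id!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_ha_cache(SAMPLE_OUTPUT)
    # Assumption: eth1-eth3 are the dataplane interfaces carrying secondary IPs.
    for problem in check_failover_readiness(parsed, ["eth1", "eth2", "eth3"]):
        print(problem)
```

Interfaces that are not in use (eth4 to eth7 in the article's outputs) legitimately show "None", which is why the check takes an explicit list of interfaces instead of flagging every empty entry. If the check reports a problem, follow the Resolution section below: confirm management-interface internet access and commit so the cache is repopulated, then re-run the command on both peers.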
Environment
- Platform: VM-Series Firewall
- Deployment: Active/Passive HA in Azure.
Cause
The NIC id becomes "None" after the following sequence of events.
1) Fetching the Azure token fails.
This can happen for several reasons. Please refer to these articles as well.
Secondary IP(s) of Azure Network Interface(s) do not move to newly active unit with message “Failed to get Azure Access Token”
Secondary IP(s) of Azure Network Interface(s) do not move to newly active unit due to DNS issues
2) A commit is executed after the Azure token fetch has failed.
Resolution
To fetch the NIC id again, try the following.
1) Make sure the management interface has internet access.
2) Perform a Commit.