Troubleshooting a Suspended HA Firewall: Root Cause Analysis and Recovery
Created On 04/15/25 15:44 PM - Last Modified 09/24/25 17:28 PM
Objective
- Identify the root cause of HA firewall suspended states.
- Restore the HA firewalls to a healthy, redundant state.
Environment
- Palo Alto Networks Firewalls
- Supported PAN-OS
- High Availability (HA) active/passive or active/active
Procedure
- Find the reason for the suspended state of a firewall in HA by accessing its peer:
- Check the UI: high-availability dashboard. Navigate to DASHBOARD > High-Availability widget.
- Check the output of the CLI command:
    > show high-availability all
- Look under the "Peer Information" for the State Reason.
    Peer Information:
        Connection status: up
        Version: 1
        Mode: Active-Passive
        State: suspended (last 2 hours)
        State Reason: User requested   <<<
- The various reasons why a firewall in HA goes into suspended State are listed here:
- non-functional loop detected
- Preemption loop detected
- Tentative loop
- Multi-vsys mismatches with peer
- Platform Model mismatches with peer
- Serial Number matches with peer
- Peer version too old
- FIPS-CC mode mismatches with peer
- User requested
- Refer to the remediation steps for each of these causes listed below:
- non-functional loop detected: Check When does an HA node go into Suspended state due to Non-Functional loop?
- Preemption loop detected: Check When does an HA node go into Suspended state due to Preemption loop?
- Tentative loop: Check When does an HA node go into Suspended state due to Tentative loop?
- Multi-vsys mismatches with peer: Check High Availability displays error: Suspended (Multi-vsys mismatches with peer). If the firewall is managed by Panorama and the Multi Virtual System capability is not enabled, you must first detach the firewall from Panorama. Then, enable the Multi Virtual System feature locally on the firewall. Navigate to UI Device > Management > Settings > Multi Virtual System Capability, then use the KB below to Migrate a Multi-vSYS enabled Firewall HA Pair to Panorama Management.
- Platform Model mismatches with peer: Ensure that both firewalls in an HA pair are the same platform model. This also means that a Zero Touch Provisioning (ZTP) firewall cannot be paired with a non-ZTP firewall. Additionally, make sure that the management (MGMT) IP address configured on each firewall is unique within your network. This is critical not only for general network stability but also to prevent a firewall from attempting to form an HA pair with an unintended device of a different model. Refer to Is the High availability Supported between two different Firewall Platforms?
- Serial Number matches with peer: This situation can typically occur if both PA-VMs in HA are displaying the serial number as "Unknown". Below is a list of articles on how to resolve the "Unknown" serial number issue on a PA-VM:
- Peer version too old: This issue typically occurs during HA upgrades. Ensure that you adhere to the official documentation and follow the proper steps when upgrading your HA firewall pair: PAN-OS Upgrade Guide: Upgrade an HA Firewall Pair.
- FIPS-CC mode mismatches with peer: This issue occurs when one firewall in the HA pair has FIPS-CC mode enabled and the other does not. Both firewalls must have the same FIPS-CC mode setting (either enabled or disabled) for HA to function properly. Refer to Enabling CCEAL4 or FIPS Mode in High Availability and Change the Operational Mode to FIPS-CC Mode.
- User requested: This action was intentionally performed by an administrator. To identify which administrator suspended the firewall, navigate to UI: Monitor > Log > System, use the search filter ( description contains 'HA state set to suspended' ) to capture the timestamp, then use ( eventid eq 'auth-success' ) to check which admin last logged in to the firewall around the time the firewall was suspended.
- For additional information on how to recover a firewall HA member from the suspended state, refer to How to Recover HA Pair Member from the Suspended State.
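The two checks above (reading the State Reason from the peer's `show high-availability all` output, and correlating the 'HA state set to suspended' system-log entry with the preceding admin logins) can be scripted. The following is an added example, not code from this article or from Palo Alto Networks; the HA output text and the system-log rows are constructed samples, and the 30-minute lookback window is an assumption you can tune.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of the Peer Information block from `show high-availability all`
# (illustrative text, not a capture from a real firewall).
HA_OUTPUT = """\
Peer Information:
        Connection status: up
        Version: 1
        Mode: Active-Passive
        State: suspended (last 2 hours)
        State Reason: User requested
"""

# Constructed PAN-OS system-log rows: (receive_time, eventid, admin, description).
SYSTEM_LOG = [
    ("2025/04/15 09:58:10", "auth-success", "svc-backup", "User svc-backup logged in via Web from 10.0.0.7"),
    ("2025/04/15 10:02:41", "auth-success", "jdoe", "User jdoe logged in via CLI from 10.0.0.5"),
    ("2025/04/15 10:04:13", "ha-suspend", "", "HA state set to suspended"),
    ("2025/04/15 10:30:00", "auth-success", "asmith", "User asmith logged in via Web from 10.0.0.9"),
]

LOG_TIME_FMT = "%Y/%m/%d %H:%M:%S"


def peer_state_reason(ha_output):
    """Return (state, state_reason) parsed from the Peer Information block, or (None, None)."""
    if "Peer Information:" not in ha_output:
        return None, None
    peer = ha_output.split("Peer Information:", 1)[1]
    state = re.search(r"^\s*State:\s*(\w+)", peer, re.M)
    reason = re.search(r"^\s*State Reason:\s*(.+?)\s*$", peer, re.M)
    return (state.group(1) if state else None, reason.group(1) if reason else None)


def admins_before_suspend(log_rows, window_minutes=30):
    """Locate the most recent 'HA state set to suspended' entry, then list the admins with an
    auth-success event in the lookback window before it (oldest first, so the last entry is
    the login closest to the suspension). Returns (suspend_time_str, [admins])."""
    suspends = [t for t, _, _, d in log_rows if "HA state set to suspended" in d]
    if not suspends:
        return None, []
    t_susp = datetime.strptime(suspends[-1], LOG_TIME_FMT)
    earliest = t_susp - timedelta(minutes=window_minutes)
    logins = sorted((datetime.strptime(t, LOG_TIME_FMT), a)
                    for t, e, a, _ in log_rows if e == "auth-success")
    return suspends[-1], [a for t, a in logins if earliest <= t <= t_susp]
```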
Additional Information
For additional information on moving a firewall into suspended state, refer to NGFW suspended HA.