How to Mitigate Panorama HA Non-Functional State

How to Mitigate Panorama HA Non-Functional State

308
Created On 08/26/25 16:40 PM - Last Modified 10/15/25 16:44 PM


Objective


  • Identify and address the root cause of a Panorama peer entering a non-functional state.

  • Restore Panorama to a functional state and reestablish HA redundancy.

Environment


  • Panorama
  • HA

Procedure


  1. Find the reason for the non-functional state of a Panorama in HA by accessing its peer:
    1. Check the UI: high-availability dashboard. Navigate to DASHBOARD > High-Availability widget.
    2. Check the output of the CLI command: 
      > show high-availability all

    3. Look under the "Peer Information" for the State Reason.

      Peer Information:
Connection status: up
Version: 1 
State: secondary-non-functional (last 6 days) 
State Reason: High root partition usage <<<

       

    4. The various reasons why a Panorama in HA goes into a non-functional State are listed here:

      1. High root partition usage

      2. Path down
      3. Peer version not compatible
      4. Version mismatches with peer for <name of the plugin>
    5. The remediation steps for each of these causes are listed below:

      1. High root partition usage : 

        1. Reduce the root disk usage on Panorama. Refer to High Disk Space Usage on / root partition and How To Clear and Panorama in "non-functional" state due to root partition being full.
      2. Path down : 
        1. Verify network connectivity to the IP address or group configured for HA path monitoring.
        2. To review the configuration, navigate to: Panorama > High Availability > Path Group and Panorama > High Availability > Path Monitoring in the Panorama web interface.
        3. To validate the current path monitoring status, use the CLI command:  
          > show high-availability path-monitoring
        4. Ensure the monitored devices are reachable, responsive under load, and appropriate for HA monitoring.
      3. Peer version not compatible : 
        1. This behavior is expected during a staggered upgrade of HA peers. To resolve the issue:
          1. After upgrading one Panorama peer (for example, the secondary), it may show as non-functional due to version incompatibility.
          2. Suspend the other peer (for example, the primary) to allow the upgraded Panorama (for example, the secondary) to become active.
          3. Proceed with upgrading the remaining Panorama peer (for example, the primary).
        2. For more detailed steps, refer to Upgrade Panorama in an HA Configuration.
      4. Version mismatches with peer for <name of the plugin> : 
        1. Ensure that the same plugin version is installed on both Panorama peers in the HA setup. To verify, navigate to Panorama > Plugins in the web interface. 
        2. If plugin versions match, ensure that  HA communication between the Panorama peers is operational and that neither peer is experiencing high resource utilization.

        For more information about Panorama's plugins and their compatibility with Panorama OS versions, refer to Panorama plugins.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TNpFKAW&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail