How to Restore an HA Firewall Stuck in the Initial State

Created On 10/21/25 19:20 PM - Last Modified 10/27/25 20:57 PM


Objective


  • Restore a firewall stuck in the initial state.


Environment


  • NGFW
  • HA


Procedure


When a firewall is stuck in the initial state, it often points to issues within the HA2 links or software/plugin conflicts that prevent proper session synchronization.

Note: When session synchronization is enabled, the HA device will synchronize sessions over the HA2 link. ha_agent will wait for an hour in the initial state if session synchronization does not complete.

  1. Check the HA2 Data link configuration and status:
    1. Check the session synchronization configuration. In the UI, navigate to Device > High Availability > HA communications, then click the gear icon in the HA2 settings to see whether the Enable Session Synchronization box is checked.
    2. Temporarily disabling session synchronization has helped resolve the issue in some cases, particularly after an upgrade and when the HA2 link takes a long time to come up.
    3. To disable session synchronization, uncheck "Enable Session Synchronization" and commit your changes to the firewall.
    4. Check the HA2 link state and, if it is down, work on bringing the link up:
      1. Check Physical Connections: In some cases, the culprit is a faulty or missing High-Speed Chassis Interconnect (HSCI) cable, which is used for HA synchronization. The issue could also be a faulty QSFP Plus module or the fiber cable connecting the HA2 ports.
      2. Verify Link Status: Check the HA2 or HSCI link status in the firewall logs.

        1. If HSCI interfaces are used, system logs might show the HSCI link as being down or flapping (intermittently up and down).

          > show log system direction equal backwards 
          Time                Severity Subtype Object  EventID ID Description
          =======================================================================================================
          2025/03/31 06:54:28 info     port    HSCI    link-ch 0  Port HSCI: Down 100Gb/s-full duplex
        2. Otherwise, system logs would show HA2 link down or flapping:
          Time                Severity Subtype                   Object EventID                   ID Description
          =======================================================================================================
          
          2025/09/29 16:25:03 info     ha                               ha2-link-change           0  HA2 link up
          2025/09/29 16:25:03 info     port                      HA2    link-change               0  Port HA2: Up   10Gb/s-full duplex
          2025/09/29 16:25:03 critical ha                               ha2-link-change           0  All HA2 links down
          2025/09/29 16:25:03 high     ha                               session-synch             0  HA Group 10: Ignoring session synchronization due to HA2-unavailable
          2025/09/29 16:25:03 critical ha                               ha2-link-change           0  HA2 link down
          2025/09/29 16:25:03 info     port                      HA2    link-change               0  Port HA2: Down 10Gb/s-full duplex
      3. Additionally, you can use the following CLI command to check the real-time status of the interfaces: 
        > show interfaces all
      4. Troubleshoot Hardware: To isolate the faulty component, you can swap the cables or modules between the firewall connectors and observe if the issue follows the component. If a part is identified as faulty, an RMA may be required to replace it. For more details, refer to How to troubleshoot physical port flap or link down issue.
      5. To prevent this issue from recurring, configure an HA2 backup link if one is not yet configured.
  2. Check for Software or Configuration Issues:
    1. After restoring the HA2 link and before re-enabling session synchronization, check for and eliminate every reason that could keep synchronization from completing.
    2. In some cases, a plugin mismatch between the firewalls in the HA pair has been observed to cause a firewall to get stuck in the initial state after a failover. Uninstalling the unneeded plugin on both firewalls in the HA pair resolved the problem.
    3. Software Version: The issue can be related to a specific software bug. In one instance, the problem was suspected to be related to a known issue that was resolved in a later PAN-OS version. Check the release notes for the firewall's PAN-OS version and look for any known issues related to an HA firewall getting stuck in the initial state.
  3. Perform the proper action to immediately restore the firewall to its healthy state: If the cause is not immediately apparent, a system restart can sometimes resolve the issue.
    1. Failover: If the affected firewall is the active firewall, you can manually fail over to the standby firewall to restore service while troubleshooting the primary device. On your primary/active firewall, go to Device > High Availability > Operational Commands in the GUI, then click Suspend local device for high availability. If the firewall in the initial state is passive or secondary, skip this step.
    2. As a last resort, if you are unable to resolve the issue otherwise, reboot the device from either the UI or the CLI in an attempt to restore its healthy state:
      1. For UI, navigate to Device > Setup > Operations, then click Reboot Device.
      2. For CLI, issue the CLI command:
        > request restart system
  4. If the issue persists, open a support case for further investigation.

ha_agent: The ha_agent is the High Availability agent process that runs on Palo Alto Networks firewalls. It is responsible for managing the High Availability (HA) state and connections between peer firewalls. 
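
The log check in step 1 can be scripted once the `show log system` output is saved to a text file. The following Python is an added example, not part of the original article or of any Palo Alto Networks tooling; the function name, the sample rows, and the flap thresholds (`flap_downs`, `window`) are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches data rows of `show log system` output in the layout shown on this page.
ROW = re.compile(r"^\s*(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.*)$")
PORT = re.compile(r"Port (HA2|HSCI): (Up|Down)\b")
SYNC_SKIPPED = "Ignoring session synchronization due to HA2-unavailable"

def analyze(lines, newest_first=True, flap_downs=2, window=timedelta(minutes=10)):
    """Summarize HA2/HSCI link events from system-log rows.

    flap_downs/window are assumed thresholds, not PAN-OS values: a port is
    reported as flapping when it logs >= flap_downs Down events inside window.
    """
    rows = [m.groups() for m in map(ROW.match, lines) if m]
    if newest_first:  # "direction equal backwards" prints newest entries first
        rows.reverse()
    downs = defaultdict(list)
    last_state, sync_skipped = {}, 0
    for ts, _severity, subtype, rest in rows:
        when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
        if SYNC_SKIPPED in rest:
            sync_skipped += 1
        port = PORT.search(rest)
        if subtype == "port" and port:
            name, state = port.groups()
            last_state[name] = state  # rows are chronological, so the last one wins
            if state == "Down":
                downs[name].append(when)
    flapping = sorted(
        name for name, times in downs.items()
        if any(times[i + flap_downs - 1] - times[i] <= window
               for i in range(len(times) - flap_downs + 1))
    )
    return {"last_state": last_state, "flapping": flapping, "sync_skipped": sync_skipped}

# Constructed sample rows in the page's log format (newest first).
SAMPLE = """\
2025/09/29 16:31:10 info     port   HA2    link-change      0  Port HA2: Up   10Gb/s-full duplex
2025/09/29 16:31:02 high     ha            session-synch    0  HA Group 10: Ignoring session synchronization due to HA2-unavailable
2025/09/29 16:31:02 info     port   HA2    link-change      0  Port HA2: Down 10Gb/s-full duplex
2025/09/29 16:25:09 info     port   HA2    link-change      0  Port HA2: Up   10Gb/s-full duplex
2025/09/29 16:25:03 info     port   HA2    link-change      0  Port HA2: Down 10Gb/s-full duplex
2025/03/31 06:54:28 info     port   HSCI   link-ch          0  Port HSCI: Down 100Gb/s-full duplex
""".splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A port whose last state is Down, or any non-zero `sync_skipped` count, indicates that the HA2 path should be fixed before session synchronization is re-enabled.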



Additional Information


For additional information, refer to the following knowledge base articles:

  • Firewall Stuck in Initial (Leaving Suspended State)
  • HA peer stuck in Initial (Waiting for state synchronization completion)
  • Firewall stuck at initial stage in a HA environment after configuring the group id via CLI

 


