How to Recover the Firewall in A/A HA pair from a Tentative State

> show high-availability all

> show high-availability all
    Group 10: SSP Active/Active HA Primary configuration
    Mode: Active-Active
    Local Information:
    Version: 1
    Mode: Active-Active
    State: tentative (last 7 hours)
    State Reason: Link down. <<<

1. The various reasons why a firewall in an A/A HA goes into a tentative State are listed here:
   • Link down
   • Path down
   • Waiting for state synchronization completion
   • Slot mismatches: x y
   • Slot failures: x
   • Slot x: slot down: brdagent exiting
2. The remediation steps for each of these causes are listed below:
   • Link down:
     1. Verify the HA link group configuration and confirm that the correct physical interfaces are included for monitoring. In the UI, navigate to Device > High Availability > Link and Path Monitoring.
     2. Check physical connectivity, cabling, and interface status for all ports in the link group. For more information, refer to How to troubleshoot physical port flap or link down issue. 
     3. Review system logs and HA event logs for interface-related errors or flapping conditions. In the UI, navigate to Monitor > Logs > System.
   • Path down:
     1. Verify that the destination IP addresses being monitored are reachable and appropriate for detecting meaningful upstream failure.
   • Waiting for state synchronization completion:
     1. Ensure the HA2 (data link) connection is up and functioning correctly, as this is critical for session synchronization.
     2. Verify that configuration synchronization is enabled and that there are no mismatches, such as different PAN-OS versions, or mismatched settings for features like Multi-VSYS, GTP, or SCTP.
     3. In some cases, the firewall may appear "stuck" but is actually processing a large amount of state information. It might return to a normal state on its own after a few minutes.
   • Slot mismatches: x y:
     1. Log in to each firewall in HA and check the status of the card in slot x using the CLI command: 

        > show chassis status

     2. If the card in slot x is supposed to be up and is not showing as "Up", verify that it is properly seated and reseat it if necessary.
     3. If the issue persists, open a support case for further investigation.
   • Slot failures: x:
     1. Check the status of the firewall's line cards by reviewing System Logs and using the CLI Command: 

        > show chassis status

     2. For the PA-5450 NC card, refer to PA-5400 Series Firewall Networking Card (NC) Troubleshooting Commands. For PA-7000 and PA-7500 series NPC cards, refer to PA-7000 Series Firewall Network Processing Card (NPC) Troubleshooting Commands. 
     3. Reseat the card, keeping in mind that some line cards cannot be reseated with the chassis powered on. Please adhere to the documented procedures. Refer to "Replace a PA-5400 Series Firewall Front Slot Card" for PA-5450 and "Replace a PA-7000 Series Firewall Front Slot Card" for PA-7000 and PA-7500 series and search for the proper link depending on the type of card to know which cards need to have the chassis powered off prior to reseating them. 
     4. If the card remains in a failure state, collect a Tech support file, export a device-state, then power cycle the firewall during a maintenance window.
     5. If the card is still in a failure state, open a support case to begin the investigation on this issue.
         For more guidance on this issue, follow the steps in Commands to verify Line Card Failures.