Panorama commit fails with error "The devices [X, Y] are both in active state, active-active ha state is not supported with sdwan"

Created On 11/12/25 13:32 PM - Last Modified 01/21/26 04:15 AM


Symptom


  • Commit operations on Panorama fail with the error message "Failed to validate sdwan plugin configuration: The devices [X, Y] are both in active state, active-active ha state is not supported with sdwan"
  • The error occurs because Panorama detects both HA firewalls in the "Active" state, even when one of them is disconnected from Panorama





Environment


  • Panorama managed Firewalls
  • High Availability (HA) configured on Firewalls
  • Active/Passive
  • SD-WAN plugin versions 3.0.8, 3.1.3, 3.3.3-h1, 2.2.7, 3.2.4 and below


Cause


  • Panorama does not actively poll or verify the HA status of firewalls, relying instead on status updates from the managed devices. 
  • If a firewall becomes unresponsive or unreachable, it fails to send its updated HA state to Panorama. 
  • As a result, Panorama incorrectly perceives the device as active, producing an apparent dual-active situation, and the SD-WAN plugin currently blocks commits in that state.
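
The condition described above, as an added example (not Palo Alto Networks code): it separates an HA pair whose dual-active report rests on a disconnected member's last known state from a pair where both connected members report active. The record layout, field names and serials are constructed for illustration and are not Panorama output.

```python
# Added example. The inventory below is constructed sample data; the field
# names (serial, peer, ha_state, connected) are assumptions, not a Panorama format.
DEVICES = [
    {"serial": "FW-A1", "peer": "FW-A2", "ha_state": "active", "connected": True},
    {"serial": "FW-A2", "peer": "FW-A1", "ha_state": "active", "connected": False},
    {"serial": "FW-B1", "peer": "FW-B2", "ha_state": "active", "connected": True},
    {"serial": "FW-B2", "peer": "FW-B1", "ha_state": "passive", "connected": True},
    {"serial": "FW-C1", "peer": "FW-C2", "ha_state": "active", "connected": True},
    {"serial": "FW-C2", "peer": "FW-C1", "ha_state": "active", "connected": True},
]


def classify_pairs(devices):
    """Return {(serial_a, serial_b): verdict} for every HA pair in the inventory.

    Verdicts:
      ok                     - at most one member is recorded as active
      stale-state-suspected  - both recorded active, but at least one member is
                               disconnected, so its state is only the last report
      dual-active-reported   - both members are connected and both report active
    """
    by_serial = {d["serial"]: d for d in devices}
    verdicts = {}
    for dev in devices:
        peer = by_serial.get(dev["peer"])
        if peer is None:
            continue  # peer is not in the inventory; nothing to compare
        pair = tuple(sorted((dev["serial"], peer["serial"])))
        if pair in verdicts:
            continue  # already classified from the other member
        both_active = dev["ha_state"] == "active" and peer["ha_state"] == "active"
        if not both_active:
            verdicts[pair] = "ok"
        elif dev["connected"] and peer["connected"]:
            verdicts[pair] = "dual-active-reported"
        else:
            verdicts[pair] = "stale-state-suspected"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in sorted(classify_pairs(DEVICES).items()):
        print(pair, verdict)
```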


Resolution


  1. Reconnect the affected firewall to Panorama, which updates its state and clears the active-active status.
  2. For a permanent fix, upgrade the SD-WAN plugin to version 2.2.8, 3.0.9, 3.1.4, 3.2.5, 3.3.4 or 3.3.3-h2, 3.2.4-h1, which provide a warning instead of blocking commits during a perceived dual-active state.


Additional Information


Removing the firewalls from the SD-WAN VPN cluster allows commit operations to succeed.
