Passive firewall displays zero session count

Created On 10/11/19 23:00 PM - Last Modified 07/30/20 02:00 AM


Symptom


When using the show session meter command, the passive firewall displays a session count of zero.
5260(passive)> show session meter
VSYS          Maximum         Current            Throttled
--------------------------------------------------------------------------------
1                   0          0                   0


Environment


  • All PAN-OS versions.
  • All Palo Alto Networks firewalls that support High Availability.
  • Active-Passive or Active-Active configured.


Cause


Link issues on HA2 port or high dataplane CPU may cause this issue.

Resolution


  1. Using the show session meter command, check whether the active firewall displays a session count while the passive firewall displays a count of 0.
5260(active)> show session meter
VSYS          Maximum         Current            Throttled
--------------------------------------------------------------------------------
1                   0          146557                    0

5260(passive)> show session meter
VSYS          Maximum         Current            Throttled
--------------------------------------------------------------------------------
1                   0          0                   0

  2. If the dataplane CPU is high, troubleshoot and resolve the high dataplane CPU.
  3. The HA2 link is responsible for synchronizing sessions from the active to the passive firewall. Troubleshoot link issues on the HA2 port:
    • Check for physical-layer issues such as a bad cable or a faulty HA2 port and resolve them.
    • Reboot the passive firewall.
  4. If the above steps fail, disable and re-enable config sync between the firewalls as follows.

  1. Disable config sync on both firewalls.
    GUI: Device > High Availability > General > Setup.
    Un-check the "Enable Config Sync" option on both devices.
    Commit on both firewalls.
  2. Suspend the passive firewall only.
    GUI: Device > High Availability > Operational Commands.
    Click "Suspend local device".
  3. Enable config sync on both devices.
    GUI: Device > High Availability > General > Setup.
    Check the "Enable Config Sync" option on both devices.
    Commit on both firewalls.
  4. Make the passive firewall functional again.
    GUI: Device > High Availability > Operational Commands.
    Click "Make local device functional".
    Commit.
  5. Check the session count on the passive firewall using the command show session meter.
  6. If the steps above fail and the session count on the passive firewall is still 0, contact TAC support for further assistance.
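The comparison in step 1 (active peer carrying sessions while the passive peer reports 0) can be automated when monitoring several HA pairs. The following Python check is an added example, not part of this article or of PAN-OS; it parses the show session meter output shown above (embedded here as constructed sample text) and flags any VSYS whose sessions are not being synchronized to the passive peer.

```python
import re
from typing import Dict, List

# Sample "show session meter" output, copied from the listings in this article
# and embedded here so the check runs offline (constructed sample input).
ACTIVE_OUTPUT = """VSYS          Maximum         Current            Throttled
--------------------------------------------------------------------------------
1                   0          146557                    0
"""

PASSIVE_OUTPUT = """VSYS          Maximum         Current            Throttled
--------------------------------------------------------------------------------
1                   0          0                   0
"""

# One data row: VSYS id followed by Maximum, Current and Throttled counters.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_session_meter(output: str) -> Dict[int, Dict[str, int]]:
    """Return {vsys: {"maximum", "current", "throttled"}} parsed from the CLI output."""
    meters: Dict[int, Dict[str, int]] = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip the header and separator lines
        vsys, maximum, current, throttled = (int(x) for x in m.groups())
        meters[vsys] = {"maximum": maximum, "current": current, "throttled": throttled}
    return meters


def find_unsynced_vsys(active_output: str, passive_output: str) -> List[int]:
    """VSYS ids where the active peer has sessions but the passive peer reports 0.

    A non-zero active count with a zero passive count is the symptom described
    in this article and points at the HA2 link or dataplane CPU.
    """
    active = parse_session_meter(active_output)
    passive = parse_session_meter(passive_output)
    unsynced = []
    for vsys, meter in active.items():
        passive_current = passive.get(vsys, {}).get("current", 0)
        if meter["current"] > 0 and passive_current == 0:
            unsynced.append(vsys)
    return unsynced


if __name__ == "__main__":
    bad = find_unsynced_vsys(ACTIVE_OUTPUT, PASSIVE_OUTPUT)
    if bad:
        print(f"Session sync to passive peer missing for VSYS {bad}: check HA2 link and dataplane CPU")
    else:
        print("Passive session counts track the active peer")
```

In practice the two strings would come from running show session meter on each peer (for example over SSH); the parser is the same.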

