Issue
In High Availability (HA), management settings are not synchronized to the peer device, so inconsistencies in the management settings can produce sync errors. This document reviews two different scenarios: one with HA sync failures caused by a certificate error, and the other caused by a mismatched domain name.
Scenario One
Changes have been made on the active HA device: an SSL certificate to be used for the WebGUI was imported. From the active device the user attempts to Sync to Peer, but the HA-Sync job on the HA peer fails.
Symptoms
When looking at the failed 'HA-Sync' job ID on the HA peer, you will see output similar to the following:
admin@PAN-FW1> show jobs id x
HA-Sync FIN FAIL x
Warnings:
Details:Error: can't find cert 'your_cert' for vsys 1
(Module: device)
Commit failed
The reason for this error is that, although management settings are not synchronized, they are verified. In this scenario, as synchronization takes place the firewall checks the certificate settings on the HA peer and the sync fails because the SSL certificate referenced by the configuration does not exist there.
Resolution
Export the certificate from the active device and select the option to export the private key. Import the SSL certificate on the HA peer.
Be sure to name the certificate exactly as it was named on the active device and configure exactly the same usage as well. If the certificate is used for the WebGUI, be sure that usage is selected, as shown below:
Scenario Two
Because management settings are not synchronized between HA pairs, synchronization will fail due to mismatched domain name settings.
Symptoms
When trying to sync the active device with the HA peer, you receive a failure message similar to the output below. Running the command > less mp-log ha_agent.log shows similar output:
Warnings:
Details:Error:Domain Name Invalid
(Module: device)
Commit failed
Resolution
It is important to understand that management settings are not replicated to the HA peer, so configuration settings such as "Domain Name" must match before synchronization. If for some reason these settings differ, the sync will fail. It is also important to look at the ha_agent.log on both devices to gain insight into the failure; this can be done by running the following command: > less mp-log ha_agent.log
To correct this, go to Device > Setup, click Management and enter a domain name that exactly matches that of the peer to be synced with, as shown below:
Once complete the HA Pair will synchronize successfully.
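As an added example (not from the original article or from Palo Alto Networks), the following Python helper covers both scenarios above: it classifies the failed HA-Sync job output into the two causes described, and pre-checks the management settings that the article says must match before a sync. The job output and the settings dictionaries are constructed inputs, not data read from a device.

```python
import re

# Patterns for the two HA-Sync failure messages covered in this article.
MISSING_CERT_RE = re.compile(r"can't find cert '(?P<cert>[^']+)' for vsys (?P<vsys>\d+)")
DOMAIN_INVALID_RE = re.compile(r"Domain Name Invalid")

# Constructed samples mirroring the 'show jobs id' output from the peer.
SAMPLE_CERT_FAILURE = """HA-Sync FIN FAIL 42
Warnings:
Details:Error: can't find cert 'your_cert' for vsys 1
(Module: device)
Commit failed"""

SAMPLE_DOMAIN_FAILURE = """HA-Sync FIN FAIL 43
Warnings:
Details:Error:Domain Name Invalid
(Module: device)
Commit failed"""


def classify_sync_failure(job_output):
    """Classify HA-Sync job output: 'ok', 'missing_cert', 'domain_name' or 'unknown'."""
    if "FAIL" not in job_output:
        return {"cause": "ok"}
    m = MISSING_CERT_RE.search(job_output)
    if m:
        return {"cause": "missing_cert", "cert": m.group("cert"), "vsys": int(m.group("vsys"))}
    if DOMAIN_INVALID_RE.search(job_output):
        return {"cause": "domain_name"}
    return {"cause": "unknown"}


def precheck_management_settings(active, peer):
    """Compare non-synced management settings of two HA members (constructed dict format:
    {"domain": "...", "certs": {"name": {"usage": ["webgui"]}}}). Returns a list of mismatches."""
    issues = []
    if active.get("domain") != peer.get("domain"):
        issues.append(f"domain name mismatch: active={active.get('domain')!r} peer={peer.get('domain')!r}")
    for name, spec in active.get("certs", {}).items():
        peer_spec = peer.get("certs", {}).get(name)
        if peer_spec is None:
            issues.append(f"certificate {name!r} missing on peer (import it under the same name)")
        elif sorted(peer_spec.get("usage", [])) != sorted(spec.get("usage", [])):
            issues.append(f"certificate {name!r} usage differs between active and peer")
    return issues


# Constructed settings for a pair whose peer has neither the cert nor the same domain.
ACTIVE = {"domain": "corp.example", "certs": {"your_cert": {"usage": ["webgui"]}}}
PEER = {"domain": "corp-old.example", "certs": {}}

if __name__ == "__main__":
    print(classify_sync_failure(SAMPLE_CERT_FAILURE))
    for issue in precheck_management_settings(ACTIVE, PEER):
        print("pre-sync check:", issue)
```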
owner: jperry