HA Sync Job Fails on Passive Firewall when NetFlow Profile applied on Active Firewall

HA Sync Job Fails on Passive Firewall when NetFlow Profile applied on Active Firewall

10714
Created On 04/29/19 11:28 AM - Last Modified 12/04/19 22:42 PM


Symptom


The Netflow profile is applied on the active firewall and committed successfully. When the config is synced to the passive firewall, the HA Sync job fails with the below error: 
Error: NetFlow profile NetFlow-Profile used on interface ethernet1/3 without a valid service-route
(Module: device)
Commit failed

Screenshot showing the error:
Screenshot showing the error

Environment


PA-5200 Series firewalls
PA-7000 Series firewalls

Cause


This could happen when only on PA-7000 and PA-5200 platforms when the custom service route is not configured (to use data interface) for Netflow service. A Custom Service Route specifying a data port must be configured for NetFlow. The service route can be global or per-vsys. Service router configuration does not get synced over HA.

Resolution


STEP 1: Navigate to Device > Setup > Services of the passive firewall
STEP 2: Click Service Route Configuration
STEP 3: Under Services, click Netflow and select the required interface (has to be data interface)
STEP 4: Commit the changes on the passive firewall
STEP 5: Do a manual configuration synchronization by navigating to the Dashboard in the High Availability widget, click Sync to peer

Additional Information


For additional information, please view the following references:
https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000CySSAA0&field=Attachment_1__Body__s
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLnCAK
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PLqL&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Choose Language