Path Monitoring for a Static Route Causing Configuration Validation Error in HA Active/Active Setup.

Created On 11/18/19 10:02 AM - Last Modified 01/05/21 03:11 AM


Symptom


  • Configuring static route path monitoring on the Active-Primary firewall causes a configuration validation error on the Active-Secondary firewall (and vice versa) in an HA Active/Active setup.
  • CLI Output:
Validation Error:
 network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source '1.1.10.2/25' is not an allowed keyword
 network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source '1.1.10.2/25' is not a valid reference
 network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source is invalid
  • WebUI Output: 
     User-added image
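
The three CLI lines above all refer to the same monitor destination. As an added example (not Palo Alto Networks code), the Python below parses validation output of that shape and groups it per virtual router, static route and monitor destination, so each affected path monitor is listed once. The line layout is assumed from the output shown on this page, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the validation lines from the CLI output on this page.
SAMPLE = """\
Validation Error:
 network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source '1.1.10.2/25' is not an allowed keyword
 network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source '1.1.10.2/25' is not a valid reference
 network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source is invalid
"""

# Assumed layout (taken from the lines above, not from vendor documentation):
# network -> virtual-router -> <vr> -> routing-table -> ip -> static-route
#   -> <route> -> path-monitor -> monitor-destinations -> <dest> -> source ['<ip>'] <reason>
PATH_RE = re.compile(
    r"^\s*network -> virtual-router -> (?P<vr>.+?) -> routing-table -> ip -> "
    r"static-route -> (?P<route>.+?) -> path-monitor -> monitor-destinations -> "
    r"(?P<dest>.+?) -> source(?: '(?P<source>[^']*)')? (?P<reason>.+?)\s*$"
)


def parse_path_monitor_errors(text):
    """Group path-monitor validation lines by (vr, route, monitor destination)."""
    grouped = defaultdict(lambda: {"source": None, "reasons": []})
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if not m:
            continue  # header line or a validation error about something else
        entry = grouped[(m["vr"], m["route"], m["dest"])]
        if m["source"]:
            entry["source"] = m["source"]  # the quoted source address, when present
        entry["reasons"].append(m["reason"])
    return dict(grouped)


def report(text):
    """Return one summary line per affected monitor destination."""
    return [
        f"vr={vr} route={route} monitor={dest} source={e['source']} errors={len(e['reasons'])}"
        for (vr, route, dest), e in sorted(parse_path_monitor_errors(text).items())
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```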


Environment


  • Firewalls in High Availability Active/Active Setup. 


Cause




Resolution


Follow one of the options below to resolve the issue:
  • Disable the "VR Sync" option in the High Availability Active/Active setup, as shown in the picture below.
Note: Disabling this option means that none of the "Virtual-Router" configuration is synchronized between the HA devices, so it has to be configured separately on both devices.

     User-added image
  • Do not configure static route path monitoring in an HA Active/Active setup if you want "VR Sync" to be enabled.

