Path Monitoring for a Static Route Causing Configuration Validation Error in HA Active/Active Setup.
Created On 11/18/19 10:02 AM - Last Modified 01/05/21 03:11 AM
Symptom
- Configuring static route path monitoring on the Active-Primary firewall causes a configuration validation error on the Active-Secondary firewall (and vice versa) in an HA Active/Active setup.
- CLI Output:
Validation Error:
network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source '1.1.10.2/25' is not an allowed keyword
network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source '1.1.10.2/25' is not a valid reference
network -> virtual-router -> default -> routing-table -> ip -> static-route -> Default-Route -> path-monitor -> monitor-destinations -> Internet-Route -> source is invalid
- WebUI Output:
Environment
- Firewalls in High Availability Active/Active Setup.
Cause
- When "VR Sync" is enabled in a High Availability Active/Active setup, all Virtual-Router configuration, including static route path monitoring, is synchronized to the HA peer device.
- https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/reference-ha-synchronization/what-settings-dont-sync-in-activeactive-ha
Resolution
Follow one of the options below to resolve the issue:
- Disable the "VR Sync" option in the High Availability Active/Active setup, as shown in the picture below.
- If you want "VR Sync" to be enabled, do not configure static route path monitoring in the HA Active/Active setup.