Palo Alto HA

What Is HA Synchronization?

Version 8

This post explains the information that is synchronized between cluster members, and is applicable for both Active-Passive and Active-Active deployments.


Control Plane Synchronization over HA1 Link

  • Configuration: Configuration changes made on either the active or the passive unit are synchronized to the peer device.
  • Tabs Synchronized: Policy, Objects and Network

Dataplane Synchronization over HA2 Link

  • Session states
  • IPSec SAs
  • Routing tables
  • ARP tables

Objects Not Synchronized

  • Device tab: any configuration that is specific to a device, such as the management configuration in Setup and High Availability, is not synchronized.
  • Application Command Center (ACC) and log data are not synchronized.

CLI commands to perform a commit sync manually

  • Synchronize Running Configuration

> request high-availability sync-to-remote running-config

  • Force the system to synchronize objects that are not saved as part of the system configuration, for example custom block and logon pages. This process operates over the HA control link.

> request high-availability sync-to-remote disk-state

  • Manually sync the runtime session state. This is normally done automatically, but if needed this command can be executed to force synchronization of the session table.

> request high-availability sync-to-remote runtime-state


Active to Passive Configuration Sync Failing for High Availability

Version 3


The active to passive configuration synchronization is failing between the HA pair of Palo Alto Networks devices.



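The issue may be caused by a Jumbo Frame settings mismatch. The Jumbo Frame option is set on the Device tab, which is not synchronized, while interface MTU values on the Network tab are, so an interface MTU above 1500 fails to commit on a peer that does not have jumbo frames enabled. On the passive firewall, check the status of the HA-Sync job: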

> show jobs id 280


Enqueued             ID   Type     Status  Result  Completed
2013/03/20 11:59:35  280  HA-Sync  FIN     FAIL    12:00:01

Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed


The HA-Sync error message, as shown above, indicates the problem.



Configure both the active and the passive Palo Alto Networks firewalls with the Jumbo Frame setting enabled. In the example above, the passive firewall needs to have Jumbo Frame enabled.

  1. Go to Device > Setup > Session.
  2. In the Session Settings section, check the Enable Jumbo Frame option.
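
The triage described above can be run over saved CLI output. This is an added example, not code from the original post or from Palo Alto Networks: it parses the `show jobs id` text quoted earlier and reports which interface triggered the jumbo-frame error. The function names and cause labels are hypothetical, and the sample input is constructed from the output shown in the post.

```python
import re

# Constructed sample: the HA-Sync job output quoted in the post.
SAMPLE_JOB_OUTPUT = """\
Enqueued             ID   Type     Status  Result  Completed
2013/03/20 11:59:35  280  HA-Sync  FIN     FAIL    12:00:01
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed
"""

# Job row: enqueue date and time, job id, type, status, result, completion time.
ROW_RE = re.compile(
    r"^(?P<enqueued>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<id>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<status>\S+)\s+(?P<result>\S+)\s+(?P<completed>\S+)$"
)
# The commit error from the post that points at a jumbo-frame mismatch.
JUMBO_RE = re.compile(
    r"not in jumbo-frame mode but interface (?P<ifname>\S+) mtu is greater than \d+")

def parse_job(text):
    """Return the job row as a dict, with the detail lines that follow it."""
    job, details = None, []
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            job = m.groupdict()
        elif job is not None and line:  # skip header, blanks; keep details
            details.append(line.removeprefix("Details:"))
    if job is None:
        raise ValueError("no job row found in output")
    job["details"] = details
    return job

def diagnose_ha_sync(text):
    """Classify an HA-Sync job: not-failed, jumbo-frame-mismatch, other-failure."""
    job = parse_job(text)
    if job["type"].lower() != "ha-sync":
        raise ValueError(f"job {job['id']} is {job['type']}, not HA-Sync")
    if job["result"] != "FAIL":
        return {"job": job["id"], "cause": "not-failed", "interfaces": []}
    hits = [m.group("ifname") for d in job["details"] if (m := JUMBO_RE.search(d))]
    cause = "jumbo-frame-mismatch" if hits else "other-failure"
    return {"job": job["id"], "cause": cause, "interfaces": hits}

if __name__ == "__main__":
    print(diagnose_ha_sync(SAMPLE_JOB_OUTPUT))
```

A `jumbo-frame-mismatch` result names the interfaces whose MTU the peer rejected, which is the cue to compare the Enable Jumbo Frame setting on both firewalls.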


