Convert SD-WAN enabled Standalone Panorama to Panorama HA
Workflow for converting an SD-WAN enabled Panorama management server to a Panorama HA
peer for specific SD-WAN plugin versions.
You can convert a standalone Panorama management server to an HA peer. This
lets you convert two standalone Panorama servers into active and passive Panorama HA
peers that form an HA cluster.
Follow this workflow to convert an SD-WAN enabled Panorama management server to a
Panorama HA peer.
Use this workflow when your Panorama management server is installed with one of the
following SD-WAN plugin versions:
- SD-WAN plugin version 2.2.7 or above
- SD-WAN plugin version 3.0.8 or above
- SD-WAN plugin version 3.2.2 or above
- SD-WAN plugin version 3.3.2 or above
- Select Panorama > Managed Devices > Summary and Export the CSV file from the standalone deployed Panorama management server.
- Bring up the new Panorama management server.
  - Bring up the new Panorama management server with the same OS version as the primary active firewall.
  - Configure the management IP address.
  - Install all the required plugins, application version, and antivirus version, matching those on the primary active firewall.
  - Execute the commit force CLI command to commit the changes forcefully.
- Configure the IP address for the newly deployed Panorama as the second IP address of Panorama in the Panorama settings (under device template of the devices managed by standalone Panorama), commit the configuration changes, and push the changes to all the devices.
- Configure high availability on the standalone deployed Panorama management server.
  - Select Panorama > High Availability > Setup and configure the IP address and serial number of the newly deployed Panorama.
  - Select Panorama > High Availability > Election Settings, disable Preemptive, and set the priority as primary.
  - Commit the configuration changes.
- Configure high availability on the newly deployed Panorama management server.
  - Select Panorama > High Availability > Setup and configure the IP address and serial number of the standalone Panorama, which is already managing the network.
  - Select Panorama > High Availability > Election Settings, disable Preemptive, and set the priority as secondary.
  - Commit the configuration changes.
- After committing the HA configuration on the newly deployed Panorama, the Panorama will be added to the HA cluster. Initially, the running configuration won’t be in synchronization and the configuration differences (if any) will be displayed in the high availability dashboard. You must fix the configuration differences by installing the correct version of the application, antivirus, SD-WAN plugin, or any other Panorama plugin.
- When you attempt to synchronize the running configuration from active Panorama to passive Panorama, it fails the first time. Panorama throws the following synchronization error when the running configuration synchronization failure occurs. Even though the synchronization fails, the authentication key (auth-key), template, and device group are synchronized on the passive Panorama. You can verify this by refreshing the passive Panorama web interface. After the refresh, the Templates and Device Groups tabs are displayed on the passive Panorama. Delete all the duplicate entries present under No device group assigned.
- Select Panorama > High Availability > Operational Commands and Suspend local Panorama for high availability to suspend the newly deployed Panorama management server.
- Copy all the serial numbers in the Serial Number column of the active firewall's CSV (exported in step 1).
- Add the serial numbers in the newly deployed Panorama as follows. Adding the serial number does not generate the authentication key (auth-key) and does not perform the commit operation on passive Panorama.
- After adding the firewalls, wait for all the firewalls to show the same status (connected or disconnected) as on the active Panorama. Once the status of the firewalls added to the new Panorama is the same as on the active Panorama, make the device functional again (by selecting Make local Panorama functional for high availability from Panorama > High Availability > Operational Commands), and delete all the duplicate entries present under No device group assigned.
- Execute the debug plugins sd_wan mongo-db sync-db-to-peer CLI command from the active Panorama HA peer. If you get a sync-in-progress result after running the command, restart the configd process on the active Panorama HA peer using the debug software restart process configd CLI command.
- Reconnect the active Panorama and execute debug plugins sd_wan mongo-db sync-db-to-peer again. The following result indicates that the active and passive Panorama Mongo databases are in synchronization.
- Synchronize the running configuration from active Panorama to passive Panorama, which synchronizes all the configuration from active Panorama to passive Panorama. After synchronizing the Panorama HA peers successfully, verify the details of both active and passive Panorama in the high availability dashboard.
- Execute the debug plugins sd_wan mongo-db sync-status CLI command to get the Mongo database status.
- Perform force commit on passive Panorama.
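
The serial-number and status comparison in the steps above (copy the Serial Number column from the step 1 CSV, then wait until firewall status on the new Panorama matches the active Panorama) can be checked offline before making the suspended peer functional again. The following is an added example, not Palo Alto Networks code: it assumes a second CSV has been exported from the newly deployed Panorama, and the "Device State" column name is an assumption to adjust to your export.

```python
import csv
import io

SERIAL_COL = "Serial Number"   # column named in the workflow
STATE_COL = "Device State"     # assumed column name; adjust to your export


def load_devices(csv_text):
    """Map serial -> state; a multi-vsys device may span rows, first row wins."""
    devices = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        serial = (row.get(SERIAL_COL) or "").strip()
        if not serial:
            continue  # skip blank or summary rows
        devices.setdefault(serial, (row.get(STATE_COL) or "").strip().lower())
    return devices


def reconcile(active_csv, passive_csv):
    """Compare the active export with the newly deployed Panorama's export."""
    active, passive = load_devices(active_csv), load_devices(passive_csv)
    common = set(active) & set(passive)
    return {
        "missing_on_passive": sorted(set(active) - set(passive)),
        "unexpected_on_passive": sorted(set(passive) - set(active)),
        "state_mismatch": sorted(s for s in common if active[s] != passive[s]),
    }


def ready_to_resume(report):
    """True only when no serial is missing, unexpected, or in a different state."""
    return not any(report.values())


# Constructed sample exports (not real serial numbers).
ACTIVE_CSV = """Device Name,Serial Number,Device State
branch-1,000000000001,Connected
branch-1,000000000001,Connected
branch-2,000000000002,Disconnected
hub-1,000000000003,Connected
"""
PASSIVE_CSV = """Device Name,Serial Number,Device State
branch-1,000000000001,Connected
branch-2,000000000002,Connected
"""

if __name__ == "__main__":
    report = reconcile(ACTIVE_CSV, PASSIVE_CSV)
    print(report, "ready:", ready_to_resume(report))
```

An empty report means every firewall from the active export is present on the new Panorama with the same status; any non-empty list names the serial numbers to fix first.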