Replace the SD-WAN enabled Panorama HA Peer

Workflow for replacing a faulty or nonfunctional SD-WAN enabled Panorama management server in an HA cluster for specific SD-WAN plugin versions.
Where Can I Use This?
  • NGFW (managed by PAN-OS or Panorama)
What Do I Need?
  • SD-WAN plugin version 2.2.7 or above
  • SD-WAN plugin version 3.0.8 or above
  • SD-WAN plugin version 3.2.2 or above
  • SD-WAN plugin version 3.3.2 or above
The Return Merchandise Authorization (RMA) process allows you to replace a failed or malfunctioning SD-WAN-enabled Panorama HA peer with a new, or a functional reused, Panorama HA peer in the HA cluster. A device can fail or malfunction for a number of reasons, such as a chip failure, a misconfiguration, or daily wear and tear. If a device becomes unusable, follow the RMA process to ensure it is replaced correctly.
Before Starting the RMA Process
Since SD-WAN configurations—such as IPSec gateways and key IDs—are tied to the device serial number, you must update the replacement firewall’s serial number to avoid commit failures. Determine whether your SD-WAN configuration includes IPSec or VPN object references to the old firewall by following these steps:
  1. Configure Firewalls and Export Data.
    1. Configure the faulty firewall (to be replaced) as a secondary passive firewall, and set the other firewall as the primary active firewall.
    2. After configuring the faulty firewall as secondary passive, shut it down and remove it from the network configuration.
    3. In Panorama, go to Managed Devices > Summary and export the CSV file from the active firewall.
  2. Configure the new Panorama management server.
    1. Install the same OS version as the primary active firewall.
    2. Configure the same IP address as the old secondary passive firewall.
    3. Install the same plugins, application version, and antivirus version as on the primary active firewall.
    4. Run the commit force CLI command to force a commit of the changes.
  3. Configure High Availability (HA).
    1. On the primary active firewall:
      1. Update the HA peer serial number with the new Panorama serial number.
      2. Navigate to Panorama > High Availability > Election Settings, disable Preemptive, set the priority to primary (if not already configured), and commit the changes.
    2. On the newly deployed Panorama management server:
      1. Navigate to Panorama > High Availability > Election Settings, disable Preemptive, set the priority to secondary, and commit the changes.
    3. Once HA is committed, the new Panorama joins the HA cluster. Initially, the running configuration will not be synchronized, and differences will appear in the HA dashboard.
    4. Address the configuration differences by ensuring the correct versions of applications, antivirus, SD-WAN plugins, and any other required plugins are installed.
  4. Resolve initial synchronization issues.
    1. Synchronization from active to passive Panorama will fail initially, showing an error message.
      Despite the failure, the authentication key (auth-key), templates, and device groups will be synchronized.
    2. Verify the synchronization by refreshing the passive Panorama web interface. The Templates and Device Groups tabs should now be visible.
    3. Delete any duplicate entries under "No device group assigned".
  5. Configure Serial Numbers and Finalize Panorama Setup.
    1. Suspend the new Panorama management server by going to Panorama > High Availability > Operational Commands and selecting Suspend local Panorama for high availability.
    2. Copy the serial numbers from the previously exported CSV file and add them to the newly deployed Panorama.
      Adding serial numbers does not generate the authentication key or trigger a commit.
    3. Wait for all firewalls to reflect their connection status (connected/disconnected) as seen in the active Panorama.
    4. Once the statuses match, make the new Panorama functional by selecting Make local Panorama functional for high availability from Panorama > High Availability > Operational Commands.
  6. Synchronize Databases.
    1. Run the following synchronization command on the active Panorama HA peer:
      debug plugins sd_wan mongo-db sync-db-to-peer
      If the result shows sync-in-progress, restart the configd process using:
      debug software restart process configd
    2. Reconnect the active Panorama and rerun the synchronization command. If successful, the active and passive Panorama Mongo databases will be synchronized.
  7. Synchronize and Verify.
    1. Synchronize the running configuration from active Panorama to passive Panorama to apply all settings.
    2. Verify both active and passive Panorama details in the HA dashboard.
    3. Check the Mongo database status by running:
      debug plugins sd_wan mongo-db sync-status
    4. Perform a force commit on the passive Panorama to finalize the setup.