en-US
search-icon

Knowledge Base

HA: The Log Shows "Error - High Availability - License of HA Pair doesn't match" or "HA License Sync

Description

HA: The Log Shows "Error - High Availability - License of HA Pair doesn't match" or "HA License Sync Error" with Hardware Failover (HF) on SonicOS Enhanced

Resolution

Problem Definition:

The "License of HA Pair doesn't match" or "HA License Sync Error" log message will repeat every 15 minutes if licensing of the Primary and Backup firewalls is not equivalent. This message is intended to alert the firewall administrator that not all services configured on the Primary will be active on the Backup firewall.

For example: The error message may occur if the number of Network Anti-Virus licenses are different on the Primary and Backup apliances, or, if the Primary has Content Filtering Service (CFS) but the Backup does not, there will be no CFS functionality if the Backup becomes the active firewall.

 


Resolution or Workaround:

 

Step 1: Synchronize the licenses on both the devices.

Log into the Backup SonicWall’s unique LAN IP address. The management interface should now display Logged Into: Backup SonicWall Status: (green ball) Active in the upper right corner. If all licenses are not already synchronized with the Primary unit, follow these steps:

  • Navigate to the System > Licenses page, scroll down to the bottom of the page and click on Synchronize button

    Image
  • From the System > Diagnostics page, use the "DNS Name Lookup" option to see if the DNS servers listed in the SonicWall WAN Interface are resolving the license manager URL "licensemanager.SonicWall.comon both units.

Refer KBID 6008 - UTM: How to use "DNS Name Lookup" diagnostic tool to resolve Name Servers?

TIP: If the DNS servers are not resolving, try changing the DNS IP addresses on the SonicWall WAN Interface and then try to synchronize the licenses.

  • If the backup unit is not register navigate to the System > Licenses page and register this SonicWall security appliance on mySonicWall.com. This allows the SonicWall licensing server to synchronize the licenses.

Step 2: Verify the licenses on www.mySonicWall.com

To use the High Availability feature, you must register both the SonicWall appliances on mySonicWall.com as Associated Products.

  • Both appliances must be the same SonicWall model,
  • Must be registered under the same mySonicWall.com user account,
  • And must be separately licensed for SonicOS Enhanced.

Note: The SonicOS Enhanced license is not shareable between the primary and the backup appliances. Both appliances must be licensed separately.

Verify the HA Secondary device on mySonicWall.com account:

a. Login to your www.mySonicWall.com account.
b. Go to My Products > Product Management.
c. Click on the Primary UTM appliance (e.g. NSA 240) and scroll down to Associated Products section.
d. Click on High Availability Secondary and ensure that the Serial number of device matches with the Backup SonicWall entry on the High Availability > Settings page of your Primary SonicWall appliance.

Please Note that the backup appliance of your high availability pair is referred to as the HA Secondary unit on mySonicWall.com. After the appliances are associated as an HA Pair, they can share licenses. 

Image

Step 3: Adding secondary UTM appliance under the HA pair on mySonicWall.com

If you have not registered/Associated the HA Secondary device on the mySonicWall.com, follow these steps:

• "Associating an Appliance at First Registration" refer KBID 6233
“Associating Pre-Registered Appliances” refer KBID 6235 
“Associating a New Unit to a Pre-Registered Appliance” refer KBID 6236

Registering the Secondary/Backup UTM appliance from the SonicWall Management Interface

Important: After registering new SonicWall appliances on mySonicWall.com, you must also register the backup appliance from the SonicOS management interface while logged into its individual management IP address. This allows the backup unit to synchronize with the SonicWall license server (licensemanager.SonicWall.com) and share licenses with the associated primary appliance.

Step 4: Accessing the Secondary UTM appliance and Synchronizing the Licenses

On the High Availability > Monitoring page, you can configure unique management IP addresses for both units in the HA Pair which allows you to log in to each unit independently for management purposes.

Refer KBID 7803: UTM - HA: Configuring High Availability > Monitoring settings

Also you can configure Logical/Probe IP address for SonicWall to monitor a reliable device on one or more of the connected networks. Failure to periodically communicate with the device by the Active unit in the HA Pair will trigger a failover to the Idle unit. If neither unit in the HA Pair can connect to the device, no action will be taken.

Note: The Primary IP Address and Backup IP Address fields must be configured with independent IP addresses on a LAN interface, such as X0, (or a WAN interface, such as X1, for probing on the WAN) to allow logical probing to function correctly.

Image

In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity. Typically, this should be a downstream router or server. (If probing is desired on the WAN side, an upstream device should be used.) The Primary and Backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWall appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.

Step 5: Try to synchronize the licenses again on both the devices.

Step 6: You may also try to upgrade the firmware to the latest version and try to synchronize the licenses again.

 


Resolution for SonicOS 6.5 and Later

SonicOS 6.5 was released September 2017. This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 and later firmware.

Problem Definition:

The "License of HA Pair doesn't match" or "HA License Sync Error" log message will repeat every 15 minutes if licensing of the Primary and Backup firewalls is not equivalent. This message is intended to alert the firewall administrator that not all services configured on the Primary will be active on the Backup firewall.

For example: The error message may occur if the number of Network Anti-Virus licenses are different on the Primary and Backup apliances, or, if the Primary has Content Filtering Service (CFS) but the Backup does not, there will be no CFS functionality if the Backup becomes the active firewall.

 


Resolution or Workaround:

 

Step 1: Synchronize the licenses on both the devices.

Log into the Backup SonicWall’s unique LAN IP address. The management interface should now display Logged Into: Backup SonicWall Status: (green ball) Active in the upper right corner. If all licenses are not already synchronized with the Primary unit, follow these steps:

  • Navigate to the Manage | Licenses page, scroll down to the bottom of the page and click on Synchronize button

    Image
  • From the System > Diagnostics page, use the "DNS Name Lookup" option to see if the DNS servers listed in the SonicWall WAN Interface are resolving the license manager URL "licensemanager.SonicWall.comon both units.

Refer KBID 6008 - UTM: How to use "DNS Name Lookup" diagnostic tool to resolve Name Servers?

TIP: If the DNS servers are not resolving, try changing the DNS IP addresses on the SonicWall WAN Interface and then try to synchronize the licenses.

  • If the backup unit is not register navigate to the System > Licenses page and register this SonicWall security appliance on mySonicWall.com. This allows the SonicWall licensing server to synchronize the licenses.

Step 2: Verify the licenses on www.mySonicWall.com

To use the High Availability feature, you must register both the SonicWall appliances on mySonicWall.com as Associated Products.

  • Both appliances must be the same SonicWall model,
  • Must be registered under the same mySonicWall.com user account,
  • And must be separately licensed for SonicOS Enhanced.

Note: The SonicOS Enhanced license is not shareable between the primary and the backup appliances. Both appliances must be licensed separately.

Verify the HA Secondary device on mySonicWall.com account:

a. Login to your www.mySonicWall.com account.
b. Go to My Products > Product Management.
c. Click on the Primary UTM appliance (e.g. TZ 600) and scroll down to Associated Products section.
d. Click on High Availability Secondary and ensure that the Serial number of device matches with the Backup SonicWall entry on the High Availability | Base Setup | HA Devices page of your Primary SonicWall appliance.

Please Note that the backup appliance of your high availability pair is referred to as the HA Secondary unit on mySonicWall.com. After the appliances are associated as an HA Pair, they can share licenses. 

Image

Step 3: Adding secondary UTM appliance under the HA pair on mySonicWall.com

If you have not registered/Associated the HA Secondary device on the mySonicWall.com, follow these steps:

• "Associating an Appliance at First Registration" refer KBID 6233
“Associating Pre-Registered Appliances” refer KBID 6235 
“Associating a New Unit to a Pre-Registered Appliance” refer KBID 6236

Registering the Secondary/Backup UTM appliance from the SonicWall Management Interface

Important: After registering new SonicWall appliances on mySonicWall.com, you must also register the backup appliance from the SonicOS management interface while logged into its individual management IP address. This allows the backup unit to synchronize with the SonicWall license server (licensemanager.SonicWall.com) and share licenses with the associated primary appliance.

Step 4: Accessing the Secondary UTM appliance and Synchronizing the Licenses

On the High Availability > Monitoring page, you can configure unique management IP addresses for both units in the HA Pair which allows you to log in to each unit independently for management purposes.

Refer KBID 7803: UTM - HA: Configuring High Availability | Monitoring settings

Also you can configure Logical/Probe IP address for SonicWall to monitor a reliable device on one or more of the connected networks. Failure to periodically communicate with the device by the Active unit in the HA Pair will trigger a failover to the Idle unit. If neither unit in the HA Pair can connect to the device, no action will be taken.

Note: The Primary IP Address and Backup IP Address fields must be configured with independent IP addresses on a LAN interface, such as X0, (or a WAN interface, such as X1, for probing on the WAN) to allow logical probing to function correctly.

Image

In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity. Typically, this should be a downstream router or server. (If probing is desired on the WAN side, an upstream device should be used.) The Primary and Backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWall appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.

Step 5: Try to synchronize the licenses again on both the devices.

Step 6: You may also try to upgrade the firmware to the latest version and try to synchronize the licenses again.