How to fix Secondary Firewall (HA Pair) connection issue with NSM

Description

When a High Availability Pair(HA Pair) is onboarded in NSM, the Primary Firewall gets synced and connected but the Secondary Firewall shows not connected under Zero Touch Status.

Resolution

In certain instances, when an HA Pair gets acquired on NSM, Primary Zero Touch Status shows up as "Connected" but Secondary as "Disconnected".

We could see the following error messages for Disconnected Zero Touch Status for secondary firewall in NSM:

  • Auth code missing or connection authentication failed.
  • no Zero touch heartbeat response.
  • ZT status for Secondary Standby unit shows "Unknown" in NSM.

 

Steps to troubleshoot for the following error messages:

1. Auth code missing or connection authentication failed or missing license keyset:

Image

 

  •  To fix this issue, Reset Licenses and Security Services Info from diag page of Primary(Active) firewall. This will reset license on secondary firewall as well.

URL for diag page for Gen6 firewalls: https://x.x.x.x/diag.html

URL for diag page for Gen7 firewalls: https://x.x.x.x/sonicui/7/m/diag

CAUTION: Gen 7 firewall will reboot as soon as we Click "Reset Licenses and Security Services Info" in diag. Make sure to do this activity during maintenance window.

 

  •  After the license reset is completed, register both primary and secondary firewall separately.

If issue persists after license reset and re register, contact SonicWall Technical Support.

  

2. no Zero touch heartbeat response OR ZT status for Secondary Standby unit shows "Unknown" in NSM.

 

Image

 

 

 Image

 

  • Make sure that HA monitoring IPs are configured either on X0 interface or X1 interface for both Primary and Secondary.
  • If Wan Failover and Load Balancing is configured on the firewall like Round Robin or Ratio etc, make sure to Enable the "Use Source and Destination IP Address Binding" so that Zero Touch connectivity uses only one wan connection.
  • Check and make sure “Check Network Connectivity” tests from Device->Diagnostics from standby secondary firewall is successful.
  • If network connectivity fails from Standby firewall, packet capture needs to be done in order to troubleshoot the issue further. Contact SonicWall Technical Support.

 

Ideal Zero Touch Status for Primary and Secondary Firewall in NSM should show like this:

Image

 

 

 

 

 

 

Related Articles

  • NSM On-Prem: Backups over SCP to Windows OpenSSH Server
    Read More
  • How to Reconfigure Reporting and Analytics on NSM
    Read More
  • NSM On-Prem Reporting Server configuration
    Read More

Categories

Management and Reporting
Network Security Manager
not finding your answers?
Ask the Community
Chat