High Availability setup not working - Error Contacting Peer HA Firewall

Description

This article describe one known issue when setting up a new High Availability Pair.

After configuring the HA on the primary firewall as per How to Configure High Availability (HA), the Primary firewall will show the message "Error Contacting Peer HA Firewall" ; "Cannot force failover: Peer's link status is worse than us"

Cause

This error might be related to  one of the following:

  • Version mismatched, both firewall Firewall doesn't have the same Firmware version.
  • You have a cabling issue. This means the standbys unit has less links that are up than the primary; Meaning: your standy unit has an interface that is down, but on the primary it's up.

  • Portshield enabled on the Secondary (Peer) Firewall's interfaces

  • Administration Password is not the default one or is not the same on both firewalls.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

  • Check the current SonicWall firewall firmware version

  1. Login to the SonicWall Management interface.
  2. Navigate to the Dashboard.
  3. Go to Overview | Device | General
  4. You will able to see the firmware version under General
    Image
  • Check the Portshield status on the Secondary (Peer) firewall's interfaces: How to disable Portshield
  • On the Primary firewall, change the Administration Password to the default one:
    1. Navigate to the Device Tab.
    2. Go to Settings| Administration Settings and scroll down to Administrator Name & Password
    3. Set a new password for the Administration that is identical to the Secondary administration password.

      CAUTION: It's highly suggested to use the default password since we assume the secondary is on factory default and so it's set to the default password as well.

After doing this, if everything is properly set up (control interface properly connected, serial numbers correct on HA configuration, and port shield disabled on the Secondary), the HA should start the process of synchronizing the configuration.

The Administration Password can be, of course, changed back to a custom one after the HA Pair is correctly synchronized.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

  • Check the current SonicWall firewall firmware version
    1. Login to the SonicWall Management interface.
    2. Navigate to the Monitor tab.
    3. Go to System Status.
    4. You will able to see the firmware version under System Information.
      Image
  • Check the Portshield status on the Secondary (Peer) firewall's interfaces: How to disable Portshield
  • On the Primary firewall, change the Administration Password to the default one:
    1. Navigate to the Manage tab
    2. Go to Appliance | Base Settings and scroll down to Administrator Name & Password
    3. Set a new password for the Administration that is identical to the Secondary administration password.

      CAUTION: It's highly suggested to use the default password since we assume the secondary is on factory default and so it's set to the default password as well.

After doing this, if everything is properly set up (control interface properly connected, serial numbers correct on HA configuration, and port shield disabled on the Secondary), the HA should start the process of synchronizing the configuration.

The Administration Password can be, of course, changed back to a custom one after the HA Pair is correctly synchronized.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

  • Check the Portshield status on the Secondary (Peer) firewall's interfaces: How to disable Portshield
  • On the Primary firewall, change the Administration Password to the default one:
    1. Go to System | Administration and scroll down to Administrator Name & Password
    2. Set a new password for the Administration that is identical to the Secondary administration password.

       CAUTION: It's highly suggested to use the default password since we assume the secondary is on factory default and so it's set to the default password as well.

After doing this, if everything is properly set up (control interface properly connected, serial numbers correct on HA configuration, and port shield disabled on the Secondary), the HA should start the process of synchronizing the configuration.

The Administration Password can be, of course, changed back to a custom one after the HA Pair is correctly synchronized.

Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
NSa Series
High Availability
Firewalls
SonicWall NSA Series
High Availability
Firewalls
SonicWall SuperMassive 9000 Series
High Availability
Firewalls
TZ Series
High Availability
not finding your answers?
Ask the Community