06/26/2023
Description
The “License of HA Pair doesn’t match” or “HA License Sync Error” log message will repeat every 15 minutes if licensing of the Primary and Backup firewalls is not equivalent. This message is intended to alert the firewall administrator that not all services configured on the Primary will be active on the Backup firewall.
For example: The error message may occur if the number of Network Anti-Virus licenses are different on the Primary and Backup appliances, or, if the Primary has Content Filtering Service (CFS) but the Backup does not, there will be no CFS functionality if the Backup becomes the active firewall.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Step 1: Synchronize the licenses on both the devices.
Log into the Backup SonicWall’s unique LAN IP address. The management interface should now display Logged Into: Secondary Device in the upper left corner. If all licenses are not already synchronized with the Primary unit, follow these steps:
- Navigate to the Device | Settings | Licenses page and click Synchronize in the upper right corner.
- From the Device | Diagnostics | DNS Name Lookup page, use the “Lookup Name or IP” option to see if the DNS servers listed in the SonicWall WAN Interface are resolving the license manager URL “licensemanager.SonicWall.com” on both units.
TIP: If the DNS servers are not resolving, try changing the DNS IP addresses on the SonicWall WAN Interface and then try to synchronize the licenses. - If the backup unit is not registered, navigate to the Device | Settings | Licenses page and register the SonicWall security appliance on mySonicWall.com. This allows the SonicWall licensing server to synchronize the licenses.
TIP: If the DNS servers are not resolving, try changing the DNS IP addresses on the SonicWall WAN Interface and then try to synchronize the licenses.Step 2: Verify the licenses on www.mySonicWall.com
To use the High Availability feature, you must register both the SonicWall appliances on mySonicWall.com as Associated Products.
- Both appliances must be the same SonicWall model,
- Must be registered under the same mySonicWall.com user account,
- And must be separately licensed for SonicOS Enhanced.
NOTE: The SonicOS Enhanced license is not shareable between the primary and the backup appliances. Both appliances must be licensed separately.
Verify the HA Secondary device on mySonicWall.com account:
- Login to your www.mySonicWall.com account.
- Go to My Products | Product Management.
- Click on the Primary UTM appliance (e.g. TZ 670) and scroll down to Associated Products section.
- Click on High Availability Secondary and ensure that the Serial number of device matches with the Backup SonicWall entry on the Devices | High Availability | Settings page of your Primary SonicWall appliance.
Please Note that the backup appliance of your high availability pair is referred to as the HA Secondary unit on mySonicWall.com. After the appliances are associated as an HA Pair, they can share licenses.
Step 3: Adding secondary UTM appliance under the HA pair on mySonicWall.com
If you have not registered/Associated the HA Secondary device on the mySonicWall.com, follow these steps:
- Associating an Appliance at First Registration on MySonicWall for High Availability
- Associating a New Unit to a Pre-Registered Appliance on MySonicWall for High Availability
Registering the Secondary/Backup UTM appliance from the SonicWall Management Interface
Important: After registering new SonicWall appliances on mySonicWall.com, you must also register the backup appliance from the SonicOS management interface while logged into its individual management IP address. This allows the backup unit to synchronize with the SonicWall license server (licensemanager.SonicWall.com) and share licenses with the associated primary appliance.
Step 4: Accessing the Secondary UTM appliance and Synchronizing the Licenses
On the Device |High Availability | Monitoring page, you can configure unique management IP addresses for both units in the HA Pair which allows you to log in to each unit independently for management purposes. See also Configuring High Availability Monitoring settings
Also you can configure Logical/Probe IP address for SonicWall to monitor a reliable device on one or more of the connected networks. Failure to periodically communicate with the device by the Active unit in the HA Pair will trigger a failover to the Idle unit. If neither unit in the HA Pair can connect to the device, no action will be taken.
NOTE: The Primary IP Address and Backup IP Address fields must be configured with independent IP addresses on a LAN interface, such as X0, (or a WAN interface, such as X1, for probing on the WAN) to allow logical probing to function correctly.
In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity. Typically, this should be a downstream router or server. (If probing is desired on the WAN side, an upstream device should be used.) The Primary and Backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWall appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.
Step 5: Try to synchronize the licenses again on both the devices.
Step 6: You may also try to upgrade the firmware to the latest version and try to synchronize the licenses again.
See also How can I upgrade firmware on a High Availability (Hardware Failover) Pair?
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Step 1: Synchronize the licenses on both the devices.
Log into the Backup SonicWall’s unique LAN IP address. The management interface should now display Logged Into: Backup SonicWall Status: (green ball) Active in the upper right corner. If all licenses are not already synchronized with the Primary unit, follow these steps:
- Navigate to the Manage | Licenses page and click Synchronize.
- From the Investigate | Tools | System Diagnostics page, use the “DNS Name Lookup” option under Diagnostic Tool drop down menu to see if the DNS servers listed in the SonicWall WAN Interface are resolving the license manager URL “licensemanager.SonicWall.com” on both units. TIP: If the DNS servers are not resolving, try changing the DNS IP addresses on the SonicWall WAN Interface and then try to synchronize the licenses.
- If the backup unit is not registered, navigate to the Manage | Licenses page and register the SonicWall security appliance on mySonicWall.com. This allows the SonicWall licensing server to synchronize the licenses.
Step 2: Verify the licenses on www.mySonicWall.com
To use the High Availability feature, you must register both the SonicWall appliances on mySonicWall.com as Associated Products.
- Both appliances must be the same SonicWall model,
- Must be registered under the same mySonicWall.com user account,
- And must be separately licensed for SonicOS Enhanced.
NOTE: The SonicOS Enhanced license is not shareable between the primary and the backup appliances. Both appliances must be licensed separately.
Verify the HA Secondary device on mySonicWall.com account:
- Login to your www.mySonicWall.com account.
- Go to My Products | Product Management.
- Click on the Primary UTM appliance (e.g. TZ 600) and scroll down to Associated Products section.
- Click on High Availability Secondary and ensure that the Serial number of device matches with the Backup SonicWall entry on the Manage | High Availability | Base Setup | HA Devices page of your Primary SonicWall appliance.
Please Note that the backup appliance of your high availability pair is referred to as the HA Secondary unit on mySonicWall.com. After the appliances are associated as an HA Pair, they can share licenses.
Step 3: Adding secondary UTM appliance under the HA pair on mySonicWall.com
If you have not registered/Associated the HA Secondary device on the mySonicWall.com, follow these steps:
- Associating an Appliance at First Registration on MySonicWall for High Availability
- Associating a New Unit to a Pre-Registered Appliance on MySonicWall for High Availability
Registering the Secondary/Backup UTM appliance from the SonicWall Management Interface
Important: After registering new SonicWall appliances on mySonicWall.com, you must also register the backup appliance from the SonicOS management interface while logged into its individual management IP address. This allows the backup unit to synchronize with the SonicWall license server (licensemanager.SonicWall.com) and share licenses with the associated primary appliance.
Step 4: Accessing the Secondary UTM appliance and Synchronizing the Licenses
On the Manage |High Availability | Monitoring Settings page, you can configure unique management IP addresses for both units in the HA Pair which allows you to log in to each unit independently for management purposes. See also Configuring High Availability Monitoring settings.
Also you can configure Logical/Probe IP address for SonicWall to monitor a reliable device on one or more of the connected networks. Failure to periodically communicate with the device by the Active unit in the HA Pair will trigger a failover to the Idle unit. If neither unit in the HA Pair can connect to the device, no action will be taken.
NOTE: The Primary IP Address and Backup IP Address fields must be configured with independent IP addresses on a LAN interface, such as X0, (or a WAN interface, such as X1, for probing on the WAN) to allow logical probing to function correctly.
In the Logical Probe IP Address field, enter the IP address of a downstream device on the LAN network that should be monitored for connectivity. Typically, this should be a downstream router or server. (If probing is desired on the WAN side, an upstream device should be used.) The Primary and Backup appliances will regularly ping this probe IP address. If both can successfully ping the target, no failover occurs. If neither can successfully ping the target, no failover occurs, because it is assumed that the problem is with the target, and not the SonicWall appliances. But, if one appliance can ping the target but the other appliance cannot, failover will occur to the appliance that can ping the target.
Step 5: Try to synchronize the licenses again on both the devices.
Step 6: You may also try to upgrade the firmware to the latest version and try to synchronize the licenses again.
See also How to upgrade Firmware on a High Availability (Hardware Failover) Pair
Related Articles
- How can I block Anydesk application using Application Control feature in Sonicwall
- ‘Application Signature List’ type match object does not appear under App list in route policy configuration.
- How to enable logging for SonicPoint?