After upgrading one device in the HA group, the device is unable to become active and the dashboard reports the status as: suspended (Peer version too old).
Environment
PA firewalls are in Active/Passive HA. One of the HA peers is being upgraded.
Cause
The device has been upgraded to a version at least two feature releases away from the peer device in the HA group.
Resolution
When upgrading an HA group, each version upgrade has to be performed on both devices in the HA group before upgrading to the next version.
For simplicity, assume Firewall-A is on version 10.1.2 and Firewall-B is on 9.1.7. If Firewall-A is in the suspended state with the dashboard showing "Peer version too old":
1. Either upgrade Firewall-B to a 10.0.x version, which will cause downtime because Firewall-A is in the suspended state.
2. Or downgrade Firewall-A to a 10.0.x version, then upgrade Firewall-B to the same 10.0.x version, and then continue to upgrade both to version 10.1.2.
Note: With option 2, downtime can be minimised because once Firewall-A is downgraded to a 10.0.x version, the firewall will join the HA and traffic failover can be done.
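
The following pre-upgrade check is an added example, not vendor code: it flags a peer pair that is more than one feature release apart and lists the option 2 sequence for the versions used above. The release order in FEATURE_RELEASES is assumed from the versions named in this article, and the function names are hypothetical.

```python
# Added example, not vendor code. Release order is taken from the versions
# named in this article; extend the list for your own environment (assumption).
FEATURE_RELEASES = ["9.1", "10.0", "10.1"]


def release_index(version):
    """Map a version such as '10.1.2' to its position in FEATURE_RELEASES."""
    feature = ".".join(version.split(".")[:2])
    if feature not in FEATURE_RELEASES:
        raise ValueError(f"unknown feature release: {feature}")
    return FEATURE_RELEASES.index(feature)


def peers_compatible(version_a, version_b):
    """True when the peers are at most one feature release apart."""
    return abs(release_index(version_a) - release_index(version_b)) <= 1


def plan_steps(version_a, version_b, target):
    """Return (action, device, release) steps that keep the peers within one
    feature release of each other at every stage (option 2 in the article)."""
    pos = {"Firewall-A": release_index(version_a),
           "Firewall-B": release_index(version_b)}
    goal = release_index(target)
    steps = []
    # Peers too far apart: bring the newer one back to one release above the older.
    ahead, behind = sorted(pos, key=pos.get, reverse=True)
    if pos[ahead] - pos[behind] > 1:
        pos[ahead] = pos[behind] + 1
        steps.append(("downgrade", ahead, FEATURE_RELEASES[pos[ahead]] + ".x"))
    # Step both peers up one feature release at a time, older peer first.
    while min(pos.values()) < goal:
        device = min(pos, key=pos.get)
        pos[device] += 1
        steps.append(("upgrade", device, FEATURE_RELEASES[pos[device]] + ".x"))
    return steps


if __name__ == "__main__":
    # Versions from the article's example: Firewall-A 10.1.2, Firewall-B 9.1.7.
    print("compatible:", peers_compatible("10.1.2", "9.1.7"))
    for step in plan_steps("10.1.2", "9.1.7", "10.1.2"):
        print(*step)
```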