topic HA Pair - peer version too old in General Topics

HA Pair - peer version too old

JimMcGrady — Thu, 17 Oct 2024 13:47:46 GMT

I have two hardware gateways in a HA pair running 9.1.19. Ive upgraded one to 10.0 and then to 10.1.14. It now complains that the HA 'peer version is too old' and it has suspended HA. If i suspend HA on the remaining 9.1 gateway, HA doesnt activate on the 10.1 gateway. If i suspend the 9.1 gateway and try to manually "make local device functional for HA" on 10.1, it still wont enable.

How can i get 10.1 to become the active member while i update the remaining 9.1 member?

Re: HA Pair - peer version too old

Brandon_Wertz — Thu, 17 Oct 2024 15:09:44 GMT

@JimMcGrady wrote:

I have two hardware gateways in a HA pair running 9.1.19. Ive upgraded one to 10.0 and then to 10.1.14. It now complains that the HA 'peer version is too old' and it has suspended HA. If i suspend HA on the remaining 9.1 gateway, HA doesnt activate on the 10.1 gateway. If i suspend the 9.1 gateway and try to manually "make local device functional for HA" on 10.1, it still wont enable.

How can i get 10.1 to become the active member while i update the remaining 9.1 member?

I would disconnect any data interfaces on your 9.1 FW and also disconnect your HA connections between both FWs. Your Active firewall running 10.1.14 will continue to function as your active firewall.

With your 9.1 FW now fully isolated you should still be able to access the firewall via the management connection. In this disconnected state the firewall should let you upgrade it to 10.1.14 matching your active one. I would also ensure dynamic updates match the current active as well. Once this is completed connect your HA-1 connection let things normalize, then connect your HA-2 link and let things normalize. Your current active should still stay active with the other firewall in a HA paired state, but down (non-functional) due to the data links still disconnected. Now reconnect your datalinks to the passive firewall. Shortly there after both firewalls should be in a healthy HA A/P state.

All of these steps should be in a maintenance window.

--edit-- in the future I wouldn't recommend going so far in software version between firewalls. Keep them only 1 revision apart.

Re: HA Pair - peer version too old

JimMcGrady — Fri, 18 Oct 2024 03:24:27 GMT

Thanks for the suggestion. Meanwhile, i reinstalled a recent 10.0 version on the 10.1 gateway to try and resolve the issue. It did in that HA is now happy. However Panorama is now disconnected. I gather that is because 10.1 introduced a more secure link between Panorama and gateway. Since i have reverted to 10.0, that is no longer applicable.

How would i reconnect Panorama to the now-10.0 gateway without impacting the working active 9.1 HA member?

EDIT: It turns out the 10.0 version i used is just a bit too old to receive the cert renewal that was recently done for Panorama. Ive applied the most recent 10.0 and that fixed the connection.