App version mismatch

L2 Linker

App version mismatch

Hi All,

My dashboard shows a "App Version Mismatch" in a HA setup. The active is supposed to download the app version and sync it to the passive.

To confound the issue as per the following the "active" firewall is running the older version causing the mismatch:

admin@(active)> show high-availability all | match Application

      Application Content: 327-1497

      Application Content Compatibility: Mismatch

      Application Content: 328-1503

However the following shows active is running the latest version:

admin@(active)> show system info | match app-version

app-version: 328-1503

So HA is saying the active firewall is running a older app version than it actually is. Any hints on how to go about correcting this situation?

Many thanks!

L2 Linker

Re: App version mismatch

Also how does the App-mismatch impact HA? Does this mean session states are no longer being synced?

L6 Presenter

Re: App version mismatch

Can you say the output of just the "show system info" of both the active device and passive device ?.

And regarding the question of what is the impact of the app version mismatch ? - its not going to stop the session sync. Its just the differences in the app versions will not sync means if the newer version has new apps or modified apps the older version will not have that and will behave in a different manner.

Thanks,

Sandeep T

Highlighted
L2 Linker

Re: App version mismatch

Well just had TAC look into it. They restarted the management plane which fixed the issue.

The reason we believe was due to insufficient resource in the management plane at the time of the update.

Thanks Sandeep for your help.

L6 Presenter

Re: App version mismatch

Which hardware model did this occur on?

Not applicable

Re: App version mismatch

We're having the same problem. Is it possible to restart the management plane without contacting support?

L6 Presenter

Re: App version mismatch

you can restart management server yourself. Its not going to cause any traffic interruption. You can do this via command "debug software restart management-server". Once you do this you will be logged out of the device, please re login and check if that resolved the issue.

Sandeep T

L6 Presenter

Re: App version mismatch

Is this really true?

I mean if you use userid and a new user tries to setup a session then this user will not be allowed until mgmtplane is back on track and can answer the dataplane which user is using the specific ip (which the dataplane then will case for the TTL one have set)?

Also if using SSL-termination then SSL-based traffic will be blocked (new sessions) because the MITM cert is being created by the mgmtplane on some models (at least on the PA2000-series)?

And finally you will lose log-entries during the time mgmtplane is offline?

So already established traffic shouldnt be affected, but new sessions might be affected (depending on if you use userid and/or ssl-termination).

L0 Member

Re: App version mismatch

Restarting the management plane did not work for.!!

For the peer that is behind and is erroring when attempting a manual install:

A bit drastic but I read somewhere on the KB that backing up your configuration, reinstalling the PAN OS then installing the AV or App threat update will fix it.

Not applicable

Re: App version mismatch

Restarting the management plane worked for us and we didn't notice any interruptions.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!