Anti-Virus version does not match" on HA Firewalls Configured with the Same Update Schedule"
Resolution
Symptom
When both High Availability (HA) firewalls are configured to run scheduled antivirus updates at the same time and day, the antivirus versions between them are out of sync for a brief period of time. System logs are generated on the firewalls when each firewall realizes that its antivirus database version is different from the version on the peer firewall.
System logs will also be generated if one of the HA firewalls is configured to check for updates and sync the update to it's peer, while the other firewall is configured not to check for updates.
Note: The same can occur for Content or Application & Threat updates. Antivirus is typically noticed more often because it is more frequently updated.
For example:
Both HA firewall peers are configured to check for Antivirus updates at 06:15 AM every day and Content updates at 06:30 AM every Wednesday. Below are the relevant system logs seen by one of the firewalls:
| Receive Time | Type | Event | Severity | Description |
| 8/10/2013 06:23:15 AM | ha | peer-version-match | informational | HA Group 1: Anti-Virus version now matches |
| 8/10/2013 06:22:46 AM | general | general | informational | Antivirus update job succeeded for user Auto update agent |
| 8/10/2013 06:22:44 AM | ha | peer-version-match | high | HA Group 1: Anti-Virus version does not match |
| 8/10/2013 06:16:30 AM | general | general | informational | Antivirus package upgraded from version 1075-1498 to 1076-1499 by Auto update agent |
| 8/10/2013 06:15:22 AM | general | general | informational | Antivirus version 1076-1499 downloaded by Auto update agent |
| . | . | . | . | . |
| . | . | . | . | . |
| 8/7/2013 06:36:46 AM | ha | peer-version-match | informational | HA Group 1: Threat Content version now matches |
| 8/7/2013 06:36:46 AM | ha | peer-version-match | informational | HA Group 1: Application Content version now matches |
| 8/7/2013 06:36:19 AM | general | general | informational | Content update job succeeded for user Auto update agent |
| 8/7/2013 06:36:17 AM | ha | peer-version-match | high | HA Group 1: Threat Content version does not match |
| 8/7/2013 06:36:17 AM | ha | peer-version-match | high | HA Group 1: Application Content version does not match |
| 8/7/2013 06:30:25 AM | general | general | informational | Content version 387-1893 downloaded by Auto update agent |
Cause
No matter what schedule is specified, there will be a period of time that the HA pair of firewalls have different database versions fully installed. For the brief timeframe that the versions are different, the HA checks may determine this state an generate a "does not match" log entry.
Note: If email alerts are configured to send only higher severity system logs, such as high and critical, then emails will only be received for the system log entries for the non-matching situation. The system log entries that indicate when the versions match again are informational logs.
owner: astanton