App and Threat Compatibility MisMatch

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

App and Threat Compatibility MisMatch

L3 Networker

Hey there,

I have 2 PA-500's currently on:

Software Version6.0.2
GlobalProtect Agent1.2.3
Application version461-2402 (10/14/14)
Threat Version461-2402 (10/14/14)
Antivirus Version1391-1863 (10/13/14)
URL Filtering version4392

Software Version6.0.2
GlobalProtect Agent1.2.3
Application version461-2402 (10/14/14)
Threat Version461-2402 (10/14/14)
Antivirus Version1391-1863 (10/13/14)
URL Filtering version4392

App VersionMismatch
Threat VersionMismatch

From what I can tell they are on the same version ( I know my GP version is outdated...)

My question is how come its stating mismatch when they are matched? From this it states to add the passive MAC to the internal/trust interface of the active PA..

Which I don't understand when the ARPing for the Management subnet is handled by a different device in our network design.. (No firewall, just direct routing between the "internal" subnet of the PA and the "management" subnet)

They can ping each other just fine via their separate mgmt IP's, so I don't see what this would accomplish..

Ideas? Thoughts? Suggestions?

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi Zewwy,

It seems either management server is busy on both or one of the pair. They had same version but that informaiton is not able to process for some reason. Can you please run following on both device and paste the output here :

show system resources | match srvr

If you notice number around 1 gig for mgmtsrvr, so ahead and restart management server on both peer.

debug software restart management-server  (this will not impact your production traffic, it will restart the management server process responsible for HA communication)

Hope this helps. Thank you.

View solution in original post

9 REPLIES 9

L5 Sessionator

Hi Zewwy,

It seems either management server is busy on both or one of the pair. They had same version but that informaiton is not able to process for some reason. Can you please run following on both device and paste the output here :

show system resources | match srvr

If you notice number around 1 gig for mgmtsrvr, so ahead and restart management server on both peer.

debug software restart management-server  (this will not impact your production traffic, it will restart the management server process responsible for HA communication)

Hope this helps. Thank you.

L6 Presenter

Hi Zewwy,

Possibly its happening because of mgmt utilization, however before that I would like to see "show system info" output for both the units.

Quick fix would be to restart management server. you can use command "debug software restart management-serve". It will not impact data plane which actually passes the traffic.

Regards,

Hardik Shah

On active plane:

show system resources | match srvr

2762       20   0  261m  94m 9.8m S    0 10.3   1191:01 devsrvr

2763       20   0 1111m  97m 4060 S    0 10.6   1170:49 mgmtsrvr

passive:

show system resources | match srvr
2805       20   0  266m  59m 7552 S    0  6.5   1098:12 devsrvr
2806       20   0  842m 190m 3680 S    0 20.8   1083:52 mgmtsrvr

Thanks so much for the replies so fast too! But looks like both planes aren't over utilitzed, I'll attempt a mgmt reset on both using the supplied restart command and reply the results!

Thanks again!

Active is running high on management plane as suspected and passive is running high as well.

Please go ahead and restart managmenet server on both device and see if that fixes the issue. Thank you.

Hi Zewwy,

Active box mgmt process is on 1 Gb utilization, which is definitely significant.

Active:

2762       20   0  261m  94m 9.8m S    0 10.3   1191:01 devsrvr

2763       20   0 1111m  97m 4060 S    0 10.6   1170:49 mgmtsrvr >>>>>>>>>>>>>>>>>>1 Gb utilization.

Passive:

2805       20   0  266m  59m 7552 S    0  6.5   1098:12 devsrvr

2806       20   0  842m 190m 3680 S    0 20.8   1083:52 mgmtsrvr >>>>>>>>>>>>>>>>>>Close to 1 Gb


Active passive both are close to 1 Gb, I would also suggest to restart management server.

debug software restart management-serve


Regards,

Hardik Shah

Well I reset both, I wasn't sure if there was a specific order, so I restart them pretty much at the same time.. not sure if that was a bad thing...

Cause now I can log into the passive device and it shows the versions as matched, but every-time I attempt to log into the active on either via the internal IP, or direct via its mgmt IP, it jjust replies "Connecting to Management Server failed."

Do I have to reboot its mgmt service again?!?!

Since active was running high, give it some more time. Traffic should be flowing normally however. Try in another 5 minutes and see if you are able to log in. Thank you.

Hi Zewwy,

I am glad atleast first issue is resolved. Order doesnt matter, but I suggest not to restart management server together on both the units.

Reboot is always a last option. Wait for 10 more minutes, see if it restores on its own.

If it doesnt than restart management server again.That should help.

Regards,

Hardik Shah

Thank you both ssharma, and hshah!!

Went for lunch and when I attempted to log in, it worked as you guys described. Thanks again for your prompt replies and suggestions! Much appreciated!

  • 1 accepted solution
  • 7006 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!