This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

App and Threat Compatibility MisMatch

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

App and Threat Compatibility MisMatch

Go to solution
Zewwy
L3 Networker

‎10-15-2014 09:36 AM

Hey there,

I have 2 PA-500's currently on:

Software Version6.0.2
GlobalProtect Agent1.2.3
Application version461-2402 (10/14/14)
Threat Version461-2402 (10/14/14)
Antivirus Version1391-1863 (10/13/14)
URL Filtering version4392

Software Version6.0.2
GlobalProtect Agent1.2.3
Application version461-2402 (10/14/14)
Threat Version461-2402 (10/14/14)
Antivirus Version1391-1863 (10/13/14)
URL Filtering version4392

App VersionMismatch
Threat VersionMismatch

From what I can tell they are on the same version ( I know my GP version is outdated...)

My question is how come its stating mismatch when they are matched? From this it states to add the passive MAC to the internal/trust interface of the active PA..

Which I don't understand when the ARPing for the Management subnet is handled by a different device in our network design.. (No firewall, just direct routing between the "internal" subnet of the PA and the "management" subnet)

They can ping each other just fine via their separate mgmt IP's, so I don't see what this would accomplish..

Ideas? Thoughts? Suggestions?

Labels:
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
ssharma
L5 Sessionator

‎10-15-2014 09:43 AM

Hi Zewwy,

It seems either management server is busy on both or one of the pair. They had same version but that informaiton is not able to process for some reason. Can you please run following on both device and paste the output here :

show system resources | match srvr

If you notice number around 1 gig for mgmtsrvr, so ahead and restart management server on both peer.

debug software restart management-server  (this will not impact your production traffic, it will restart the management server process responsible for HA communication)

Hope this helps. Thank you.

View solution in original post

0 Likes Likes
9 REPLIES 9

Go to solution
ssharma
L5 Sessionator

‎10-15-2014 09:43 AM

Hi Zewwy,

It seems either management server is busy on both or one of the pair. They had same version but that informaiton is not able to process for some reason. Can you please run following on both device and paste the output here :

show system resources | match srvr

If you notice number around 1 gig for mgmtsrvr, so ahead and restart management server on both peer.

debug software restart management-server  (this will not impact your production traffic, it will restart the management server process responsible for HA communication)

Hope this helps. Thank you.

0 Likes Likes

Go to solution
hshah
L6 Presenter

‎10-15-2014 09:51 AM

Hi Zewwy,

Possibly its happening because of mgmt utilization, however before that I would like to see "show system info" output for both the units.

Quick fix would be to restart management server. you can use command "debug software restart management-serve". It will not impact data plane which actually passes the traffic.

Regards,

Hardik Shah

0 Likes Likes

Go to solution
Zewwy
L3 Networker
In response to hshah

‎10-15-2014 10:00 AM

On active plane:

show system resources | match srvr

2762       20   0  261m  94m 9.8m S    0 10.3   1191:01 devsrvr

2763       20   0 1111m  97m 4060 S    0 10.6   1170:49 mgmtsrvr

passive:

show system resources | match srvr
2805       20   0  266m  59m 7552 S    0  6.5   1098:12 devsrvr
2806       20   0  842m 190m 3680 S    0 20.8   1083:52 mgmtsrvr

Thanks so much for the replies so fast too! But looks like both planes aren't over utilitzed, I'll attempt a mgmt reset on both using the supplied restart command and reply the results!

Thanks again!

0 Likes Likes

Go to solution
ssharma
L5 Sessionator
In response to Zewwy

‎10-15-2014 10:01 AM

Active is running high on management plane as suspected and passive is running high as well.

Please go ahead and restart managmenet server on both device and see if that fixes the issue. Thank you.

0 Likes Likes

Go to solution
hshah
L6 Presenter
In response to Zewwy

‎10-15-2014 10:05 AM

Hi Zewwy,

Active box mgmt process is on 1 Gb utilization, which is definitely significant.

Active:

2762       20   0  261m  94m 9.8m S    0 10.3   1191:01 devsrvr

2763       20   0 1111m  97m 4060 S    0 10.6   1170:49 mgmtsrvr >>>>>>>>>>>>>>>>>>1 Gb utilization.

Passive:

2805       20   0  266m  59m 7552 S    0  6.5   1098:12 devsrvr

2806       20   0  842m 190m 3680 S    0 20.8   1083:52 mgmtsrvr >>>>>>>>>>>>>>>>>>Close to 1 Gb


Active passive both are close to 1 Gb, I would also suggest to restart management server.

debug software restart management-serve


Regards,

Hardik Shah

0 Likes Likes

Go to solution
Zewwy
L3 Networker
In response to hshah

‎10-15-2014 10:15 AM

Well I reset both, I wasn't sure if there was a specific order, so I restart them pretty much at the same time.. not sure if that was a bad thing...

Cause now I can log into the passive device and it shows the versions as matched, but every-time I attempt to log into the active on either via the internal IP, or direct via its mgmt IP, it jjust replies "Connecting to Management Server failed."

Do I have to reboot its mgmt service again?!?!

0 Likes Likes

Go to solution
ssharma
L5 Sessionator
In response to Zewwy

‎10-15-2014 10:18 AM

Since active was running high, give it some more time. Traffic should be flowing normally however. Try in another 5 minutes and see if you are able to log in. Thank you.

Go to solution
hshah
L6 Presenter
In response to Zewwy

‎10-15-2014 10:20 AM

Hi Zewwy,

I am glad atleast first issue is resolved. Order doesnt matter, but I suggest not to restart management server together on both the units.

Reboot is always a last option. Wait for 10 more minutes, see if it restores on its own.

If it doesnt than restart management server again.That should help.

Regards,

Hardik Shah

Go to solution
Zewwy
L3 Networker
In response to hshah

‎10-15-2014 11:20 AM

Thank you both ssharma, and hshah!!

Went for lunch and when I attempted to log in, it worked as you guys described. Thanks again for your prompt replies and suggestions! Much appreciated!

  • 1 accepted solution
  • 6900 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks