10-15-2014 09:36 AM
Hey there,
I have 2 PA-500's currently on:
| Software Version | 6.0.2 |
| GlobalProtect Agent | 1.2.3 |
| Application version | 461-2402 (10/14/14) |
| Threat Version | 461-2402 (10/14/14) |
| Antivirus Version | 1391-1863 (10/13/14) |
| URL Filtering version | 4392 |
| Software Version | 6.0.2 |
| GlobalProtect Agent | 1.2.3 |
| Application version | 461-2402 (10/14/14) |
| Threat Version | 461-2402 (10/14/14) |
| Antivirus Version | 1391-1863 (10/13/14) |
| URL Filtering version | 4392 |
| App Version | Mismatch | |
| Threat Version | Mismatch |
From what I can tell they are on the same version ( I know my GP version is outdated...)
My question is how come its stating mismatch when they are matched? From this it states to add the passive MAC to the internal/trust interface of the active PA..
Which I don't understand when the ARPing for the Management subnet is handled by a different device in our network design.. (No firewall, just direct routing between the "internal" subnet of the PA and the "management" subnet)
They can ping each other just fine via their separate mgmt IP's, so I don't see what this would accomplish..
Ideas? Thoughts? Suggestions?
10-15-2014 09:43 AM
Hi Zewwy,
It seems either management server is busy on both or one of the pair. They had same version but that informaiton is not able to process for some reason. Can you please run following on both device and paste the output here :
show system resources | match srvr
If you notice number around 1 gig for mgmtsrvr, so ahead and restart management server on both peer.
debug software restart management-server (this will not impact your production traffic, it will restart the management server process responsible for HA communication)
Hope this helps. Thank you.
10-15-2014 09:43 AM
Hi Zewwy,
It seems either management server is busy on both or one of the pair. They had same version but that informaiton is not able to process for some reason. Can you please run following on both device and paste the output here :
show system resources | match srvr
If you notice number around 1 gig for mgmtsrvr, so ahead and restart management server on both peer.
debug software restart management-server (this will not impact your production traffic, it will restart the management server process responsible for HA communication)
Hope this helps. Thank you.
10-15-2014 09:51 AM
Hi Zewwy,
Possibly its happening because of mgmt utilization, however before that I would like to see "show system info" output for both the units.
Quick fix would be to restart management server. you can use command "debug software restart management-serve". It will not impact data plane which actually passes the traffic.
Regards,
Hardik Shah
10-15-2014 10:00 AM
On active plane:
show system resources | match srvr
2762 20 0 261m 94m 9.8m S 0 10.3 1191:01 devsrvr
2763 20 0 1111m 97m 4060 S 0 10.6 1170:49 mgmtsrvr
passive:
show system resources | match srvr
2805 20 0 266m 59m 7552 S 0 6.5 1098:12 devsrvr
2806 20 0 842m 190m 3680 S 0 20.8 1083:52 mgmtsrvr
Thanks so much for the replies so fast too! But looks like both planes aren't over utilitzed, I'll attempt a mgmt reset on both using the supplied restart command and reply the results!
Thanks again!
10-15-2014 10:01 AM
Active is running high on management plane as suspected and passive is running high as well.
Please go ahead and restart managmenet server on both device and see if that fixes the issue. Thank you.
10-15-2014 10:05 AM
Hi Zewwy,
Active box mgmt process is on 1 Gb utilization, which is definitely significant.
Active:
2762 20 0 261m 94m 9.8m S 0 10.3 1191:01 devsrvr
2763 20 0 1111m 97m 4060 S 0 10.6 1170:49 mgmtsrvr >>>>>>>>>>>>>>>>>>1 Gb utilization.
Passive:
2805 20 0 266m 59m 7552 S 0 6.5 1098:12 devsrvr
2806 20 0 842m 190m 3680 S 0 20.8 1083:52 mgmtsrvr >>>>>>>>>>>>>>>>>>Close to 1 Gb
Active passive both are close to 1 Gb, I would also suggest to restart management server.
debug software restart management-serve
Regards,
Hardik Shah
10-15-2014 10:15 AM
Well I reset both, I wasn't sure if there was a specific order, so I restart them pretty much at the same time.. not sure if that was a bad thing...
Cause now I can log into the passive device and it shows the versions as matched, but every-time I attempt to log into the active on either via the internal IP, or direct via its mgmt IP, it jjust replies "Connecting to Management Server failed."
Do I have to reboot its mgmt service again?!?!
10-15-2014 10:18 AM
Since active was running high, give it some more time. Traffic should be flowing normally however. Try in another 5 minutes and see if you are able to log in. Thank you.
10-15-2014 10:20 AM
Hi Zewwy,
I am glad atleast first issue is resolved. Order doesnt matter, but I suggest not to restart management server together on both the units.
Reboot is always a last option. Wait for 10 more minutes, see if it restores on its own.
If it doesnt than restart management server again.That should help.
Regards,
Hardik Shah
10-15-2014 11:20 AM
Thank you both ssharma, and hshah!!
Went for lunch and when I attempted to log in, it worked as you guys described. Thanks again for your prompt replies and suggestions! Much appreciated!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
