App version mismatch

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

App version mismatch

L2 Linker

Hi All,

My dashboard shows a "App Version Mismatch" in a HA setup. The active is supposed to download the app version and sync it to the passive.

To confound the issue as per the following the "active" firewall is running the older version causing the mismatch:

admin@(active)> show high-availability all | match Application

      Application Content: 327-1497

      Application Content Compatibility: Mismatch

      Application Content: 328-1503

However the following shows active is running the latest version:

admin@(active)> show system info | match app-version

app-version: 328-1503

So HA is saying the active firewall is running a older app version than it actually is. Any hints on how to go about correcting this situation?

Many thanks!

1 accepted solution

Accepted Solutions

Well just had TAC look into it. They restarted the management plane which fixed the issue.

The reason we believe was due to insufficient resource in the management plane at the time of the update.

Thanks Sandeep for your help.

View solution in original post

13 REPLIES 13

L2 Linker

Also how does the App-mismatch impact HA? Does this mean session states are no longer being synced?

L6 Presenter

Can you say the output of just the "show system info" of both the active device and passive device ?.

And regarding the question of what is the impact of the app version mismatch ? - its not going to stop the session sync. Its just the differences in the app versions will not sync means if the newer version has new apps or modified apps the older version will not have that and will behave in a different manner.

Thanks,

Sandeep T

Well just had TAC look into it. They restarted the management plane which fixed the issue.

The reason we believe was due to insufficient resource in the management plane at the time of the update.

Thanks Sandeep for your help.

Which hardware model did this occur on?

Not applicable

We're having the same problem. Is it possible to restart the management plane without contacting support?

you can restart management server yourself. Its not going to cause any traffic interruption. You can do this via command "debug software restart management-server". Once you do this you will be logged out of the device, please re login and check if that resolved the issue.

Sandeep T

Is this really true?

I mean if you use userid and a new user tries to setup a session then this user will not be allowed until mgmtplane is back on track and can answer the dataplane which user is using the specific ip (which the dataplane then will case for the TTL one have set)?

Also if using SSL-termination then SSL-based traffic will be blocked (new sessions) because the MITM cert is being created by the mgmtplane on some models (at least on the PA2000-series)?

And finally you will lose log-entries during the time mgmtplane is offline?

So already established traffic shouldnt be affected, but new sessions might be affected (depending on if you use userid and/or ssl-termination).

L0 Member

Restarting the management plane did not work for.!!

For the peer that is behind and is erroring when attempting a manual install:

A bit drastic but I read somewhere on the KB that backing up your configuration, reinstalling the PAN OS then installing the AV or App threat update will fix it.

Restarting the management plane worked for us and we didn't notice any interruptions.

L1 Bithead

I did restart the Mgmt server, but the App version still mismatch, any other suggestions?

L0 Member

I did restart the Mgmt server, but the App, Content and AV version still mismatch, any other suggestions? On Another hand, Version are matched on secondary FW.

L0 Member

I did restart the Mgmt server, but the App, Content and AV version still mismatch, any other suggestions? On Another hand, Version are matched on secondary FW.

L0 Member

It could potentially be a memory issue.  Run the "show system disk-space" command.  Check and see if your opt/pancfg is above 85%.  If so, open a tac case and have them review what can be removed.

  • 1 accepted solution
  • 27894 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!