- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
09-18-2012 09:10 PM
Hi All,
My dashboard shows a "App Version Mismatch" in a HA setup. The active is supposed to download the app version and sync it to the passive.
To confound the issue as per the following the "active" firewall is running the older version causing the mismatch:
admin@(active)> show high-availability all | match Application
Application Content: 327-1497
Application Content Compatibility: Mismatch
Application Content: 328-1503
However the following shows active is running the latest version:
admin@(active)> show system info | match app-version
app-version: 328-1503
So HA is saying the active firewall is running a older app version than it actually is. Any hints on how to go about correcting this situation?
Many thanks!
09-18-2012 10:36 PM
Well just had TAC look into it. They restarted the management plane which fixed the issue.
The reason we believe was due to insufficient resource in the management plane at the time of the update.
Thanks Sandeep for your help.
09-18-2012 09:22 PM
Also how does the App-mismatch impact HA? Does this mean session states are no longer being synced?
09-18-2012 09:56 PM
Can you say the output of just the "show system info" of both the active device and passive device ?.
And regarding the question of what is the impact of the app version mismatch ? - its not going to stop the session sync. Its just the differences in the app versions will not sync means if the newer version has new apps or modified apps the older version will not have that and will behave in a different manner.
Thanks,
Sandeep T
09-18-2012 10:36 PM
Well just had TAC look into it. They restarted the management plane which fixed the issue.
The reason we believe was due to insufficient resource in the management plane at the time of the update.
Thanks Sandeep for your help.
09-18-2012 10:56 PM
Which hardware model did this occur on?
09-19-2012 03:00 PM
We're having the same problem. Is it possible to restart the management plane without contacting support?
09-19-2012 05:39 PM
you can restart management server yourself. Its not going to cause any traffic interruption. You can do this via command "debug software restart management-server". Once you do this you will be logged out of the device, please re login and check if that resolved the issue.
Sandeep T
09-20-2012 12:49 AM
Is this really true?
I mean if you use userid and a new user tries to setup a session then this user will not be allowed until mgmtplane is back on track and can answer the dataplane which user is using the specific ip (which the dataplane then will case for the TTL one have set)?
Also if using SSL-termination then SSL-based traffic will be blocked (new sessions) because the MITM cert is being created by the mgmtplane on some models (at least on the PA2000-series)?
And finally you will lose log-entries during the time mgmtplane is offline?
So already established traffic shouldnt be affected, but new sessions might be affected (depending on if you use userid and/or ssl-termination).
09-20-2012 02:56 AM
Restarting the management plane did not work for.!!
For the peer that is behind and is erroring when attempting a manual install:
A bit drastic but I read somewhere on the KB that backing up your configuration, reinstalling the PAN OS then installing the AV or App threat update will fix it.
09-20-2012 08:20 AM
Restarting the management plane worked for us and we didn't notice any interruptions.
08-20-2013 12:09 AM
I did restart the Mgmt server, but the App version still mismatch, any other suggestions?
10-06-2020 12:52 AM
I did restart the Mgmt server, but the App, Content and AV version still mismatch, any other suggestions? On Another hand, Version are matched on secondary FW.
10-06-2020 01:00 AM
I did restart the Mgmt server, but the App, Content and AV version still mismatch, any other suggestions? On Another hand, Version are matched on secondary FW.
07-22-2024 11:42 AM
It could potentially be a memory issue. Run the "show system disk-space" command. Check and see if your opt/pancfg is above 85%. If so, open a tac case and have them review what can be removed.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!