Bug: 8.1.7/8.1.8 PA-5200 AUX Ports

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Bug: 8.1.7/8.1.8 PA-5200 AUX Ports

Cyber Elite
Cyber Elite

Just FYI,

There is currently a bug within 8.1.7 and 8.1.8 that renders the AUX ports inoperable on the PA-5200 series, which depending on your configuration can cause issues. The Bug ID is PAN-105737 and it's been fixed in 9.*, but you might want to hold off upgrading until its been fixed or update your configuration to remove dependency on AUX interfaces.  


L1 Bithead

Okay. so even We were hit by this bug. we have two 5220 PA FW in HA and HA1 connected via AUX. We were in plan to upgrade from 8.0.10 to 8.1.7 but then while secondary was upgraded and rebooted to 8.1.7 , split brain scenario was occured and we had both our firewall in active active and whole network was down. 

   Then we get to know from PA that its a bug. then we proceeded for 8.1.9 upgrade and it was resolved.

  but now I have a question and looking for solid answer here- this bug only caused HA1 link to remain down but then what about the HA1 backup hearbeat, as we had heartbeat backup enabled in election settings and by default it takes mgmt port. Hence if HA1 was down due to bug, why backup heartbeat did not function through mgmt and made sure that HA can be acheived. could you pleaee help?

@arun_sh , thanks for confirming that 8.1.9 works for HA on your 5220 pair.


I'm thinking of scheduling an update to 8.1.9 now that bug PAN-105737 has actually been fixed, along with the fixes for two of the three security advisories published yesterday.


I'm not sure why the management port was not working for HA1 backup, the bug description only mentions AUX ports being in a link down state. I'd think that should be a question that PAN TAC would be able to answer.


On our 5220 pair we are using AUX1 and AUX2 for HA1 and HA1 Backup as I like to keep management and HA functions separate if the hardware has the capability, but 5220's also have RJ45 dedicated HA1-A and HA1-B 1Gbps ports as well which you could look into using.

L1 Bithead

the reason why some of the Palo Alto firewalls in HA are facing this split brain scenario is due to this BUG -106914.

this is mentioned in 8.1.9 PAN OS as addressed issue.

  please find the detail:

Fixed an issue on a firewall in a high availability (HA) active/passive configuration where HA1 and HA2 links stopped passing packets, which caused a split-brain condition after an automatic configuration sync.

hence , either you are using AUX or mgmt port or any other port, if this bug is hit then HA will stop working and FWs will become active active. I am sure my config though having AUX for HA1 but mgmt for HA1 backup(not physical, but through election settings), was hit with this BUG as well.

  please do upgrade HA FWs with downtime only as there is no mention of any particular hardware model.



I updated our 5220 pair to 8.1.9 during an evening maintenance window a few days ago and no issues with split-brain so far.


I've been running it on production equipment since last Friday without issue, and testing it in a lab environment since slightly before public release. It does appear that 8.1.9 fully addresses this issue as promised. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!