HA broken after upgrading to 6.0.3


Hi,

We have just upgraded our 5020s and 3020s to 6.0.3 and encountered an issue, where the secondary device became the Active one and the primary displays this error, only on the 5020:

[Image: HA peer.JPG]

Has anybody else had this issue, or does anyone know how to solve it?

Thank you.

28 REPLIES

Hi MMC,

64591 (The fix in this bug resolves two issues:

- PA-3000 Series firewalls could stop passing traffic due to errors in the internal datapath. A registry value was changed in the dataplane packet processor to prevent this error.

- When highly compressed traffic is passing through PA-7050, PA-5000 Series, or PA-3000 Series firewalls, this caused some additional latency in other traffic passing through the firewall. This fix prevents the latency from being introduced to the traffic by changing the amount of data being handled by the signature matching FPGA.)


Can you try one more upgrade, from PAN OS 6.0.3 to PAN OS 6.0.4? I hope it's helpful for you. Thanks


Regards

Satish

Hi Satish, thank you for your response, I'm reading 6.0.4 release notes and we'll upgrade to 6.0.4 as soon as possible.

thanks again.

You're welcome, Luis,

Let me know if you are facing any other challenge.

Regards

Satish

Hello Luis,

For the time being, you may apply the below mentioned command as a workaround:

admin@PA-3020> set system setting packet-path-test enable no

Thanks

Are you sure that bug id 64591 is what is causing this HA link error message?


Reading the notes and associated ticket reports, there is no mention at all of HA in any of them.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Dear Steven,

How are you, dude? Yes, because one of our clients was facing the same issue; after the upgrade of PAN OS the issue has been resolved. Thanks

Regards

Satish

FAIL

Yesterday we upgraded to version 6.0.4 and the issue arose again.

We followed these steps:

1) We had two HA nodes on 6.0.2 (NodeA, NodeB; 5020)

2) We suspended the standby NodeB and installed version 6.0.4

3) We rebooted NodeB to finish the installation

4) NodeB started without problems and went into standby mode

5) We suspended the primary NodeA, so NodeB took control as primary

6) We installed version 6.0.4 on NodeA and rebooted to finish

7) When NodeA was starting we got the issue on NodeB: "Internal packet path monitoring failure, restarting dataplane"

8) NodeA was still not ready to take control, so we had a network outage of about 2 minutes.

So... if you are experiencing this problem, TAKE CARE during migration; in our case version 6.0.4 doesn't solve the issue.

We are going to open a case.

I would request you to apply the below-mentioned CLI commands and let me know the result.


> set system setting packet-path-test enable no

> set system setting packet-descriptor-monitor enable no

Thanks

The above mentioned command should be applied to both the nodes.

Thanks

OK HULK, we will apply the mentioned commands, although we have to look for a downtime window in our production environment, so the proof could take some time.

If you go through the DOC: PAN-OS 5.0.5: Addressed Issues, it looks like we are hitting the same BUG-50153 in 6.0.x.

Thanks

Really, it looks like this bug.

Hello,

PAN requested we try to replicate the issue yesterday evening; the guy did apply this command - set system setting packet-path-test enable no - on the node that had issues before and restarted (he did not require restarting both nodes). The issue did not re-occur, but this still does not guarantee it is not going to in the future.

I don't quite know what this command does, but it looks like you apply it before the reboot, and once the node is up, it is cleared.

Because we were not able to replicate it, it is not considered a solved issue; we are required to call PAN if it happens again, so they can collect more information.

Also, yes, I agree, this is the bug we are hitting - BUG-50153, even after upgrading to 6.0.3; we are not going to upgrade to 6.0.4.

Thank you
