HA Pair - peer version too old

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA Pair - peer version too old

L4 Transporter

I have two hardware gateways in a HA pair running 9.1.19.  Ive upgraded one to 10.0 and then to 10.1.14.  It now complains that the HA 'peer version is too old' and it has suspended HA.  If i suspend HA on the remaining 9.1 gateway, HA doesnt activate on the 10.1 gateway. If i suspend the 9.1 gateway and try to manually "make local device functional for HA" on 10.1, it still wont enable. 

 

How can i get 10.1 to become the active member while i update the remaining 9.1 member?

2 REPLIES 2

L6 Presenter

@JimMcGrady wrote:

I have two hardware gateways in a HA pair running 9.1.19.  Ive upgraded one to 10.0 and then to 10.1.14.  It now complains that the HA 'peer version is too old' and it has suspended HA.  If i suspend HA on the remaining 9.1 gateway, HA doesnt activate on the 10.1 gateway. If i suspend the 9.1 gateway and try to manually "make local device functional for HA" on 10.1, it still wont enable. 

 

How can i get 10.1 to become the active member while i update the remaining 9.1 member?


I would disconnect any data interfaces on your 9.1 FW and also disconnect your HA connections between both FWs.  Your Active firewall running 10.1.14 will continue to function as your active firewall. 

 

With your 9.1 FW now fully isolated you should still be able to access the firewall via the management connection.  In this disconnected state the firewall should let you upgrade it to 10.1.14 matching your active one.  I would also ensure dynamic updates match the current active as well.  Once this is completed connect your HA-1 connection let things normalize, then connect your HA-2 link and let things normalize.  Your current active should still stay active with the other firewall in a HA paired state, but down (non-functional) due to the data links still disconnected.  Now reconnect your datalinks to the passive firewall.  Shortly there after both firewalls should be in a healthy HA A/P state.

 

All of these steps should be in a maintenance window.

 

--edit-- in the future I wouldn't recommend going so far in software version between firewalls.  Keep them only 1 revision apart.

Thanks for the suggestion.  Meanwhile, i reinstalled a recent 10.0 version on the 10.1 gateway to try and resolve the issue. It did in that HA is now happy. However Panorama is now disconnected. I gather that is because 10.1 introduced a more secure link between Panorama and gateway. Since i have reverted to 10.0, that is no longer applicable.

How would i reconnect Panorama to the now-10.0 gateway without impacting the working active 9.1 HA member?

 

EDIT: It turns out the 10.0 version i used is just a bit too old to receive the cert renewal that was recently done for Panorama. Ive applied the most recent 10.0 and that fixed the connection.

  • 357 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!