10-17-2024 06:47 AM
I have two hardware gateways in an HA pair running 9.1.19. I've upgraded one to 10.0 and then to 10.1.14. It now complains that the HA 'peer version is too old' and it has suspended HA. If I suspend HA on the remaining 9.1 gateway, HA doesn't activate on the 10.1 gateway. If I suspend the 9.1 gateway and try to manually "make local device functional for HA" on 10.1, it still won't enable.
How can I get 10.1 to become the active member while I update the remaining 9.1 member?
10-17-2024 08:07 AM - edited 10-17-2024 08:09 AM
@JimMcGrady wrote:
I have two hardware gateways in an HA pair running 9.1.19. I've upgraded one to 10.0 and then to 10.1.14. It now complains that the HA 'peer version is too old' and it has suspended HA. If I suspend HA on the remaining 9.1 gateway, HA doesn't activate on the 10.1 gateway. If I suspend the 9.1 gateway and try to manually "make local device functional for HA" on 10.1, it still won't enable.
How can I get 10.1 to become the active member while I update the remaining 9.1 member?
I would disconnect any data interfaces on your 9.1 FW and also disconnect your HA connections between both FWs. Your active firewall running 10.1.14 will continue to function as your active firewall.
With your 9.1 FW now fully isolated, you should still be able to access the firewall via the management connection. In this disconnected state the firewall should let you upgrade it to 10.1.14, matching your active one. I would also ensure dynamic updates match the current active as well. Once this is completed, connect your HA-1 connection and let things normalize, then connect your HA-2 link and let things normalize. Your current active should still stay active with the other firewall in an HA paired state, but down (non-functional) due to the data links still being disconnected. Now reconnect your data links to the passive firewall. Shortly thereafter both firewalls should be in a healthy HA A/P state.
All of these steps should be in a maintenance window.
--edit-- In the future I wouldn't recommend going so far in software version between firewalls. Keep them only 1 revision apart.
10-17-2024 07:20 PM - edited 10-17-2024 08:24 PM
Thanks for the suggestion. Meanwhile, I reinstalled a recent 10.0 version on the 10.1 gateway to try and resolve the issue. It did in that HA is now happy. However, Panorama is now disconnected. I gather that is because 10.1 introduced a more secure link between Panorama and gateway. Since I have reverted to 10.0, that is no longer applicable.
How would I reconnect Panorama to the now-10.0 gateway without impacting the working active 9.1 HA member?
EDIT: It turns out the 10.0 version I used is just a bit too old to receive the cert renewal that was recently done for Panorama. I've applied the most recent 10.0 and that fixed the connection.