Issues with pushing out 10.2.9-h1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Issues with pushing out 10.2.9-h1

L2 Linker

There is not a community discussion for issues implementing 10.2.9-h1

We have a maintenance window to push out 10.2.9-h1 Thursday evening and with recent issues with 1.2.7.h3 and other roll outs i am starting this thread for the community.

Manny C
Sr. Network Engineer
9 REPLIES 9

L0 Member

I attempted to update Panorama this morning (in preparation for upgrading firewall with GP installed) with a failed result.  The error message was "Failed to install Panorama with the following errors. Label sysroot0 does not indicate a valid image"

This was the first time in 6 years I have had an upgrade fail.

L2 Linker

last night upgraded panorama and 2 Azure VM firewalls to 10.2.9-h1 from 10.2.8 without any issues

tonight i will be doing 2 5220s (HA pair) with Global Protect and 10.2.6 with the workaround for the certs.

 

Manny C
Sr. Network Engineer

L2 Linker

We finished the upgrade to 10.2.9-h1 last night

There were no issues with our 3- VM300 (new licensing in May) in Azure

I have a HA pair of 5220s with 2 different global protect portals and gateways

we updated the passive then promoted it to active This is when GP connections got a little wonky.

the connections were still showing up on the originator firewall and didnt transfer to the one activated traffic was showing through both some of the new connections were failing on the one GP that split tunneling was enabled. We upgraded the second firewall rebooted and we still had the connections showing up in both firewalls and some seemed duplicated and some were not.

The 5220s were on 10.2.6 with the workarounds and went to 10.2.9-h1

A TAC case will be created  More to follow

Manny C
Sr. Network Engineer

L0 Member

Good morning,

We did our upgrade on the 15th April and have been having issues with sites failing to connect for perhaps 10 - 30 seconds ever since. Issue is intermittent and occurs several times a day, with no obvious reasons why.

Have opened a case with support but no resolution as yet.

 

L1 Bithead

We updated to 10.2.9-h1 and we're seeing an issue with Panorama templates not working correctly for all interfaces.  All Ethernet, loopback, tunnels, and SDWAN interfaces show 'none' for all virtual/logical routers, zones and IP Addresses even though values exist when queried in CLI.  If I make a change to the template, Pano tries to push out these null values.

I just checked and i am showing the same exact issue with the interfaces VR and LR showing none on the template but it is showing correct in the _stack template.  I have committed some policy changes since the the upgrade but not VR changes and it didnt change the stack template. were you making changes in your routers when it tried to push none to everything. I wont be making any changes till this is resolved. Let us know what TAC says about this when they get back to you. I have a TAC case open on the Global protect issue i had and will do the same

Manny C
Sr. Network Engineer

Palo has started to issue hotfixs for the various builds that addresses this issue.

 

PAN-251013
Fixed an issue on the web interface where the 
Virtual Router
 and 
Virtual System
 configurations for the template incorrectly showed as 
none
.

L0 Member

Hello, just to check on this as I am looking to upgrade and have seen a few posts about issues with Panorama upgrading to 10.2.9-h1.

 

Is there a patch to cover these in a later version?

I have been running 10.2.9.h1 since April due to the Certificate issues

Some hic-ups but no major issues and i am running Panorama physical appliances and VM's in Azure.

it looks like some of the Hic-ups have been addressed in 10.2.10 that came out end of June but has has 2 hotfixes since then.

Unless you are running 10.2.8 with the issues it had and aren't experiencing them plus you didnt have the issues with the April certificates, going to 9 or waiting till they get 10 ready for primetime it is up to you. I personally am waiting for 10 to go to Preferred because some of the hic-ups have been addressed and also hope it will address the new November 2024 certificate issue too.

Manny C
Sr. Network Engineer
  • 3836 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!