01-30-2018 02:01 PM
Hello,
Under general functionality, its not used/needed when they are already deployed, if you are referring to the following.
Regards,
01-30-2018 02:15 PM
There is very little reason to boot a firewall into maintenance mode. Some examples would be performing a factory reset, setting FIPS, CCEAL4, performing a disk check, disk image changes, content rollbacks, and stuff like that. I would say easily that 95% if not more of Palo Alto customers should never have to boot into maintenance mode.
01-31-2018 05:19 AM
I have a ticket open because my upgrade to 7.1.14 from 7.1.13 failed and according to the system logs and TAC it is due to a autocommit failure. It was their recommendation to go into maintenance mode and attempt the upgrade again. Since I can't really understand most of what the TAC tech says or writes I am confused.
01-31-2018 05:20 AM
Yeah I don't see what good it would do other than a factory reset , which is not what I intend on doing unless there is not other way
01-31-2018 05:39 AM
If everything fails ... before going into maint mode and performing a factory reset I would suggest trying to revert back to the previous version using the 'debug swm revert' CLI.
Good luck !
-Kiwi.
01-31-2018 05:45 AM
I was able to revert back to the previous version through the GUI with no issue and maintenance mode was the recommendation of TAC, not sure why. But I was thinking about attempting the upgrade again in hopes of collecting additional information. TAC said when I reverted back to the pervious version it wiped out the logs, but for some reason it did do anything to the system logs. So this command debug swm revert' CLI. besides reverting back to the previous version does it get me additional information? FYI I have two PA's in and HA pair. The PA I am trying to upgrade is the passive firewall
01-31-2018 06:05 AM
Not sure why TAC would tell you to update through maintenance mode, that seems rather odd to me as long as you were able to revert to a working configuration. In past experiance autocommit issues have always been solved by a rollback and then repeating the process, usually I simply restart the box in question before I attempt the upgrade again just so I know it's got a 'clean' baseline. I've never heard of anyone recommending an upgrade through maintenance mode for anything.
To be clear, I think what TAC is telling you to do would likely work perfectly fine. I just don't think it's actually necessary and you can get yourself in a little bit of a pickle in maintenance mode if you aren't being careful.
debug swm anything gives you slightly more information than would previously be available. The revert command however will revert the configuration to the last successfully loaded version, I believe that it enables a little bit of extra debugging on the software manager during the process. You may want to run the command 'debug swm history' and verify exactly what the failure reason was. If it was trully just an autocommit issue I would recommend simply attempting the upgrade again after restarting the box; generally that's cleared things up for me in the past.
01-31-2018 06:12 AM
this was the process I followed
1. Downloaded and upgraded the passive PA to 7.1.13 to 7.1.14
2. Rebooted, when it came back up the status light was yellow the interfaces were all greyed out and it kept saying autocommit failed.
3.Gave it 15 or 20 minutes to see if it would come back on its own
4. Rebooted the firewall
5. When it came back up the status light was yellow the interfaces were all greyed out and it kept saying autocommit failed.
6. Reinstalled 7.1.13 and rebooted. Everything came back fine
7. Upgraded the passive PA to 7.1.13 to 7.1.14
8. Rebooted, when it came back up the status light was yellow the interfaces were all greyed out and it kept saying
autocommit failed
9. Reinstalled 7.1.13 and rebooted. Everything came back fine
10. Tried to collect all the information and logs to open a ticket with TAC
01-31-2018 06:16 AM
On your box now what's the output of 'show chassis-ready'?
01-31-2018 06:18 AM
Currently while on version 7.1.13 the out put of
show chasis-ready is yes
I don't know what it would be on the upgraded version of 7.1.14 until I do the upgrade again
01-31-2018 06:29 AM
It would have been a no after the 7.1.14 upgrade if the auto-commit process is failing. Essentially if that fails the dataplane and all of your interfaces will show down.
So I would redo the upgrade, but right after you restart for the upgrade perform the following. (This needs to be done quickly before the auto-commit process starts, I would advize doing it through the console port.)
debug management-server set commit all
debug management-server set cfg all
debug management-server set content all
debug management-server on debug
debug device-server set all
debug device-server on debug
Logs will be generated in ms.log and devsrv.log
Once the auto-commit fails or finishes then run the following
debug management-server on info
debug device-server on info
That should provide TAC with all the info they need to see exactly what is going on with autocommit and why it's failing.
01-31-2018 06:31 AM
The swm debug commands that were given would not turn on additional logging, so you don't have to turn them off or 'no' them out if that's what you mean.
01-31-2018 06:31 AM
Great information I wonder why TAC didn't make any or these suggestion to me. The only suggestions they made were to reboot it and put it in maintenance mode
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
