We are experiencing an upgrade error/failure when we try to upgrade PA3020 from 8.0.11-h1 to 8.1.9-h4.
When our customer tried to upgrade from 8.0.11-h1 to 8.1.9-h4; their PA3020 went to Maintenance Mode after installing and rebooting .
The Maintenance Mode simply stated that there is a "FIPS failure".
The upgrade steps that we followed are:
a) Download 8.1.0 (base) , without installing
b) Download and Install 8.1.9-h4
After we did step b above the PA3020 rebooted and went straight to maintenance mode with error "FIPS failure"
Luckily, we were able to revert back again to 8.0.11-h1. But , we still need to upgrade to 8.1.x, becuase 8.0.x is already EOL.
We have already contacted palo alto TAC and are now waiting for their reply.
While we are waiting for pan tac reply, has anybody ever experienced a FIPS failure upgrade error like ours? if so, How did you guys resolve the FIPS failure error?
any feedback would be great, thanks
What was your actual upgrade path. If you followed recommendation you should have installed the latest maintenance release prior to installing 8.1.0 and attempting to boot into your targeted maintenance release.
Also just to point out, 8.1.10 is the preferred release at the moment.
When upgrading firewalls - specially the older hardware from paloalto like the 3000 series - you should follow the official recommendation for this. For you this means:
This way you shouldn't have any problems and to be eveen more sure try a reboot prior to even installing the latest maintenance release as 8.0.11 sounds like your firewall is already running with this quite a while.
we downloaded and installed 8.0.20 and rebooted. successfully upgrade to 8.0.20
downloaded and installed 8.1.0 and rebooted. successfullyupgraded to 8.1.0
downloaded and installed 8.1.10 and rebooted ---> failed to upgrade to 8.1.10 and went to maintenance mode.
we were able to revert back to 8.1.0 and we are now back online with 8.1.0
we have already submitted the tech support file to TAC and waiting for their advice.
in the meantime, do you guys have any idea or experience with this kind of scenario? we are stuck in 8.1.0
Not sure where you actually see step 2 as the official recommendation. Palo's upgrade articles specifically say to just download a feature release, and then download & install your target release. So for instance from 8.0.11 to 8.1.9 would be:
- Download and install latest 8.0 (8.0.20)
- Download 8.1
- Download & install 8.1.9
" In most cases, the recommended path when moving from one feature release to the next is to download the base image for the next feature release version and then download and install your target maintenance release version. "
On older series hardware (200, 500, 3000) the official recommendation was modified so that you download and install the base image with the release of 8.1 specifically due to a number of issues that was being caused on these older platforms due to disk limitations. When you simply download the base image and directly install the target maintenance image the firewall needs to explode both images and build a functional install image from both images.
Newer platforms the increase in size of PAN-OS was properly accounted for and they can handle needing to build that new image. I would still personally recommend installing the base image before installing the maintenance image even on there platforms as you generally have less of an issue with the firewall not properly updating system files and running into update issues.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!