PAN-OS 7.0.9 any issues on PA-5050?

L6 Presenter

Hi Guys,

 

Looking to upgrade HA pair active/passive from 6.1.12 to the 7.0.9. 

Anything that I should be aware of? I am checking known issues and release notes. Same for the security advisory. But maybe something from your experience (issues that are currently reported but will be fixed in the next release).

 

Thx,

Myky 

10 REPLIES 10

L3 Networker

I'm running 7.0.9 on a 5050 pair and 5060 pair in active/standby with no issues that I'm currently aware of.

-Brad

Thx Brad for your input

L1 Bithead

We recently upgraded from 7.0.8 due to issues with the LDAP/UserID failing and locking everyone out of GP Portal. So far so good on 7.0.9, although we are currently looking into an issue where the IPSEC tunnel went down but still shows up in the GUI until you reboot the active unit in the HA pair.

@DensonJHH you may want to run both show vpn ipsec-sa tunnel {name} and show vpn ike-sa gateway {name} and see if they are not being released from there. I've run across an issue on our 3020s where, if the tunnel goes 'down' but still shows up on the system, the 3020 won't realize that the tunnel has dropped and will still show that it's up in the GUI.

Hello Denson,

 

Did you try BPry's suggestions?

L4 Transporter

Here is my experience with 7.0.9 on 5060 running vSYS so far.

 

1.  group-mapping shows up as 0 groups.   Only solution is to restart the userID process.

 

2.  group-mapping for UserIDs does not refresh after 12 hours (you can see the refresh timer go up and up).   TAC is aware of the problem; the suggestion is to restart the userID process or run debug software trace or core userid to see if it will kick-start the userID process.

 

3.  After restarting the userID process, the userID process is not able to connect to the Agentless userID for ip/user mapping updates about every other time the userID process is restarted.  The only solution is to restart the userID process again and, if it still does not work, fail over.

 

At this point, TAC said it is related to a GLIBC bug and recommended upgrading to 7.1.4+.   Engineering is not going to backport the GLIBC fixes to 7.0 code.

 

 

Cheers. So this issue is seen when you are running vSYSs. Is that correct?

The firewalls that I support run with multiple vsys(es).   I don't have another way to compare it.

 

 

Hi. Thanks. This is what I wanted to confirm :-)
