Software Update Issue

L2 Linker

Last month I upgraded to 6.0.4 with no issues.  I upgraded my primary, then upgraded the secondary five days later. Again, no problems.

When I upgraded to 6.0.5 h3 (this past weekend), the PA would not pass traffic. I returned to 6.0.4 and traffic was restored. I then tried 6.0.5 and had the same problem - no traffic.

I followed the same procedures as I did with the upgrade to 6.0.4.

Any ideas?

Thanks as always.

//moe

L5 Sessionator

Hi Moe,

Do you have asymmetric flow in your environment? There have been a couple of changes in the way the firewall handles asymmetric traffic with 6.0.5-h3.

Before upgrading again, run the following command to ensure continuity:

set deviceconfig setting tcp asymmetric-path bypass

If you also have zone protection, run the following command as well:

set network profiles zone-protection-profile <profile-name> asymmetric-path [bypass | global]


Hope this helps. Thank you.

L6 Presenter

Interesting that you have the issue with 6.0.5 also.

L5 Sessionator

Here is the link to the release notes:

https://downloads.paloaltonetworks.com/software/PAN-OS-6.0.5-h3-RN.pdf?__gda__=1413249439_2154724505...

And the note mentioning the changes in behavior:

"Note If you have asymmetric routes in your network, before upgrading to 6.0.5-h3, use the following command to ensure session continuity:

set deviceconfig setting tcp asymmetric-path bypass

And, if you have attached a zone protection profile, you must also use the following command:

set network profiles zone-protection-profile <profile-name> asymmetric-path [bypass | global]."
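
A pre-upgrade check for the two commands quoted from the release notes, as an added example that is not part of the original thread and is not Palo Alto Networks code. It assumes the configuration has been saved as set-format lines in a text file; the sample lines, hostname and profile names are constructed, and it checks every defined profile rather than only attached ones.

```python
import shlex

# Constructed sample of set-format configuration lines (not from a real device).
SAMPLE_CONFIG = """\
set deviceconfig system hostname fw-example
set deviceconfig setting tcp asymmetric-path bypass
set network profiles zone-protection-profile zp-inside flood tcp-syn enable yes
set network profiles zone-protection-profile zp-inside asymmetric-path global
set network profiles zone-protection-profile "zp dmz" flood icmp enable yes
"""

GLOBAL_PREFIX = ["set", "deviceconfig", "setting", "tcp", "asymmetric-path"]
PROFILE_PREFIX = ["set", "network", "profiles", "zone-protection-profile"]
PROFILE_VALUES = {"bypass", "global"}  # the two values named in the release note


def check_asymmetric_path(config_text):
    """Return a list of findings; an empty list means both commands are in place."""
    global_value = None
    profiles = {}  # profile name -> asymmetric-path value, or None if never set
    for raw in config_text.splitlines():
        tokens = shlex.split(raw)  # handles quoted profile names with spaces
        if tokens[:5] == GLOBAL_PREFIX and len(tokens) == 6:
            global_value = tokens[5]
        elif tokens[:4] == PROFILE_PREFIX and len(tokens) >= 5:
            name = tokens[4]
            profiles.setdefault(name, None)  # any line defines the profile
            if tokens[5:6] == ["asymmetric-path"] and len(tokens) == 7:
                profiles[name] = tokens[6]

    findings = []
    if global_value != "bypass":
        findings.append(
            f"global tcp asymmetric-path is {global_value or 'not set'}, expected bypass"
        )
    for name, value in sorted(profiles.items()):
        if value not in PROFILE_VALUES:
            findings.append(
                f"zone-protection-profile {name!r}: asymmetric-path is {value or 'not set'}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_asymmetric_path(SAMPLE_CONFIG) or ["ready: both settings present"]:
        print(finding)
```
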

L2 Linker

We are symmetric right now. Will be asymmetric in a couple months.

L5 Sessionator

In that case you will need to configure those commands prior to the upgrade. That should work; if not, then you can contact support for further troubleshooting. Thank you.

L2 Linker

Will the command disrupt traffic before the software is updated? What I'm asking is, can I do this now, and upgrade later?

L5 Sessionator

There should not be any disruption with the command; however, I would suggest configuring these commands just prior to the upgrade. Everything should work as expected until 6.0.5. The above condition only applies if you are on 6.0.5-h3 or above and you have asymmetric traffic in your environment. Thank you.

L2 Linker

What about for right now? My traffic is symmetric, yet I had no traffic.

L5 Sessionator

If you upgrade to 6.0.5-H3 and you did not have asymmetric traffic and it did not work, that would be something not expected. I would suggest opening a case before the next upgrade attempt so that a resource can work with you to verify the issue. It would be hard to tell why traffic did not work. If you look at the monitor logs during the upgrade and see both side traffic was seen (Bytes Sent/Bytes Received). I believe you did wait until Auto Commit was completed. Were you able to ping the inside interface during the incident? Were you able to ping outside, sourcing from one of the inside interfaces? There can be many variables why it caused that, but 6.0.5-h3 alone would not be the issue, as we have seen successful upgrades as well. Hope this helps. Thank you.
