10-13-2014 05:44 AM
Last month I upgraded to 6.0.4 with no issues. I upgraded my primary, then upgraded the secondary five days later. Again, no problems.
When I upgraded to 6.0.5 h3 (this past weekend), the PA would not pass traffic. I returned to 6.0.4 and traffic restored. I then tried 6.0.5 and had the same problem - no traffic.
I followed the same procedures as I did with the upgrade to 6.0.4.
Any ideas?
Thanks as always.
//moe
10-13-2014 06:17 AM
Hi Moe,
Do you have asymmetric flow in your environment? There have been a couple of changes in the way the firewall handles asymmetric traffic with 6.0.5-h3.
Before upgrading again, run the following command to ensure continuity:
set deviceconfig setting tcp asymmetric-path bypass
If you also have zone protection, run the following command as well:
set network profiles zone-protection-profile <profile-name> asymmetric-path [bypass | global]
Hope this helps. Thank you.
10-13-2014 06:21 AM
Here is a link to the release notes:
And the note mentioning the change in behavior:
"Note: If you have asymmetric routes in your network, before upgrading to 6.0.5-h3, use the following command to ensure session continuity:
set deviceconfig setting tcp asymmetric-path bypass
And, if you have attached a zone protection profile, you must also use the following command:
set network profiles zone-protection-profile <profile-name> asymmetric-path [bypass | global]"
10-13-2014 08:49 AM
We are symmetric right now. Will be asymmetric in a couple of months.
10-13-2014 08:51 AM
In that case you will need to configure those commands prior to the upgrade. That should work; if not, you can contact support for further troubleshooting. Thank you.
10-13-2014 08:53 AM
Will the command disrupt traffic before the software is updated? What I'm asking is, can I do this now and upgrade later?
10-13-2014 09:00 AM
There should not be any disruption with the command; however, I would suggest configuring these commands just prior to the upgrade. Everything should work as expected until 6.0.5. The above condition only applies if you are on 6.0.5-h3 or above and you have asymmetric traffic in your environment. Thank you.
10-13-2014 12:03 PM
What about for right now? My traffic is symmetric, yet I had no traffic.
10-13-2014 12:08 PM
If you upgraded to 6.0.5-h3, did not have asymmetric traffic, and it still did not work, that would be unexpected. I would suggest opening a case before the next upgrade attempt so that a resource can work with you to verify the issue. It is hard to tell why traffic did not pass. Look at the monitor logs during the upgrade and check whether traffic was seen in both directions (Bytes Sent/Bytes Received). I believe you did wait until the Auto Commit was completed. Were you able to ping the inside interface during the incident? Were you able to ping outside, sourcing from one of the inside interfaces? There can be many variables that caused that, but 6.0.5-h3 alone would not be the issue, as we have seen successful upgrades as well. Hope this helps. Thank you.
10-13-2014 12:36 PM
I was pinging the management interface (didn't consider the inside interface) and google.com while the firewall rebooted. The management interface came back up and I could log back into the device. The ping out to google didn't come back. I have two firewalls in HA active-passive mode. I was updating the primary. (The secondary's inside/outside interfaces are currently not connected to the switch.)
10-13-2014 12:42 PM
Yes, the management interface will respond. But after the reboot, an auto commit happens on the device. During this time none of the dataplane ports will respond or pass any traffic. Depending on the hardware of the device and the amount of configuration, it might take time for the auto commit to complete. "show jobs all" shows the progress of the auto commit. While updating, the secondary will take over as active, and since its interfaces are not connected to the switch, the traffic will basically be blackholed.
Next time during the upgrade, monitor the auto commit, and once it is done, make the primary (connected to the switch) the active device again and see if that resolves the issue. Thank you.
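The failure mode described in the reply above is a timing one: the secondary becomes active while the upgraded primary is still running its auto commit, and the dataplane stays dark until that job finishes. The script below is an added example, not code from this thread or from Palo Alto Networks; it parses the text of "show jobs all" and answers the only question that matters before failing back: has the most recent AutoCom job finished with result OK? The column layout of the sample output is an assumption made for this example (verify it against your own firewall), and the three sample listings are constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed samples of "show jobs all" output. The column layout is an
# assumption for this example, not copied from a real device.
SAMPLE_RUNNING = """\
Enqueued                     Dequeued     ID             Type    Status Result Completed
----------------------------------------------------------------------------------------
2014/10/13 05:40:12          05:40:12      1           AutoCom       ACT   PEND        35%
"""

SAMPLE_DONE = """\
Enqueued                     Dequeued     ID             Type    Status Result Completed
----------------------------------------------------------------------------------------
2014/10/13 05:40:12          05:40:12      1           AutoCom       FIN     OK       100%
2014/10/13 05:48:30          05:48:30      2            Commit       FIN     OK       100%
"""

SAMPLE_FAILED = """\
Enqueued                     Dequeued     ID             Type    Status Result Completed
----------------------------------------------------------------------------------------
2014/10/13 05:40:12          05:40:12      1           AutoCom       FIN   FAIL       100%
"""


@dataclass
class Job:
    job_id: int
    job_type: str   # e.g. AutoCom, Commit
    status: str     # ACT while running, FIN once finished
    result: str     # PEND while running, then OK or FAIL
    completed: int  # percent


# One data row: enqueued timestamp, dequeued time (or "-" if still queued),
# then ID, Type, Status, Result and the completion percentage.
_ROW = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\s+"
    r"(?:\d{2}:\d{2}:\d{2}|-)\s+"
    r"(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)%$"
)


def parse_jobs(output: str) -> List[Job]:
    """Turn the job table into Job records; header and separator lines are skipped."""
    jobs = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            jobs.append(Job(int(m.group(1)), m.group(2), m.group(3),
                            m.group(4), int(m.group(5))))
    return jobs


def autocommit_state(output: str) -> str:
    """Classify the newest AutoCom job as 'done', 'running', 'failed' or 'absent'."""
    auto = [j for j in parse_jobs(output) if j.job_type == "AutoCom"]
    if not auto:
        return "absent"
    latest = max(auto, key=lambda j: j.job_id)
    if latest.status == "FIN":
        return "done" if latest.result == "OK" else "failed"
    return "running"


def safe_to_failback(output: str) -> bool:
    """Hand the active role back to the upgraded unit only after a successful auto commit."""
    return autocommit_state(output) == "done"


if __name__ == "__main__":
    for name, sample in (("running", SAMPLE_RUNNING),
                         ("done", SAMPLE_DONE),
                         ("failed", SAMPLE_FAILED)):
        print(f"{name}: state={autocommit_state(sample)} "
              f"failback_ok={safe_to_failback(sample)}")
```

In practice you would feed the function the captured CLI output each time you poll the device; a "failed" or "absent" answer means stop and investigate rather than fail back, and "running" means keep the connected secondary active a while longer.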