07-06-2012 04:45 PM
Hi Friends,
I wanted your help in solving this persisting issue. I have a PA4020 in HA mode which is configured in Active-Passive mode. For the last few days I have been getting the below errors:
SYSTEM ALERT : high : HA Group 1: Anti-Virus version does not match
SYSTEM ALERT : high : HA Group 1: URL Database version does not match
The extracts of the logs are attached below:
For "SYSTEM ALERT : high : HA Group 1: Anti-Virus version does not match" the log says " 1,2012/07/06 00:09:08,SYSTEM,ha,0,2012/07/06 00:09:08,,peer-version-match,,0,0,general,high,HA Group 1: Anti-Virus version does not match,0,0x0 "
and for " SYSTEM ALERT : high : HA Group 1: URL Database version does not match " the log says " 1,2012/07/06 00:59:20,SYSTEM,ha,0,2012/07/06 00:59:20,,peer-version-match,,0,0,general,high,HA Group 1: URL Database version does not match,0,0x0 "
Can somebody help me in resolving this issue?
07-06-2012 07:21 PM
These system logs indicate that the Anti-Virus version and URL Database version do not match between the HA peers.
This could be verified using the High Availability Widget General information on the GUI Dashboard or by executing the following CLI command on both peers:
>show system info
Manually sync the Anti-Virus and URL Filtering by visiting Device>Dynamic Update.
Hit "Check Now" and install the latest version on both the HA peers.
Scheduled Dynamic Updates in HA Environment and automate sync to peer.
Refer: https://live.paloaltonetworks.com/docs/DOC-2038
Regards,
Ameya
07-17-2012 12:20 AM
We have the same issue ... Two PA5020 nodes in HA Active-Passive mode. The gap for dynamic updates configured on the nodes is one hour. But every time there is an update we get the error from both nodes. Here are the logs:
Node1:
2012/07/16 19:15:09 Auto update agent found no new Content updates
2012/07/16 19:15:08 Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx
2012/07/16 19:10:45 HA Group 24: Anti-Virus version now matches
2012/07/16 19:10:19 Antivirus update job succeeded
2012/07/16 19:10:17 HA Group 24: Anti-Virus version does not match
2012/07/16 19:10:13 Config installed
2012/07/16 19:10:13 Config installed
2012/07/16 19:07:49 Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent
2012/07/16 19:07:38 Installed antivirus package: panup-inc-antivirus-792-1090.tgz
2012/07/16 19:07:24 Antivirus version 792-1090 downloaded by Auto update agent
2012/07/16 19:07:21 Connection to Update server: completed successfully, initiated by xxx.xxx.xxx.xxx
2012/07/16 19:01:03 Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx
2012/07/16 19:00:09 Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx
Node2:
2012/07/16 19:10:48 Antivirus update job succeeded
2012/07/16 19:10:45 HA Group 24: Anti-Virus version now matches
2012/07/16 19:10:41 Config installed
2012/07/16 19:10:41 Config installed
2012/07/16 19:10:17 HA Group 24: Anti-Virus version does not match
2012/07/16 19:08:20 Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent
2012/07/16 19:08:06 Installed antivirus package: panup-inc-antivirus-792-1090.tgz
2012/07/16 19:07:52 Content image transferred from peer
2012/07/16 19:07:24 Content image transferred from peer
Here are the System-Alert-Mails:
From Node1:
domain: 1
receive_time: 2012/07/16 19:10:17
serial: [node1]
seqno: 3770
actionflags: 0x0
type: SYSTEM
subtype: ha
config_ver: 0
time_generated: 2012/07/16 19:10:17
vsys:
eventid: peer-version-match
object:
fmt: 0
id: 0
module: general
severity: high
opaque: HA Group 24: Anti-Virus version does not match
From Node2:
domain: 1
receive_time: 2012/07/16 19:10:17
serial: [node2]
seqno: 15916
actionflags: 0x0
type: SYSTEM
subtype: ha
config_ver: 0
time_generated: 2012/07/16 19:10:17
vsys:
eventid: peer-version-match
object:
fmt: 0
id: 0
module: general
severity: high
opaque: HA Group 24: Anti-Virus version does not match
Any ideas to this issue?
07-17-2012 12:47 AM
Well, the 1 hour delay between the nodes doesn't seem to be working, and I guess it shouldn't either.
When box A gets new content, this is sent to box B for installation as well, so IF a failover occurs they both have the same content db's (no matter if it's appid or url-db or something else).
Also, reading the logs I get the impression that the auto-commit of config with a new antivirus package takes approx 2 minutes.
So when node1 is done with its update incl. auto-commit at 2012/07/16 19:10:13, it checks with its peer 4 seconds later if it's up to date as well... but it isn't, it's still in the process of installing the update. Node2 is however done at 2012/07/16 19:10:41, which is shown at 2012/07/16 19:10:45 on both boxes: they are now both up to date in case a failover occurs.
Personally I don't mind the above logs (even if it would of course be better if this particular case could be logged differently, because the passive node will always be updated after the active node - unless the active node has way too much to do in the mgmtplane, then the active node could take longer to complete its auto-commit with the new antivirus-db).
However, what I'm worried about is that the above logs show that IF a failover occurs, then the passive box is in the middle of an auto-commit as well - how will new sessions be handled in this case (since programming of the dataplane isn't atomic, or is it)?
07-17-2012 01:57 AM
"For stable updates, the best practice is to stagger the time with a sufficient gap (e.g. 30 minutes) for scheduled updates on both boxes enabled with "sync-to-peer"."
https://live.paloaltonetworks.com/docs/DOC-2038
We configured one hour as a last try because 30-minute and 15-minute gaps didn't work in our tests.
Because we configured the nodes to send alerts when system alerts occur (critical and high), we receive the message nearly every day. Sure, we can disable the alerts, but we don't want to disable these alerts. There must be another solution to this problem!
12-25-2013 11:19 AM
Scout24_IT, agreed. See my comment here to KB DOC-5592 re: how PAN should address these false-positive critical alerts (when you look at the overall issue). We're in the same boat as you - we don't want to disable critical/high, but the only solution (other than filtering in our email client) is for PAN to address this in the code given the timing of these events. Seems pretty easy to address but also a small-company growing-pain item, likely on a backlog, that should be prioritized up given the # of enterprise HA customers, and that other companies like Cisco and Juniper have already resolved. (From first-hand experience inside one of those competitors around just this issue, way back in the day.)
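Added example, not part of any post in this thread and not Palo Alto Networks code: one way to triage these alerts downstream (for example in a log pipeline or mail filter) is to pair each "does not match" event with the following "now matches" event and only escalate mismatches that stay open. The function name, the 5-minute grace period and the URL Database sample line are assumptions made for this sketch; the other sample lines come from the Node1 log above.

```python
import re
from datetime import datetime, timedelta

# First four lines are copied from the Node1 log in the thread (newest first).
# The URL Database line is constructed: a mismatch that never clears.
SAMPLE_LOG = """\
2012/07/16 19:10:45 HA Group 24: Anti-Virus version now matches
2012/07/16 19:10:19 Antivirus update job succeeded
2012/07/16 19:10:17 HA Group 24: Anti-Virus version does not match
2012/07/16 19:07:49 Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent
2012/07/16 18:00:00 HA Group 24: URL Database version does not match
"""

EVENT = re.compile(
    r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) HA Group (\d+): (.+?) version "
    r"(does not match|now matches)$"
)

def classify_mismatches(log_text, grace=timedelta(minutes=5)):
    """Pair each 'does not match' with the next 'now matches' for the same
    HA group and component. Returns (group, component, start, status) tuples:
    'transient'  = cleared within the grace period (peer was mid-install),
    'persistent' = cleared late or still open after the grace period,
    'pending'    = still open, but younger than the grace period.
    The 5-minute grace period is an assumption; tune it to your commit times.
    """
    events = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    if not events:
        return []
    events.sort()                      # the log is newest-first; go oldest-first
    last_seen = events[-1][0]          # newest timestamp stands in for "now"
    open_since, results = {}, []
    for ts, group, comp, state in events:
        key = (group, comp)
        if state == "does not match":
            open_since.setdefault(key, ts)
        elif key in open_since:
            start = open_since.pop(key)
            status = "transient" if ts - start <= grace else "persistent"
            results.append((group, comp, start, status))
    for (group, comp), start in open_since.items():
        status = "persistent" if last_seen - start > grace else "pending"
        results.append((group, comp, start, status))
    return sorted(results, key=lambda r: r[2])
```

On the sample, the 28-second Anti-Virus mismatch from the thread is classified as transient, while the constructed URL Database mismatch that never clears is classified as persistent and is the one worth alerting on.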