- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
07-06-2012 04:45 PM
Hi Friends,
I wanted your help in solving this persiting issue.I have a PA4020 in HA mode which is configured in Active-Passive mode. From last few days i am getting the below error
SYSTEM ALERT : high : HA Group 1: Anti-Virus version does not match
SYSTEM ALERT : high : HA Group 1: URL Database version does not match
the extracts of the logs is attached below:
for "SYSTEM ALERT : high : HA Group 1: Anti-Virus version does not match" the logs says " 1,2012/07/06 00:09:08,SYSTEM,ha,0,2012/07/06 00:09:08,,peer-version-match,,0,0,general,high,HA Group 1: Anti-Virus version does not match,0,0x0 "
and for " SYSTEM ALERT : high : HA Group 1: URL Database version does not match " the logs says " 1,2012/07/06 00:59:20,SYSTEM,ha,0,2012/07/06 00:59:20,,peer-version-match,,0,0,general,high,HA Group 1: URL Database version does not match,0,0x0 "
Can somebody help me in resolving this issue.
07-06-2012 07:21 PM
This system logs indicate that Anti-Virus version URL Database version does not match between the HA peer.
This could be verified using the High Availability Widget General information on GUI Dashboard or executing following CLI command on both peers
>show system info
Manually sync the Anti-virus and Url-Filtering visiting Device>Dynamic Update
Hit check now and install the latest version on both the HA peers.
Scheduled Dynamic Updates in HA Environment and automate sync to peer .
Refer: https://live.paloaltonetworks.com/docs/DOC-2038
Regards,
Ameya
07-17-2012 12:20 AM
We have the same issue ... Two PA5020 Nodes in HA Active-Passive Mode. The gap for dynamic updates configured on the nodes is one hour. But everytime when there is an update we become the error from both nodes. Here are the Logs:
Node1:
2012/07/16 19:15:09 Auto update agent found no new Content updates
2012/07/16 19:15:08 Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx
2012/07/16 19:10:45 HA Group 24: Anti-Virus version now matches
2012/07/16 19:10:19 Antivirus update job succeeded
2012/07/16 19:10:17 HA Group 24: Anti-Virus version does not match
2012/07/16 19:10:13 Config installed
2012/07/16 19:10:13 Config installed
2012/07/16 19:07:49 Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent
2012/07/16 19:07:38 Installed antivirus package: panup-inc-antivirus-792-1090.tgz
2012/07/16 19:07:24 Antivirus version 792-1090 downloaded by Auto update agent
2012/07/16 19:07:21 Connection to Update server: completed successfully, initiated by xxx.xxx.xxx.xxx
2012/07/16 19:01:03 Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx
2012/07/16 19:00:09 Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx
Node2:
2012/07/16 19:10:48 Antivirus update job succeeded
2012/07/16 19:10:45 HA Group 24: Anti-Virus version now matches
2012/07/16 19:10:41 Config installed
2012/07/16 19:10:41 Config installed
2012/07/16 19:10:17 HA Group 24: Anti-Virus version does not match
2012/07/16 19:08:20 Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent
2012/07/16 19:08:06 Installed antivirus package: panup-inc-antivirus-792-1090.tgz
2012/07/16 19:07:52 Content image transferred from peer
2012/07/16 19:07:24 Content image transferred from peer
Here are the System-Alert-Mails:
From Node1:
domain: 1
receive_time: 2012/07/16 19:10:17
serial: [node1]
seqno: 3770
actionflags: 0x0
type: SYSTEM
subtype: ha
config_ver: 0
time_generated: 2012/07/16 19:10:17
vsys:
eventid: peer-version-match
object:
fmt: 0
id: 0
module: general
severity: high
opaque: HA Group 24: Anti-Virus version does not match
From Node2:
domain: 1
receive_time: 2012/07/16 19:10:17
serial: [node2]
seqno: 15916
actionflags: 0x0
type: SYSTEM
subtype: ha
config_ver: 0
time_generated: 2012/07/16 19:10:17
vsys:
eventid: peer-version-match
object:
fmt: 0
id: 0
module: general
severity: high
opaque: HA Group 24: Anti-Virus version does not match
Any ideas to this issue?
07-17-2012 12:47 AM
Well the 1 hour delay between the nodes doesnt seem to be working and I guess it shouldnt either.
When box A gets a new content this is sent to box B for installation aswell so IF a failover occurs they both have the same content db's (no matter if its appid or url-db or something else).
Also reading the logs I get the impression that the auto-commit of config with a new antivirus-package takes approx 2 minutes.
So when node1 is done with its update incl. auto-commit at 2012/07/16 19:10:13 it checks with its peer 4 seconds later if its up2date aswell... but it isnt, its still in the progress of installing the update. Node2 is however done at 2012/07/16 19:10:41 which is shown at 2012/07/16 19:10:45 on both boxes that they are now both up2date in case a failover occurs.
Personally I dont mind about the above logs (even if it would of course be better if this particular case could be logged differently because the passive node will always be updated after active node - unless the active node have way too much to do in mgmtplane, then active node could take longer to complete its auto-commit with new antivirus-db.
However what im worried about is that the above logs shows that IF a failover occurs then the passive box is in the middle of an auto-commit aswell - how will new sessions be handled in this case (since programming of the dataplane isnt atomic, or is it)?
07-17-2012 01:57 AM
"For stable updates, the best practice is to stagger the time with a sufficient gap (e.g. 30 minutes) for scheduled updates on both boxes enabled with "sync-to-peer".
https://live.paloaltonetworks.com/docs/DOC-2038
We configured one hour as last try because 30 Minutes and 15 Minutes gap didn't work in our tests.
Because we configured the nodes to send alerts when system alerts occur (critical and high), we receive nearly every day the message. Sure we can disable the alerts, but we don't won't to disable this alerts. There must be an other solution to this problem!
12-25-2013 11:19 AM
Scout24_IT, agreed. See my comment here to KB DOC-5592 re: how PAN should address these false positives critical alerts (when you look at the overall issue). We're in the same boat as you - we dont want to disable critical/high but the only solution (other than filtering in our email client) is for PAN to address this in the code given the timing of these events. Seems pretty easy to address but also a small company growing pain item, likely on a backlog that should be prioritized up given the # of enterprise HA customers, that others companies like Cisco and Juniper have already resolved. (from first hand experience inside one of those competitors around just this issue, way back in the day)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!