SYSTEM ALERT : high : HA Group 1: ** version does not match


Hi Friends,

I wanted your help in solving this persisting issue. I have a PA4020 in HA mode which is configured in Active-Passive mode. For the last few days I have been getting the errors below:

SYSTEM ALERT : high : HA Group 1: Anti-Virus version does not match

SYSTEM ALERT : high : HA Group 1: URL Database version does not match

The extracts of the logs are attached below:

For "SYSTEM ALERT : high : HA Group 1: Anti-Virus version does not match" the log says "1,2012/07/06 00:09:08,SYSTEM,ha,0,2012/07/06 00:09:08,,peer-version-match,,0,0,general,high,HA Group 1: Anti-Virus version does not match,0,0x0"

and for "SYSTEM ALERT : high : HA Group 1: URL Database version does not match" the log says "1,2012/07/06 00:59:20,SYSTEM,ha,0,2012/07/06 00:59:20,,peer-version-match,,0,0,general,high,HA Group 1: URL Database version does not match,0,0x0"

Can somebody help me in resolving this issue?


These system logs indicate that the Anti-Virus version and the URL Database version do not match between the HA peers.

This can be verified using the General Information section of the High Availability widget on the GUI Dashboard, or by executing the following CLI command on both peers:

> show system info

Manually sync the Anti-Virus and URL Filtering content by visiting Device > Dynamic Update.

Hit "Check Now" and install the latest version on both HA peers.

Scheduled Dynamic Updates in HA Environment and automate sync to peer.

Refer: https://live.paloaltonetworks.com/docs/DOC-2038

Regards,

Ameya

We have the same issue... Two PA5020 nodes in HA Active-Passive mode. The gap for dynamic updates configured on the nodes is one hour. But every time there is an update we get the error from both nodes. Here are the logs:

Node1:

2012/07/16 19:15:09    Auto update agent found no new Content updates

2012/07/16 19:15:08    Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx

2012/07/16 19:10:45    HA Group 24: Anti-Virus version now matches

2012/07/16 19:10:19    Antivirus update job succeeded

2012/07/16 19:10:17    HA Group 24: Anti-Virus version does not match

2012/07/16 19:10:13    Config installed

2012/07/16 19:10:13    Config installed

2012/07/16 19:07:49    Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent

2012/07/16 19:07:38    Installed antivirus package: panup-inc-antivirus-792-1090.tgz

2012/07/16 19:07:24    Antivirus version 792-1090 downloaded by Auto update agent

2012/07/16 19:07:21    Connection to Update server:  completed successfully, initiated by xxx.xxx.xxx.xxx

2012/07/16 19:01:03    Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx

2012/07/16 19:00:09    Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by xxx.xxx.xxx.xxx

Node2:

2012/07/16 19:10:48    Antivirus update job succeeded

2012/07/16 19:10:45    HA Group 24: Anti-Virus version now matches

2012/07/16 19:10:41    Config installed

2012/07/16 19:10:41    Config installed

2012/07/16 19:10:17    HA Group 24: Anti-Virus version does not match

2012/07/16 19:08:20    Antivirus package upgraded from version 790-1086 to 792-1090 by Auto update agent

2012/07/16 19:08:06    Installed antivirus package: panup-inc-antivirus-792-1090.tgz

2012/07/16 19:07:52    Content image transferred from peer

2012/07/16 19:07:24    Content image transferred from peer

Here are the System-Alert-Mails:

From Node1:

domain: 1

receive_time: 2012/07/16 19:10:17

serial: [node1]

seqno: 3770

actionflags: 0x0

type: SYSTEM

subtype: ha

config_ver: 0

time_generated: 2012/07/16 19:10:17

vsys:

eventid: peer-version-match

object:

fmt: 0

id: 0

module: general

severity: high

opaque: HA Group 24: Anti-Virus version does not match

From Node2:

domain: 1

receive_time: 2012/07/16 19:10:17

serial: [node2]

seqno: 15916

actionflags: 0x0

type: SYSTEM

subtype: ha

config_ver: 0

time_generated: 2012/07/16 19:10:17

vsys:

eventid: peer-version-match

object:

fmt: 0

id: 0

module: general

severity: high

opaque: HA Group 24: Anti-Virus version does not match

Any ideas on this issue?

Well, the 1 hour delay between the nodes doesn't seem to be working, and I guess it shouldn't either.

When box A gets new content, this is sent to box B for installation as well, so IF a failover occurs they both have the same content DBs (no matter if it's appid or url-db or something else).

Also, reading the logs I get the impression that the auto-commit of config with a new antivirus package takes approx. 2 minutes.

So when node1 is done with its update incl. auto-commit at 2012/07/16 19:10:13, it checks with its peer 4 seconds later if it's up to date as well... but it isn't, it's still in the process of installing the update. Node2 is however done at 2012/07/16 19:10:41, which is shown at 2012/07/16 19:10:45 on both boxes: they are now both up to date in case a failover occurs.

Personally I don't mind the above logs (even if it would of course be better if this particular case could be logged differently, because the passive node will always be updated after the active node, unless the active node has way too much to do in the mgmtplane, in which case the active node could take longer to complete its auto-commit with the new antivirus DB).

However, what I'm worried about is that the above logs show that IF a failover occurs then, the passive box is in the middle of an auto-commit as well. How will new sessions be handled in this case (since programming of the dataplane isn't atomic, or is it)?

"For stable updates, the best practice is to stagger the time with a sufficient gap (e.g. 30 minutes) for scheduled updates on both boxes enabled with 'sync-to-peer'."

https://live.paloaltonetworks.com/docs/DOC-2038

We configured one hour as a last try because 30-minute and 15-minute gaps didn't work in our tests.

Because we configured the nodes to send alerts when system alerts occur (critical and high), we receive the message nearly every day. Sure, we can disable the alerts, but we don't want to disable these alerts. There must be another solution to this problem!

Scout24_IT, agreed. See my comment here to KB DOC-5592 re: how PAN should address these false-positive critical alerts (when you look at the overall issue). We're in the same boat as you: we don't want to disable critical/high, but the only solution (other than filtering in our email client) is for PAN to address this in the code, given the timing of these events. Seems pretty easy to address, but also a small-company growing-pain item, likely on a backlog, that should be prioritized up given the # of enterprise HA customers, and that other companies like Cisco and Juniper have already resolved. (From first-hand experience inside one of those competitors around just this issue, way back in the day.)
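
The timing described in the replies above (a mismatch raised at 19:10:17 that clears at 19:10:45) can be checked mechanically before anyone is paged. The following is an added example, not part of any post and not Palo Alto Networks code: it pairs each "does not match" system-log entry with the next "now matches" entry for the same HA group and component, and separates short-lived update races from mismatches that clear late or never. The function name, the 5-minute grace value and the last sample line are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches system-log lines in the "timestamp    message" form shown in this thread.
EVENT = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"HA Group (\d+): (.+?) version (does not match|now matches)$"
)

def classify_mismatches(lines, grace=timedelta(minutes=5)):
    """Pair each raise with the next clear for the same (group, component)."""
    events = []
    for line in lines:
        m = EVENT.match(line.strip())
        if m:  # unrelated log lines are ignored
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, (m.group(2), m.group(3)), m.group(4)))
    events.sort(key=lambda e: e[0])  # the log view lists newest entries first

    open_alerts, results = {}, []
    for ts, key, state in events:
        if state == "does not match":
            open_alerts.setdefault(key, ts)  # keep the earliest raise time
        elif key in open_alerts:
            raised = open_alerts.pop(key)
            status = "transient" if ts - raised <= grace else "persistent"
            results.append({"group": key[0], "component": key[1],
                            "raised": raised, "cleared": ts, "status": status})
    # Never cleared: an operator should compare content versions on both peers.
    for key, raised in open_alerts.items():
        results.append({"group": key[0], "component": key[1],
                        "raised": raised, "cleared": None, "status": "unresolved"})
    return results

# The first three lines reuse Node1 entries quoted in the thread; the last
# line is constructed to show a mismatch that never clears.
SAMPLE = [
    "2012/07/16 19:10:45    HA Group 24: Anti-Virus version now matches",
    "2012/07/16 19:10:19    Antivirus update job succeeded",
    "2012/07/16 19:10:17    HA Group 24: Anti-Virus version does not match",
    "2012/07/16 00:59:20    HA Group 24: URL Database version does not match",
]

if __name__ == "__main__":
    for r in classify_mismatches(SAMPLE):
        print(r["component"], r["raised"], r["cleared"], r["status"])
```

Only the "persistent" and "unresolved" results correspond to the situation in the original question, where the peers stay on different content versions.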
