Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

The PA-3020 in the HA pair cannot automatically run dynamic updates.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

The PA-3020 in the HA pair cannot automatically run dynamic updates.

L1 Bithead

 

Hi All,
I have two PA-3020 that are HA setup, version 9.1.9.
Since the beginning of March, I have found that dynamic updates often fail. Strictly speaking, downloading images is normal. However, one firewall updates normally and the other fails to update, causing the two firewall versions to mismatch. But it does not always fail to update automatically, and the probability of occurrence is about 50%.

PA-3020-mismatch.png

active one:

active oneactive one

passive one:

passive onepassive one
At the beginning of April, we updated the firewall version to 9.1.12. After two weeks of observation, I found that the problem still exists.

If I install the image file directly, there will be an error.

fail  detailfail detail

 

 

At present my solution is: delete the downloaded image file -> manually download the image file -> manually install the latest version

 

How can I fix this problem?

 

Thanks.

5 REPLIES 5

Cyber Elite
Cyber Elite

@DevonFan,

It's not recommended to have both active/passive units set to use the same exact dynamic update scheduled, especially with sync-to-peer enabled. Offset these so that both units aren't kicking off at the exact same time. 

Cyber Elite
Cyber Elite

Hi @DevonFan ,

 

"Sync-to-peer" is intended when the HA secondary has no path to the Internet from the management interface.  I would disable it.  Also, this article reiterates what @BPry said.

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClrnCAC

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

I recommend the same as @TomYoung : disable the sync-to-peer option and your problem should be solved. In order to have the updates installed as soon as possible, think about changing the update values to checks more often. Mainly the antivirus update foe the case when it is released at another time than normal. I do also the same for the apps and threats updates, but I configured a threshold to avoid problems with bugs in these updates. Only in situations of emergency updates or when important vulnerability signatures are released, I install the update manually prior to the threshold time specified.

L1 Bithead

Hi all,

Thanks for the suggestion, I'll modify it and see if it improves.
But I have another pair of firewall PA-820 and they have the same situation yesterday.
I'm wondering if it's the sync to peer settings that caused the installation to fail?

active oneactive onepassive onepassive onefailed detailsfailed details

(Please ignore the miss of Antivirus on 4/20, there was a problem with network to Internet on that day and the download and update were not scheduled.)

Hi @DevonFan 

In this case probably your disk is full. Try to remove the old content updates and also PAN-OS images. Here you can find some more information about cleaning the root partition: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaJCAS

  • 3843 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!